BankNet 360 today ran a story "Phishing Scams Being Defeated Faster". It says that the Phishing Incident Reporting and Termination Squad "PIRT" is taking down phishing sites much faster than before.
The article says that most sites can be taken down within 24 hours, with an average response time of a couple of hours. So, once a phishing site is known, this reduces the risk to financial institutions and other enterprises. This volunteer response organization is very good, but it's not enough. Why?
The latest research shows that an average of 11% of recipients of a phishing email respond. If the enterprise being hit is well targeted (i.e. the criminals have done their homework and have obtained the financial institution's members' email addresses - see my blog on context aware attacks), then the number of potential respondents can be quite high.
If the attack isn't immediately noted and the site isn't immediately taken down, then the financial hit to the institution and their customers can be high. So, while taking down the sites within a few hours of the authorities being informed is good, the damage may already have been done.
When you take into consideration that stronger authentication doesn't stop phishing attacks, the bottom line is to educate your customers to never click on a link, call a phone number, or send a fax to a fax number mentioned in an email.
I believe that over one to two years of constant education an enterprise can cut the number of people who fall prey to phishing attacks by 40-60%. In an economic sense, the financial gain to the criminal drops. Instead of 11% falling for the phishing attack, the number could be around 3-6%.
Furthermore, if smaller financial institutions like credit unions adopt transaction authentication, then the amount of financial pain they incur from these attacks will also drop. Why?
The criminal logs on successfully and then tries to withdraw hundreds of dollars from an ATM in Eastern Europe or transfer money out of the account. The transaction software would recognize that this behavior doesn't fit the customer's profile. It would then stop the payment and instead take action: it might ask the person attempting the withdrawal more detailed questions, call the customer's mobile phone asking them to approve the withdrawal, etc.
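As an added illustration of the profile check described above (example code written for this page, not from the original post or any vendor's product), the rule-based scorer below builds a customer profile from constructed sample history and scores a new transaction on unfamiliar country, unusually large amount and burst velocity, returning allow, step-up or block. The thresholds, weights and the hypothetical profile fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample history: (amount in dollars, country, timestamp) of
# transactions the customer has already confirmed as their own.
HISTORY = [
    (40.0, "US", datetime(2024, 5, 1, 9, 0)),
    (120.0, "US", datetime(2024, 5, 3, 18, 30)),
    (60.0, "US", datetime(2024, 5, 7, 12, 15)),
    (200.0, "US", datetime(2024, 5, 10, 8, 45)),
    (80.0, "US", datetime(2024, 5, 14, 20, 0)),
]


@dataclass
class Profile:
    countries: set        # countries the customer has transacted from
    max_amount: float     # largest confirmed transaction so far


def build_profile(history):
    """Derive the behaviour profile from confirmed transactions."""
    return Profile(countries={c for _, c, _ in history},
                   max_amount=max(a for a, _, _ in history))


def assess(profile, amount, country, when, recent=()):
    """Score one transaction against the profile.

    recent: timestamps of the customer's other transactions; those within the
    last hour count toward a burst. Returns (score, action, reasons).
    Weights and cut-offs are hypothetical values chosen for illustration.
    """
    score, reasons = 0, []
    if country not in profile.countries:
        score += 50
        reasons.append("unfamiliar country")
    if amount > 2 * profile.max_amount:
        score += 30
        reasons.append("amount far above customer's usual")
    burst = sum(1 for t in recent if when - timedelta(hours=1) <= t <= when)
    if burst >= 3:
        score += 20
        reasons.append("burst of transactions in the last hour")
    if score >= 70:
        action = "block"          # stop the payment and alert the fraud team
    elif score >= 40:
        action = "step_up"        # e.g. call the customer's phone to approve
    else:
        action = "allow"
    return score, action, reasons
```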
Bottom line: Financial institutions should reduce their risk by implementing transaction authentication software and begin a constant education process with their customers. Failure to do so simply means the enterprise will incur larger losses each time a malware attack is made upon them.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com