Cyberspace is like the Wild West for digital crime. The global nature of the web, and the ease with which phishers can hide and avoid prosecution, makes it easy for them to steal from trusting consumers who shop, pay bills, and bank on the Internet. Organized crime is exploding online, snaring thousands of victims with cunning, technologically advanced phishing and pharming schemes.
You must take great precautions when sending any personal or financial information over the Internet, when downloading applications and software, or when using email and instant messaging. This article lists the top five tips to defend against phishing that leads to identity theft and financial fraud.
What’s Being Done about Phishing?
Legislation can provide a supporting role, but technological solutions are still the best way to fight phishing. This requires several simple tasks, such as downloading the latest version of your browser, patching your operating system, and always running up-to-date security software. Criminals use malicious code to launch advanced multifaceted assaults that exploit new vulnerabilities discovered every day. The assaults download spyware and other behind-the-scenes code that redirect users to fraudulent web sites.
Hackers also create shell code on legitimate commercial sites that steals users’ information while the real site runs in the foreground. The time window between when a group launches an attack and when a patch is ready to be distributed and downloaded to fix the hole—about three days—is when most people are victimized. However, consumers who install anti-spyware, anti-spam, and anti-virus tools, along with a personal firewall and privacy protection, will have systems that cannot be tricked by the current schemes, and will be protected against new dangers as they emerge.
New anti-phishing legislation is in the works worldwide. Legislators are tailoring laws to cyberspace; for example, by allowing prosecutors to pursue phishers without the normal burden of proof of showing specific damages to a victim. This is important since most phishers disappear in the time it takes to collect this evidence. Enforcing cyber legislation has hurdles, though: First, it’s difficult to find the criminal, since most can fake their whereabouts. Next, it’s challenging to obtain jurisdiction to investigate and prosecute hackers—especially in other countries. Finally, it’s difficult to enforce a guilty judgment, since the defendant can easily disappear or transfer their assets offshore.
Law enforcement doesn’t currently allocate enough time or resources to make a real dent in cyber crime. Most cases are brought by Internet service providers and corporations that are targeted, and only a handful of legal cases in the world have succeeded against spammers and phishers. Until there’s an easier and faster way to track the whereabouts of cyber criminals, and international cooperation in bringing them down, the public can’t rely on laws to protect them online.
What is Industry Doing?
Industry is trying to pick up the slack. U.S. banking regulators are requiring banks to implement stronger authentication measures, such as multifactor authentication and layered security, for their online banking customers. Many banks are already deploying sophisticated new tools. Some are using programs that combine mouse clicks and keystrokes to give customers access to their online accounts. However, hackers are countering with screen scrapers and keyloggers deposited by Trojan horses to capture these clicks and entries.
Other companies may choose to deliver personalized content that the user chooses, such as trivia information and images, for web site links and emails. This way, consumers instantly recognize the name of their first pet or the logo of their favorite sports team, and know that the personalized communication is legitimate because it contains information a phisher does not know. Many companies are also building strong security into their site design.
Tough measures such as two-factor authentication will prevent passive attacks including mass pharming of passwords and password guessing, but they won’t prevent rootkit assaults using remote attacker control. Here, the attacker simply relays the extra login data as the user types it in, or the user unknowingly authenticates both parts for the attacker. Until the banking industry develops solutions to these types of attacks, consumers must use great caution when transacting online. Banks must also do more to independently verify online transactions before they authorize them.
Industry groups are working together to identify and shut down phishing sites. Digital PhishNet (DPN) <www.digitalphishnet.org> is a collaboration of corporations and law enforcement to streamline investigation and prosecution of phishers, and to shut down phishing sites and wipe out spam. Government and industry worldwide are going head to head with cyber criminals; but consumers must never let down their guard when playing, shopping, and working online.
Top 5 Ways to Defend Against Phishing
- Keep your operating system patched to stop known software vulnerabilities from being exploited. Install patches from software manufacturers as soon as they are distributed, since hackers can quickly assemble malware using pre-made components to exploit the weakness before the majority of people download the fix. A fully patched computer behind a firewall is the best defense against Trojan and spyware installation.
- Download the latest version of your browser to ensure that it is fully updated and utilizes the latest technologies. Internet Explorer 7 and other browsers include an anti-phishing toolbar to add another layer of protection. They use whitelists and blacklists of known sites, URL checks, and advanced heuristics to identify and filter out phishing sites.
- The origin of an email, the location of a page, and the use of SSL encryption can all be spoofed. Browser lock icons can also be spoofed. You should ensure SSL is being used (look for “https:” in the URL) and check the domain name of the site as an indicator of whether the site is legitimate. Watch out for similar sounding domains that a phisher can register for a fake web site, such as cred1tusa.com for creditusa.com. Because of hacker tricks, though, you can’t rely on these checks as an absolute indicator that the communication or site is safe.
- Use an Internet service provider (ISP) that implements strong anti-spam and anti-phishing technologies and policies. For example, AOL blocks known phishing sites so that customers can’t reach them. The SpamHaus organization <www.spamhaus.org> lists the current top-10 worst ISPs in this category—consider this when making your choice.
- Protect your computer with strong security software and keep it up to date. Hackers have databases containing millions of email addresses. They target vulnerabilities in email applications and web browsers, and design weaknesses in targeted web site programs. You can defend against phishing, though, because it blends existing techniques of spam and software exploitation.
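As an added example (not code from this article or from McAfee), the Python check below applies the two tests the list recommends before trusting a link, “https:” in use and an exact match on the site’s registrable domain, and flags look-alike registrations of the cred1tusa.com kind; creditusa.com is the article’s own illustration and every URL it runs against is constructed.

```python
# Added example, not from the original article. Applies the article's advice:
# require https, require an exact registrable-domain match, and flag names that
# only look like the real one through digit/letter swaps (cred1tusa vs creditusa).
from urllib.parse import urlsplit

# Characters that read alike at a glance; both real and suspect names are mapped
# through this table so "1", "l" and "i" (or "0" and "o") compare as equal.
_SKELETON = str.maketrans({"1": "i", "l": "i", "|": "i", "0": "o",
                           "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Last two labels of a host name (assumes a simple TLD such as .com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def skeleton(name):
    """Collapse confusable characters so look-alike names become identical."""
    return name.lower().translate(_SKELETON)


def check_url(url, expected_domain):
    """Return (ok, reason) for a link that claims to lead to expected_domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit already lowercases the host
    if parts.scheme != "https":
        return False, "not served over https"
    domain = registrable_domain(host)
    if domain == expected_domain:
        return True, "https and exact domain match"
    if skeleton(domain) == skeleton(expected_domain):
        return False, "look-alike domain %s (mimics %s)" % (domain, expected_domain)
    if expected_domain in host:
        # Real brand name buried as a subdomain of someone else's domain.
        return False, "%s appears only as a subdomain of %s" % (expected_domain, domain)
    return False, "unexpected domain %s" % domain


if __name__ == "__main__":
    # Constructed sample links: one genuine, three that the article warns about.
    for link in ("https://www.creditusa.com/login", "http://www.creditusa.com/login",
                 "https://www.cred1tusa.com/login", "https://creditusa.com.example.net/"):
        print(link, "->", check_url(link, "creditusa.com"))
```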
The McAfee® Internet Security guarantees trusted PC protection from viruses, hackers, and spyware. Its cutting-edge features include X-Ray for Windows®, which detects and kills rootkits and other malicious applications that hide from Windows and other anti-virus programs. Its integrated anti-virus, anti-spyware, firewall, anti-spam, anti-phishing, and backup technologies work together to combat today’s sophisticated, multi-pronged attacks.