SPECIAL REPORT

New Internet Security Forum Seeks To End Phishing

A newly formed antiphishing group is promising to introduce ways to shut down the spread of online identity fraud scams. Shawn Eldridge, chairman of the new group, Trusted Electronic Communications Forum, sees results coming within the next four to six months.

“Phishing” for user identification through e-mail scams is quickly becoming the number one online security concern. Analysts report that 76 percent of the known or suspected phishing attacks occurred since October 2003.

Also known as spoofing or carding, phishing scams trick unaware computer users into divulging their vital personal and financial information. According to a recent study by Gartner, 57 million U.S. Internet users have received fraudulent e-mail linked to phishing scams, and about 1.7 million of them might have been tricked into divulging personal information.

Using sophisticated techniques, phishers rely on spoofed e-mails and fraudulent Web sites to trick e-mail recipients into entering their credit card numbers, account usernames and passwords, social security numbers and more. In recent months, the Federal Trade Commission confirmed phishing attacks against Best Buy, UPS, Bank of America, PayPal and the First Union Bank.

As phishers continue to launch these identity-stealing scams, a conglomerate of cross-industry experts has formed a new organization to combat phishing, spoofing and identity fraud. The Trusted Electronic Communications Forum (TECF) includes key players from retail, financial services, healthcare and technology industries.

Certification, Standards

The TECF was formed in June as a collaborative endeavor by leaders of corporations in numerous industries. The new group’s mission is to help mitigate the risks posed by phishing, spoofing and other tactics of online identity fraud. The group also will focus on finding an immediate cross-geographic and industry-wide standard to protect consumers and businesses.

The Forum’s founding members are leaders in the retail, telecommunications, banking and technology industries. They include ABN AMRO, AT&T Wireless, Best Buy, Charles Schwab, CipherTrust, DirecTV, E*Trade, Fidelity Investments, GE Access, HSBC, IBM, National City Bank, PostX Corporation, Royal Bank of Scotland and Siebel Systems.

The TECF also plans to contribute to the public dialogue about phishing and spoofing through its members and through periodic research reports.

The Forum hopes to use its influence to promote methodologies, technologies and best practices to shut down phishing attacks. It will assist in the prosecution of offenders.

The TECF has three primary goals. One is stopping the erosion of e-mail as a viable business tool. The second is preventing the decline of e-commerce as a result of brand distrust. The third goal is to reverse the overall negative effects that phishing epidemics have had on the Internet landscape.

Two-Pronged Approach

TECF Chairman Eldridge told TechNewsWorld that no single group was looking for solutions that were broad enough to stop phishing scams. What was needed was an organization that would approach the problems in their entirety.

“Phishing is out of control now. I came to the conclusion that we needed to be a cross-industry group that could push for both short-term and long-term solutions,” said Eldridge, who holds a senior management position at electronic information delivery firm PostX.

Eldridge asserted that identity theft is a multibillion dollar per year problem. Phishing and spoofing scams seriously erode consumers’ trust in the Internet and enterprise brands.

“The TECF’s goal is to serve all industries and countries as the resource for providing standards with technology, best practices and research. Ultimately, the TECF would like to be able to lead the push to assess, back and deploy an industry-wide standard solution,” Eldridge said.

Avivah Litan, a senior analyst at the Gartner Group, sees the formation of TECF as a step in the right direction toward addressing the need for cross-industry standards and new legislation.

“Identity theft in the form of phishing and spoofing has proven to be a serious problem that isn’t going away anytime soon,” Litan said. “There are many different products and solutions being offered to address spoofing and phishing. However, there is a lack of uniformity and immediate deployment with these offerings.”

Structured Community Approach

The Forum is organized around four task groups or communities. Each one pursues solutions that affect the related industries. The communities are technical standards, best practices, social engineering and government affairs.

“There is no silver bullet solution to curbing phishing,” Eldridge told TechNewsWorld. “It will take a combination of consumer education, technology, industrial cooperation and government action to go after offenders.”

Eldridge said each community is investigating how it can solve the problems associated with e-mail security.

“E-mail is insecure now. But there are things that can be done to make it more secure,” he said. “We are looking at proposals that haven’t as yet caught on industrywide for various reasons.”

A Needed Turn

Reaction to the Forum has been positive. Some view the move cynically. However, Ken Leonard, CEO of ScanAlert, an e-commerce security auditing company, noted that others will see it as an opportunity to get moving collectively on a solution that addresses multiple issues such as prevention, content authentication, e-mail and law enforcement.

An organization such as the TECF is critically important, Leonard said. He described phishing as a problem that touches everyone who uses computers.

“Phishing has become a gigantic problem for everyone involved in e-commerce, and a crisis in consumer confidence it causes hurts everyone,” Leonard told TechNewsWorld. “With the support of some of the world’s most powerful and influential banks, an organization like this can reach high up into government and companies like Microsoft to develop a solution.”

Leonard said he believes the TECF will be successful. If for no other reason, he sees it engendering or influencing the development of a viable solution.

“It will likely be successful because phishing has become such a universal issue. Banks like Citibank have seen their brands particularly imperiled by phishing, and they are going to use their influence to move the ball down the field as fast as possible,” Leonard said.

“Ultimate eradication of phishing, however, will probably require the collective efforts of trade associations, lobbying groups, industry and the gentle prod of legislation from governments around the world,” he said.

E-Mail Solutions Coming

That’s just what TECF Chairman Eldridge has in mind.

Eldridge emphasized that there is no 30-day solution to the phishing problem. But he said the Forum is working on solutions that can slow down the attacks, make it more difficult for phishers to pull them off and reduce their success rates.

He didn’t provide specifics on what the solutions are or how they will work. However, he said the two biggest developments were occurring in the technical standards and the best practices communities of TECF.

In the short term, we will begin to see some improvements before this year ends, Eldridge promised. He said in the long term phishing will be stopped.

“We are hoping 2004 will be the year that produces results,” Eldridge said.
