The Internet has delivered dramatic productivity improvements. Executives now have a simple way to exchange electronic mail messages, large and small companies are able to market their products worldwide and corporations have replaced manual procedures with automated ones. Along with these advances have come some downsides: a deluge of electronic mail marketing messages, a proliferation of spam and a number of online scams.
Phishing is the Internet’s latest black mark. In this ruse, criminals design e-mail notes and Web sites that resemble those from bona fide sources, such as merchants or financial institutions. When customers respond to seemingly legitimate messages, they send their personal data, such as credit card or bank account information, to bogus Web sites.
This information provides phishers with access to individuals’ personal accounts so they can perpetrate identity fraud.
Unfortunately, phishing has become quite popular. A Gartner Group study completed in April estimated that more than 57 million Americans (representing 40 percent of all online users) received a phishing e-mail, and 76 percent said the attack had taken place in the last six months.
Crooks Ahead of Posse
The numbers have alarmed corporations, which usually field the calls that come from irate consumers once they realize that they have been scammed. Also, companies do not want customers to loose their faith in the Internet and go back to inefficient manual techniques for ordering products.
Corporations understand that stronger authentication between users and companies is needed, but at the moment, the crooks are a few steps ahead of the posse.
The problem is that current security measures were designed to ensure that users are who they are rather than that vendors are legitimate, so the criminals are exploiting the weakest link in the security chain. As a result, the user-defined passwords that many firms rely on are no longer adequate security checks.
In response, internet service providers, financial institutions and online merchants are searching for new ways to authenticate their customers and themselves. The possible solutions include third-party authentication, the use of shared secrets, vendor maintained blacklists and the development of new security standards.
Third-party authentication systems, such as public key infrastructure (PKI), represent the most mature option. Here, a third party issues a security check, often a key that consists of complimentary pieces of encrypted code, to a user and a company. The user’s key is needed to begin the transaction, and the company’s key is needed to authorize it.
As a result, a transaction can only take place when both parties have the appropriate items. Typically, vendors, such as Verisign, have developed and managed the keys. In an effort to increase the use of this security check, vendors formed ad-hoc standards groups, such as the Liberty Alliance, that would be responsible for that process.
While third-party authentication lessens the likelihood of scams like phishing, it has not been widely implemented.
“Many firms have found that managing the keys is cumbersome and expensive,” said Shawn Eldridge, chairman of the Trusted Electronic Communications Forum (TECF), another vendor consortium examining the issue, as well as director of marketing at security supplier PostX.
Shared secrets are another option. One can view them as improved password security. The secrets are data, often preregistered questions and answers, such as “What’s your favorite team” or “What’s your pet’s name,” that is known by the user and the company. The questions are asked when a user logs on and rotated on a regular basis so a criminal can’t decipher the pattern.
Vendors have also been working to identify phishing sites and to block users from accessing them.
“Companies that are being really hurt by phishing activity, like online merchants and financial institutions, are taking the lead in developing technology to lessen the problem,” said Pete Lindstrom, research director at Spire Security, a security consulting firm.
The companies are actively monitoring communications between their customers and various Web sites. The suppliers then develop blacklists, lists of Web sites identified as conducting phishing activities. Vendors, such as eBay, have devised special tool bars that work within their users’ browsers. If a customer tries to visit a blacklisted site, the browser will either warn the person of potential danger or block him or her from making the trip.
Blacklists must be closely guarded because if phishers discover that their sites are on a blacklist, they will simply move to another site.
New standards are starting to emerge. Two sender-authentication proposals (one from Microsoft, dubbed Caller ID, and a second from Yahoo, called Domain Keys) are vying for attention. Under these options, e-mail senders must publish the IP address of their outgoing e-mail servers as part of an XML format e-mail “policy” in the Domain Name System (DNS) record for their domain. E-mail servers and clients that receive messages can then check the DNS record and match the “from” address in the message header to the published address of the approved sending servers. E-mail messages that don’t match the source address can be discarded.
The sender-authentication approach seems to have the most promise but also represents the most difficult work: ISPs need to update their domain name directories and e-mail clients, and companies, such as Microsoft, have to add support to their browsers.
While the vendors are aggressively taking up the task of improving authentication, delivering a solution will take a few years.
“We are essentially talking about a massive undertaking, reworking the way Internet operates,” Spire Security’s Lindstrom told TechNewsWorld.
He added: “In the next six months, the criminals will have the upper hand in the battle, so I expect the number of phishing cases will continue to rise. In a year or two, vendors should have the tools in place so they can at least slow down the rate of phishing attacks, but unfortunately, it is a problem, like viruses, that users and vendors are going to have continuously battle.”
They don’t have to wait for years – there is a solution today and it is working great!
Think about the hundreds of private phone networks in the world – they all talk to each other and you can pick up a phone on one network and talk to other people on other networks.
Now think of private email networks that don’t use the SMTP protocol but a simple use of the HTTP and other protocols through a web browser interface, with all of the PENs talking to each other behind the scenes using web services.
With the exception of the fact that people in the U.S. are generally limited to only one land-line choice, this model works. And with cell and Internet based phone services now popping up, that problem will disappear soon, too.
The private email network solution works well because only content approved by the company gets published under the company’s name – thereby certifying that when a someone see the company’s name in the "from" box, they know it came from that company.
You haven’t heard about it yet because there are way too many large companies that do not want to see this succeed. We are working with a small group of organizations (some of them are not too small) who have bought into the idea. This is the future of secure communications between all people, including businesses and consumers.