Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain. The phishers may then use the information to conduct criminal activities for profit. A typical phishing email may ask the recipient to click on a URL that appears to belong to a well-known Web site, but the link actually directs the user to a malicious site with the fraudulent intent to steal information.
In a recent twist, phishers have replaced malicious URLs with malicious “1-800” phone numbers. The brand name targeted in one particular instance was Chase Bank. The Chase Bank scam was initiated when users were enticed to dial a rogue 1-800 number listed in a phishing email. When they connected to the number, they were greeted by a warm voice asking for their account number, expiration date, and last four digits of their social security number. The message ended by acknowledging that the account details had been verified. The users probably hung up the phone feeling satisfied, while the attacker was most likely having a field day with his new-found wealth.
One worrisome aspect of this type of email is that traditional anti-phishing tools rely on analyzing a URL (or the Web site it ultimately directs the user to) found in the email text to ensure it is legitimate, but they cannot easily analyze telephone numbers within email text. The ultimate defense against phishing is user education; however, most users do not have the technical background to make sound security decisions. This is primarily because they do not have a sense for the right kinds of trust clues to look for when establishing that a particular email is from a reliable source.
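As an added illustration of the gap just described (this is example code, not part of the original post or any vendor's filter), the check below extracts toll-free numbers from email text in their common spellings and compares them against the numbers a brand actually publishes. The brand directory and the 555-01xx numbers are constructed placeholders; a real deployment would populate the directory from the brand's official contact pages.

```python
import re

# Toll-free area codes in the North American Numbering Plan (the "1-800" family).
TOLL_FREE_CODES = {"800", "833", "844", "855", "866", "877", "888"}

# Matches common spellings: 1-800-555-0100, (800) 555-0100, 800.555.0100, 1 800 555 0100
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

# Constructed allowlist: the numbers a brand really publishes (555-01xx are fictional).
KNOWN_NUMBERS = {
    "chase": {"8005550100"},
}


def extract_numbers(text):
    """Return the distinct 10-digit numbers found in the text, in order of appearance."""
    seen = []
    for m in PHONE_RE.finditer(text):
        digits = "".join(m.groups())
        if digits not in seen:
            seen.append(digits)
    return seen


def classify_number(digits, brand):
    """Label a number relative to the brand the message claims to come from."""
    if digits in KNOWN_NUMBERS.get(brand, set()):
        return "published"          # appears in the brand's own directory
    if digits[:3] in TOLL_FREE_CODES:
        return "unknown_toll_free"  # looks official but is not one the brand publishes
    return "unknown"


def assess_email(text):
    """Find which listed brand the message names and score every number against it."""
    lowered = text.lower()
    brand = next((b for b in KNOWN_NUMBERS if b in lowered), None)
    findings = {n: classify_number(n, brand) for n in extract_numbers(text)}
    # A message that names a brand but carries a number the brand does not publish
    # deserves the same scrutiny a lookalike URL would get.
    suspicious = brand is not None and any(v != "published" for v in findings.values())
    return {"brand": brand, "numbers": findings, "suspicious": suspicious}
```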
Currently, an average user does consider the look and feel of the message to some extent when making a security decision. In reality though, the aspects of “look” and “feel” are much easier to reproduce than a user might realize. What makes matters worse is that companies may be conditioning users to make bad security decisions. For example, a couple of years ago, I received a letter from what appeared to be my credit card company, asking me to call them regarding a strange charge on my card. This letter looked like a complete fake. The stationery used differed from the type used in the regular statements I received (and for that matter, in any other correspondence I received from them), and in particular there was no logo of any sort on the letter. The letter provided me with a 1-800 number of the fraud department so I could investigate the charges further. So, I called the 1-800 number straight away. NOT!
I called the credit card company directly, using the 1-800 number printed on the back of my card (curiously, the main number for the company also looked completely different from the number sent in the letter, adding to my suspicion that the latter was from a fake source). After calling the company directly, I asked to be transferred to the fraud department. The letter, as it turned out, was actually genuine. I resolved everything with the credit card company, and gave them some suggestions about improving their security practices, although I doubt they listened.
I was left with a very uneasy feeling about the security practices of the company. An attacker could have sent a similar letter which included their own fraudulent phone number. A naïve customer could have called the attacker’s number and probably divulged his credit card number and expiration date, social security number, billing address, and who knows what else.
This brings me to a related issue. Another area where companies may have conditioned their users into making bad security decisions is in the belief that one-way authentication is sufficient. Today, when you call most financial services institutions like credit card companies or banks, they ask you for all sorts of information to verify who you are (for example: your account number, address, social security number, mother’s maiden name, and other personal information that only you should know). In other words, they essentially “authenticate” you. Unfortunately, this authentication is purely unidirectional. They didn’t answer any of your questions, if you actually had any. How do you know that you are talking to them confidentially, and not someone else? They have not authenticated themselves to you. By not doing so, they send the message that one-way authentication is sufficient, and thereby increase the likelihood of their customers getting duped by mysterious letters that appear in both their email and snail mail.
Maybe the next time you call one of these companies, you should ask them to answer some basic questions as well!