New ways to fight phishing

31 December 2005

Summary

Confronted with widespread phishing scams, which attempt to obtain confidential information from Internet users using bogus website addresses and emails, banks and other service providers are beginning to bolster their system security with new techniques.

Introduction

More than 5,000 computer attacks were recorded in August of last year, and some 25 banks in Europe have been targeted: the phishing problem continues to mushroom. The aim of this practice, also known as “brand spoofing”, is to extract money or confidential information from Internet users via emails that direct them to counterfeit websites. Victims receive a message that appears genuinely to come from a bank, Internet service provider or other online service provider. Citing a security problem, the message asks the Internet user to confirm their login details. If the user clicks on the link in the message, they reach a phoney website that is a perfect copy of the website of the organisation or company concerned. Customers of several banks have already been victims of this type of fraud. Last year, bogus charity websites for the victims of the tsunami even popped up. Google itself has been targeted: Internet users were recently invited to enter their bank card number on a replica of the famous search engine’s homepage in order to win a prize!

Given the extent of the problem, solutions using strong user authentication (such as domain name authentication, as in the Yahoo Domain Keys project, or the use of private and public keys) have been introduced. A number of banks and service providers are also using new techniques to provide their customers with more secure access to their online accounts. Here are some examples of these hardware and software solutions.

Tokens and one-time passwords

The phishing technique involves obtaining the victim’s passwords or bank details in order to access their online account. The use of tokens, with passwords that are valid for one use only, prevents this type of scam. The system is based on a small device that looks like a pocket calculator and automatically generates one-time passwords. The user enters the password displayed by their token to access their account. At the other end, the bank’s server runs the same algorithm to compute the password it expects. If the two passwords correspond, access is granted. Each generated password can only be used once, so a password that is stolen cannot be reused fraudulently. Many banks in the USA and Europe, as well as Internet service providers like AOL (for its US customers), are using these tokens. However, the system does mean additional costs for customers, who pay for the token and generally for a monthly subscription to the service.

Chip cards and USB keys for added security

To improve password security, some banks plan to add an extra identification process that uses chip cards or USB keys. To access their online accounts, customers would have to not only enter a password, but also insert a chip card in a special reader or a USB key into their computer. Unless the card or key is stolen, it would be impossible for phishing fraudsters to access the user’s bank account. The chip card system does, however, have its disadvantages: it is expensive and can’t be used without a special reader. Specific USB keys seem to be a better option for use by the general public.

Password hashing for a specific site

Password hashing is one of the countermeasures recommended by the Anti-Phishing Working Group. It is successful against identity theft because it “recomputes” the password, mixing in information specific to the site on which it is to be used. The system is transparent to the user, who simply enters their password on an online form. The browser then converts this password, combining it with the site-specific information. This means that the password actually typed by the user is never visible to the website for which it is intended; the site only receives the “hashed” password, and it grants access by checking that value, computed with the same hashing algorithm the user’s browser applies. This means that even if a user reveals their password on a phishing website, it can’t be used by hackers.
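The following is an added illustration of the site-specific hashing just described; it is not the Anti-Phishing Working Group’s or any browser’s code. It assumes the browser binds the password to the host name of the page, uses HMAC-SHA256 for the derivation and truncates the result to 20 characters; the bank and look-alike domains are constructed for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Added illustration of site-specific password hashing as the section describes it,
# not the Anti-Phishing Working Group's or any browser's code. HMAC-SHA256 and the
# 20-character truncation are assumptions of this example.

def site_key(url: str) -> str:
    """The site identity the password is bound to: the host name, lower-cased."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    return host.lower()

def hash_password_for_site(master_password: str, url: str) -> str:
    """The value the browser submits in the password field instead of the master password."""
    mac = hmac.new(master_password.encode("utf-8"), site_key(url).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:20]  # truncated to fit a typical password field (assumed limit)

class BankSite:
    """Minimal server side: it only ever stores and checks the derived value."""

    def __init__(self, url: str) -> None:
        self.url = url
        self.credentials = {}

    def register(self, user: str, master_password: str) -> None:
        # At enrollment the browser already sends the derived value, never the master password.
        self.credentials[user] = hash_password_for_site(master_password, self.url)

    def login(self, user: str, submitted: str) -> bool:
        expected = self.credentials.get(user)
        return expected is not None and hmac.compare_digest(expected, submitted)

def phishing_replay(master_password: str, real_url: str, phishing_url: str) -> dict:
    """Simulate the scam: the user types the master password on a look-alike site.
    The browser binds the value to the look-alike host, so that is all the phisher
    captures, and replaying it at the real bank fails."""
    bank = BankSite(real_url)
    bank.register("alice", master_password)
    captured = hash_password_for_site(master_password, phishing_url)
    return {"captured": captured, "real": bank.credentials["alice"],
            "replay_succeeds": bank.login("alice", captured)}

# Constructed, fictitious bank and look-alike domains for the demonstration.
RESULT = phishing_replay("correct horse battery", "https://www.bank.example/login",
                         "https://www.bank-example.com/login")
```

Because the derived value is tied to the host name, the captured string differs from the one the genuine bank stored, so the replay fails; the same binding also means a legitimate bank must serve its login page from a consistent host, or users will appear to have a different password on each.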

Security via text messaging

This system involves Internet users confirming requests for transactions or transfers via a text message sent from their mobile phone. The advantage of this system is that transactions on the online account are not authorised until the bank has received an answer to the text message. Of course, for this system to work, customers must provide the bank with their mobile number.