
Saturday, July 23, 2005

 

Phishing Targeting Small Banks

Smaller regional banks and credit unions have become prime targets for phishing -- sophisticated scams that send fraudulent e-mails to consumers directing them to fake Internet sites where they are ordered to provide personal or account information -- experts told UPI's The Web. Phishing scams hit an all-time high this spring, and even members of the White House employees credit union were probed. "The reason that phishing is on the rise is that there is a lot of money to be made illegally," said Alex Shipp, a senior antivirus technologist at MessageLabs in New York City, a provider of e-mail security services for businesses. "If you are a criminal and want to get into the business, there are people who will sell you software to set up illegal Web sites, and people who will process the credit card numbers you've stolen. A whole underworld infrastructure is developing."

Shipp's firm has produced a telling testimony on the phishing phenomenon. The study, part of MessageLabs' Intelligence Monthly Report for May 2005, indicated phishing attacks reached 9.1 million during May, an increase of about 1.4 million from the previous high reached last January. Massive amounts of scam e-mails are directing consumers to Web sites dressed up to look like those of Citibank, Northern Trust or LaSalle National Bank, as well as lesser-known financial firms.
Shipp said generally the smaller institutions use fewer security safeguards, and their customers may completely trust any e-mail coming to them that purports to be from their bank. The criminals are exploiting this. "At these smaller banks, they can compromise a few accounts, and get a lot of money, or at least what seems to be a lot of money for them," he said. "Many of the criminals are from the countries of the former Soviet Union. They don't need to have a lot of money to be considered rich."

Federal regulations have been put in place to protect the data of customers at all financial institutions, but sometimes the smaller institutions do not have the resources to pay for top-notch IT security, said John Colbert, chief executive officer of Guidance Software in Los Angeles, a security software company. "If they have a breach in security, they still have to notify customers," Colbert said. Banks and financial institutions are fighting back against the overseas hackers with new authentication technologies and better consumer-education programs. For many years, technologists have touted biometric readers -- technologies that can scan an individual's retina or read a thumbprint -- as a way of making Internet computing secure. The problem is that such solutions are based on hardware and are very expensive.

Now, software developers are attacking the problem. BioPassword, in suburban Seattle, has developed software that can track the unique ways every individual types on a computer keyboard.
"There is a particular way that each individual holds the keys and releases the keys, and a particular latency between each keystroke that each person has," said Greg Wood, BioPassword's chief technology officer. "The differences are in milliseconds -- and can be computed mathematically. Individual typing patterns may be more unique than individual thumbprints." Wood called the software impossible to crack, because no one can replicate the rhythm of another typist.

The technology was first developed for military applications at the Rand Corporation, the government-sponsored R&D think tank. It is related to the analysis of dots and dashes of the Morse Code communicators during World War I, said Wood, who previously worked at Microsoft for nine years before joining start-up BioPassword recently.

Education Needed

Smaller financial institutions are starting to educate their customers about the risks of phishing scams, even as they are seeking software to solve their security and authentication problems, said Chris Novak, a senior consultant at Cybertrust in New York City. "They're adding materials to their Web sites, telling customers to be aware of the problem," Novak said. "Education is often the first step in stopping the criminals." In addition, smaller financial institutions are developing operational response plans, anticipating they will be victimized by a phishing attack. They also are planning how to conduct investigations of attacks when they do occur. The companies worry that if they do not address the issues, their brand images will be hurt, perhaps permanently. They also worry their customers might become victims of ID theft if they do not improve security. "At a lot of these smaller banks, you don't even have to present an ID when you go up to the teller and make a deposit or withdrawal," Novak said, "but it's not the same on the Internet. Any organization can be phished."


Brought to you by Guardian eCommerce.




