6. Make yourself a difficult target. Perhaps the most important thing you should do is examine whether your authentication process is strong enough. Miller, who declined to divulge any details about the impact of the June 25 phishing attack, says PayPal is looking at a host of stronger authentication options, giving users tokens from RSA Security, which would create a new password every 60 seconds. PayPal is also considering biometric techniques such as collecting a voiceprint from customers. Several European banks are already experimenting with stronger authentication methods for online banking and payment authorization. Scandinavia's Nordea gives customers a scratch-off card (similar to a lottery ticket) that contains one-time-use passwords that customers use along with their chosen password. Barclays is piloting handheld smart-card readers for its MasterCard customers. When a cardholder wants to make a purchase online, he puts his card (which contains a smart chip) into the portable card reader and punches his PIN in. The device then displays a secure, one-time code that the customer enters into a pop-up box on the retailer's Web site. Salmond of APACS says that the devices cost less than $10.
The key, of course, is making sure customers will use these tools. "You can give customers a whole range of different tools to identify themselves," says Salmond, "but if they then hand over their password or credit card number to a third party," such techniques offer no protection whatsoever. And if phishers can access your customers' accounts - or, worse, steal their identities - it's your brand, and your bottom line, that will suffer.
SIDEBAR: Test Your Phishing Acumen
E-Mail security vendor MailFrontier offers a challenging quiz to test your phishing IQ. View 10 real-life examples of suspect e-mail messages, then decide - legitimate or fraud? Go to: survey.mailfrontier.com/survey/quiztest.html and see how you do.
SIDEBAR: More Resources in the Phishing Fight
The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and e-mail spoofing. Check out APWG's incredibly useful site, which publishes monthly phishing attack trend reports and offers annotated examples of current phishing scams as well as an archive of past phishing e-mails.
Trusted Electronic Communications Forum (TECF) is a new organization formed by companies in the retail, financial services, telecommunications and high-tech industries to combat phishing, spoofing and identity fraud. One of the group's first initiatives is hammering out what it calls a Trusted Dialog standard. The idea is to offer free plug-ins for e-mail clients which will review all messages and flag as potentially fraudulent any that purport to be from an organization using the TECF spec but are not properly signed by that organization. TECF's goal is to have plug-ins available this northern autumn.
TECF's Board of Governance includes representatives from ABN AMRO, AT&T Wireless, Best Buy, Charles Schwab, CipherTrust, DIRECTV, E*Trade, Fidelity Investments, GE Access, HSBC, IBM, National City Bank, PostX Corporation, Royal Bank of Scotland and Siebel Systems.
SIDEBAR: Ten Tips for a Spoof-Proof Life
Some helpful hints for your employees and customers
- Treat with caution any unsolicited e-mail that purports to come from a trusted company.
- If you're suspicious about an e-mail, don't click on any links. Don't even cut and paste a link into your browser. Open a new browser window and type the URL for the company yourself. Hyperlinks can show you one thing, but send you somewhere else.
- Be suspicious of e-mails that don't greet you by name. A message that says "Dear eBay customer" probably is not from eBay.
- Ask yourself: Why is the company writing to me about this? If you have any doubts, call the company or go to its Web site on your own.
- Don't click on any attachments: They could contain viruses or spyware that records where you go online and captures any passwords or credit card numbers you type online.
- Look for "https" in URLs displayed in your browser's address bar. The "S" stands for secure. If you don't see it, you're not in a secure Web session and shouldn't enter any personal or financial data.
- Another clue: If you see an @ sign in the middle of the URL, good chance this is a phishing site. Legitimate companies use the domain name in their Web address (www.company.com), and don't have an @ sign in their URL address.
- Maintain up-to-date firewalls and security patches.
- If your information is compromised, get a fraud alert placed on your credit report.
- Visit The Federal Trade Commission's ID Theft page (www.consumer theft) for more information on how to protect yourself from identity theft.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.