Evading Phishers' Hooks

Strong authentication is needed to blunt "phishers'" hooks.

Do you know what "phisher" fraud is? If you don't, you should. In phisher fraud, a prankster copies a Web site, hosts it on his or her domain, then sends convincing spam—which appears to be authored by the real owner of the site—to millions of users requesting they return to the hijacked site to "secure your account." At the masquerading site, a victim faces a branded page requesting such information as user ID, password, credit card number and expiration date, and Social Security number. Unwittingly, a number of victims have given up their private access information to criminals.

If you're a retailer and struck by phisher fraud, it's bad. You've got accounts creating mischief, and you and the credit card companies have an exposure. If you're the account holder, it's a hassle, and you'll have some fraudulent charges to deal with. However, if a bank gets stung, the life savings of a customer could be at risk. With just a user name and password, there's typically no limit to the size of a check or a transfer that a culprit can create online.

This type of scam will only get worse unless we change the way we access the Internet. The solution is strong, multifactor authentication. This kind of authentication is not new; it can prevent prank phone calls from being made from cell phones, and it helps keep ATMs from attack by pranksters.

Strong authentication, according to some estimates, has enabled a billion-dollar market for downloadable ring tones for mobile handsets. On unauthenticated desktops, in contrast, the market for all types of music has been negligible. Authentication is at the core of e-commerce.

I'm not suggesting we eliminate anonymity. However, it's time for sites, individuals and the PC industry to adopt strong authentication. With a simple microprocessor Subscriber Identity Module card such as those in some credit cards and in Global System for Mobile Communications phones issued by wireless carriers, you could authenticate yourself to a site and, in turn, have the site authenticate itself to you. Remember, as in phisher fraud, identity theft works in both directions.
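To show why a card-held key changes the picture, here is an added illustration (not code from the column or from any vendor): a challenge-response mutual authentication in which the card proves itself to the site and the site proves itself to the card. It assumes a per-user shared secret and HMAC-SHA256 as a stand-in for the card's real credential and algorithm; the point is that a copied site with no key can neither reuse what it collects nor pass the site-to-card check.

```python
import hmac
import hashlib
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF: HMAC-SHA256 over the labelled, delimited parts (assumed stand-in)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Card:
    """Stand-in for the user's microprocessor card: the key never leaves it."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, site_nonce: bytes):
        # Bind the proof to both sides' fresh nonces so a capture is useless later.
        card_nonce = secrets.token_bytes(16)
        return card_nonce, prf(self._key, b"card", site_nonce, card_nonce)

    def verify_site(self, site_nonce: bytes, card_nonce: bytes, site_proof: bytes) -> bool:
        expected = prf(self._key, b"site", card_nonce, site_nonce)
        return hmac.compare_digest(site_proof, expected)


class Site:
    """Genuine site holding per-user keys (constructed sample key store)."""

    def __init__(self, keys: dict):
        self._keys = keys

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_card(self, user: str, site_nonce: bytes, card_nonce: bytes, card_proof: bytes):
        key = self._keys.get(user)
        if key is None:
            return None
        if not hmac.compare_digest(card_proof, prf(key, b"card", site_nonce, card_nonce)):
            return None
        # Only a holder of the key can produce the site-side proof.
        return prf(key, b"site", card_nonce, site_nonce)


class CopiedSite(Site):
    """A look-alike site with no keys: it can record the exchange but cannot prove itself."""

    def __init__(self):
        super().__init__({})

    def verify_card(self, user, site_nonce, card_nonce, card_proof):
        return secrets.token_bytes(32)  # bluff: a random "proof" the card will reject


def login(card: Card, site: Site, user: str) -> bool:
    """Run the mutual exchange; True only if both directions verify."""
    site_nonce = site.challenge()
    card_nonce, card_proof = card.respond(site_nonce)
    site_proof = site.verify_card(user, site_nonce, card_nonce, card_proof)
    return site_proof is not None and card.verify_site(site_nonce, card_nonce, site_proof)
```

Because each proof is bound to fresh nonces, a recorded card response fails against the genuine site's next challenge, and the look-alike site fails the card's check; a live relay between the two would still need channel binding to defeat, which this sketch does not address.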

Until the PC industry figures out how to get more security than a user name and password into its customers' hands, my bet is there's going to be some great phishing ahead.

Some of the more advanced PC companies, along with such carriers as Vodafone, are beginning to offer support for microprocessor card readers. It's time you looked into how your site could leverage the technology to strongly authenticate customers and employees and protect your company from corporate identity theft.

Jonathan Schwartz is executive vice president of software for Sun Microsystems Inc. Free Spectrum is a forum for the IT community. Comments and submissions may be sent to free_spectrum@ziffdavis.com.