The recent rapid growth of phishing has severely affected some well-known corporate institutions, especially banks that provide e-banking services, and is having a negative effect on customer confidence in using the Internet. According to the Phishing Activity Trends report, published by the Anti-Phishing Working Group (APWG) in October 2004, phishers are able to convince up to 5% of recipients to respond to them. The same report cites a substantial increase in phishing attacks, with the number of phishing emails reported as tripling over a three-month period from July 2004, and growing at the disturbing rate of 36% per month.
Phishing scams trick e-mail recipients into clicking a link in the message to reach the sender’s website. Once they are on the site, they are asked to enter a username (or other account information) and password. The phishing messages look so official that victims don’t notice the website is only a look-alike version of the real site.
While direct losses from phishing fraud are on the rise, the cost of managing these losses may ultimately be far greater. The potential loss of customer confidence in using the Internet as a channel for transaction services is a critical issue, especially given the rising importance of online channels for services such as e-banking, e-shopping, e-trading and e-auctioning. Application providers are screaming for solutions to ensure their online channels are secure mediums for their customers.
Legislation to fight against phishing
Legislation is often one direct reaction to this type of irresponsible activity, and the US has taken the first steps in this area. According to the Federal Trade Commission, 10 million Americans become victims of identity fraud every year. As such, two noteworthy pieces of anti-phishing legislation have gained public attention.
The first is the Identity Theft Penalty Enhancement Act (or ITPEA) signed by President Bush in July this year, which increases criminal penalties for phishing and other forms of identity fraud. This measure establishes punishment guidelines for anyone who possesses someone else’s personal information with intent to commit a crime. Under these new federal guidelines, anyone using another person’s identification information fraudulently is guilty of a new crime: aggravated identity theft. Convictions for this particular type of crime, in addition to other penalties, will result in a mandatory additional two years in federal prison.
Another noteworthy piece of legislation is the Antiphishing Bill, which was introduced in July 2004 and, if passed, will define phishing as a federal crime. The Bill addresses the core tactic of Internet scammers by prohibiting the creation of e-mail that represents itself as a legitimate message to trick the recipient into divulging personal information with intent to steal that identity.
Despite all these legislative measures, James Gildea, Director of Marketing for e-mail management firm IntelliReach, doesn’t put much faith in legal proposals. He sees attempts to legislate curbs on phishing attacks as having much the same result as recently enacted anti-spam laws. “To date, 32 states in the US have enacted anti-spam laws,” he said. “These laws have not done much to stop the flood of spam.”
Digi-Sign innovative solutions
If legislation is not an effective solution, technological alternatives may prove more efficient. Although a PKI solution may be the ultimate weapon to combat phishing attacks (as it is highly unlikely that a hacker can get hold of the other party’s private key should correct security measures be in place), the market now favours a simple, effective, low-cost and timely solution. Digi-Sign has developed two innovative solutions to counter phishing scams, both based on a shared secret between the user and the service provider.
One of the solutions makes use of mobile phones, which are popular and common. The mechanism is simple: when the user enters a service provider’s website, he enters only the username or account identity number, as the case may be. The service provider then sends an SMS message to the user’s mobile phone to acknowledge that the user has entered a valid website. Upon receipt of the SMS message, the user can then enter his password and other account information without any worries. The same methodology, with appropriate adaptations, can also validate e-trading transactions.
The other Digi-Sign solution is slightly more complicated, but doesn’t require external tools such as mobile phones. Take e-banking as an example. The user initially has to log in with his name and select a statement, question or picture, which he has pre-registered with the bank for verification.
After typing in the user name, a randomly chosen one of the pre-registered statements/questions/pictures will appear to confirm that the user has entered the correct website. However, the statement/question/picture will only remain on screen for 10 seconds, to make it more difficult for hackers to capture it. Users can also change the statement/question/picture regularly.
To further enhance security, the user may choose to see more statements/questions/pictures until he is confident that he has entered an authenticated website. With such a safeguard, the user will feel safe to enter the password after verification and begin e-banking.
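The two mechanisms described above share one shape: the site acknowledges the username first (by SMS, or by showing a pre-registered statement/question/picture), and only then asks for the password. The following Python model, written for this article as an illustration and not Digi-Sign's own code, puts both into one two-phase login. The SiteVerifier class, the single-use challenge token, the injected SMS sender and the sample account for "alice" are all constructed here; the 10-second display window and the option to request further phrases follow the text.

```python
import hashlib
import os
import secrets
import time
from dataclasses import dataclass

PHRASE_DISPLAY_SECONDS = 10   # the article's 10-second display window


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    phone: str
    salt: bytes
    password_hash: bytes
    phrases: list           # pre-registered statements/questions/pictures, in order


@dataclass
class Challenge:
    username: str
    shown: int = 0          # how many phrases have been revealed on this login
    shown_at: float = 0.0   # when the latest phrase was revealed


class SiteVerifier:
    """Hypothetical two-phase login: the site acknowledges the username first
    (SMS and/or pre-registered phrase); only then is the password accepted."""

    def __init__(self, accounts, send_sms, clock=time.time):
        self._accounts = {a.username: a for a in accounts}
        self._send_sms = send_sms     # callable(phone, text); injected so it can be faked
        self._clock = clock
        self._challenges = {}         # token -> Challenge

    def begin_login(self, username):
        """Phase 1: the user types only the username. Returns a challenge token."""
        account = self._accounts.get(username)
        if account is None:
            return None               # unknown username: no acknowledgement of any kind
        token = secrets.token_urlsafe(16)
        self._challenges[token] = Challenge(username)
        # SMS variant: acknowledge to the registered phone that a login has started.
        self._send_sms(account.phone, f"Login for {username} started at the genuine site")
        return token

    def next_phrase(self, token):
        """Phrase variant: reveal the next pre-registered phrase (the user may ask for several)."""
        challenge = self._challenges.get(token)
        if challenge is None:
            return None
        phrases = self._accounts[challenge.username].phrases
        if challenge.shown >= len(phrases):
            return None               # every registered phrase has already been shown
        phrase = phrases[challenge.shown]
        challenge.shown += 1
        challenge.shown_at = self._clock()
        return phrase

    def displayed_phrase(self, token):
        """What the page should show right now: the phrase disappears after 10 seconds."""
        challenge = self._challenges.get(token)
        if challenge is None or challenge.shown == 0:
            return ""
        if self._clock() - challenge.shown_at >= PHRASE_DISPLAY_SECONDS:
            return ""
        return self._accounts[challenge.username].phrases[challenge.shown - 1]

    def finish_login(self, token, password):
        """Phase 2: accept the password only against a live, single-use token."""
        challenge = self._challenges.pop(token, None)
        if challenge is None:
            return False
        account = self._accounts[challenge.username]
        candidate = hash_password(password, account.salt)
        return secrets.compare_digest(candidate, account.password_hash)


class FakeClock:
    """Controllable clock so the 10-second window can be exercised offline."""
    def __init__(self, start=1000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def make_demo():
    """Constructed sample data: one e-banking customer with two registered phrases."""
    salt = os.urandom(16)
    account = Account("alice", "+00-000-0000", salt,
                      hash_password("correct horse", salt),
                      ["The red kite flies at dawn", "Q: first pet? A: Biscuit"])
    sms_log = []              # stands in for the SMS gateway
    clock = FakeClock()
    verifier = SiteVerifier([account], lambda phone, text: sms_log.append((phone, text)), clock)
    return verifier, sms_log, clock


if __name__ == "__main__":
    verifier, sms_log, clock = make_demo()
    token = verifier.begin_login("alice")
    print("SMS sent:", sms_log[-1])
    print("phrase:", verifier.next_phrase(token))
    clock.advance(11)
    print("shown after 11 s:", repr(verifier.displayed_phrase(token)))
    print("login ok:", verifier.finish_login(token, "correct horse"))
```

Two design choices are worth noting. The password is checked only against a token issued in phase 1 and consumed on first use, so the verification step cannot be skipped or replayed; and an unknown username produces neither an SMS nor a phrase, so the acknowledgement is tied to an account the service actually holds.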
Thus, even if phishing cannot be combated absolutely, it is hoped that innovative solutions such as these will help e-service users feel safe and secure in conducting their daily and essential business on the Internet.