FOILING PHISHERS


In a perfect world, phisher spam would be turned away at your ISP's mail server and never despoil your inbox. But in the real world, phisher scams and other fraudulent email will occasionally get around even the savviest spam filters. And with pharming, DNS poisoning, and other more insidious threats on the rise (see Chapter 3, "Don't Buy the Pharm"), even savvy users who'd never fall for a phisher email can get nailed. So banks and other financial institutions are trying to make it harder for someone to spoof your identity when you log on, as well as make it harder for scammers to create bogus sites that look like your bank's.

Banks and ISPs are hoping that "two-factor authentication" will do the trick. This scheme combines something you know (such as a password) with something you have (a card or other device). If you've ever withdrawn money using an ATM card and a PIN, you've used two-factor authentication.

Hardware security tokens such as smart cards and computer dongles have been around for 20 years, but they've mostly been issued to employees at security-conscious corporations. Research firm Gartner, Inc. predicts that by 2007 up to 75 percent of financial institutions will employ some form of additional authentication, whether via software, hardware tokens, or an "out-of-band" device such as a cell phone or pager.

In September 2004, America Online and RSA Security introduced the AOL PassCode service, which employs a keychain fob that produces a new six-digit code every minute. Users log onto their accounts using both a password and the dynamically generated number. The PassCode service costs $2 to $5 a month, depending on the number of screen names on each account, plus $10 for the fob. E-Trade, Yahoo, and Sony Online Entertainment are eyeing similar technology.

Another scheme put forth by RSA Security involves your cell phone. When you log into your bank account, the web site sends a text message containing a numeric code to your phone. You must enter this code, along with your password, in order to gain entry. So far, banks in Europe and New Zealand have implemented this plan, but no U.S. banks have publicly employed it.
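What the keychain fob and the texted code have in common is a short-lived secret that the server can check against something only the legitimate user holds. The following Python is an added illustration, not AOL's, RSA's, or any bank's code. It uses the standard HOTP/TOTP construction (RFC 4226/6238) as a stand-in for the fob's proprietary algorithm, with a 60-second step, a one-step drift window, and a replay guard, and beside it the server side of the text-message scheme, where every login attempt gets a fresh random code that is single-use and expires. The names, the 60-second step, and the five-minute lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP = 60      # the AOL PassCode fob rolls its code once a minute
DIGITS = 6
DRIFT = 1      # accept one step either side to absorb clock skew between fob and server


def totp(secret: bytes, counter: int) -> str:
    """Standard HOTP/TOTP (RFC 4226/6238) over a time-step counter.

    Assumption: used here as a stand-in for the fob's proprietary algorithm.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** DIGITS:0{DIGITS}d}"


class FobVerifier:
    """Server side of the 'something you have' check for one user's fob."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # replay guard: a step, once used, is never accepted again

    def verify(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        counter = int(now // STEP)
        for c in range(counter - DRIFT, counter + DRIFT + 1):
            if c > self.last_counter and hmac.compare_digest(totp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


class OutOfBandCode:
    """Server side of the text-message scheme: one random code per login attempt."""

    TTL = 300   # seconds the texted code stays valid (assumption)

    def __init__(self):
        self.pending = {}   # username -> (code, expiry)

    def issue(self, username: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self.pending[username] = (code, now + self.TTL)
        return code   # handed to the SMS gateway, never echoed back to the browser

    def verify(self, username: str, code: str, now: float) -> bool:
        # Pop unconditionally: a code is single-use whether or not the attempt
        # succeeds, so an attacker cannot keep guessing against the same code.
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        expected, expiry = entry
        return now < expiry and hmac.compare_digest(expected, code)
```

Two details matter more than the arithmetic: a time step, once accepted, is never accepted again, and a texted code is discarded after its first use even when the attempt fails, so it cannot be guessed at leisure.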

Palo Alto, California-based PassMark offers bank customers an easy-to-understand defense against phishers. After you enter your username, you're shown an image (say, a picture of your dog) and asked to enter a pass phrase (e.g., "bad dog, no biscuit") before you can log on. Such PassMarks can also be put in email, so you know the message really came from your bank (see Figure 7-4).

Figure 7-4. With PassMark's authentication scheme, bank customers must enter their username and a pass phrase before they can log in; the image confirms it's really their bank they're talking to.


BOT'S ALL, FOLKS

2004 might well be remembered as the year of the zombie. During the first six months of 2004, Symantec's early warning system detected an average of 30,000 new zombies every day. During the last six months of the year, however, the daily average dropped to only 5,000, according to Symantec's March 2005 Internet Security Threat Report.

Why the sudden plunge? One reason is that large regional and backbone service providers have gotten more proactive in identifying botnets and shutting them down, says Alfred Huger, senior director of engineering for Symantec's security response team. Another reason: Windows XP Service Pack 2, which turns on Windows' built-in firewall by default.

"The day SP2 came out, we saw a marked decrease in the number of bots showing up in our system," says Huger. "It's difficult to attribute it to anything else but SP2."

But there's a third, less sunny reason for the drop in bots: the hackers have changed tactics. Systems like Symantec's watch for port scanning, where a zombie PC actively probes ranges of IP addresses looking for unprotected machines. But attackers are increasingly abandoning that approach for quieter ones, such as hiding a Trojan horse inside a free downloadable program, or "drive-by hacking," where your computer is infected merely by visiting a web site or viewing a pop-up ad. A PC infected this way needn't scan anything, so sensors that key on scanning never see it, which makes the number of zombies in the wild much harder to ascertain and defeat.

There's one thing that won't change in the foreseeable future: the best way to fight zombies is to install anti-virus, firewall, and anti-spyware apps, and keep them up to date. It's a lousy job, but somebody has to do it, and that somebody is you.
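To see why a scan-watching sensor misses the quieter infections, here is an added example, not Symantec's system: a toy port-scan detector run over constructed firewall log lines. The source that sweeps a dozen hosts on port 445 inside a minute trips the threshold; the drive-by-infected host that only phones home to one server every minute never does, and neither does an ordinary workstation. The log format, addresses, and thresholds are made up for the illustration.

```python
from collections import defaultdict

# Constructed log excerpt (not real telemetry): "<epoch> <src> <dst> <dport> <action>".
# 10.0.0.5 is a classic scanning zombie, 10.0.0.9 a drive-by victim beaconing to
# one command server, 10.0.0.3 an ordinary workstation.
SAMPLE_LOG = """\
100 10.0.0.5 192.168.1.10 445 DROP
101 10.0.0.5 192.168.1.11 445 DROP
102 10.0.0.5 192.168.1.12 445 DROP
103 10.0.0.5 192.168.1.13 445 DROP
104 10.0.0.5 192.168.1.14 445 DROP
105 10.0.0.5 192.168.1.15 445 DROP
106 10.0.0.5 192.168.1.16 445 DROP
107 10.0.0.5 192.168.1.17 445 DROP
108 10.0.0.5 192.168.1.18 445 DROP
109 10.0.0.5 192.168.1.19 445 DROP
110 10.0.0.5 192.168.1.20 445 DROP
111 10.0.0.5 192.168.1.21 445 DROP
100 10.0.0.9 203.0.113.7 80 ACCEPT
160 10.0.0.9 203.0.113.7 80 ACCEPT
220 10.0.0.9 203.0.113.7 80 ACCEPT
280 10.0.0.9 203.0.113.7 80 ACCEPT
102 10.0.0.3 192.168.1.10 445 ACCEPT
140 10.0.0.3 192.168.1.2 53 ACCEPT
150 10.0.0.3 203.0.113.20 443 ACCEPT
"""


def parse(log: str):
    """Turn the constructed log text into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((int(ts), src, dst, int(port), action))
    return events


def find_scanners(events, threshold: int = 10, window: int = 60) -> dict:
    """Flag any source that touches `threshold` distinct dst:port pairs within `window` seconds.

    Returns {source: distinct targets seen when the threshold was first crossed}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_src[src].append((ts, (dst, port)))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (ts, _) in enumerate(evs):
            # distinct targets inside the trailing window ending at this event
            targets = {tgt for t, tgt in evs[:i + 1] if t > ts - window}
            if len(targets) >= threshold:
                flagged[src] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    print(find_scanners(parse(SAMPLE_LOG)))
```

The beaconing host makes the same number of connections per minute as a busy workstation and to a single destination, so nothing in a scan-counting heuristic distinguishes it; catching it needs a different signal, such as the download that planted it or the traffic to the command server itself.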


The idea here is that while a phisher could easily create a bogus email message or web site that looks exactly like your bank's home page, they'd find it pretty hard to duplicate your dog (or whatever image you chose). As a second precaution, PassMark assigns a unique ID to every device you use to access your account, then makes sure the device and the account info match up before you can log on.
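One way to implement the scheme, as an added example that is not PassMark's code: the server mints a device token bound to the account with an HMAC, shows the user's image only when the username arrives from a recognized device (so knowing a username alone does not yield the image), and only then checks the pass phrase. The server key, the token format, and the pass-phrase hashing are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side key that binds device IDs to accounts
# (in a real deployment it would be persisted and rotated, not generated per run).
SERVER_KEY = secrets.token_bytes(32)


class SiteAuth:
    """PassMark-style login: the site proves itself with the user's image before the
    user proves themselves with the pass phrase; the image is shown only to a known device."""

    def __init__(self):
        self.accounts = {}   # username -> {"image": ..., "salt": ..., "phrase_hash": ...}

    def enroll(self, username: str, image: str, phrase: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "image": image,
            "salt": salt,
            "phrase_hash": hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, 100_000),
        }

    def _tag(self, username: str, device_id: str) -> str:
        return hmac.new(SERVER_KEY, f"{username}:{device_id}".encode(), hashlib.sha256).hexdigest()

    def register_device(self, username: str) -> str:
        """Mint the 'unique ID' cookie for a device, tied to this account by an HMAC tag."""
        device_id = secrets.token_hex(16)
        return f"{device_id}.{self._tag(username, device_id)}"

    def device_matches(self, username: str, token) -> bool:
        if not isinstance(token, str) or "." not in token:
            return False
        device_id, tag = token.split(".", 1)
        return hmac.compare_digest(self._tag(username, device_id), tag)

    def step1(self, username: str, device_token) -> dict:
        """Username submitted. Reveal the image only to a device bound to this account,
        so someone who knows just the username cannot harvest it for a cloned site."""
        acct = self.accounts.get(username)
        if acct is None or not self.device_matches(username, device_token):
            return {"image": None, "prompt": "unrecognized device; confirm your identity another way first"}
        return {"image": acct["image"], "prompt": "if this is your image, enter your pass phrase"}

    def step2(self, username: str, phrase: str) -> bool:
        """Pass phrase submitted after the user has recognized the image."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", phrase.encode(), acct["salt"], 100_000)
        return hmac.compare_digest(candidate, acct["phrase_hash"])
```

The image proves only that the site you reached knows something a cold copy of the bank's pages would not. A phishing site that relays your username to the real bank in real time can fetch the image and show it back to you, so treat the image as a deterrent to static clones, not a replacement for checking the address and certificate in your browser.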



    Computer Privacy Annoyances
    ISBN: 0596007752
    Year: 2005