[Mb-civic] A washingtonpost.com article from: swiggard@comcast.net

[swiggard at comcast.net]

You have been sent this message from swiggard at comcast.net as a courtesy of washingtonpost.com 
 
 New Industry Helping Banks Fight Back
 
 By Brian Krebs
 
  A bustling new sector of the technology industry is helping companies cope with a surge in online financial fraud known as "phishing," which uses e-mail to lure people into giving up their financial data at counterfeit bank and e-commerce Web sites. 
 


 But the fledgling industry as a whole has adopted divergent approaches to combating the problem, and there are signs that federal regulators could soon step in and mandate specific technologies. As a result, many banks have put off adopting the new services until the market matures. In the meantime, some security experts say, a few banks are resorting to hacker-like tactics in their own defense. 
 


 Only a fraction of the roughly 9,000 financial institutions nationwide have been targeted by phishers, but that ratio is changing for the worse each day. To date, online con artists have impersonated more than 150 banks, yet only about a third of those targets have deployed commercial protective technologies, said David Jevans, chair of the Anti-Phishing Working Group, a coalition of banks and technology companies. 
 


 The anti-phishing market is so young that there is little public analyst information about how much banks are spending on the new technologies. The annual sales for each of the companies contacted for this story varied widely, ranging from less than $1 million to $20 million. But several companies only began selling their services in mid-2004, and nearly all said they expected business to double in 2005 as attackers begin targeting other industries. 
 


 Jim Maloney, chief security officer for Portland, Ore.-based Corillian, said the company provides anti-phishing services to roughly 20 banks, with nearly as many currently evaluating its products. Maloney declined to name the company's clients, but said the banking sites it manages in-house range from credit unions to several of the top 30 biggest financial institutions. 
 

Getting Ahead of the Phishers


 Most anti-phishing companies offer a mix of products, such as domain-name monitoring -- checking to see if potentially deceptive Internet addresses have been registered -- and a "takedown" service that involves contacting the Internet service provider (ISP) responsible and persuading them to shut down the offending site. 
 


 But phish busting is a complex endeavor that involves combating online criminal activity on a multitude of fronts, and most companies admittedly excel at just one or two of those areas. Some companies sift junk e-mail; others scour the Web for fraud sites. Some rely on close relationships with domain registrars and ISPs to gain intelligence on current or future attacks. Still others monitor online banking sites for signs that the sites are being cased as possible targets. 
 


 In acknowledgement of the fragmented market for the technologies they offer, several leading anti-phishing companies recently formed the "Anti-Fraud Alliance" to appeal to companies looking for a more comprehensive strategy. The group's members have agreed to promote and re-sell each others' products.
 


 Perhaps the most recognizable name in the alliance is Cupertino, Calif.-based Internet security firm Symantec Corp., makers of Norton antivirus software. Symantec provides customers with information about the latest e-mail scams. Last May, at the height of 2004's phishing epidemic, Symantec acquired anti-spam company Brightmail and now sells access to its spam caches to give clients early warning of scam e-mails. 
 


 One of the more unique approaches comes from Corillian, another member of the alliance. The company got its start in 1997 developing online banking sites for financial institutions and has built more than 60 such sites so far, a dozen of which are controlled directly from its headquarters. Because of this background, Corillian is adept at spotting the telltale signs of an impending phishing attack.
 


 Phishers casing a bank often spend unusual amounts of time on a site they wish to target, or use automated tools to quickly download a copy of every page on the site. Corillian also pays special attention to suspicious bank Web site traffic on weekends, when most phishers conduct their reconnaissance, Maloney said. 
 


 To look more authentic, many fraudulent Web sites also link directly to high-quality images on the targeted bank's real site. By scouring the bank's Internet logs for "hits" from unauthorized sites using their customers' images, the company often can locate a fraud site while it is still being built.
 


 Phishers nearly always verify stolen information before selling it on the black market, so when Corillian spots someone accessing numerous online bank accounts from the same Internet address, the company notifies the bank that those accounts have likely been compromised. 
 


 Alliance partner NameProtect, also based in Portland, watches for signs that phishers are incorporating its clients' trademarks by monitoring spam and domain-name registrations and by trawling the Internet for counterfeit bank sites that are still in production. 
 


 In mid-2004, NameProtect inked a deal with MasterCard International to track the underground market for credit card information. Since then, the company has helped MasterCard find tens of thousands of stolen account numbers, said Sergio Pinon, MasterCard's senior vice president of global security. 
 


 NameProtect also shares most of its intelligence with the U.S. Secret Service and the FBI. Last year, the company helped authorities track down and shutter dozens of fraud-enabling Web sites that trafficked in more than 1.4 million stolen credit card numbers. 
 


 One of NameProtect's closest competitors, San Francisco-based MarkMonitor, last July launched a new service to help customers keep their brand names out of phishers' hands by monitoring online chat rooms and Internet-address registries to spot potential scam Web sites. MarkMonitor uses this data as evidence to convince registrars to transfer ownership of the domains to the companies that own the trademarks. 
 


 MarkMonitor, which is not part of the Anti-Fraud Alliance, also is rolling out another service called Identity Tracker, which can search the company's millions of Internet address records to connect a fraudulent or infringing site with the site's creator or owner. 
 


 Phishers who register domain names that contain trademarked words usually purchase the sites under false identities -- often using the credit data and identities of previous fraud victims. But Mark Shull, MarkMonitor's president and chief executive officer, said that in many cases scam artists reuse at least one piece of information with each registration, usually an e-mail address. By correlating registration data for a known fraud site against millions of other records, the company often finds that the same individual has registered dozens or even hundreds of addresses that could be used in future attacks. 
 


 "In many cases there are sites out there that give you the true identity or at least some piece of real information about whoever is behind it," Shull said. 
 

Poisoned Phish


 Few banks are eager to discuss publicly the steps they are taking to keep out hackers and identity thieves, in part because the scammers can use the information to make future attacks more successful. But some experts say a number of banks have taken a page from the attackers' playbook by using legally questionable techniques to disable public access to fraudulent sites. 
 


 Shutting down a phishing Web site can be a time-consuming and expensive task, particularly if the site is based in a foreign country that either lacks anti-hacking laws or stringent enforcement of such laws. The typical fake site stays online for six days before being shut down; in the meantime the company targeted by the scam must battle a public perception that it is powerless to prevent customers from being robbed. 
 


 Faced with such uncertainty, experts say some banks will quietly overwhelm the fraud sites with so much data that they can no longer accept information from would-be victims. These banks submit massive amounts of phony personal and financial information to a fraud site to dilute the phisher's database, a technique known as “stuffing” or poisoning.” 
 


 But Tom Liston, president and founder of Ingleside, Ill.-based LaBrea Technologies and a volunteer at the SANS Internet Storm Center in Bethesda, Md., said poisoning can result in a de facto "denial-of-service" attack. When launched with the intent to disable a legitimate Web site, such an attack is a federal crime that can carry a penalty of up to 10 years in prison. 
 


 "What you find is that these phishing sites are mostly run off of Web servers that have been installed on hijacked home computers, so they can't really take a whole lot of submissions all at once," said Liston, who said he has written and tested his own stuffing program against several fraud sites. "I've seen plenty of evidence that indicates that the banks have taken down sites this way, but most will never admit it or if they do they'll say it was done inadvertently as a result of poisoning." 
 


 A number of anti-phishing companies offer the retaliatory service, but few advertise them. One exception is New York City-based Cyota, which specializes in convincing ISPs to quickly disable phishing sites. The average fraud site stays active for roughly six days, but the company claims that most fraud sites targeting its customers last fewer than 5 hours. 
 


 Amir Orad, Cyota's vice president of marketing, said his company offers a poisoning service but that it does not condone denial-of-service attacks. Orad said the service is designed to help banks plant dummy account information at phishing sites, which the banks can then use as breadcrumbs leading them back to the people behind the attacks.
 


 Submitting too much fake data at once would only alert the phishers that the bogus information is being offered as a trap, Orad said. He added that Cyota has applied for several patents on its poisoning technology, which ensures that several minutes pass between submissions of dummy account data. 
 


 Dan Larkin, unit chief of the FBI's Internet Fraud Compliant Center in Morgantown, W.Va., said he has heard reports of banks disabling sites by knocking them offline, but added that the FBI has no evidence that any such incidents ever occurred. 
 


 Liston said he's not surprised. "Who exactly are the phishers going to complain to?" 
 

Phish: An Endangered Species?


 All of the anti-phishing companies can point to graphs or statistics on how rapidly their technologies can detect and disable scams, but few boast that they have devised a solution to prevent scams from being launched in the first place. 
 


 Yet security experts say banks can blunt attacks by requiring their online customers to use so-called "two-factor authentication": something they know – their username and password – plus something they have, such as a tiny, unique photograph or file that resides on their own computers. 
 


 Anti-Fraud Alliance member Passmark Security of Redwood City, Calif., offers such a service, and last month the company announced that a federal credit union has opted to require all of its customers to use Passmark's technology for online banking. 
 


 Few banks require such measures, in large part because of worries that they could drive customers away from Internet banking, which has helped banks to dramatically reduce customer service costs, said Ed Skoudis, founder of Intelguardians, a Washington-based information security consulting firm that frequently works with banks. 
 


 However, financial institutions may be starting to change this view, perhaps because of federal pressure. In December, the Federal Deposit Insurance Corp, which investigates financial institutions for compliance with banking regulations, issued recommendations urging banks to adopt two-factor authentication technologies as a way to stave off what it called a wave of "bank account hijacking." 
 


 "If the FDIC writes it, the [Office of the Comptroller of the Currency] and other regulators are almost certainly going to consider whether there should be hard and fast rules," said Jevans of the Anti-Phishing Working Group. 
 


 Officials from the OCC declined to comment for this story. But many in the financial services industry say there is little evidence that consumers are suffering large losses from the attacks, and that in most cases the credit card company or bank will absorb the costs of fraud. 
 


 Despite an eighty-fold increase in phishing attacks over the past year, banks haven't suffered corresponding losses because they have improved their methods for detecting fraudulent transactions before they are fully processed, said Chuck Wade, project leader for the Financial Services Technology Consortium, a group of banks, financial services firms, universities and government agencies. 
 


 Still, Wade said, such precautions are largely hidden from consumers, while the high visibility of relentless attacks threatens to undermine consumer confidence in online banking. And that visibility is becoming increasingly difficult for regulators and lawmakers to ignore. 
 


 "Pretty much everyone in the [banking] industry agrees that better authentication is important and needed," Wade said. "But we have to recognize that it has to be done with a long-term view in mind and in a cooperative fashion across multiple industries." 
 


 There are indications that preventive technologies are helping to deflect attacks, if only toward banks that may not be as experienced in fighting online fraud. In recent months, phishers have begun targeting dozens of smaller, regional financial institutions, many of which have operations in just a handful of states. 
 


 Kevin Omiliak, vice president of marketing for NameProtect, said online criminals will continue widening their target lists unless more financial institutions embrace anti-phishing technologies. 
 


 "If only the top two dozen banks deploy a solution ... then this will remain a Whac-a-Mole problem for some time," Omiliak said. 
 


 The FBI's Larkin said the anti-phishing industry continues to provide invaluable intelligence on the networks of online criminals behind these scams, data that is aiding numerous investigations. 
 


 "As we develop a better approach to the problem in terms of investigating and prosecuting these types of crimes ... a deterrent effect should follow," Larkin said. "We're doing some very good things with investigations that have led to search and seizures that you're not necessarily going to see the results of for a while. For now, we're simply making our way up the fraud food chain." 
 



Would you like to send this article to a friend? Go to 
http://www.washingtonpost.com/ac2/wp-dyn/admin/emailfriend?contentId=A6367-2005Mar4&sent=no&referrer=emailarticle
 
 

Visit washingtonpost.com today for the latest in:

News - http://www.washingtonpost.com/?referrer=emailarticle

Politics - http://www.washingtonpost.com/wp-dyn/politics/?referrer=emailarticle

Sports - http://www.washingtonpost.com/wp-dyn/sports/?referrer=emailarticle

Entertainment - http://www.washingtonpost.com/wp-dyn/artsandliving/entertainmentguide/?referrer=emailarticle

Travel - http://www.washingtonpost.com/wp-dyn/travel/?referrer=emailarticle

Technology - http://www.washingtonpost.com/wp-dyn/technology/?referrer=emailarticle




Want the latest news in your inbox? Check out washingtonpost.com's e-mail newsletters:

http://www.washingtonpost.com/ac2/wp-dyn?node=admin/email&referrer=emailarticle

Washingtonpost.Newsweek Interactive
c/o E-mail Customer Care
1515 N. Courthouse Road
Arlington, VA 22201 

© 2004 The Washington Post Company