Phishing is an example of a social engineering technique used to fool users, and exploits the poor user experience of current web security technologies.
Phishing is typically carried out by e-mail or SMS, and often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. At this point the user’s computer security is likely to show a warning. The problem is that it’s a familiar-looking ‘call to action’, the same dialog that last ‘popped up’ when you clicked on a photo attachment a ‘smart’ uncle had sent in PDF format.
Moreover, it’s all very well hearing “have the latest anti-virus software applications loaded, and download all security patches (yawn) to your operating system in a timely fashion ...”, but who does? And does everyone know how to?
SABRIC (South African Banking Risk Information Centre) says phishing criminals try to mimic the reputable business as closely as possible, carefully copying the look of the business’s e-mail, and then directing the user to a fake website.
“The fraudsters go to great lengths to ensure that their fake websites look almost identical to the legitimate website of a bank.”
This often makes it difficult for users to make the distinction between a genuine e-mail and the fake. It is important that users become vigilant and check all e-mails carefully when they make financial transactions online, SABRIC says, and going to a website from a link in e-mails, even when they seem genuine, should be avoided.
A common strategy is an e-mail warning of a ‘security alert’ that needs urgent attention, or a request from the bank for customers to update their information for ‘operational’ or ‘security’ purposes. The bank client is then asked to disclose personal information such as usernames, passwords, telephone numbers or bank card details through bogus online forms on that site.
Unfortunately, we’re all going to have to stop hiding behind the sofa, hoping that an ‘anti-something-or-another’ will somehow put an end to the problem. Just like backups (yawn!) and flossing, it’s that waste-of-time activity that we *really* need to do. To avoid phishing attempts, contact the company directly when it sends you an e-mail, or type the company’s website address into your browser yourself.
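The advice above (don’t follow links in e-mails, type the address yourself) can be turned into a simple check a mail client or a training tool could run. This is an added example, not code from the original post: it parses the links in an e-mail body and flags any whose visible text names one domain while the `href` goes to another, or whose `href` leaves the domain the mail claims to come from. `bank.example` and `verify-login.test` are constructed placeholder names, and the domain parsing is deliberately simplified.

```python
"""Flag e-mail links whose visible text points one way while the href leads
elsewhere, or that leave the sender's domain at all. Added example, not from
the original post; the sample mail below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

def registrable_domain(host):
    """Crude 'bank.example' from 'login.bank.example'. Assumption: multi-label
    suffixes such as co.za are ignored; real code should use a suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, expected_domain):
    """Return (href, text, reason) for every link a reader should not trust."""
    collector = LinkCollector()
    collector.feed(html)
    expected, findings = expected_domain.lower(), []
    for href, text in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        if target != expected:
            reasons.append("href goes to %s, not %s" % (target or "?", expected))
        if "." in text and " " not in text:  # the visible text looks like a URL
            shown = registrable_domain(urlparse("//" + text.split("://")[-1]).hostname or "")
            if shown != target:
                reasons.append("text shows %s but href goes to %s" % (shown, target))
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings

# Constructed 'security alert' mail claiming to come from bank.example
SAMPLE_MAIL = """<p>Urgent security alert. Please visit
<a href="http://bank.example.verify-login.test/">http://www.bank.example/</a>
to confirm your details, or read our <a href="https://bank.example/help">help page</a>.</p>"""
```

Run `suspicious_links(SAMPLE_MAIL, "bank.example")` to see the first link reported for both mismatches while the genuine help link passes.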
Phishing - a way of stealing Internet users’ identities online - is becoming more and more sophisticated, according to Susan Potgieter, general manager of the SABRIC (South African Banking Risk Information Centre) commercial crime office. At one point phishing e-mails were easy to spot because they often contained ‘red flag’ phrases or spelling errors. Nearly all legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers.
However, in the early days many of us even started filling in the form (me included! Come on, who hasn’t?) because the scam was framed in such a way that it asked the logical questions we were used to being asked over telephone banking. To use a bit of jargon (sorry!), the ‘mental model’ was already in place.
Potgieter, who has studied international trends in phishing, said usually these e-mails used the pretexts of security alerts from banks and consumer education — information that a client would expect to receive from their bank. These messages were all aimed at duping consumers into going onto fake websites.
But we all know about it now ... right? Well it’s still growing ... fast.

Moreover, Potgieter warns “As many clients have become alerted to the fact that they should never expect to receive an e-mail of this kind from their bank, a newer generation of phishing e-mails, for instance promising clients financial rewards such as savings on banking fees, is emerging. All this means that perpetrators of this scam are making it more challenging for an ordinary bank client to detect”. Just like old-fashioned confidence tricks, if a hustler can be convincing on a reliability and trustworthy basis, it’s possible to slip under the net – no matter how obvious the fundamentals are. However, this old-fashioned scam is now adopting *new* business techniques - a strategy is devised and a campaign is launched.
According to the website howstuffworks.com, this is how phishing works from start to finish:
Planning: phishers decide which business to target and work out how to get e-mail addresses for its customers. They often use the same mass-mailing and address collection techniques as spammers. Although only a very small percentage of people get conned into disclosing their personal details, phishing is a numbers game that relies on reaching huge numbers of people, so even that small percentage adds up to something meaningful.
Setup: the criminals create ways of delivering the messages and collecting the data. Most often this involves e-mail addresses and a web page.
Attack: this is the part ordinary people see the most: a fake e-mail is sent out.
Collection: phishers record the information victims enter on the fake web page.
Identity theft and fraud: the phishers use the information gathered to commit fraud, like making illegal purchases.
Anyone who has found it difficult to have a purchase delivered to their business address may ask how it is possible to benefit from illegal purchases. SABRIC says the first step for phishers is to create a bank account into which fraudulently obtained money can be deposited. Phishing is so fast, and their websites are often shut down so quickly, that there would be no time to create a bank account after the money had been stolen.
There are several ways of acquiring a bank account, both fraudulently and legally. One such method is for criminals to persuade someone from off the street to open a bank account in their name.
Other methods include:
- Opening a bank account using a stolen identity document
- Offering someone a job and, as the ‘employer’, opening a bank account on behalf of the ‘worker’ using the innocent party’s genuine ID number. It then seems quite logical to the ‘worker’ that the ‘employer’ keeps the card and PIN, since the ‘employer’ has deposited an opening balance for the individual.
Another thriving business is when genuine account holders ‘rent’ their account to criminals in return for a cut - but they can run the risk of being charged with money laundering if they are caught.
Thanks to ‘Top Down’ approaches, such as more stringent issuance of ID documents and tighter security systems in banks, the use of false documents to open accounts has become much more difficult. These should be matched with ‘Bottom Up’ approaches to deal with the growing number of reported phishing incidents, which might include user training, public awareness, and technical security measures.
Glossary:
Phishing — a site (the phishing site) that looks like a website you know and trust (for example, your bank’s website). The criminal sends you an e-mail, which appears to come from a legitimate company or organisation, inviting you to visit the phishing website. This site asks you to enter your logon details (for example, your online banking username and password), so that the criminal can grab them. The criminal can then use your credentials to log on to a genuine website and conduct fraudulent transactions.
Pharming — directs your browser to a fraudulent site each time you type the address of a genuine website into your browser’s address bar. This is accomplished by various techniques, such as infecting your desktop with malware (software designed to infiltrate your computer’s security system) or by compromising the servers in your Internet service provider’s network. When you try to access the fraudulent site, it will grab your logon credentials. A criminal can then use your details to log on to the real website and perform fraudulent transactions.
Keylogging — malicious software that secretly installs itself on your computer. The keylogger records your keystrokes and sends this information to an online criminal.
Man in the middle — an advanced variation of phishing and pharming. You sign on to a genuine website and transact, unaware that all the information exchanged between your computer and the website is being sent to a criminal who can view your private information and can alter transactions. For example, if you request to transfer money to a payee, the criminal can change the payee’s identity and have the money transferred to a different account.
Man in the browser — malware that resides inside your browser in the form of an add-on (such as a toolbar). The malware controls everything that happens inside your browser. It can read sensitive information, such as your sign-in credentials, and pass it on to a criminal. It can also generate transactions on your behalf, such as transferring money from your account.
Screen capturing — malware that takes pictures of your computer screen and sends them to a criminal. The screen shots can include bank account details and logon credentials entered through an on-screen interactive keypad.
Session hijacking — malware that steals information while you are on a website and sends it to a criminal. The criminal can use this to take over your session on the website and to bypass the authentication process required to log on to the site.
Typical security software consists of a database of malicious software and hostile websites that is used to detect and remove threats from your computer.
__________________________________________
Online sources:
computer.howstuffworks.com/phishing.htm
Print Sources:
27 Jun 2010. Sunday Times of Johannesburg. Eamon Ryan
Direct Quotes:
Ms Susan Coetsee, General Manager: Commercial Crime Office, SABRIC (South African Banking Risk Information Centre)