Discuss: Anti-Phishing Techniques - Protection Measures
by Jose Varghese, CISSP, GSEC, GCIH, CBCP, BS7799 LA
Nice article! It is indeed a good collection of all the problems related to phishing. The only problem though is that a solution hasn't been identified which means that there is no silver bullet to prevent phishing attacks. It has to be a combination of multiple solutions and a key one being User Education.
I expected more from you guys.
1. OTP is not valid for 60 seconds; only the password in the token changes every 60 seconds. There's a big difference. The time frame is usually several minutes.
2. An attack against OTP was launched successfully a month ago. Look up "Citibank OTP phishing"; it should come up.
3. Personalized pages are a very good option, but only if you use something in the user's OS as a pre-identifier; otherwise you're back to the above-mentioned attack.
3. Separate passwords are a good idea, and it works well in Germany, but it is costly and can be attacked by a man-in-the-middle attack as well.
4. Personalized email seems nice, but won't work. Try to get into the mindset of those that fall for phishing. They are AFRAID. That is why they fall for it. It can be with typos and old logos and they'll fall for it. It's the psychological effect. So personalized email will not help.
Today the only good solution (cost effectiveness) is statistical analysis of transactions and logins (what RSA calls adaptive authentication).
It is true that analysis of transaction patterns can be useful. This is useful to prevent usage of phished credentials by an attacker, though it does not prevent phishing itself.
I agree transaction passwords can also be phished if you can trick the user into giving them away. How about using an OTP for the transaction password also? Use an OTP like an RSA SecurID token or Vasco Digipass as both login password and transaction password. No transaction analysis or statistics or complex risk engine etc. The user has to supply an OTP as login and also for every transaction.
Technically this is breakable (though very tough), but it will definitely increase the complexity of the attacks.
OTP for transactions is an old technique and very useful. Banks in Germany have been using it for years (they call it TAN, transaction number) and it is done via cards.
The fact is that the problem lies in the connectivity among systems. You rely on the users' system although you know the system is flawed and the users have no awareness.
So no matter what solution you bring that will be managed by the user and trusted by you, it will always be quite easily hackable. Put the defences near your system, where you can control them.
That is why statistical analysis is better (although one can come up with ideas about how to try to defeat such a mechanism).
I'm not into preventing phishing. I couldn't care less. It's the consequences I'm trying to avoid. You can have my account ID. If it won't let you in, what do I care, and is it phishing at all?
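As an added illustration (not part of any commenter's post), here is a minimal risk engine of the kind the post above argues for: it profiles a user's past logins and transactions on the bank's side and requires a step-up OTP, or blocks, when a new event looks unlike that history. The event fields, the weights and the thresholds are assumptions chosen for the example, and the history is constructed sample data.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Event:
    user: str
    country: str      # geolocated source country
    device: str       # hypothetical device fingerprint id
    hour: int         # local hour of day, 0-23
    amount: float = 0.0  # transfer amount; 0.0 for a plain login

# Constructed history for one user (sample data, not real records)
HISTORY = [
    Event("alice", "DE", "dev-1", 9),
    Event("alice", "DE", "dev-1", 20),
    Event("alice", "DE", "dev-2", 19, 120.0),
    Event("alice", "DE", "dev-1", 8, 45.0),
]

def profile(history):
    """Summarise what 'normal' looks like for this user."""
    return {
        "countries": Counter(e.country for e in history),
        "devices": Counter(e.device for e in history),
        "hours": Counter(e.hour for e in history),
        "max_amount": max((e.amount for e in history), default=0.0),
    }

def risk_score(event, prof):
    """Additive score: each deviation from the profile adds weight (assumed values)."""
    score, reasons = 0, []
    if event.country not in prof["countries"]:
        score += 40
        reasons.append("new country")
    if event.device not in prof["devices"]:
        score += 30
        reasons.append("unknown device")
    if not any(abs(event.hour - h) <= 2 for h in prof["hours"]):  # +/-2h tolerance
        score += 15
        reasons.append("unusual hour")
    if event.amount > 0 and event.amount > 2 * prof["max_amount"]:
        score += 30
        reasons.append("amount far above history")
    return score, reasons

def decide(event, prof, step_up=40, block=70):
    """Map score to an action: allow, demand a second OTP, or block (thresholds assumed)."""
    score, reasons = risk_score(event, prof)
    action = "block" if score >= block else "step_up_otp" if score >= step_up else "allow"
    return action, score, reasons
```

A replayed set of phished credentials typically arrives from a new country, a new device and at an odd hour, so it scores high even though the password and OTP were correct; a genuine login on a new laptop only triggers the step-up.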
How has your practical experience with statistical analysis been? How much time does it take to learn the user behaviour? Are there false positives which result in user complaints?
It's a nice article, but there is no absolute solution for phishing. It's better if you give a perfect counter-attack technique for phishing.