The rising number of phishing attacks involving the hijacking of the brands of financial institutions poses a genuine threat to the integrity of the financial system. Fortunately, there exist defenses to deter attacks or to render them harmless. Some of these employ technology to foil would-be scammers, and other techniques rely on consumer and employee education. An effective counter-phishing program will utilize both.
The Federal Deposit Insurance Corp. enumerates a four-point program:
- Upgrading existing password-based single-factor customer authentication systems to two-factor authentication.
- Using scanning software to proactively identify and defend against phishing attacks.
- Strengthening educational programs to help consumers avoid online scams, such as phishing, that can lead to account hijacking and other forms of identity theft.
- Placing a continuing emphasis on information sharing among the financial services industry, government, and technology providers.
Account hijacking can be perpetrated in a number of ways. It can also be mitigated through the use of several different technologies. According to the FDIC, “Computer security experts recommend a layered approach to computer security because no single security technique is foolproof or sufficient to prevent identity theft.”
The FDIC enumerates three types of technologies that, implemented at various levels, could be used to mitigate the risk of identity theft generally and account hijacking specifically: scanning tools, E-mail authentication, and two-factor authentication.
Scanning tools help financial institutions identify Web sites that may be pretending to be the financial institution or may be implying that the site has a legitimate relationship with the financial institution when in fact it does not. Although scanning software is not foolproof, it can alert users to potentially fraudulent Web sites that have been set up to perpetrate account-hijacking fraud.
E-mail authentication ensures that each E-mail message originates from the Internet domain from which it claims to come. The inbound E-mail server determines if the sending e-mail server’s IP address matches the IP address that is published in the domain name server (DNS) record. If the addresses match, the E-mail is forwarded to the recipient. If not, it is rejected and the intended recipient never receives it.
Two-factor authentication is significantly more secure than single-factor authentication because the compromise of one factor would not be enough to permit a fraudster to access the system and the additional factor (usually a token or biometric identifier) is extremely difficult to compromise. Almost all the phishing scams in use today could be thwarted by the use of two-factor authentication, according to the FDIC.
Most two-factor authentication systems use shared secrets, tokens (USB token devices, smart cards, or password-generating tokens), or biometrics. Shared secrets are questions that are asked during the authentication process, the answers to which a fraudster would be unlikely to know (e.g., the exact amount of the userâ€™s monthly mortgage payment).
The USB token device plugs directly into a computerâ€™s USB port and therefore does not require the installation of any special hardware on the userâ€™s computer. A USB token usually contains a microprocessor and uses strong encryption to communicate with the various security applications on the userâ€™s computer. Once the USB token is recognized, the user is prompted to enter his or her password (the second authenticating factor) in order to gain access to the computer system. A smart card contains a microprocessor that enables it to store and process data. Inclusion of the microprocessor enables software developers to use more robust authentication schemes. To be used, a smart card must be inserted into a compatible reader attached to the userâ€™s computer. If the smart card is recognized as valid (first factor), the user is prompted to enter his or her password (second factor) to complete the authentication.
A password-generating token produces a unique pass-code (also known as a one-time password [OTP]) each time it is used. The token eliminates the need to memorize passwords and ensures that the same password is never used twice, so stealing a password is useless. The OTP is displayed on a small screen on the token. The user first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The user is authenticated if (1) the regular passwords match and (2) the OTP generated by the token matches the password on the authentication server. A new OTP is typically generated every 60 secondsâ€”in some systems, every 30 seconds.
Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological or physical characteristic. Physiological characteristics are things like fingerprints, iris configuration, and facial structure. Physical characteristics include, for example, the rate and flow of movements, such as the pattern of data entry on a computer keyboard. Keystroke recognition biometrics is generally considered to be the easiest biometric technology to implement and use. No hardware is involved. Software may be installed on the client or host. Because authentication is based on normal keyboard entry, individuals need only type the prescribed text to be authenticated.