Monday, March 19, 2007

Antiphishing Needs an Overhaul

I was on the site of one of our peer companies yesterday and saw that they are offering a "Fraud Protection" application designed to weed out potential phishing sites. Consumers, beware. The approach they are using is not 100% reliable, and it is becoming less reliable by the day.

The average phishing site is up for far less than 48 hours, but even that doesn't matter anymore - most criminal phishing sites are now distributed across multiple domains, some across multiple countries, which means that "Fraud Protection" approaches that rely on database lookups of reported sites simply cannot keep up. This kind of approach is fast losing its effectiveness.

The other problem is that it isn't just the bank's URL that is being compromised - often, the antiphishing program itself is more vulnerable to attack than the site.

We recently met with representatives of a major bank that distributes a free antiphishing technology to their customers. They were shocked when we showed them the ease with which this solution could be compromised. Not only did our "fake" demonstration site look exactly like the real thing, but the site certificates matched, and the bank's antiphishing program gave it a "green light".

We are one of the companies that ships database lookup approaches, and our approach uses one of the leading databases. But we've chosen to go a different way with our next generation of ESP releases. A fresh solution is urgently needed if consumers and business owners are to maintain confidence in online banking and financial transactions. This is why we created VirtualATM.

VirtualATM does not use "reported phishing site" database lookups - it assumes that your computer has already been compromised, and works to create a "secure island", or VirtualATM, from within which you can transact securely. VirtualATM uses our patent-pending technology to manage the transaction session and ensure that a bank's customers only travel to trusted destinations - and are not redirected anywhere else.

Not only does this approach remove the possibility of phishing attacks, but it mitigates other potentially harmful attacks as well, including "man-in-the-middle" attacks, keyloggers, and both local and remote DNS poisoning threats ("pharming" attacks).

And then, there's "phidgeting" (phishing widget) attacks. We saw the first example in our labs last week of how easily some of the existing widgets offered by major financial service providers can be compromised, and our prediction is that attacks conducted via "fake" or compromised widgets will soon make website-based phishing look tame.

Luckily, our engineers made protection against phidgeting a cornerstone of their design. VirtualATM uses our patent-pending service-hardening (antitampering) technology - which makes it the first technology designed to protect consumers from phidgeting attacks.
