"There is a new phishing attack out now that everyone should be aware of." Actually, that line can be repeated every few weeks and refers to no specific "new" attack. It doesn't matter what the new attack actually is, but at least the word is getting out that there is a problem.
Security professionals have to figure out what to do about these scams. Generally phishing is successful because the victim believes that they are receiving a message from their bank, vendor, credit card company, etc. The attacks have been enabled because just about all organizations are trying to reduce costs by taking advantage of the Internet. They have taken the cheap way out, and started distributing information, statements and other documents through e-mail.
There are security measures that could be taken and that the general public must get used to. For example, formal communications could include a digital signature. There could be a third party verification process through a trusted source embedded in all formal e-mail communications. If companies do want to continue to make use of e-mail, they have to make better use of available security technologies, but more importantly, they will have to educate their customers on how to use the technologies. This is not easy.
A recent Gartner Group study puts financial losses of phishing attacks at more than $2 billion annually. Let's face it, phishing losses are only going to increase. Has someone looked at the actual costs of what it takes
Companies started moving toward electronic communications when they believed that it was more economical than printing up and mailing millions of pages of statements. Many companies communicate that way, but that was before there was a real cost to sending out these e-mails.
Now there is a cost. As individuals get used to receiving business communications over the Internet, they will continue to believe messages that appear to be formal. Unfortunately, it is clear that criminals are very willing to take advantage of this social phenomenon.
It is time for the business world to start taking a serious look at the losses that they have created through cost cutting measures, and figure out if the losses are larger than the savings, or likely to start approaching those numbers. One solution is for companies to make ISPs better filter out attacks. To this day, it still amazes me how little ISPs do to protect their networks from being used as conduits for attacks.
As I mention in my Winkler Act article, ISPs should be required to better detect when zombie computers [that enable spam and phishing attacks] are sitting on their networks. I know that ISPs are considered a "Publisher" under certain laws. It does not, however, mean that they have to be stupid and let their storage and bandwidth be used by criminals.
Businesses should start working with ISPs to get them to enact stronger misuse and abuse protections. It is clearly the criminals who are at fault. However, until we can completely eradicate them, which is unlikely, we need to require businesses to take protective measures if they want to enjoy the benefits of cost savings by moving to the Internet. We all end up paying for the criminals. I would prefer to pay for a fundamentally more secure system that prevents current and future attacks, instead of just paying for attacks as they occur.
About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.
This was first published in December 2004