Executive summary

As phishing attacks increase in number and effectiveness, they present a real threat to the online community. Though believed to be the nuisance of large e-banking and e-commerce sites alone, phishing has expanded its target base. It is now evident that no business is immune from phishing and its devastating effects.

Governments, large corporations, and social networking sites have all reported phishing attacks in the past several years. The Anti-Phishing Working Group (APWG) reported over 47,000 phishing attacks in the first half of 2008 alone targeted at over 26,000 unique domain names.

What is phishing?

Phishing is a method of online fraud that attempts to acquire sensitive information such as usernames, passwords, credit card details and other data by masquerading as a trustworthy entity in an electronic communication. It is often propagated via email. Recipients are directed to a spoofed website, where they are then asked to divulge personal information, such as credit card details, social security data, passwords and bank account numbers. Believing they are releasing this information to a legitimate source, they comply, and their information is stolen.

Even more dangerous is “spear phishing”, a targeted phishing technique aimed at specific groups, such as employees or customers of a single organization. According to several sources, spear phishing can be very effective.

Yet another type of spear fishing is “whaling”, which targets high-level executives in a single organization or executives common to other organizations. Executives such as CEOs, CIOs, and PMs can find themselves the targets.

Goal:

While it is not possible to stop phishing attempts, it is quite possible to make them ineffective. Three major forms of strong authentication can be used to combat a phishing attack:

User Authentication
Authentication is a method of virtual identity verification. It is provided via one-time passwords, generated by VASCO’s DIGIPASS authenticators, which are required at each login. Due to their dynamic nature, one-time passwords cannot be reused at a later time if acquired during a phishing attack.

Host Authentication
This mechanism verifies the authenticity of the website. The authentication code will not be confirmed at a spoofed phishing site.

Transaction Authentication
e-Signature is a method of verifying the authenticity of a transaction or a document, including the person conducting the transaction, the monetary value, and the recipient. The authentication code will not be confirmed in case of a man-in-the-middle attack. e-Signatures guarantee a transaction was not fraudulently altered in transit.

Components:

Client products:

• VASCO DIGIPASS

Server products:

• VACMAN Controller
• IDENTIKEY