Strong authentication against phishing

How to tackle phishing attacks

As phishing attacks increase in number and effectiveness, they present a real threat to the online community. Though once believed to be a nuisance for large e-banking and e-commerce sites alone, phishing has expanded its target base. It is now evident that no business is immune from phishing and its devastating effects.

Governments, large corporations, and social networking sites have all reported phishing attacks in the past several years. The Anti-Phishing Working Group (APWG) reported over 125,000 phishing attacks in the first quarter of 2014, and a total of 525 brands were targeted by phishers. The Payment Services industry sector remains the most targeted.

What is phishing?

Phishing is a method of online fraud that attempts to acquire sensitive information such as personal identity data, usernames, passwords, credit card details and other data by masquerading as a trustworthy entity or a legitimate business in an electronic communication. This criminal mechanism employs both social engineering and technical subterfuge. It often starts with a spoofed email, which directs its recipients to a counterfeit website, where they are then asked to divulge personal information, such as social security data and bank account credentials. Believing they are releasing this information to a legitimate source, they comply, and their information is stolen.

Even more dangerous is “spear phishing”, a targeted phishing technique aimed at specific groups, such as employees or customers of a single organization. According to several sources, spear phishing can be very effective.

Yet another type of spear phishing is “whaling”, which targets high-level executives in a single organization or executives across several organizations. Executives such as CEOs, CIOs, and PMs can find themselves the targets.


While it is not possible to stop phishing attempts, it is quite possible to make them ineffective. Three major forms of strong authentication can be used to combat a phishing attack:

User Authentication
User authentication verifies the identity of the person logging in. It is provided via one-time passwords, generated by VASCO’s DIGIPASS authenticators, which are required at each login. Because each one-time password is valid only once, a password captured during a phishing attack cannot be reused at a later time.

Host Authentication
Host authentication verifies the authenticity of the website to the user. A spoofed phishing site cannot produce an authentication code that the user’s authenticator will confirm.

Transaction Authentication
Transaction authentication, or e-signature, verifies the authenticity of a transaction or document, including the identity of the person conducting the transaction, the monetary value, and the recipient. If a man-in-the-middle attack alters any of these details, the authentication code will not be confirmed. e-signatures therefore guarantee that a transaction was not fraudulently altered in transit.
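The following Python example, added here and not part of the original page, illustrates the two properties the text relies on: a one-time password cannot be replayed after use, and a transaction code that covers the amount and recipient stops validating when a man-in-the-middle changes either. The login code uses the standard HOTP construction (RFC 4226); the transaction code is a hypothetical HMAC-based scheme written for this illustration and is not VASCO’s DIGIPASS or CrontoSign algorithm. The shared secret, counters, amounts and account identifiers are all constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the user's authenticator device and the
# server. A real deployment provisions a unique key per device.
SECRET = b"demo-shared-secret-not-for-real-use"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password using the RFC 4226 HOTP construction."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset from the last nibble
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def transaction_code(secret: bytes, counter: int, amount: str,
                     recipient: str, digits: int = 8) -> str:
    """Hypothetical e-signature: a one-time code whose HMAC input also covers the
    transaction details, so any change to amount or recipient changes the code."""
    msg = struct.pack(">Q", counter) + f"{amount}|{recipient}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class BankServer:
    """Server-side verifier. It remembers the highest counter accepted so that a
    code captured on a phishing site cannot be replayed later."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def _fresh(self, counter: int) -> bool:
        return counter > self.last_counter

    def verify_login(self, counter: int, code: str) -> bool:
        if not self._fresh(counter):
            return False  # replay of an already-used one-time password
        ok = hmac.compare_digest(hotp(self.secret, counter), code)
        if ok:
            self.last_counter = counter
        return ok

    def verify_transaction(self, counter: int, amount: str, recipient: str,
                           code: str) -> bool:
        if not self._fresh(counter):
            return False
        expected = transaction_code(self.secret, counter, amount, recipient)
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.last_counter = counter
        return ok


def phishing_scenarios() -> dict:
    """Run the situations described in the text and return each outcome."""
    server = BankServer(SECRET)
    results = {}

    # 1. Legitimate login with the device's current counter value.
    code = hotp(SECRET, 1)
    results["login_ok"] = server.verify_login(1, code)

    # 2. The same code was captured on a spoofed site and is tried again later.
    results["replayed_otp_rejected"] = not server.verify_login(1, code)

    # 3. The user signs a transfer; the device displays amount and recipient
    #    and the code covers both (constructed sample values).
    sig = transaction_code(SECRET, 2, "100.00", "ACCT-LEGIT-0001")
    results["transfer_ok"] = server.verify_transaction(
        2, "100.00", "ACCT-LEGIT-0001", sig)

    # 4. A man-in-the-middle swaps the recipient but forwards the user's code.
    sig = transaction_code(SECRET, 3, "100.00", "ACCT-LEGIT-0001")
    results["mitm_rejected"] = not server.verify_transaction(
        3, "100.00", "ACCT-ATTACKER-9999", sig)

    return results


if __name__ == "__main__":
    for name, outcome in phishing_scenarios().items():
        print(f"{name}: {outcome}")
```

The counter check in `BankServer` is deliberately strict (no look-ahead window) to keep the replay rule visible; production verifiers allow a small window for counters consumed on the device without reaching the server. Note also that replay protection alone does not stop a phishing site that relays the code to the real site in real time, which is exactly why the transaction details must be bound into the code as in `transaction_code`.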
