Phishing
- Within this section:
- Summary
- Mechanism
- Comment
- Example Mitigations
| Threat Type: Phishing | Threat To: Public Confidence |
| Potential Impact: Medium | Likelihood: High |
Summary
Phishing is persuading people to enter their bank account details, or other information that can be used to steal from them or otherwise abuse them, into a faked official website.
Mechanism
In the most common variation, people receive an email purporting to be from their bank, encouraging them to sign on to the bank's website to verify their status, or to confirm that their account has not been compromised, or some other security-related reason. A link to the webpage is provided in the email.
This link, while superficially similar to the bank's address, is based offshore and is operated by a third party. The webpage at its address may resemble the bank's website in detail, and its cunningly constructed URL can appear to be a bank URL.
Phishers have found a way to include an SSL certificate on their website, so that the user gets to see the padlock icon at the bottom of their browser. [SSL's Credibility as Phishing Defense Is Tested, Netcraft, 8 March 2004.] Until now banks have advised their clients that this padlock was an indicator of the correct website.
Scams such as this are generally noticed quickly and banks watch for suspicious overseas transfers. To defeat this, phishers generally recruit New Zealand bank account holders beforehand to pass money on in return for a commission. This activity is an offence under New Zealand money laundering laws, but there is little public awareness of this and no-one has been prosecuted so far.
Some of these emails can be very persuasive. In one scam circulating in the US, the recipient is informed that their account is the subject of possible abuse by terrorists. It appears to be from an office of the US Government and cites the Patriot Act, which is security legislation passed after the events of 11th September 2001. The mail requires the account holder to verify their identity by 'signing on' to the account using a bogus web link. [E-mail scam uses anti-terrorism hook, CNN, 26 January 2004.]
Comment
This is a "social engineering" threat more than a technical one. It relies on persuading people to take an action which compromises their security. However, the action appears reasonable, and this disjuncture could cause loss of confidence in the Internet.
Example Mitigations
Using a 'bank.nz' domain name which would only be available to registered banks
More education / awareness
Online banking security improvements, recognising that this would make it harder to use online banking
Greater liability to fall on banks for abuse of online facilities
Prosecution of intermediaries
Direct action to spoil scams by seeding with incorrect information, then watching for logins
Email filtering at ISPs
International co-operation at a Law Enforcement level
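The look-alike URL described under Mechanism and the "email filtering at ISPs" mitigation above can be illustrated with a small link classifier. This is an added example, not part of the original page: it assumes a hypothetical bank brand "examplebank", an allow-list of that bank's real registrable domain, and the proposed restricted 'bank.nz' domain, and it flags any link that mentions the bank's name but is served from some other registrable domain.

```python
from urllib.parse import urlsplit

# Constructed allow-list: hypothetical bank name, not a real institution.
LEGITIMATE_BANK_DOMAINS = {"examplebank.co.nz"}
BANK_BRAND_WORDS = ("examplebank",)
# .nz second-level labels under which names are registered (co.nz, org.nz, ...).
# "bank.nz" is the restricted domain the page proposes; assumed here, not a registry rule.
NZ_SECOND_LEVEL = {"co", "org", "net", "govt", "ac", "bank"}

def registrable_domain(host: str) -> str:
    """Return the part of the host the operator actually registered.
    Handles .nz second-level suffixes (foo.co.nz -> foo.co.nz) and plain
    two-label hosts (foo.example -> foo.example). Simplified, not a full
    public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "nz" and labels[-2] in NZ_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_link(url: str) -> str:
    """Classify an emailed link as 'legitimate', 'suspicious' or 'unrelated'.
    Legitimate only if the registrable domain is allow-listed or sits directly
    under the proposed bank.nz; suspicious if the bank's name appears anywhere
    in the URL but the registrable domain is someone else's."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    if reg in LEGITIMATE_BANK_DOMAINS or reg.endswith(".bank.nz"):
        return "legitimate"
    if any(word in url.lower() for word in BANK_BRAND_WORDS):
        return "suspicious"
    return "unrelated"

# Constructed sample links of the kind the Mechanism section describes.
SAMPLE_LINKS = [
    "https://www.examplebank.co.nz/login",                    # the bank's real site
    "https://www.examplebank.co.nz.verify-account.example/",  # brand as a subdomain elsewhere
    "http://secure-login.example/examplebank/confirm",        # brand only in the path
    "https://examplebank.bank.nz/",                           # proposed restricted domain
    "https://www.example.org/newsletter",                     # nothing to do with the bank
]

def scan_email_links(links=SAMPLE_LINKS):
    """Return (link, verdict) pairs for every link found in an email body."""
    return [(link, classify_link(link)) for link in links]

if __name__ == "__main__":
    for link, verdict in scan_email_links():
        print(f"{verdict:11} {link}")
```

A filter built this way cannot be defeated by the phisher obtaining an SSL certificate, since it never consults the padlock at all, only the registered domain.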

