Are You Being Phished?

CIOL Bureau

Internet banking is getting more popular in India, and with it the threat of expected losses due to phishing is increasing. The most targeted industry sector for phishing attacks continues to be financial services. According to the Anti-Phishing Working Group (APWG), this sector averaged 81% of all hijacked brands in March, with 9 out of 12 new brands falling in this category. According to CyberSource Corp, which processes financial transactions, Internet fraud in general cost merchants $2.6 bn in 2004, $700 mn more than in 2003.


Unlike phishing, in the case of pharming most victims, even the clever ones, might have no idea that they are being scammed until it is too late. Though the DNS attack tactics used by pharmers have been around for a while, the rise in Internet banking, online shopping and electronic bill payment has created a wide potential profit zone for criminals eager to get hold of login information, credit card numbers and bank account numbers.

Especially after Citibank became phishers' favorite brand, customers have become more aware of possible cyber swindling. In late 2004, pharmers attempted to exploit a known vulnerability in firewalls to redirect Google, eBay and Amazon visitors to sham sites.

Most private and international banks have already set up elaborate Internet banking infrastructure, and nationalized banks are also moving fast to keep pace with changing times. India to date has been relatively safe from unruly Internet movements due to relatively low levels of PC penetration and skeptical users. Only over time has the security drive at banks started.

Consumers Beware!

- If you have given out your debit, credit or ATM card information, report the theft of this information to the card issuer as quickly as possible. Many companies have toll-free numbers and 24-hour services to deal with such emergencies.

- If you have given out your bank account information, report the theft to the bank ASAP. Review bill statements carefully after the loss.

- If you have downloaded a virus or Trojan, install or update the anti-virus and personal firewall software. Fix the system and change the password again. Check your other accounts too.

- Don't tap into a wi-fi network unless you know to whom it belongs.


According to CN Ram, Head-IT, HDFC, "The use of digital certificates puts a safety check on transactions. Though using private digital certificates is cumbersome and expensive for individual customers, they are used for corporate customer accounts, operating on both the client and the bank's site. HDFC's corporate customers are also protected with SAP safeguards that use server-to-server authentication for any transaction to take place seamlessly."

Punjab National Bank, which according to the 2005 DQ-IDC Mega Spenders survey had taken the top slot in IT spending, has appropriate safeguards built in. According to KS Bajwa, GM-IT, "We have to constantly review our products and ensure that adequate security measures are in place. We get Information Security audits (including penetration testing) done by external auditors at periodic intervals."

Phishing and Pharming: Murky Waters

Phishing is derived from "fishing": a social engineering attack attempting to trick users into revealing personal information like passwords and credit card numbers. E-mails masquerading as official messages from banks are typical tools used by phishers.
Phishing scams hooked unwary Internet users one by one to divulge data. Pharming, however, threatens to reel in entire schools of victims. Pharming (from "farming") exploits the DNS, the Internet system that translates a computer name into an Internet Protocol (IP) address.

A computer with a compromised hosts file will go to the wrong website even if the user types the correct URL. More alarming is DNS poisoning, where the Domain Name System directory is 'poisoned' and can cause large groups of users to be herded to fraudulent look-alike sites.
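The hosts-file variant described above, as an added example that is not from the article: a small Python checker that parses hosts-file text the way a resolver reads it and flags any monitored bank hostname that has been pinned to a non-loopback address. The hostnames, the addresses (RFC 5737 documentation ranges) and the sample file are constructed, not taken from any real bank.

```python
# Added example (not from the article): detect hosts-file pharming.
# The resolver consults the hosts file before DNS, so a tampered entry can pin a
# bank's hostname to an impostor's address even when the user types the right URL.
# Hostnames and addresses below are constructed placeholders (RFC 5737 ranges).
import ipaddress

# Constructed sample hosts file: legitimate loopback lines, a comment, a
# commented-out line, and one suspicious entry redirecting a bank hostname.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
# 192.0.2.5     dev.internal.test
203.0.113.10    www.examplebank.test  examplebank.test
"""

# Hostnames a bank's desktop-security tooling would watch (hypothetical names).
MONITORED = {"www.examplebank.test", "examplebank.test",
             "netbanking.examplebank.test"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline/trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield ip, name.lower()


def find_pharming_entries(text, monitored=MONITORED):
    """Return [(hostname, ip)] for monitored names pinned to a non-loopback IP.

    A loopback mapping blocks the site but does not redirect to an impostor,
    so only non-loopback overrides are reported as pharming.
    """
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if name in monitored and not ip.is_loopback]


if __name__ == "__main__":
    for name, ip in find_pharming_entries(SAMPLE_HOSTS):
        print(f"ALERT: {name} resolves locally to {ip} via the hosts file")
```

On a real machine the same check would read the system hosts file (for example /etc/hosts) instead of SAMPLE_HOSTS; a legitimate hosts file almost never contains a bank's public hostname, so any hit is worth investigating.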

Trends: Website phishing trends suggest that there has been a dramatic increase in the volume of phishing-based malicious code attacks designed to run on a machine and log keystrokes when a connection is made to predetermined websites. The keylogger sends that information to a remote location for the purpose of identity theft.

A new variation of the scam is wi-fishing, where crooks set up wi-fi networks in public places so people can get wireless broadband connections, ostensibly for free. The criminals can then track keystrokes and passwords.

PNB's web servers are provided with digital certificates and are SSL enabled. Customers are forced to change their passwords at periodic intervals, and a virtual keyboard feature has been provided for Internet banking login, whereby the customer uses mouse clicks instead of typing on the keyboard. This minimizes the risk of keyboard grabbing.

Some financial services companies, whose users are the prime targets of phishing and pharming scams, are experimenting with "multi-factor authentication" logins, including measures such as single-use passwords and automatic telephone callbacks confirming that a transaction is about to take place. PNB too is contemplating the possibility of providing two-factor authentication mechanisms, which would use smart cards, I Keys and tokens.


As per RBI guidelines on Internet banking, security issues include questions of adopting internationally accepted, state-of-the-art minimum technology standards for access control, encryption/decryption (minimum key length), firewalls, verification of digital signatures, and Public Key Infrastructure (PKI).

The ifs and buts
According to an SBI spokesperson, India is still relatively safe from such attacks because identity thefts are dreaded in countries like the US because of the widespread use of Social Security Numbers. Moreover, since most of the sites are hosted, pharmers are more interested in dollars rather than Indian rupees.

Once the Multi-Purpose National Identity Card (MNIC) Project of the Indian government is rolled out nationally, it may not be long before India goes the US way in terms of higher phishing and pharming risks. Cyber laws in India also have a long way to go before they become stringent enough to tackle such crimes.


Companies like Trend Micro, Symantec and McAfee are the global players offering e-safety solutions to individuals and corporates.

Niraj Kaushik, Country Manager, India and SAARC, Trend Micro, says, "Though pharming is more lucrative for pharmers, it is all the more difficult to attempt. Safety solutions are implemented at gateways, which keep track of the email and browsing exchange. According to IDC, 67% of desktops are infected by spyware."

Invariably, all the banks that Dataquest contacted expressed the utmost need for consumer education on Internet banking. Most banks advise clients to be alert and not to divulge their user IDs and passwords in pop-ups.

Security is indeed the last word. According to Neeraj B Bhai, CTO, IDBI, "Internet banking is not a one-time activity. The bank has to persuade its customers to use the service to achieve cost advantage. In this case, data security needs to be very thorough." The SBI spokesperson sums it all up: "Banks that cannot provide such security should not be in the business."

Source: Dataquest
