VASCO Data Security, Inc.: Phishing: Don’t get hooked!
A couple of years ago, we witnessed the birth
of a new type of Internet-related fraud scheme, nicknamed “Phishing”.
Fraudsters fish for the naïve end user’s static PIN code, bank account
information or credit card number and expiration date. Once they have obtained
that crucial secret information, they fish your bank account dry or they go
shopping at your expense, using your credit card information. The right
technology, such as VASCO’s Digipass strong user authentication, and
thoroughly informing the general public can reduce their catch.
When a fraudster goes phishing, he typically uses the following scheme. To
catch his victims’ static PIN codes or credit card information, he sends an
e-mail blast to a database, while pretending to be the victim’s bank.
The e-mail contains a URL leading to a website that looks identical to
the web site of the financial institution where the end user has a bank
account. Many variations on that theme have been developed since, with the
fraudster posing as his potential victims’ brokers, e-commerce companies,
travel agencies,…
Phishing is only the tip of the iceberg.
Other high-tech fraud schemes have been developed recently, such as:
- Pharming: luring victims towards a site with a
URL named slightly differently from the bank’s corporate site;
- Man-in-the-middle attack: an online robber is
hiding on the Internet to hijack an online transaction;
- Trojan Horse: spyware on your computer is
sending your login details to a hacker.
Solutions to prevent online fraud schemes are
twofold.
1. Informing the Public
The first part of the solution is to create awareness about the existence of
fraud schemes. This is a task for governments, financial institutions,
specialized organizations, media and security companies all over the world.
Whereas this partly helps for phishing and pharming, it does not prevent
man-in-the-middle attacks. But, at least, it will make people more careful,
and responsible, about the kind of crucial information they sometimes share
online with strangers.
2. Strong User Authentication
Static passwords are just not suited to be used on an open channel such as
the Internet. The solution is the use of technology that calculates
e-signatures for secure transactions and one-time passwords for secure
login.
There are several different modes in which VASCO’s VACMAN and Digipass
strong authentication can be used. Some of the most important
functionalities are:
1. Time-based one-time passwords
2. e-Signature Functionality
3. Host/website authentication
The ‘basic’ application, time-based one-time passwords, puts the fraudster
under extreme time pressure, making it impossible to work in batch. This
way, the perspective of a profitable scheme melts like ice in the sun.
Digipass e-signatures and host/website authentication make all of the
above-mentioned fraud schemes virtually impossible. Even if a man-in-the-middle
gets hold of a digital signature used by an end user to do a transaction, he
can’t re-use it. The transaction data cannot be altered, or the bank will
refuse to execute the transaction. Recycling of signatures is impossible. A
new digital signature is required for every transaction.
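The property described above (a signature bound to one transaction's data and usable only once), shown as an added example that is not VASCO's Digipass algorithm or code from the original article. It assumes a generic HMAC-SHA256 construction with a per-token counter; the key, account strings and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # shared by token and bank (assumption)

def sign_transaction(key: bytes, counter: int, account: str, amount_cents: int) -> str:
    """Token side: derive a typeable code bound to the counter and the transaction data."""
    # JSON array encoding keeps field boundaries unambiguous.
    msg = json.dumps([counter, account, amount_cents]).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"  # 8 decimal digits

class Bank:
    """Bank side: recomputes the code and remembers the highest counter accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def verify(self, counter: int, account: str, amount_cents: int, code: str) -> str:
        if counter <= self.last_counter:
            return "rejected: signature already used"
        expected = sign_transaction(self.key, counter, account, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "rejected: data does not match signature"
        self.last_counter = counter  # a new signature is required next time
        return "accepted"

def demo() -> list:
    """Run the three cases from the text against one bank instance."""
    bank = Bank(DEMO_KEY)
    payee, amount = "PAYEE-ACCOUNT-CONSTRUCTED", 25000
    code = sign_transaction(DEMO_KEY, 1, payee, amount)
    return [
        # Man-in-the-middle swaps the destination account but keeps the code.
        bank.verify(1, "OTHER-ACCOUNT-CONSTRUCTED", amount, code),
        # The unaltered transaction arrives.
        bank.verify(1, payee, amount, code),
        # The same signature is presented a second time.
        bank.verify(1, payee, amount, code),
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A code this short is only safe when the bank also limits the number of failed attempts per account.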
Host/website authentication allows the end-user to check the authenticity of
the website he is visiting, by authenticating his bank. Again, the
phisherman’s net will be empty.
Conclusion:
Phishers, pharmers, men-in-the-middle and Trojans take advantage of the use
of static secure information on the Internet. Although 100% security does
not exist, we can securely state that the combination of an informed public
and the use of strong authentication is a simple and cost-effective answer
to online fraud schemes.
About VASCO: VASCO is the number one supplier of strong
authentication and e-signature solutions and services. VASCO has established
itself as the world’s leading software company specialized in Internet
Security, with a customer base of over 5,300 companies in more than 100
countries, including close to 850 international financial institutions.
VASCO’s prime markets are the financial sector, enterprise security,
e-commerce and e-government.
Copyright © 2004 American Electronics Association. All rights reserved.