Phishing Among Phriends
By Ravi Ganesan
Phishers have hit the online world because, as bank robber Willie Sutton famously said, “that’s where the money is.” While all online enterprises are threatened, no sector has been harder hit, with more to lose, than financial services. And within the financial services sector, your friendly neighborhood credit union is emerging as the most tender of targets.
Credit unions and their members have a special trust relationship not found in larger banks. Unfortunately, in today’s world this is being turned into a liability. It can actually make unsuspecting folks even more vulnerable to phishing and other fraud than they might be in a larger institution, because they see credit unions as a particularly trusted source. Further, because credit unions are often smaller than their for-profit counterparts, they have more to lose financially if members start bailing because of security breaches.
Not to mention the harmful impact to their reputation.
The first step in protecting against phishing is to understand more about how phishers work. Phishers are most commonly known for using e-mail to fool your members. Newer attacks include “malware” that logs keystrokes or changes the site the browser goes to when the credit union’s URL is typed in.
Other phishers lure end users to a proxy site and play “man in the middle”—meaning that all traffic, including login and password information—goes through the fake site. The phisher is after two things: to steal identity data they can use to apply for a fake credit card (to get money) or to steal a password so they can log on as that user (again, to get money).
A recent Information Week article reported a 633 percent increase in attacks aimed at small and midsized banks and credit unions since January 2005. An immediate and easy-to-implement first step to protect against phishing is to stop including links back to your site in any e-mail communications with customers and let them know what’s behind the policy change. Even so, many users will still be fooled. A lot of time, money and effort have gone into building trust in your brand; don’t let the phishers ruin that equity.
Here’s what you can do now, before major damage occurs:
- End-User Training. Ideally we’d all like to keep users from going to phishing sites in the first place, but let’s face facts. That user sees your brand and trusts it. That’s why phishing works. So, start training your members now to be wary of e-mail that looks like it came from your institution, but has grammatical or other errors. Tell them now—early and often—that you would never e-mail them asking for their password, credit card number, ATM card number and PIN or Social Security number. Tell them that if they do receive an e-mail asking for that information, it is by definition a fraudulent attack. The message should be deleted immediately and definitely is not to be opened. In many cases, opening up an e-mail is all a user has to do to enable Trojans and other malware to install on his or her computer.
- Use Stronger Authentication. If your member does get lured to a phishing site, make what the phisher gets useless. You’d never leave a vault open for anyone to enter—treat your online services the same way. Using just a password is like securing your vault with a bicycle chain. Also, you need different locks for different things: The front door on one of your branches should have a different lock than the vault. Look for an authentication system that understands this, allowing you to balance the strength of security with cost and usability. Strong authentication often has a bad reputation for poor usability, but much has changed in the last five years. New solutions are nearly invisible to users, and the uptick in downloads for anti-virus, anti-spyware and other applications indicates consumers are becoming more security aware.
- Check Transactions for Fraud. Even after you’ve done all you can to keep the bad guys out, it’s worth using fraud detection software to gauge the risk of a particular transaction. Good fraud prevention software will complement strong authentication by providing another layer of security—such as requiring the user to answer a series of secret questions that only they know the answer to—when it identifies a suspicious-looking transaction.
- Kill the FUD. As critical as it is for credit unions to fight phishing attacks, it is just as important to eliminate any FUD (fear, uncertainty and doubt) members, employees or business partners may be experiencing. Use common sense in thinking through which measures will help with which part of the problem. When working with security solutions providers, have them partner with you not just on implementing their technology but on helping you to clearly communicate how the technology fits into your overall online security strategy. Take the time to ask a lot of questions and get educated on the differences between various types of authentication, what real-world scenarios each flavor of authentication would work best in, and why.
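The “Check Transactions for Fraud” item above describes risk-based step-up: fraud signals on a transaction decide whether the password alone is enough or whether the member must clear a second layer such as secret questions. The following is an added illustration, not code from the article or from any vendor’s product; the signals, weights, thresholds and member data are constructed for the example.

```python
# Added example, not from the article: a minimal risk scorer that decides
# whether a transaction proceeds on the password alone, triggers a step-up
# challenge (e.g. secret questions), or is held for review. All weights and
# thresholds below are constructed for illustration, not tuned values.

# Each signal present adds its weight to the transaction's risk score.
WEIGHTS = {
    "new_device": 30,        # device never seen for this member before
    "new_payee": 25,         # first transfer to this recipient
    "large_amount": 25,      # more than 3x the member's typical transfer
    "foreign_country": 30,   # session country differs from member's home
}
STEP_UP_THRESHOLD = 50   # challenge with secret questions / second factor
REVIEW_THRESHOLD = 90    # hold the transaction for manual fraud review


def risk_signals(profile, tx):
    """List the fraud signals a transaction triggers against a member profile.
    profile: {"devices": set, "payees": set, "typical_amount": float, "country": str}
    tx:      {"device": str, "payee": str, "amount": float, "country": str}"""
    signals = []
    if tx["device"] not in profile["devices"]:
        signals.append("new_device")
    if tx["payee"] not in profile["payees"]:
        signals.append("new_payee")
    if tx["amount"] > 3 * profile["typical_amount"]:
        signals.append("large_amount")
    if tx["country"] != profile["country"]:
        signals.append("foreign_country")
    return signals


def decide(profile, tx):
    """Return (action, score, signals); action is allow, step_up or review."""
    signals = risk_signals(profile, tx)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= REVIEW_THRESHOLD:
        return "review", score, signals
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, signals
    return "allow", score, signals


if __name__ == "__main__":
    member = {"devices": {"dev-1"}, "payees": {"electric-co"},
              "typical_amount": 200.0, "country": "US"}
    # Routine bill payment from the usual device: password alone suffices.
    print(decide(member, {"device": "dev-1", "payee": "electric-co",
                          "amount": 180.0, "country": "US"}))
    # Same password used from an unknown device to a new payee: step-up.
    print(decide(member, {"device": "dev-9", "payee": "new-acct",
                          "amount": 250.0, "country": "US"}))
```

The point is that a stolen password alone no longer completes the risky transfer: the unknown device and new payee push the score past the step-up threshold, so the phisher is asked for something the phished e-mail never captured.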
As a final note, user education will not keep some people from falling for these scams, and the scams won’t go away as long as the phishers make money. However, there are practical, affordable and manageable measures you can take to protect the brand that is so important to your institution and your membership. Your members have always felt as though you protect them better and care about them more than a huge multi-national bank does or would—and there’s absolutely no reason for that not to continue.
Ravi Ganesan is the founder & CEO of TriCipher Inc. He can be reached at 650-372-1300 or via e-mail at ravi@tricipher.com.