The Real Phishing Threat – Your Customer Data
By John Jaser
Are you frightened by phishing attacks? Given the media attention and the frequency of e-mails claiming that your PayPal account has been compromised (even if you don’t have a PayPal account!), the hairs on your neck are probably at full attention right now.
Let’s peel away the hype and examine the most critical factor in every phishing attack: the e-mail invitation to your customers to share their debit card numbers and PINs with fraudulent protectors of financial information.
The vast majority of the time, the intended victim has no relationship with the community bank or credit union represented by the phish. In fact, attacks against small to medium-sized financial institutions whose customers largely reside within the same state are far more likely to fail than succeed.
In order for the attack to be effective, perpetrators need to harvest e-mail addresses of real account-holders at the targeted institutions. Without that list, the phishers are limited to the same list-generating techniques used by spammers: random address generation, hijacking of computerized address books, and scraping the Internet and newsgroups for addresses.
For spammers, these methods actually produce results since there is a trifling chance that at least one person would be interested in the merchandise. The potential buyer need not have any pre-existing relationship with the spammer in order to buy the goods. That’s not the case with phishing.
A recent simultaneous phishing attack against community banks in Connecticut, Pennsylvania and Georgia generated 750 e-mails and netted a mere 93 visitors. Of those 93, only 29 came from the same state as the bank. The number of actual responses was smaller still (22), and many of those came from people investigating the attack.
More significant than the paltry response was the strange spread of the phishing e-mails. Some landed in South Korea, others in the mailbox of a State of Connecticut employee. Surely, this attack was a random broadcast at best. The result was a rapid takedown of the site that pumped out the phishing e-mails, as well as of the fraudulent bank sites.
IF IT LOOKS LIKE A PHISH …
Enough people recognize phishing e-mails these days that banks receive alerts within minutes of a phish. If the bank pays attention to these warnings, the attack can be shut down in a couple of hours. In this case, the phish was cooked in two hours and 15 minutes.
Reflecting on this incident, it becomes apparent that our challenge as bankers is not only with the phish, but with the e-mail list used by the phishers. For that reason, financial institutions need to be relentless in securing their information assets.
Consider the highest profile data breaches. Most have occurred outside the walls of financial institutions. A courier loses a data tape. A data server gets hacked. A “listening” routine on an Internet server quietly accumulates your customers’ account numbers and e-mail addresses. Shortly thereafter, a more targeted phish hits your customer base, and this time, the response rate and the damage are significant.
Today’s financial institution needs to regard every database as a key asset and every person and computer that touches that information as a potential risk.
LEAVE NO DATA UNTURNED
• How does information get to the server? Is it collected and transmitted in a secure manner? Can you prove it?
• How is the information stored on the server? Is it encrypted? Is it backed up? Who has access to the backup information?
• Is your backup off-site? How does the information get there? Who has access to the off-site location? Who monitors that site to ensure that no one compromises the information?
• Does anyone scan your production servers (on-site or off!) for exploits, back doors and other vulnerabilities? There are thousands of compromised servers on the Internet – yours should never be among them!
Should you worry about the current state of phishing? Yes – for two reasons: First, every breach is material, even if it’s only one unwitting response out of 750 blind phishing attempts. Dollars and reputation can be lost all too quickly. Second, there will eventually be a phishing attack using high-quality data. Your financial institution needs to use all means available to prevent that from happening.
John Jaser is an Internet services manager for Avon, Conn.-based COCC Inc. (www.cocc.com), a 38-year-old firm specializing in outsourced information technology and support and an NJBA Service Corp. sponsoring company. He can be reached via e-mail at email@example.com. This article originally appeared in the Feb. 13, 2006, issue of Banker & Tradesman.