Phishing (http://en.wikipedia.org/wiki/Phishing) is a form of fraud aimed at stealing private information such as account credentials. It relies on social engineering (http://en.wikipedia.org/wiki/Social_engineering_(computer_security)): the fraudster builds web pages that imitate the sites of real banks, financial institutions or other companies, then intercepts genuine users and directs them to these bogus pages, which look and behave exactly like the original website.
The number of phishing attacks keeps growing despite the efforts of security vendors to reduce it. RSA Security publishes monthly phishing attack reports on its official website: http://www.rsasecurity.com/phishing_reports.asp. A further problem is that victims tend to conceal successful attacks, since admitting one is a serious threat to the company's reputation, so the published statistics understate the real figure.
A classic phishing attack proceeds as follows. Suppose a fraudster wants the confidential data that grants access to the account management area of bank X's website. The fraudster must lure the victim to a false website that is a copy of bank X's site, so that the victim enters his or her login and password believing it is the real bank. With those credentials the fraudster logs in to the genuine site and gains full control of the victim's account.
Protecting against phishing is difficult and requires a combined approach. It usually means reexamining the existing way clients work with the site and making the authorization process more complex; the client is subjected to additional inconvenience and the company spends a lot of money to protect itself. That is why companies often decline to go this way. The key factor in preventing phishing attacks is a verification step that is reliable, widely available, cheap and easy to use. Automated telephone verification is such a step: it adds a second factor, possession of the phone number registered with the bank, so that a password captured on a bogus site is not sufficient on its own.
Several Service Providers, such as ProveOut.com, offer an inexpensive, easy-to-integrate and effective solution of this kind: verification via telephone. The verification is processed instantly, with no operator involved.
Let us examine what happens if telephone verification is applied to the attack described above. A single step is added to the authorization procedure on the bank's website: a phone call to the customer's previously stored phone number.
As soon as the customer enters a correct login and password, the bank sends the Service Provider a request containing the customer's stored phone number and a randomly generated code. The Service Provider calls that number, dictates the code passed by the bank to the customer and hangs up. The customer enters the code in the corresponding field and only then proceeds to the restricted access area. Two details matter for this to work: the phone number must come from the bank's own records, never from anything the user submits during login, and the code should be produced by a cryptographically secure random generator, be valid for a short time and for a single use, and allow only a small number of wrong attempts.
Service Providers route the calls over VoIP, which keeps the cost of a single verification call low. If calls to particular destinations are considered too expensive, the service can be used selectively, e.g. a verification call is placed only for account operations such as transfers, not for every login. With this additional security measure a captured login and password alone no longer gives the fraudster access to the account, so the classic phishing attack described above fails. Note that the call does not protect a victim who is persuaded to read the code back to the attacker, or a bogus site that relays the code to the real site while it is still valid; the short validity window and single use limit, but do not remove, that exposure.
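The bank side of the procedure described above (password check, random code, call to the stored number, code confirmation), together with the selective use of calls for account operations only, as an added example that is not code from the original page or from ProveOut.com. The customer record, the phone number and the CallProvider class are constructed assumptions; the real Service Provider's API is not described on the page, so the stand-in only records which number it was asked to call and which code to dictate.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample customer record. The phone number is the one the bank
# stored out of band when the account was opened; the login form never
# supplies it, so a phisher who captured only the password cannot redirect
# the call. The password is kept as a salted PBKDF2 hash, never in clear.
_SALT = b"constructed-demo-salt"


def hash_password(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


CUSTOMERS = {
    "alice": {"pw_hash": hash_password("correct horse"), "phone": "+15550100"},
}

# Selective use: only these operations trigger a (paid) verification call;
# read-only operations proceed on the password alone.
CALL_REQUIRED = {"transfer", "change_details"}


class CallProvider:
    """Hypothetical stand-in for the Service Provider's call API (assumption:
    the real API is not shown on the page). It only records the call it was
    asked to place: the phone number and the code to dictate."""

    def __init__(self):
        self.calls = []

    def call_and_dictate(self, phone, code):
        self.calls.append((phone, code))


class ManualClock:
    """Controllable clock so that code expiry can be exercised offline."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class BankLogin:
    CODE_DIGITS = 6
    CODE_TTL = 120       # seconds the dictated code stays valid
    MAX_ATTEMPTS = 3     # wrong guesses before the code is discarded

    def __init__(self, provider, clock=time.time):
        self.provider = provider
        self.clock = clock
        self.pending = {}  # user -> {"code", "expires_at", "attempts_left"}

    def begin_login(self, user, password, operation):
        """Step 1: check the password. Returns 'denied', 'granted' (no call
        needed for this operation) or 'call_placed'."""
        record = CUSTOMERS.get(user)
        # Hash even for unknown users so timing does not reveal valid logins.
        stored = record["pw_hash"] if record else hash_password("")
        if not hmac.compare_digest(stored, hash_password(password)) or record is None:
            return "denied"
        if operation not in CALL_REQUIRED:
            return "granted"
        # Step 2: CSPRNG code, bound to the phone number from the bank's records.
        code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_DIGITS))
        self.pending[user] = {
            "code": code,
            "expires_at": self.clock() + self.CODE_TTL,
            "attempts_left": self.MAX_ATTEMPTS,
        }
        self.provider.call_and_dictate(record["phone"], code)
        return "call_placed"

    def confirm_code(self, user, entered):
        """Step 3: compare what the user typed with the dictated code. The code
        is single-use, expires, allows a bounded number of guesses, and the
        comparison is constant-time."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry["expires_at"]:
            del self.pending[user]
            return False
        entry["attempts_left"] -= 1
        ok = hmac.compare_digest(entry["code"].encode(), entered.encode())
        if ok or entry["attempts_left"] <= 0:
            del self.pending[user]  # consumed, or too many wrong guesses
        return ok
```

In a deployment the pending entries would live in the session store rather than a dictionary, and the provider call would be a network request; the structure stays the same. A login that returns "call_placed" must not grant any access until confirm_code succeeds, which is the whole point of the extra step.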