Phishing, Account Hijacking Myths Exposed

One of the challenges facing internet users today is the growing problem of account hijacking, also called “phishing”. Phishing is the fastest growing type of identity theft and is the type most common on the internet. Typically, phishers use e-mails or other means to lure victims to counterfeit websites where they are tricked into divulging financial and other confidential data such as credit card numbers, account IDs, passwords, and social security numbers. Consumer and business losses in 2004 resulting from phishing are estimated to exceed five billion ($5,000,000,000) US dollars.

Another of the challenges facing internet users today is debunking the many myths regarding phishing.



“My bank account is insured by the FDIC, so I will get my money back if it is stolen by phishers”.


Many consumers mistakenly assume that if their bank account is insured by the Federal Deposit Insurance Corporation, they will be reimbursed for losses due to fraud or theft. In fact, FDIC deposit insurance only protects bank accounts up to $100,000 if the bank or savings institution FAILS, not if the funds are simply stolen. Like mutual funds, investments, and safe deposit boxes, losses due to fraud and theft are NOT covered under FDIC deposit insurance. Some banks elect to cover such losses out of their own pockets or they may purchase a form of insurance called a banker’s blanket bond from which they may cover the losses. Other banks offer no reimbursement of any kind to their customers. If you want to know whether or not your bank account is protected against loss due to phishing or account hijacking, you must inquire at your individual bank and don’t believe the ill-informed teller who says, “oh yes, it is covered under our FDIC insurance”. For additional information on what is and is not covered by FDIC insurance, you can read the FDIC brochure, “Insured or Not Insured” found on the FDIC website:


“As long as I don’t open any unknown email, I can’t become a victim of phishing”.


While it is true that most phishing scams involve the use of fraudulent email (called “spoof” email), this is not always the case. The fastest growing form of identity theft on the internet, growing at an even faster rate than traditional phishing, is a type of theft called “pharming”. Pharming is the exploitation of vulnerabilities in DNS servers, the machines responsible for resolving internet names into their real addresses. Phishers exploit these vulnerabilities to redirect their victim’s browser away from the desired website to their own malicious website. This can be accomplished without relying on a victim clicking the link in a spoof email. In the most insidious form of pharming, an attacker infects the victim’s computer with auto-redirection software, typically through a virus, a file downloaded from a questionable website, or even scripts hidden on a malicious webpage. The victim is then quietly redirected to the phisher’s fraudulent website every time they type the authentic website address into their browser’s address bar or select it from their browser’s “favorites” menu. When pharming is combined with URL masking techniques (substituting an apparently valid website address for the actual fraudulent website address in the browser address bar), the victim has no way of realizing they are not visiting the authentic webpage, but are, instead, visiting a phishing website.
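The local auto-redirection described above is most often implemented by pinning a legitimate site name to an attacker-controlled address in the machine's hosts file, which the resolver consults before DNS. The following is an added defender-side check, not code from the press release or from Sestus Data: it parses hosts-file text (a constructed sample is embedded) and flags any monitored domain that has been pinned, distinguishing loopback pins (blocking) from pins to other addresses (redirection). The domain names and the address in the sample are assumptions, constructed for the example.

```python
"""Detect hosts-file pinning of monitored sites (added example, constructed data)."""
import ipaddress

# Hypothetical domains a defender wants to watch; constructed for this example.
MONITORED_DOMAINS = {"www.examplebank.test", "login.examplebank.test"}

# Constructed sample hosts-file content with one hijacked entry.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost
# Suspicious: bank sites redirected to an external address
203.0.113.45  login.examplebank.test  www.examplebank.test
"""


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line: skip, do not crash
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def find_hijacked(text, monitored=MONITORED_DOMAINS):
    """Report every monitored domain that the hosts file pins to a fixed address.

    A public website never needs a hosts-file override on a consumer machine,
    so any pin is suspicious.  Loopback pins are labelled "blocked" (the site
    becomes unreachable); anything else is labelled "redirected", which is the
    pharming case where the browser is silently sent elsewhere.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name in monitored:
            kind = "blocked" if addr.is_loopback else "redirected"
            findings.append({"domain": name, "address": str(addr), "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in find_hijacked(SAMPLE_HOSTS):
        print(f"{finding['kind']:10s} {finding['domain']} -> {finding['address']}")
```

On a real machine the text would come from the platform hosts file (`/etc/hosts` on Unix-like systems, `%SystemRoot%\System32\drivers\etc\hosts` on Windows); the check deliberately reports loopback pins separately, because security tools sometimes pin known-bad names to 127.0.0.1 on purpose and those should not be confused with redirection.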


“My firewall and anti-virus software will protect me from phishing websites”.


In fact, firewall and anti-virus software offer very little protection against phishing. They may help prevent you from inadvertently downloading or becoming infected with pharming auto-redirection software, but they offer no protection against you being tricked into visiting a phishing website.


“I’m too smart to be fooled or caught by a phishing scam”.


The Federal Trade Commission reported in December of 2004 that almost 2 million U.S. adult Internet users experienced some form of phishing fraud during the 12 months ending April 2004, equivalent to 10% of all the U.S. households with a computer. The Anti-Phishing Working Group reports 2625 new phishing websites were spawned in February 2005 alone and phishing attacks grew by 4000% between 2004 and 2005. Statistically, more people became a victim of phishing last year in the United States than filed for bankruptcy or graduated from high school. More people became a victim of phishing last year in the United States than are serving in all branches of the United States armed forces combined. (Source: US Census Bureau


“There are plenty of anti-phishing solutions available. I read about new products being announced almost daily.”


Until recently, there have been few solutions to combat phishing. Internet Service Providers (ISPs) and other companies have experimented with various forms of "filtering" or "blocking" software or hardware to try to shut down phishing webpages before they reach consumers. Software companies have spent enormous sums of money attempting to develop software or browser-based solutions.

On Dec 14, 2004, the U.S. Federal Deposit Insurance Corporation (the FDIC) published a study presenting their findings on how the financial industry and its regulators could mitigate the risks associated with phishing. In this report, the FDIC identified two root causes for the problem of phishing: 1) user authentication by the financial services industry for remote customer access is insufficiently strong, and 2) the internet lacks website authentication capabilities. Virtually all of the anti-phishing “solutions” recently announced in the press fail these two FDIC tests. Some simply look up IP or other domain “whois” records and calculate risk. Some rely on databases of blacklisted websites and selectively permit or block access based on company-defined filtering rules. Others enhance an existing weak login process with additional layers of images, audio recordings, or other user-supplied information. Strictly speaking, none of these approaches actually uses approved strong authentication methods to authenticate the websites themselves, which is the root cause of phishing.

In fact, of all the anti-phishing solutions recently announced in the press, the only one that actually employs an approved strong authentication method to authenticate the website itself is PhishCops by Sestus Data Corporation. PhishCops uses algorithms approved by the U.S. Dept of Commerce for use in authenticating sensitive data and applies these algorithms to proactively authenticate websites using a 100% web-based approach. It does not rely on any database of ‘blacklisted’ phishing websites, filtering rules, additional login process layers, or on potentially fraudulent ‘whois’ or IP records.

PhishCops is patent-pending and Sestus Data Corporation reports that they are negotiating with a number of “significant” financial entities regarding implementation at this time. Launch of the product as an online service is scheduled to begin later this year and will be free for users and fee-based for businesses. The company has been accepting reduced-fee early-signup requests from online businesses for several weeks and will begin permitting users to register online shortly. In addition to being free for users, PhishCops user accounts will be completely anonymous and users will not be required to disclose any personal information during registration, not even their name or email address. Once registered, a user’s PhishCops User ID will be valid at all participating websites.

Sestus Data Contact Info:

Media Relations, Sestus Data

[email protected]

Fax: (866) 621-1885

# # #
