CAN STRONG AUTHENTICATION SORT OUT PHISHING AND FRAUD?
Organized criminals have realised (precisely because they are
organized) that phishing and identity theft can be carried out
over an extended period, by piecing together snippets of
information from separate attacks for a final sting. For
example, logging on using an authentication token will
neutralize password stealers, but the very presence of a token
authentication request can make an ideal trigger for spyware,
especially if its goal is to build up a pattern of your on-line
behaviour by monitoring your financial transactions.
This paper traces the recent evolution of malware techniques
in response to technological changes in our security regimes,
and proves once again the old cliche that the price of freedom
is eternal vigilance. The Bad Guys are out to get us, and if they
can turn our defences against us, even in the slightest way,
then they surely will.
Q. Can strong authentication sort out phishing and fraud?
A. No.
Q. Hmm. That makes for a rather short paper, don’t you think?
A. Yes.
Q. Could you go into a little more detail?
A. These days, a lot of phishing is orchestrated, or at least
assisted, by malicious code somewhere in the network. This
means that solving the problem of malware is effectively a
necessary part of solving the problems of phishing and fraud.
(When we say ‘fraud’ in this paper, we mean on-line fraud
against users conducting business via their PCs. We do not
mean other sorts of financial fraud such as credit card abuse or
kiting.)
But solving the malware problem is hard – indeed, it is