Saturday, October 11, 2008

Fun Times for Phishing

The credit crisis is doing interesting things to computer crime. One might have predicted that a background of banks crashing, closing access to depositors and being bailed out would be seventh heaven for phishing emails, with users failing to distinguish real reassuring emails from fake ones in the confusion. And so it has transpired - with Chase, Wachovia and Bank of America among the most popular targets with scammers, according to the US's watchdog, the FTC.

But of course what are you phishing FOR? As credit dries up, the old standby of stealing personal ID so as to apply for limitless amounts of credit loses its efficacy. Soon, the days of easy credit cards will be gone. So instead, phishing attacks have switched from ID theft to faking credentials to allow withdrawals from existing accounts. This is interesting - surely such attacks should be more visible than plain old ID theft? Would this not be a good time to look at banking security and supervision with a view to automatically spotting upsurges in microwithdrawals from multiple accounts?

The HL recently reiterated its call for banks to be legally held liable for phishing losses to bank accountholders. At the moment, despite the lack of mandatory control, banks usually, though not universally, pay up. As margins tighten and liquidity disappears, and as phishing attacks mount (already up 180% in the UK from January to June 08 compared to the same period in 2007, according to Apacs), it will grow ever more tempting for banks to find ways to get out of reimbursing phishing losses, e.g. by claiming that users failed to take adequate security steps. Considering the imbalance in technical knowledge and control between banks and users, this must be resisted. Phishing liability needs to be put on a legal basis, and soon.

1 comment:

Anonymous said...

Ivan Pearce has just done a series of podcasts on phishing and the anti-laundering regs for CPDcast.com