Phishing is a very serious problem that we face. Popular banks are often the biggest targets. What methods can a bank website use to protect its self from phishing attacks? What security systems should someone use to protect themselves? Why do these methods work?
6 Answers
I am assuming that the bank wants to protect its customers from phishing. (Not its employees; that's a different problem, and if you want to know about that, you should ask that one separately in a different question.)
The bank should take several steps:
Avoid emailing out links to the site. Go clobber the marketing team and get them to quit doing that.
Don't rely too much on passwords. Use machine authentication, too. For instance, you might use a secure persistent cookie, a Flash cookie, or some kind of fingerprinting of the user's browser and machine. Passwords are inherently insecure against phishing. The advantage of machine registration is that it authenticates the user's browser with a secret the user doesn't know. If the user doesn't know the secret, the user can't be tricked into revealing it. With the combination of machine authentication plus a password, the machine authentication does most of the authentication work, and the password just enables one to distinguish between the user and their roommate/spouse/child/etc.
- Don't rely upon challenge questions to authenticate the user when the user logs in from a new computer. Studies have shown that phishing sites can capture the answers to challenge questions, just like they do passwords. Consider other methods of registering a new machine, e.g., email-based authentication.
Use back-end fraud detection methods, to detect malicious use of a stolen password. You can look at whether this is a type of transaction the user has performed before, to a payee they have transacted with before, whether the amount is large or not, whether the user IP address and geographic location and browser fingerprinting looks like one that has been seen before, and many other statistical measures.
Participate in anti-phishing working groups. Work to take down phishing sites quickly. Support use of phishing blacklists in users' browser. If a user logs in with a browser that is so old that it doesn't support a phishing blacklist, give the user a message that encourages them to upgrade their browser and gives them an easy link to do so.
- Participate in anti-fraud working groups, and pressure the banking community to shut down global banks that facilitate online crime. A recent study found that just 3 banks accounted for monetization of 95% of spam; if those 3 banks were shut down or cracked down on spammers, we might see a huge decrease in spam. There is reason to believe that a similar phenomenom may hold for other elements of the underground economy, too. Making cybercrime less profitable will benefit bank security across the board (not just in phishing), so is a promising angle.
Use site-wide SSL for the entire site and your entire online presence. Buy an EV cert. This gives users an extra cue (the green glow) that may help some alert users notice when they are under attack.
Enable Strict Transport Security (HSTS). This tells browsers to only connect to you via HTTPS. Paypal uses it. You should too. It is supported in recent versions of Firefox and Chrome.
Don't put padlock icons on your pages (e.g., positioned next to login forms), or otherwise spoof chrome elements in the content of your page. When you do that, you are training users in a way that makes phishing attacks easier.
Digitally sign all email sent to customers. There is some reason to believe that most customers have software that can check these signatures, and the signatures won't cause problems for the software that doesn't check the signature. (Thanks to @AviD for this suggestion.)
Don't use SSNs for authentication anywhere in your business. Make it less valuable for phishers to steal SSNs and other personal information.
- 98,420
- 30
- 267
- 572
-
2Nice list. It would help to separate out those suggestions that help individual banks from those that really need wider support from the industry before most individuals learn to be suspicious of the practice in general. E.g. if a user's last bank frequently sent out links to their site, or challenged the user for their security questions, the user will probably still be susceptible to such attacks even if their new bank rarely does either. – nealmcb May 22 '11 at 20:06
-
1Very nice. One addition / change I would make, wrt emails they send out - digitally signed emails are well supported by almost all current email clients, no reason not to use them. – AviD May 31 '11 at 12:01
This is what i'd do:
- have a team of security staff to ensure all software is up to date/patched and configured correctly (the size of this team depends on the size of the organisation)
- do not allow any employee access to anything remotely dangerous unless they need it
- for those employees who do need access, think about exactly what they need (eg: in a bank, do not allow a low level employee to make transactions involving large amounts of money)
- do not give anyone who's technologically challenged access. Fire or train existing employees if you must
- if someone important like your CEO/executive is challenged, don't give him access to the network - make all his actions go through someone who understands basic security
- keep good logs of every important event on the network, it will be helpful when trying to minimise damages after a successful attack occurs
With regard to training employees about security, just asking them to read white-papers is not enough. You need to really teach them the basics of how a hacker gains access to a network, and if they don't or are unable to learn it then you should either fire them, or take away their access to anything that needs security.
- 703
- 1
- 6
- 11
The solution to phishing is most basic: Use strong mutual authentication. Cleartext passwords over unilaterally authenticated SSL do not provide this. Essentially, phishing detaches the two authentication steps, thus breaking the mutual authentication.
A simple improvement can be secure password-based authentication using PAKE protocols, such as SRP.
Another improvement that also tackles most social engineering-based attacks is to use multi-factor authentication: You can call someone and convince them to give them your secret, but try telling them to also send them their USB token. This is much harder, it does not scale well, and is more risky due to physical interaction with the victim. It is also harder for social engineering since it is not a simple spontaneous action for the victim and it feels very wrong to remove that token from your key chain and send it somewhere.
What is left then is that people try stealing personal data and credit card info. What is needed here are proper identity identicators on the client side ("This website is bank.com"), secure payment systems and most importantly common sense.
So, why is nobody doing that? People say cost and usability is the problem. But most financial institutions noticed by now that multi-factor is needed, although they tend to deploy incompatible and often vulnerable solutions. The Web crowd also finally noticed that passwords don't really scale well, so now we got password managers and federal ID. The first has rather similar restrictions as a proper smartcard-based solutions and the second one is still vulnerable. The problem is, people don't like PKI. It's too complex, too unfamiliar, even though IE and Firefox have pretty good support by now. We need systems like Skype and Jabber, where the PKI is silently bootstrapped in the background and authorization is basically done with key continuity management. And replace X509 with SPKI, to reduce procedural and implementation bugs.
- 3,536
- 14
- 14
Really, the best defence is awareness training - it has some effect but is by no means foolproof. The two big problems are:
1 - end users forget their teaching and still click on links
2 - some banks still have marketing teams who send out emails with links
The bigger global banks have got very good at phishing site takedowns, so at least this forces the attackers to use a lot more effort to get phish attacks out.
Have a look at this previous question on phishing for some more info.
update Targeted phishing, or spearfishing, is a very successful tactic for attackers, as they personalise the emails to such a level that most individuals believe they are from a trusted source. Currently the effort involved means it is still the higher value targets that are attacked, however attacks such as the recent PSN hack have provided attackers with useful information to carry out this attack on a large scale.
- 61,367
- 12
- 115
- 320
-
2Awareness training has been shown in the literature multiple times to not work. I do not suggest spending money on this -- and if a regulatory standard or compliance initiative suggest that budget be placed in this area, then I would ignore the advice and seek compensating or alternate controls. – atdre May 20 '11 at 16:43
-
Actually it does work pretty well, and we've proved that, but not for long periods, and you can't use the same training over again - it just gets ignored. – Rory Alsop May 20 '11 at 17:28
-
2"But but but ... I didn't click on any phishing e-mails, I just wanted to see the dancing hampsters, and it looked safe, it was From: my buddy Joe in the next cubicle, and he wouldn't do that!" I have yet to see a different reaction from a phished user, trainings or no trainings. Users will do *anything* to see hampsters; if the malware wanted them to compile a kernel and put it on a bootable USB stick, I'm convinced they'd do it, even when they otherwise can't learn to print from the default printer. (Bitter? Me? BTW *proved* - do you have a link to a study, or is it not public?) – Piskvor left the building May 22 '11 at 18:33
-
2@Piskvor - you get a plus one just for the hamsters. Did you see the recent Facebook phish that actually required users to copy and paste javascript into their browser bar? The study was actually internal with a couple of our clients - global banks - and it came out with some lovely graphs of stupidity/time showing the impact of various types of activity. tl;dr repeating the same type of training had lower effect every time, but varying online, video, roleplay, classroom etc worked pretty well. – Rory Alsop May 22 '11 at 19:28
-
2Yup, that's exactly what I mean; next station: bookmarklets (only one browser warning dialog, and no keyboard interaction required). Thankfully, IE9 and NoScript for FF have mitigation measures (see @EricLaw's blog: http://blogs.msdn.com/b/ieinternals/archive/2011/05/19/socially-engineered-xss-attacks-and-pasting-javascript-in-the-address-bar-in-ie9.aspx ). A graph of stupidity over time, that sure is interesting :D Pity it's not available; oh well. – Piskvor left the building May 22 '11 at 19:46
I do not believe that awareness training works.
The best way to combat phishing is to whitelist email addresses and web application content/behavior that can be accessed by users.
There are many ways to stop phishing that uses malware. What kind of phishing attacks are you interested in and maybe I can provide some additional advice?
- 18,885
- 6
- 58
- 107
On top of the suggestions given, I would also suggest getting help from MSS providers. There are few MSS providers out there that provides subscription based service that helps organization detect phishing and brand name abuse online.
An extra eye would definitely be helpful in cases like these.
- 383
- 1
- 3
- 10