While there currently seems to be a nice lull in new widespread
vulnerabilities and viruses, we can't say the same for phishing scams, which are still on the rise.While phishing may appear to be a threat that primarily affects individual users, it also poses a major problem for businesses, both directly and indirectly. The goal of most phishing attacks is to obtain personal information from an individual.
However, some scams are beginning to target business credit information — companies are often a better target because they have more money. Businesses are accustomed to paying an invoice when they get it without doing much research. In fact, this is an old scam: Just mail out a bunch of invoices using a professional-sounding name, and many companies will just send a check. This means that even seemingly harmless information about billing cycles and sample invoices can pose a threat.
As phishing increases, consumers are becoming more leery about giving out personal information online, which negatively affects confidence in online buying — just as companies are turning to the Internet for an increasingly significant proportion of their sales. This change in attitude is having a measurable impact. According to Forrester Research, 600,000 online banking users in the UK have turned their backs on online banking due to the phishing threat.
And according to BBC, 90 percent of American computer users have changed their online habits due to a fear of spyware. This includes changing browsers, dropping file-sharing software, and even avoiding some Web sites.
Given that number, how can this fail to affect online sales? Any way you look at it, this can't be good news for companies.
In an effort to fight back, California recently became the first state to actually make phishing a crime that you can sue over. On September 30, 2005, Governor Arnold Schwarzenegger signed the nation's first anti-phishing bill. As hard as it may be to believe, until the new law went into effect, there was little or nothing you could do about phishing — even if you caught someone red-handed trying to steal your personal information.
The California Anti-Phishing Act of 2005 finally made it a civil offence to take any action to induce people to disclose personal data by falsely representing themselves as doing so for a business. The law included fines of $2,500 for each violation, and it lets victims sue for actual damage or $500,000 per violation, whichever is greater.
But the new California law is too narrow in its definition of phishing, and it doesn't apply to malware-based phishing. In addition, it poses little if any concern for any attacker not based in the state. However, it may trigger action in other states, in much the same was as other pioneering California privacy laws have.
US Senator Patrick Leahy introduced a similar bill to Congress in February 2005, but the proposal has received little attention. Leahy's proposed bill would make it a federal crime even to create a fake business site that spoofs a legitimate business or to attempt to obtain personal information via email. The bill provides specific protection for parody sites and includes other First Amendment protection.
And while the number of new security vulnerabilities and serious virus threats has remained very low recently, two-thirds of companies have suffered "significant" financial costs associated with IT failures in the last year, according to ZDNet UK sister site ZDNet UK sister site silicon.com. One-third suffered damage due to direct phishing and hacking attacks.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles.
Talkback
An innovative technique, designed by a psychologist in conjunction with an information-security expert, was recently introduced to help companies prevent their customers and employees from falling prey to phishing, pharming, identity theft, and online fraud.
The system, Identity Cues, which leverages a unique combination of psychology and technology to make obvious to users whether they are communicating with an organization's legitimate online presence or with a phony site set up by a criminal, has already begun to impress technical experts with its powerful, yet straightforward, approach.
A recent research-analyst report:
http://www.ovum.com/go/content/c,57016
Editorial from the editor-in-chief of Network World (As he put it "Sometimes the easiest answers are the best") --> http://www.networkworld.com/columnists/2005/062705edit.html
Short Article -->
http://www.net4now.com/isp_news/news_article.asp?News_ID=3160
Our Website --> http://www.greenarmor.com
Identity Cues offers major advantages over earlier anti-phishing offerings from usability, security, implementation, and maintenance standpoints. For example, there are no extra steps during the login process, and, even if people do not make a conscious effort to use the anti-phishing/anti-pharming system, the system can still be effective at protecting them. Users don't have to download/install any software, carry any security devices, register for any services, or memorize any extra secrets.