Phishing - what's to be done

A recent Gartner Group study estimated that US banks lost $1.2 billion last year through phishing attacks.  (If you have been on Mars and don’t know what this is - it’s where you get a fake email, apparently from your bank, that sends you to a site where you are induced to enter your bank password.)

This is not new.  The technique is called a Trojan Horse and it has been around as long as there have been computer hackers.  The difference is that a business-to-business fraud has now reached the consumer market, and the scale of the problem is frightening.

I don’t think it is enough to rely on education.  New consumers are being born every day, and the concept is sufficiently difficult that a high proportion will switch off when you try to explain it to them.

So security people are now turning to traditional remedies for a traditional problem.  The fact of the matter is that logins and passwords are no good if you really, really want to be secure.  Changing your password every month, and making the password 8 characters of gobbledygook (as demanded by my bank now), won’t help.  In fact that sort of thing only means you can’t commit the password to memory and have to write it down, which opens up another security hole.  Which reminds me: I wrote a very strong letter to my bank at the time, to which they never replied.

Unfortunately, once you get away from logins and passwords you enter the realm of hardware:

  • A gadget that gives you back a one-time password which you transcribe onto the bank login screen (Ughhhh!) - maybe driven by your chip and pin card.
  • A token - normally these days a small USB gadget, which you plug into your PC and which confirms you are you.
  • A smart card reader in your PC which you put your chip and pin card into - probably also USB these days.

Once we enter this realm we also have the possibility of using the chip and pin concept to validate any e-commerce transaction.  This will mean a massive rewrite of a lot of e-commerce software, but I can see it coming.

About a decade ago I rubbished the concept of SET.  The banks spent millions developing a concept whereby all e-commerce transactions were to be digitally signed using your credit card in a smart-card reader on your PC.  The whole thing was wildly impractical, a bit like e-conveyancing now.  It didn’t stand a chance.

But maybe I was wrong.  Maybe the SET concept was OK, just ten years too early.  Will I be wrong on e-conveyancing as well?  Unthinkable.


Posted by textor, 19 Aug 09:20