Keeping Phishing At Bay!
Written by Charu Bahri   
Thursday, 11 January 2007 00:00

It came to the fore in 2003 and has since assumed threatening dimensions. We take a closer look at the technologies that can help you tackle phishing!

The past few years have seen many organisations suffer significant losses because of phishing. This has prompted a host of preventive and remedial measures. Banks are monitoring referring sites to identify visitors referred from known fraudulent sites, and are teaming up with security firms that update blacklists of hacker websites in real time. Banks use the referred party's IP address to determine whether a client using a regular PC has been the target (or victim) of a phishing attack. Visitors referred from known fraudulent websites may even be redirected to a message screen requesting urgent attention.

If, in spite of these precautions, a client does become the victim of a successful phishing attack, the bank often has no option but to move fast and seal the affected account.

Encryption and user authentication

As phishing gains momentum, a number of solutions are being developed to tackle it, for both individual and corporate users. Financial organisations are most at risk from phishing. In India, firewalls, 128-bit SSL technology, VeriSign digital certificates and two-level passwords are just some of the technologies that banks such as ICICI use to protect customers who use their online banking services.

Here’s a closer look at some of them:

SSL technology: Most financial organisations use SSL (Secure Sockets Layer) technology to scramble and then reassemble user passwords. 128-bit SSL, the most-favoured commercial convention, uses 128-bit encryption, the highest level, to transmit information. However, while SSL encrypts a password, it does not help to prove the authenticity of the website, that is, the application or entity you are communicating with. A phisher could show an https address in an e-mail whose link actually leads to a simple http site, or replicate a secure website with minor differences in the website address, and lure innocent victims.

Site-to-user authentication: Site-to-user authentication is a visible technology that uses your shared secret image or phrase to assure you of a website's authenticity. If you are a Yahoo! Mail subscriber, you would have noticed an invitation on its log-in page to customise your sign-in process. This means that every time you open the Yahoo! log-in page, you see a sign-in seal, either a code word or a photograph that only you know. This helps you to be certain that the page you are using to log in is truly Yahoo! and not a hacker's website.

However, this authentication is computer-specific—which means that any sign you create is associated with the PC you create it on. Hence, it is not of much use to protect persons using multiple computers.

The unilateral-bilateral debate!

A debate has erupted over unilateral versus bilateral solutions to combat phishing. Bilateral solutions must be deployed by both an organisation and its clientele, while a unilateral solution has to be deployed only by the organisation. In a perfect world, one could opt for a bilateral solution. However, organisations are realising that even though a phishing attack does place their reputation at risk, they can neither expect nor compel their clients to install expensive phishing shields. Hence, they are focusing more on solutions that are unilateral.


 



 