In an article released last week on Wired magazine’s website, Bruce Schneier makes an argument for putting more responsibility on financial institutions to prevent phishing and to make it easier for victims of identity theft to clear their names.
Phishing is the term used to describe the sending of a fake email from someone pretending to be your bank or some other business. The email asks you to go to a fake website and log in to perform some urgent task; then the phishers use that login to go to your bank’s website and transfer money, etc.
I couldn’t agree more with the importance of making it easier for victims to repair credit reports and restore money to accounts. But I’m a little less sure about his proposed solution with regards to banks and other financial institutions.
Bruce argues that banks should put up enough barriers to doing business that, "the information a criminal can get from a phishing attack won’t be enough for him to commit fraud — because the companies won’t stand for all those losses."
I would suggest that, short of widespread adoption of standard biometric authentication systems (like fingerprint or retina scanners + standard & secure data formats), it is unlikely that a bank or other business could put up enough checks on information to stop even a moderately determined phisher. If a bank asks for more info before they allow you to transfer money, then the phisher just needs to ask for more information on their fake website.
Bruce accurately predicts, in my opinion, that this will be an ever-escalating war. I think that the right next step for a bank might be statistical analysis of (1) money transfer patterns of single accounts and similar transfers from many accounts, (2) bank account creation patterns (hey, the phishers have to transfer the money *to* somewhere), and (3) login patterns of single and multiple accounts. I, for instance, am not likely to be logging in from another continent and transferring money.
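As an added illustration of the three signals listed above (not code from the original post, and not any bank's actual fraud system), here is a small rule-based detector run over constructed account, login and transfer records. The thresholds (a "new" account is under a week old, three distinct senders in a day, a transfer over three times the account's usual maximum, a transfer within an hour of a login from another continent) are assumptions chosen for the example, not figures from the post.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Account:
    id: str
    created_ts: int               # seconds since epoch (constructed values)
    home_continent: str           # where the customer normally logs in from
    typical_max_transfer: float   # e.g. 95th percentile of the account's past transfers

@dataclass
class Login:
    account: str
    ts: int
    continent: str

@dataclass
class Transfer:
    src: str
    dst: str
    ts: int
    amount: float

# Thresholds are illustrative assumptions, not values from the post.
NEW_ACCOUNT_AGE_S = 7 * 86400        # recipient account younger than a week counts as "new"
MULE_MIN_SENDERS = 3                 # distinct senders into one new account ...
MULE_WINDOW_S = 24 * 3600            # ... within this window
AMOUNT_MULTIPLIER = 3.0              # transfer larger than 3x the account's usual maximum
LOGIN_TRANSFER_LINK_S = 3600         # transfer within an hour of a foreign-continent login

Alert = Tuple[str, str, int]         # (account, rule name, event timestamp)

def detect(accounts: Dict[str, Account], logins: List[Login],
           transfers: List[Transfer]) -> List[Alert]:
    alerts: List[Alert] = []
    foreign_logins: Dict[str, List[int]] = defaultdict(list)

    # (3) login patterns: a login from outside the account's home continent
    for lg in logins:
        if lg.continent != accounts[lg.account].home_continent:
            alerts.append((lg.account, "login_foreign_continent", lg.ts))
            foreign_logins[lg.account].append(lg.ts)

    # (1) per-account transfer patterns, plus transfers that closely follow a foreign login
    inbound: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for tr in transfers:
        if tr.amount > AMOUNT_MULTIPLIER * accounts[tr.src].typical_max_transfer:
            alerts.append((tr.src, "transfer_amount_outlier", tr.ts))
        if any(0 <= tr.ts - t <= LOGIN_TRANSFER_LINK_S for t in foreign_logins[tr.src]):
            alerts.append((tr.src, "transfer_after_foreign_login", tr.ts))
        inbound[tr.dst].append((tr.ts, tr.src))

    # (2) account-creation patterns: a young account collecting money from many senders
    for dst, events in inbound.items():
        acct = accounts.get(dst)
        if acct is None:
            continue
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > MULE_WINDOW_S:
                start += 1
            senders = {s for _, s in events[start:end + 1]}
            young = events[end][0] - acct.created_ts < NEW_ACCOUNT_AGE_S
            if young and len(senders) >= MULE_MIN_SENDERS:
                alerts.append((dst, "new_account_many_senders", events[end][0]))
                break
    return alerts

def sample_data():
    """Constructed sample: three established customers and one two-day-old account."""
    now = 1_000_000
    accounts = {
        "alice": Account("alice", now - 400 * 86400, "NA", 500.0),
        "bob":   Account("bob",   now - 900 * 86400, "EU", 1000.0),
        "carol": Account("carol", now - 300 * 86400, "NA", 200.0),
        "mule1": Account("mule1", now - 2 * 86400,   "NA", 0.0),
    }
    logins = [
        Login("alice", now - 3600, "NA"),
        Login("alice", now - 600, "AS"),     # far from home, shortly before a transfer
        Login("bob", now - 2000, "EU"),
    ]
    transfers = [
        Transfer("bob", "alice", now - 100_000, 50.0),
        Transfer("alice", "mule1", now - 500, 2000.0),
        Transfer("bob", "mule1", now - 400, 800.0),
        Transfer("carol", "mule1", now - 300, 150.0),
    ]
    return accounts, logins, transfers

if __name__ == "__main__":
    for account, rule, ts in detect(*sample_data()):
        print(f"{ts} {account}: {rule}")
```

On the sample data this raises four alerts: alice's login from another continent, her unusually large transfer, the fact that the transfer came right after that login, and the two-day-old account that received money from three different customers within minutes. The point of combining the three views is the escalation argument above: a phisher can ask the victim for more fields on a fake page, but cannot easily make the victim's normal login location, transfer size and recipient history line up.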
And because these phishing attempts generally happen via email, email providers need to be vigilant in detecting and removing phishing emails, something I think we’ve been good at.
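As an added example of the kind of check a mail provider can apply (my own illustration, not the post's code or any provider's filter), the script below parses two constructed messages and flags the classic phishing tells: a link whose visible text shows one domain while its href points to another, a link outside the sender's own domain, and a plain-http link. The domain helper simply takes the last two labels of a host name, an assumption that stands in for a proper public-suffix-list lookup; the sample addresses use the reserved .example and .invalid names.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host: str) -> str:
    """Naive 'registered domain': last two labels (assumption; real code uses the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def host_of(text: str) -> str:
    """Host part of link text that looks like a URL or bare domain; '' otherwise."""
    if " " in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host else ""

def analyze(raw_message: str) -> List[str]:
    """Return human-readable findings for one raw RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(sender.split("@")[-1]) if "@" in sender else ""

    collector = LinkCollector()
    for part in msg.walk():                      # handles single-part and multipart bodies
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))

    findings: List[str] = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = host_of(text)
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if sender_domain and href_host and registered_domain(href_host) != sender_domain:
            findings.append(f"link to {href_host} outside sender domain {sender_domain}")
        if href.lower().startswith("http://"):
            findings.append(f"plain-http link to {href_host}")
    return findings

# Constructed sample messages (reserved .example / .invalid names, not real hosts).
PHISH = "\n".join([
    'From: "Example Bank Security" <security@examplebank.example>',
    "To: customer@mail.example",
    "Subject: Action required",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body><p>Please confirm your details at",
    '<a href="http://examplebank.example.login-verify.invalid/update">'
    "https://www.examplebank.example/login</a>.</p></body></html>",
])

LEGIT = "\n".join([
    "From: alerts@examplebank.example",
    "To: customer@mail.example",
    "Subject: Your statement is ready",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<html><body><p><a href="https://www.examplebank.example/statements">'
    "View your statement</a></p></body></html>",
])

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or "no findings")
```

The phishing sample trips all three rules while the genuine notice trips none. Heuristics like these are cheap and catch the bulk of mass phishing, but they are exactly the part of the arms race the post describes: once providers filter on them, the next round of emails avoids them, so they belong alongside sender authentication and the account-side pattern analysis rather than as the only line of defence.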