
Gone phishing

Aladdin | www.aladdin.com


Identity theft is an issue of growing concern to businesses and their customers, and phishing in particular is rapidly spreading worldwide. This ID theft is putting considerable strain on the mutual trust between online enterprises and their customers – a prerequisite for secure online transactions – which, in turn, can lead to significant financial loss and a decrease in use of online consumer and financial services.

What exactly is ID theft?

Identity theft – sometimes also referred to as identity fraud – is a term used to describe crimes in which someone wrongfully obtains and uses an individual’s personal data in a way that involves fraud or deception. This is usually done for economic gain, allowing a perpetrator to profit at the unwitting victim’s expense.

Fitting ‘phishing’ into the picture

2003-2004 saw the rise of phishing – the sending of e-mails with links to websites that are designed to look like those of well-known, legitimate businesses, financial institutions and government agencies. These are sent with the intent to deceive internet users into disclosing personal data such as bank and financial account information, usernames and passwords. When successful in accessing this information, the phishers then use it for criminal purposes, such as identity theft and fraud.

Banks get hit the hardest

Financial institutions remain the most vulnerable and hardest hit victims of phishing and identity theft. According to Anti-Phishing Working Group statistics, the financial services sector is consistently the most targeted industry for phishing attacks, with financial institutions representing 15 of the top 20 organisations targeted by such attacks in 2004.

The identity theft phenomenon is clearly taking a toll on the online banking industry. Financial Insights states in a recent report that nearly 60 percent of consumers in the US are concerned about identity theft, while six percent went as far as switching banks in order to reduce their risk of falling victim to ID theft. Then there is a JupiterResearch study, which found that 27 percent of all online banking customers use less online functionality due to security concerns, and 31 percent of all online users will not bank online at all, as a result of identity theft fears.

The picture is clear: consumers are afraid, and financial organisations must find ways to reassure them that their information and their online transactions are secure – both inside and outside of the organisation.

The threat starts from within

While phishing represents the most significant external risk when it comes to customer data theft, the biggest threat facing organisations in protecting customer information comes from within. In a 2004 survey conducted by the Computer Security Institute, nearly 60 percent of respondents said that internal abuse of network access has occurred within their organisations, the second-largest type of attack on computer systems after viruses. Likewise, a 2004 Michigan State University study revealed that up to 70 percent of all identity theft cases involve employees stealing personal data from their companies.

The problem, in a word – passwords

When it comes to network and internet security, traditional password authentication remains the method of choice for most financial institutions. But, despite its popularity, password authentication is not ideal for banks or their customers. Customers often maintain several user IDs, constantly changing passwords for a variety of online services and applications, and making personal password management unwieldy, not to mention a logistical nightmare. Banks, meanwhile, must allocate significant resources – particularly help desk personnel and IT administrators – to manage password usage.

More importantly, the sharp increase in ID theft and phishing is neutralising the effectiveness of traditional password authentication; customers feel more vulnerable than ever, while banks are being exposed to unprecedented levels of fraud risk.

Password-based authentication poses security problems for banks, not only at the customer level but at all network infrastructure points, starting from within the institution itself. Employees required to handle multiple passwords often either choose easy-to-remember words and numbers, or write them down, thereby increasing the risk that their access credentials will fall into the wrong hands. Without stronger controls on internal networks, applications and data, financial organisations are extremely vulnerable to internal ID theft attacks and losses.

Organisations turning to USB strong authentication

Among the most popular and successful identity theft solutions is strong authentication. Also known as ‘two-factor authentication’, strong authentication involves the use of more than one factor to identify users accessing private networks and applications. According to the US Federal Deposit Insurance Corp. (FDIC), strong authentication “has the potential to eliminate or significantly reduce account hijacking,” and is gaining traction as a legitimate means of safeguarding consumer accounts. A recent JupiterResearch study found that 38 percent of all online banking customers feel that strong authentication alleviates their privacy and security concerns.

Whether in the form of tokens, smart cards or ATM cards, strong authentication combines ‘something you know’ (a password) with ‘something you have’ (a token) in order to verify a user’s identity. In particular, USB strong authentication tokens with built-in smart card technology are taking banking security to another level. By enabling easy and secure implementation of certificate-based security applications, these tokens provide banks with not only strong authentication, but also the foundation to implement end-to-end security and a range of secure online services to customers.

It will take a balance of new laws, consumer education, aggressive law enforcement and innovative security technology to turn the tide on identity theft and phishing. Aladdin is already seeing tremendous progress in these areas and is providing solutions today to help curb these scourges of the internet economy.

Making secure e-banking a reality

With strong authentication, financial institutions can make e-banking truly secure. So what are the most important features an organisation should consider when adopting a strong authentication solution?

Security – the solution must deliver the highest level of security, including the secure storage of personal credentials such as passwords and digital certificates.
Easy deployment – enabling easy token deployment via automated distribution, enrolment and personalisation capabilities, and via user self-service token enrolment and maintenance capabilities.
Ease of use – the solution should be user friendly to encourage customer acceptance.
Easy management – each financial institution needs to be able to manage an overall security solution without requiring extensive changes and heavy investments in IT infrastructure.
Portability – functional in a range of environments including home, work and public locations such as Internet cafes, plus fully portable and easy to carry.

