Banking, phishing and the suspension of disbelief

It has become all too easy, too often, for the user to be told to take full responsibility for the security of many on-line transactions. There is no doubt that user-alertness and care are among the most important aids to computer security, but the truth of this does not relieve companies conducting business on the internet from taking their share of the responsibility and doing the best they can to protect their customers from making mistakes. In the case of banks it is in their own best interests to move as many customers as possible out of expensive high street branches and into much cheaper-to-run internet banking. But customers need to feel there an equivalent level of security, and this demands that the banks make a much better effort than they have so far.

The demos that we describe in the article "You can't Bank on Security" do not expose banks and customers to any new methods. It is not as if we have discovered a new hole in Internet Explorer that allows immediate access to users' data, and are now telling the world without giving Microsoft the chance to fix the problem, thereby leaving users open to attack. These basic vulnerabilities have been known for several years, and phishers have been using similar methods throughout that time.

One would have hoped that the web developers at the banks would also be familiar with these vulnerabilities, and would have taken the trouble to code their pages in order to negate them. It seems that this is far from being the case. Of course, there would be many other steps involved in staging a real and successful attack. Phishing is a form of con-trick using modern technology and the internet. For any con-trick to stand a chance of being successful, the trickster needs at first to be believable, to seem to be or to represent something that he is not.

For phishing attacks to be successful, they have to seem to come from trustworthy companies: banks, building societies, known on-line vendors, and so forth. After all, some banks and vendors do have offers from time to time that are worth investigating and do send out emails promoting them – the job of a phishing trickster is to appear genuine in this respect. It should be born in mind that it is generally expected that phishing tricksters are becoming more sophisticated in their attempts, and tending more towards targeted attacks.

Ideally, all users would recognise phishing emails for what they are, and would never click on links they contain. But, failing that, there are many clues that a user should use to judge the validity of a site to which such a link might take them. This is exactly where the banks and similar organisations can help. The tricksters' job is very much easier if they are able to use real web pages from the bank in question, use its same URL, and even use the same security certificate. It is the all too common ease with which these things can be done that our tests demonstrate.

If these possibilities are taken away from phishing tricksters, their job is made much more difficult. They will no doubt still try to con users, but their potential believability in posing as some bank or similar organisation will be considerably reduced. It is very much part of the responsibilities of the banks drastically to reduce these possibilities, and in fact, not much effort would be required on their part. We trust that our frame spoofing and cross site scripting demonstrations will fail very soon to work.

Edward Henning.