Enterprise tools

Ideally, enterprises should also look for tools that scan in combination with authentication so that logon credentials are not allowed until the integrity check is completed.

Toolsets like these would go a long way towards quelling concerns among financial services companies that man-in-the-middle attacks can bypass stronger authentication by taking over accounts during authenticated sessions, Rapp says. But he's not convinced they can totally block man-in-the-middle attacks.

"These phishing packages contain rootkits, which can turn off the security and make it look to a scanner like it's all up to snuff when really it's infected with malware," he says.

The final authentication piece needed, says Sally Steward, vice president of strategy for TriCipher, is a way to follow up on authentication by working with the financial institutions' fraud-detection systems. That way, should a criminal somehow slip past all these front-end defences, open new accounts and transfer funds in a way that's suspect, the system could follow up by logging the event and alerting investigators.

As with every other information security problem to arise since the beginning of IP networking, protecting online commerce from the phishing blight calls for education and layered security. But we also need to look forward to new standards, technologies and frameworks to deal with increasingly sophisticated problems, Sachs and others say.

"The bad guys are ahead of our best defences at this moment in time," Rapp adds. The gap isn't going to be as easy to close as it has been in the past. But I urge everyone doing financial business on the Internet to at least start out with multifactor authentication to make it that much more difficult for the criminals to get at our consumers' financial data."

Fighting back

While automated phishing attacks are on the rise, phishes that still use e-mail and instant message lures and fake logon sites still abound. Below is an update about how companies are responding and what users should be aware of.

Closed e-mail: Two years ago, eBay started sending restricted e-mail to its customers. Last year, financial services began following suit. For example, Wachovia Bank now uses a closed, authenticated e-mail system as its only way to message customers. And eBay uses its internal "my messages" mail to educate consumers by putting security messages around the frames, an eBay spokeswoman says.

Education: In addition to "practicing safe computing" by not clicking links and staying away from questionable Web sites, users should now update their security tools everyday. And they shouldn't trust the little closed SSL locks anymore. NetCraft researchers found forged SSL certificates in 450 separate phish sites last year. Users need to also be wary of any solicitations, not just from eBay and financial services. Last year, phishers forged brands from the the Internet Crime Complaint Centre, numerous security vendors and several authoritative, nonfinancial companies.

Enforcement: Microsoft, spearheading Digital PhishNet, took down 4744 phishing sites in 2005 and filed 117 lawsuits against phishers. In February, Microsoft announced the Global Phishing Enforcement Initiative, which will coordinate efforts in monitoring for domain offences, phish takedowns, partnerships with law enforcement and worldwide investigations. In March, Castlecops and Sunbelt Software announced the Phishing Incident Reporting and Termination Squad to focus solely on terminating phish sites.

Identity services: Some organizations are taking the unusual step of buying proactive identity-protection services for their employees, says Todd Davis, CEO of LifeLock. "Fifty-one percent of identity theft occurs in the workplace. It takes an employee on average 177 hours to reclaim an identity," Davis says. "For $70 per year per employee, businesses realize this is a good investment to keep their employees productive."

Spam: Service providers have made improvements at filtering spam and authenticating e-mail through adoption of the Sender Policy Framework and Sender ID. Symantec reported a 13 percent reduction in spam mail last year, from 63 percent of all traffic in 2004 to 50 percent in 2005.

Toolbars: Microsoft announced Phishing Filter and SmartScreen e-mail scanner and browser toolbar that scan URLs against blacklists in Microsoft browsers and e-mail services and programs. They also look for basic indicators of a phish, such as addresses that don't resolve correctly.