Cybersecurity: Are You Safe?
The Rise of Phishing
Fred Cate, a distinguished professor at the Indiana University School of Law and director of the Center for Applied Cybersecurity Research, said the development of phishing often is traced back to the early days of America Online (AOL), when the company charged for access by the hour. At that time, phishers would try to steal customers’ account numbers.
But today the game has changed. Between Jan. 1, 2008, and June 30, 2008, there were at least 47,324 phishing attacks, according to the Anti-Phishing Working Group’s Global Phishing Survey. Further, phishing now targets bank-account holders and customers of online payment services.
“Phishing is something old and it’s something new in that phishing is just a con game. And con games are based on building your trust, so the more the e-mail is spoofed to look like an e-mail from your bank, the more likely you are to click on those links,” Kaiser said.
Phishers also have become more sophisticated in their attacks, using current events to lure individuals to react.
“The recent global financial crisis [has] caused a lot of confusion,” said Paul Wood, senior security analyst at MessageLabs, a provider of integrated messaging and Web-security services. “The bad guys can capitalize on that confusion. Recently, there have been a number of [phony] messages from banks [involved in mergers] to encourage people to verify their identity. That kind of activity has increased sharply in recent weeks.”
Wood believes phishing flourishes partly because users are not as aware of threats as they should be. “If somebody were to knock on your door and ask to come into your house and check your electricity, you might be immediately suspicious. [You might ask] for some identification to phone [the company] they claim to be from,” Wood said.
“But when you’re online, it’s very difficult to try and think in that way or to actually do any of those things. We’re willing to give out a lot of information about ourselves when perhaps we should be a bit more cautious and guarded.”
It’s important for individuals and companies to have the core defenses — patches, anti-spyware, anti-virus and firewalls — but it doesn’t matter how secure your computer is if you make a mistake.
“In many ways, the biggest challenge is not technological; it’s behavioral,” Cate said. “For example, we’ve known that good passwords were a key part of security. Yet we have a lot of trouble getting people to use them and not write them down. You can have the most secure system in the world, but if a user unwittingly grants an outsider access through a phishing e-mail, you’re in trouble.”
But it’s difficult for users to be knowledgeable about Internet security if no one teaches them, said Kaiser. Parents need to teach their children, schools need to teach their students and workplaces need to teach their employees.
“Our goal is to make cybersecurity second nature — and that means we want to see education integrated into every phase of life,” he said. “In order to get people to be safe on the Internet, we have to teach them good habits, and we have to reinforce those habits all along the way.”
He recommends that people ask themselves three questions whenever they’re using the Internet: Who is asking me for this information? What are they asking for? And why would they need this?
But there’s only so much we can do, Gligor said.
“New technologies enable new adversarial behaviors. The security [mechanisms] developed for the adversary in the mid to late ’90s might not be sufficient for an adversary in 2009,” he said.
Ultimately, it’s a trade-off. To have the freedom that we have on the Internet, we have to give up some security.
“Can you ever have total safety? No, but you can come very close,” Kaiser said. “I’m going to go back to my car analogy. If you follow the rules of the road, if you don’t drink and drive, if you buckle your seatbelt, if you follow a few safety parameters, you can be safe most of the time. However, there will still be occasional accidents, and I think that’s probably acceptable in exchange for what you get, which is the freedom to go pretty much anywhere you want, anytime you want.”
– Lindsay Edmonds Wickman, firstname.lastname@example.org