HOW TO HARPOON A CYBER SHARK


Date: Monday June 6, 2005 10:19:00 am

  • Anonymous


    How To Harpoon A Cyber Shark
    New technology could thwart ‘phish’ e-mails that
    seek consumers’ private data

    The corporate battle against cybercrime is
    unending. And phishing — bogus e-mails designed to trick consumers into
    coughing up personal info — is among the most insidious of foes. Just ask
    Ambika Gadre, director of security and threat prevention at IronPort Systems
    Inc., an e-mail security firm. Gadre and her team, relying in part on a
    promising new authentication technology from Yahoo! Inc. called DomainKeys,
    spot an ever rising tide of bogus e-mails slinking across the Web. “Phishing is
    so damaging,” says Gadre.

    With the phish epidemic starting to sap
    confidence in online commerce, e-tailers and banks alike are scrambling to beef
    up defenses. Amazon.com Inc. is expected to begin testing an IronPort system soon
    that verifies if e-mail pitches sent to consumers under its name are real. Bank
    of America Corp. is rolling out technology that helps customers ensure they have
    reached the bank’s real site — rather than a fake one set up by the phishers to
    capture their user IDs and passwords. And the anti-phishing effort got a big
    boost June 1, when Yahoo! and Cisco Systems Inc. announced plans to merge
    competing technologies — clearing the way for a DomainKeys technical
    standard.

    It’s a counterattack against phishing that may at last have
    teeth. “When evil folks with malicious intent send an e-mail that purports to be
    from BusinessWeek.com, we’ll know,” says Andrew R. Spillane, an exec in the
    e-mail unit of Yahoo!, which rolled out the technology last year.

    The key
    to countering phishing, say experts, is making sure consumers know which e-mails
    are real and which are not. Since last year, many banks, e-commerce sites, and
    others who send e-mail have relied on free software developed by Microsoft
    Corp. and others called Sender ID. The technology uses the coordinates of
    Web-connected PCs and servers, known as IP addresses, to trace the origins of
    e-mail. Some 750,000 company domain names around the world have been registered
    under Sender ID, according to Microsoft. Trouble is, say security analysts, the
    bad guys can route phish through many servers to disguise who originally sent
    them. “Sender ID is the first step,” says Ryan Hamlin, Microsoft’s general
    manager of technology care and safety. “But it’s not the end game.”

    CODED SIGNATURE

    Enter DomainKeys — a more robust
    authentication technology. Here’s how it works: When a bank or e-commerce firm
    sends out e-mail, the mailing contains a signature that corresponds to a unique
    code allocated to the sender. When an e-mail firm or an ISP receives a message
    to transmit to its users, it can check to see if the signature on the e-mail
    matches that of the bank or e-commerce site it claims to be from. If it does,
    the person getting the e-mail will be told it’s legit. If not, the ISP will warn
    the customer not to open it.

    That’s not the only way banks are beefing up
    Internet security. Some are putting in place technology that helps online
    customers ensure they are visiting the real Web site, as well as keep fraudsters
    out. Bank of America’s SiteKey system shows online customers a picture when they
    visit its site. If the image they’ve chosen doesn’t pop up, they will know
    they’ve reached a bogus site. And if fraudsters try to access a customer’s BofA
    account from an unrecognized PC, they will have to answer a predetermined
    question.

    Still, such technologies face hurdles. With Yahoo! and Cisco
    just agreeing on common standards for DomainKeys, many companies may resist
    investing in the technology until the kinks are worked out. Price is another
    issue. Both Yahoo!’s and Cisco’s products can be downloaded for free online. But
    an e-mail security system with DomainKeys for a mass e-mailer costs $500,000, on
    average, says IronPort. For a big company, that’s not much to stymie forged
    e-mails that can damage reputations and clog up millions of e-mail accounts. But
    smaller businesses may hesitate to upgrade until the price drops. With consumers
    increasingly wary about buying and banking online, however, they may have little
    choice.
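
The sign-and-verify flow described under CODED SIGNATURE, as an added example that is not part of the original post or any vendor's code. It is a simplified model (textbook RSA over SHA-256, no padding, simplified canonicalization); the demo key, the `X-Demo-Signature` header name, the `bank.example` domain and the dictionary standing in for DNS are all assumptions made for illustration.

```python
import hashlib

# Constructed demo key from two Mersenne primes: trivially factorable, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D is known only to the real sender

# Stand-in for DNS: the sender publishes its public key under selector._domainkey.domain.
DNS = {"mail._domainkey.bank.example": (N, E)}
SIG = "X-Demo-Signature"  # hypothetical header name; tags d=, s=, b= mirror DomainKeys

def digest(headers, body):
    """Hash the signed headers plus body (simplified canonicalization)."""
    text = "".join(f"{k.lower()}:{v.strip()}\n" for k, v in headers if k != SIG) + "\n" + body
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(headers, body, domain, selector, d, n):
    """Sender side: prepend a signature header computed with the private exponent."""
    b = pow(digest(headers, body), d, n)
    return [(SIG, f"d={domain}; s={selector}; b={b:x}")] + headers

def verify(headers, body):
    """Receiver side: return 'pass', or 'fail: reason' so the ISP can warn the user."""
    hdr = dict(headers)
    if SIG not in hdr:
        return "fail: unsigned"
    tags = dict(t.strip().split("=", 1) for t in hdr[SIG].split(";") if "=" in t)
    if not {"d", "s", "b"} <= tags.keys():
        return "fail: malformed signature"
    from_domain = hdr.get("From", "").rsplit("@", 1)[-1].rstrip(">").lower()
    # The signing domain must cover the visible From domain, or anyone could
    # sign with their own key and still claim to be the bank.
    if from_domain != tags["d"] and not from_domain.endswith("." + tags["d"]):
        return "fail: signing domain does not match From"
    key = DNS.get(f"{tags['s']}._domainkey.{tags['d']}")
    if key is None:
        return "fail: no published key"
    n, e = key
    try:
        sig = int(tags["b"], 16)
    except ValueError:
        return "fail: malformed signature"
    return "pass" if pow(sig, e, n) == digest(headers, body) else "fail: bad signature"

# Constructed sample messages.
BODY = "Your statement is ready.\n"
FORGED = [("From", "alerts@bank.example"), ("Subject", "Statement")]  # no signature
GENUINE = sign(FORGED, BODY, "bank.example", "mail", D, N)
```

Unlike an IP-based check, the result does not depend on which servers relayed the message: only the holder of the private key can produce a signature that matches the published key.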
