Stopping Phishing

Banks are tired of phishers fooling their customers into revealing information so the phishers can mimic identities and steal money. Last year banks and other financial institutions banded together to do something about phishing. The first phase of this initiative involved

“… educating customers, outfitting customer desktop PCs with anti-spam-protection software, and working with law-enforcement authorities and Internet service providers to identify and stop phishing attacks while they’re in progress.”
Phishing Expedition Set To Enter Second Phase, Steven Marlin, InformationWeek, Oct. 29, 2004

There’s a report out now on Phase I, Financial Services Technology Consortium Counter-Phishing Initiative: Phase I. Several reports, actually, ranging from definitions of terms (it wasn’t even clear before what phishing was) to a categorization of vendors’ solutions according to an FSTC Phishing Attack Lifecycle and Solutions Categorization.

Many of the FSTC recommendations sound like good risk management in general, for example:

“ Ensure that phishing preparedness plans (staff responsibilities, incident response plans, procedures, etc.) are appropriate, frequently reviewed, and updated as necessary. FSTC’s Phishing Life Cycle Model and Attack Taxonomy can be used to structure concrete planning activities and assess adequacy.”

The first of the next steps FSTC will be investigating illustrates a basic feature of this work:

“Investigate and adopt better mutual authentication practices.”

Although the FSTC report says that institutions acting alone can do these things, it’s not clear that this is possible for something that is mutual: authentication that runs in both directions requires the customer’s side to take part as well, and a customer typically deals with more than one institution. As the report also says, the industry acting as a whole can do these things.

In other words, collective action is needed for an aggregate threat.