Free books
I love reading on my O2 mini, using the Microsoft Reader. In fact I read mostly on it nowadays, as a supplement to my printed documents. It’s a handy little device, and though there is much to complain about in the reader software itself (lousy interface, bad bookmarking etc.), it’s the best and most popular on the market now. Adobe Reader sadly performs so badly on the Pocket PC that I don’t even bother to read anything on it anymore.
Here’s a tip if you plan to read using the Microsoft Reader — you can convert your documents from Microsoft Word! Just download the Reader plugin at http://www.microsoft.com/reader/download_rmr.asp and install it. When you save the document in Word you will have an option to convert it to the .lit format readable on MS Reader. This is how I read most of my documents and articles.
For PDF files, you can do a conversion from PDF to Word or TXT or RTF (using any tool in the market — there’s plenty) and do the same thing.
Another tip — if you like classic books check out the Gutenberg Project, if you like Science Fiction or Fantasy books, a great collection of books is offered by Baen, for free! (I kid you not). There’s plenty of free and good stuff out there if you take some time to sniff around.
Drop me a note if ever you find anything interesting to share!
I am 34 today!
Almost reaching the middle of my 3rd decade of living. Makes me think what I have achieved for the past 34 years? I suppose quite a lot. Paid my way through university on a bank loan and working as a tutor and freelance systems admin. Finished my loan repayment taking 2 jobs after university. Got married, bought my first apartment with my blood and sweat. Started up an Internet startup, got its bubble popped, but moved on to become a real software company. Had a son. Wrote lots of software in between, and software that got SOLD! Software that people used! That’s the sweetest I suppose. Bought my own flat here now. Changed job, managing developers now. Wrote lots of articles in between. Bought a car. Son in primary school now. And now I’m 34.
Wow time flies.
[Securing Internet Banking] Part 4 – Phishing
Phishing is probably the most well-known and familiar method used to compromise Internet banking sites. The Gartner Group estimated the direct phishing-related loss to US banks in 2003 at $1.2 billion, though indirect losses are much higher. The word ‘phishing’ comes from the analogy that Internet scammers are using email lures to ‘fish’ for passwords and financial data from the sea of Internet users[1]. The term was coined around 1996 by crackers who were stealing America On-Line accounts by scamming passwords from unsuspecting AOL users[2].
There are various phishing methods, but at a basic level phishing tries to get the Internet user to reveal personal, financial or password information by pretending to be something else. The phisher will usually pretend to be the official website of the bank or organization and tries to persuade the Internet user, through fear, threats or greed, to reveal his personal details.
A typical trick is to send an official-looking email or instant message to a bank customer that links to a website that looks like the actual Internet banking application but is in fact a replica of it. The replica is designed to steal passwords when the bank customer tries to log into the Internet banking application. The replica can be exactly the same as the original website, down to the images, which are linked directly from the original website. The only difference could be that any forms submitted from that website are posted to a different application than expected, which harvests the personal and confidential information of the bank customer.
Figure 1 – Typical phishing attack
If done well, the bank customer will not even realise that he has been ‘phished’ as the fake application will redirect him to the real application. Phishing is not unique to Internet banking – it is widespread in many Internet-based applications including PayPal and eBay and the information that is phished varies from credit card numbers to bank account numbers to identification numbers such as social security or passport numbers.
Most methods of phishing use some form of diversionary deception that tricks the user into believing that the email or website belongs to the actual organization. Phishers often use misspelled URLs or sub-domains (see Table 1). Another common trick uses the @ symbol: in URL syntax, the @ separates a username and password from the actual host. A casual observer might assume that the name before the @ is the bank’s website, whereas the browser actually connects to the scam website after it, which replicates the bank’s website. A variant of this trick inserts a null or other unprintable character before the @ symbol, which prevents the host information from being displayed in the address bar. These methods have since been closed off in newer browsers. In a simpler trick, some phishers do not even use a domain name; instead they use an IP address, which normal Internet users will not check for validity.
| Type of deception | Example |
|---|---|
| Misspelled URL | http://www.c1t1bank.com |
| Sub-domain | http://www.citibank.com.fakesite.com |
| Using @ | http://www.citibank.com@fakesite.com |
| Using @ with null | http://www.citibank.com%00@fakesite.com (will be shown as http://www.citibank.com) |
| Using IP address | http://202.123.34.211 |
Table 1 – Common URL deceptions
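As a defender-side illustration of Table 1, the following added example (my own code, not part of the original post) parses a URL and reports which of the five deceptions it exhibits. The bank’s domain, the digit-for-letter map and the sample URLs are assumptions chosen to mirror the table’s rows; a production check would use a public-suffix list rather than the naive “last two labels” rule used here.

```python
"""Defender-side check for the URL deceptions listed in Table 1.

Added example, not code from the original post. LEGIT_DOMAIN and the
LOOKALIKES map are assumptions chosen to illustrate the table's rows.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the bank's genuine registered domain (the name used in the table).
LEGIT_DOMAIN = "citibank.com"

# Assumption: a small, illustrative map of digits that are swapped in for the
# letters they resemble when registering look-alike misspellings (not exhaustive).
LOOKALIKES = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})

# %00 (or any raw C0 control byte) inside the user-info part of a URL is the
# "null before @" trick that truncated the address bar in older browsers.
CONTROL_IN_USERINFO = re.compile(r"%00|[\x00-\x1f]")


def registered_domain(host):
    """Last two labels of a host name. Naive on purpose: multi-part public
    suffixes such as co.uk need a public-suffix list in a real deployment."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_deceptions(url, legit=LEGIT_DOMAIN):
    """Return a sorted list of the Table 1 deceptions found in ``url``
    (empty list if none)."""
    parts = urlsplit(url)
    findings = []

    # Rows 3 and 4: anything before '@' is credentials, not the host.
    if parts.username is not None:
        findings.append("credentials-in-url")
        if legit in parts.username.lower():
            findings.append("legit-name-in-userinfo")
        if CONTROL_IN_USERINFO.search(parts.username):
            findings.append("null-before-at")

    host = (parts.hostname or "").rstrip(".")
    if not host:
        return sorted(findings)

    # Row 5: a bare IP address instead of the bank's name.
    try:
        ipaddress.ip_address(host)
        findings.append("raw-ip-host")
        return sorted(findings)
    except ValueError:
        pass  # not an IP literal, carry on with the name-based checks

    reg = registered_domain(host)
    if reg != legit:
        # Row 2: the bank's name appears, but only as a sub-domain of another site.
        if f".{legit}." in f".{host}.":
            findings.append("legit-name-as-subdomain")
        # Row 1: a misspelling that maps back to the real name once the
        # look-alike digits are replaced by the letters they imitate.
        elif reg.translate(LOOKALIKES) == legit:
            findings.append("lookalike-misspelling")
    return sorted(findings)


# Constructed sample input: the five rows of Table 1 plus one genuine URL.
SAMPLE_URLS = [
    "http://www.c1t1bank.com",
    "http://www.citibank.com.fakesite.com",
    "http://www.citibank.com@fakesite.com",
    "http://www.citibank.com%00@fakesite.com",
    "http://202.123.34.211",
    "https://www.citibank.com/login",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{sample:45} -> {url_deceptions(sample) or ['ok']}")
```

The check deliberately keys on the bank’s own registered domain: a URL whose host resolves to some other site is only reported when it borrows the bank’s name in the user-info part, as a sub-domain, or as a digit-substituted misspelling, which is exactly what the table documents.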
These methods work on some people because links are more often clicked than typed (and are designed to be), and there is no correlation between the text shown on a page and the actual link it goes to when clicked, other than a small status bar display at the bottom of the browser.
Slightly more sophisticated tricks use Javascript, the client-side scripting language used by many web applications, for various kinds of deceptive hiding or camouflage. For example, the phisher might use the onMouseOver event handler to show a fake URL in the status bar. Other Javascript tricks include closing the address bar while the fake site contains a very similar-looking ‘address bar’ that is in fact part of the web page, or even opening another, smaller browser window that completely covers the address bar.
Another related phishing attack is IDN spoofing, or a homograph attack[3]. IDN stands for internationalized domain name and is a method that allows characters other than English letters to appear in the domain name of a website. However, in some languages certain characters look identical to an English letter but in fact are different characters. For example, газета.ру is the Cyrillic equivalent of gazeta.ru. The Russian letters а, е, р, у are indistinguishable in writing from their English counterparts. Some of the letters (such as a) are close etymologically, while others look similar by sheer coincidence. For instance, the Russian letter р is actually pronounced like the English r, but the glyphs of the two letters are identical. This leads to situations where two URLs look the same in the browser but in fact point to completely different websites!
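To make the homograph problem concrete from the detection side, here is an added example (my own code, not from the original post) that flags domain labels mixing Latin and Cyrillic letters and folds the look-alike Cyrillic letters named above into their Latin twins to see whether the result collides with a known domain. The CONFUSABLE table is an illustrative subset I chose, not the full Unicode confusables data, and the sample domains are constructed; the punycode helper shows the ASCII form a resolver actually sees, which is what browsers fall back to displaying for suspicious names.

```python
"""Homograph (IDN spoofing) checks for domain names.

Added example, not code from the original post. CONFUSABLE is an illustrative
subset of Cyrillic letters whose glyphs match Latin ones; a real deployment
would load the full Unicode confusables data (UTS #39).
"""
import unicodedata

# Assumption: illustrative subset. The page's own examples а, е, р, у are
# included along with a few other well-known twins.
CONFUSABLE = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER (pronounced like r, drawn like p)
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def script_of(ch):
    """Script taken from the first word of the Unicode character name,
    e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(domain):
    """Replace each confusable Cyrillic letter with the Latin letter it imitates."""
    return "".join(CONFUSABLE.get(c, c) for c in domain)


def to_punycode(domain):
    """ASCII (xn--) form of an IDN, as used on the wire and shown by browsers
    that refuse to render suspicious Unicode labels."""
    return domain.encode("idna").decode("ascii")


def homograph_findings(domain, known_domains):
    """Return a list of findings for ``domain``:

    - mixed-script:<label>    one label mixes scripts (e.g. Latin + Cyrillic),
                              which genuine names almost never do
    - confusable-with:<name>  after folding look-alikes the name equals a known
                              Latin domain, i.e. the gazeta.ru situation above
    A genuine all-Cyrillic name such as газета.ру triggers neither.
    """
    domain = domain.lower().rstrip(".")
    findings = []
    for label in domain.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed-script:{label}")
    folded = skeleton(domain)
    if folded != domain and folded in known_domains:
        findings.append(f"confusable-with:{folded}")
    return findings


# Constructed sample input: a Latin name with one Cyrillic 'а' slipped in,
# the page's genuine Russian example, and a plain ASCII name.
KNOWN_DOMAINS = {"paypal.com", "citibank.com"}
SAMPLES = ["p\u0430ypal.com", "\u0433\u0430\u0437\u0435\u0442\u0430.\u0440\u0443", "citibank.com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name} ({to_punycode(name)}) -> {homograph_findings(name, KNOWN_DOMAINS) or ['ok']}")
```

The two signals are complementary: the mixed-script test catches a single substituted letter even when the folded name is not in any allow-list, while the skeleton comparison catches a label written entirely in one script whose every letter has a Latin twin, which the mixed-script test alone would pass.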
Many people make the mistake of assuming that phishing attacks on Internet banking services do not cause harm if no unauthorized transactions or funds transfers occur. Funds transfer is probably the lesser harm done, because generally if money is taken from an account the account owner will know relatively quickly and act to stop the transfer or prevent further harm. Also, funds transfers will normally go to another bank account and are often traceable and recoverable.
The greater harm comes in the form of identity theft activities. The phished account might be used for money laundering or other illegal activities. Other information might also be extracted, such as credit card information, account and personal information. There is also evidence that ATM cards are counterfeited from information ‘phished’ from the unsuspecting victim[4]. The kind and extent of the damage are not immediately evident and can lie dormant for a long period of time, which makes it very difficult to trace and stop these illegal activities. For example, money can be transferred from a larger corporate account that is compromised to several phished accounts, after which ATM card transactions and withdrawals can be made throughout the country or even outside of the country using cross-border electronic funds transfer networks such as PLUS or Maestro.
Phishers usually actively target multiple systems and organizations at the same time, and are well organized[5]. There is also evidence that organized crime is getting increasingly active in phishing and a thriving market for phished data trading exists[6]. Amateur phishers who were previously balked by their inability to convert the data to monetary benefits are now able to Phishing was originally predominantly by amateurs and adolescents, but this activity has ‘grown up’ and is considered one of the more dangerous online security threats[7].
[1] From Word Spy at http://www.wordspy.com/words/phishing.asp
[2] From the Anti-Phishing Working Group at http://www.antiphishing.org/word_phish.html
[3] See Evgeniy Gabrilovich and Alex Gontmakher (February 2002). The Homograph Attack. Communications of the ACM 45(2): 128 and Johanson, Eric. The State of Homograph Attacks Rev1.1. The Shmoo Group. URL accessed on August 11, 2005.
[4] See Christopher Abad, The Economy of Phishing : A survey of the operations of the phishing market (2005) at http://www.firstmonday.org/issues/issue10_9/abad/
[5] See The Honeypot Project & Research Alliance, Know Your Enemy: Phishing (2005) at http://www.honeynet.org/papers/phishing/
[6] Id.
[7] See the Anti-Phishing Working Group at http://www.antiphishing.org
[Securing Internet Banking] Part 3 – Rationale and Risks
The banking industry could be seen as an odd bedfellow when read together with the Internet. Banks are generally known to be conservative, highly sensitive to security, risk-averse and valuing stability and reliability. The Internet, on the other hand, moves at such a high speed that it prompted the term ‘Internet time’ to be coined. The Internet is usually unsecured, mostly uncontrolled by any single authority, often unreliable and generally seems to be the antithesis of everything banks symbolise.
So it is surprising to note that Internet banking services today account for a large share of the activity on the Internet. In a survey done by Eurostat in 2003[1], about 40% of all Internet users in Europe use Internet banking. This is in comparison with email, which leads at 80%.
There could be a number of reasons why Internet banking became successful. Firstly, for the customer Internet banking is an incredible innovation that simplifies the process of transacting with the bank. Previously, a bank customer needed to physically appear before a bank teller in a branch during his own office working hours (meaning he would either need to sneak out or take some time off). Internet banking, on the other hand, can be done any time, anywhere. Convenience is probably the most compelling reason for the bank customer, driving them to adopt this new technology with relish.
For the bank, there are a few evident reasons. As their customers increasingly demand convenience, it is inevitable that the banks need to bow to their wishes and move in this direction or be edged out by their competition. The fear of being left behind is by itself a main driver behind many banks’ move to Internet banking services.
At the same time, Internet banking allows the banks to extend their current market and to reach out to more customers where it would previously not have been possible without incurring high costs. Traditionally banks are limited by their geographical coverage, and the cost of their operations increases exponentially as their branches are located further and further away. Internet banking, on the other hand, is without any real boundaries other than the legal and regulatory restrictions that prevent banks from operating in multiple countries without the approval of each country.
However, the most compelling reason for banks to move into Internet banking is probably the allure of a significant cost reduction in providing the banking services. In 1996 Booz-Allen and Hamilton conducted a survey in the US and found that the cost of a full banking transaction over the counter was $1.07 while it was 54 cents via the telephone, 27 cents for an ATM but only 1 cent for Internet banking[2]!
However, as with most things, the benefits of Internet banking are a two-edged sword and come with a different set of risks that were previously not significant to the banks. As the geographical reach of the bank increases through Internet banking, it becomes more challenging to verify its customers and make good credit decisions. The business case for Internet banking services, especially for Internet-only banks, remains unproven[3] as banks struggle with unforeseen operational costs and issues that they were familiar with.
Regulatory issues on Internet banking are mostly unclear at this point in time, which increases the overall risk of doing business on the Internet. For example, much of the existing legislation around the world still treats Internet banking alongside ATM or phone banking. The bank’s liabilities concerning Internet banking are still unclear today as well. In cases of fraud and security breaches, the liabilities of the bank customer and the bank are still a matter of contention. To protect the consumer, most governments tend to shield bank customers from any negative effects even though bank-customer contracts usually disclaim liability. In any case, any negative issues with a reputed bank’s Internet banking services will usually drag its name and its brand through the mud. For the bigger and more prestigious traditional banks, this poses a tremendous risk of damaging their brand assets.
Most banks do not have significant expertise in Internet technologies or in implementing and maintaining an Internet banking application. Unfortunately this is also true of most organizations – enterprise-level Internet applications are relatively new and sophisticated. One of the most serious risks faced by the banks, however, is the issue of securing access to the Internet banking services.
The tremendous number of banking transactions that occur daily over a medium that is basically unregulated is an open invitation for criminal and fraudulent activities. In a 2003 survey of financial institutions around the world, 39 percent of respondents said their computer systems had been ‘compromised’ in some way the previous year.[4]
[1] See Christopher Demunter, Internet use in Europe: security and trust (2005)
[2] Booz-Allen & Hamilton, “Consumer Demand for Internet Banking” (1996)
[3] Robert DeYoung, “The Performance of Internet-Based Business Models: Evidence from the Banking Industry,” Journal of Business, University of Chicago Press, vol. 78(3), pages 893-948. (2005)
[4] See Laura Bruce, Online banking security: Who’s minding the vault?, http://www.bankrate.com/brm/news/emoney/technoguide2004/ebank-security1.asp