(Page 3 of 4)
Consumer education goes only so far, though. Criminals will still try phishing attacks. To prevent those from getting off the ground, retailers can use software and outside services that monitor the Internet to learn whenever a new domain appears to mimic a retailer’s brand, giving the retailer the chance to warn customers of possible phishing e-mails from that domain and to alert government authorities who investigate phishing attacks. In some cases, such domains have been shut down before they were able to launch full-scale phishing attacks, experts say.
Ice.com, for example, uses in-house software to monitor the web for launches of any domains that appear to mimic its brand. In one case when it identified such a domain, which had devised a phony e-mail campaign to offer consumers fraudulent Ice.com coupons, the retailer responded by having its lawyer e-mail a cease-and-desist letter. “That was enough to stop it and the phishing site went down soon after,” Schaff says.
But he admits that the coupon caper turned out to be an easy one to halt. The site was based in the U.S., and Ice was able to simply e-mail an open letter to its IP address.
Not all phishing scams are as easy to stop, experts say, but a new industry of anti-phishing companies has emerged in recent years to identify suspicious new domain names and work with domain registrars and Internet site providers to deactivate phishing sites. The phish detectors also scan Internet chat rooms and other online sources to get tips on planned attacks against brands.
Among the companies offering such services are VeriSign Inc., MarkMonitor, Internet Identity, Brandimensions Inc. and NameProtect Inc. Information gathered in this way can help government agencies, including the F.B.I. and the Secret Service, act against organized cybercrime groups, Jevans says.
Although these monitoring services and enforcement actions are making life harder for phishers, they’re not an end-all to phishing threats, experts say. For one thing, many phishers use Internet servers based outside the U.S., where it can be difficult to get cooperation from registrars and authorities to deactivate phishing sites. In addition, foreign-based phishers often move to new servers frequently to avoid detection, experts say.
Moreover, phishing may be the criminal tactic getting most publicity these days, but it’s only one way criminals are stealing information to support fraudulent web transactions. Other types of attacks, which may work in association with phishing scams, place malicious software onto unsuspecting retailers’ web sites and consumers’ computers. Such software, for example, can turn computers into zombies that are used to send e-mail spam, which can include phishing attacks; or to conduct keylogging to monitor a consumer’s keystrokes in an attempt to steal log-on, password and other personal account information. “There’s no one system that can protect against all kinds of attacks,” Litan says.
Leonard of ScanAlert notes that the PCI security standards imposed by the credit card industry will have a positive effect by forcing merchants to test their web site security infrastructure at least every quarter, and to maintain strict policies about guarding and providing authorized access to customer data. “We demand daily testing for the Hacker Safe certification, but even quarterly would help retailers,” he says. “There are 10-15 new general network vulnerabilities discovered every day.”
In addition to education and technology, experts say that the good guys need to do a better job of cooperating and sharing information and best practices in fighting fraud, a move needed to counteract the practice of the bad guys to quickly share information on fraud techniques and vulnerable web sites. “We share data on suspected criminal activity with other retailers because we’ve found some of the same people hitting us with unauthorized charges also hitting other Internet retailers, especially in our product category,” says Schaff of Ice.com. “If we can get this cooperation to catch on with more Internet retailers, we’ll all be better off.”
In addition to cooperation fostered by the Anti-Phishing Working Group and TRUSTe, the Merchant Risk Council brings retailers together to share war stories and fraud-fighting techniques.
Guarding the door
In spite of efforts to halt crime at the front end through technology, education and industry cooperation, retailers also need to complement systems designed to block phishing and other types of attacks with methods to halt use of stolen information to make online purchases, experts say. Here, too, a new breed of anti-fraud technology is emerging to alert retailers when a would-be purchaser appears to be using stolen account information to complete a transaction.
At Ice.com, a web-based consumer authentication system from IDology Group is helping the retailer identify hundreds of suspect shoppers and interrupt potentially fraudulent transactions before crime can occur.
Before it started using the IDology system, Ice.com had to cancel more than 5% of high-risk orders, but it has since cut that to under 1% with zero chargebacks, Schaff says. “In the past, we had no way of knowing if they were legitimate,” he says. But with IDology’s web-based IDlive identity-checking system, the retailer is now able to verify the identity of nearly all orders, he says. And with only a small handful that still need further checking, Ice.com staff can personally contact customers for verification, he adds.
Ice.com began using the IDlive system several months ago to authenticate the identity of buyers in orders determined by an in-house order management system to be high-risk, such as orders over $200 with different billing and ship-to addresses. It processes about 1,000 orders per month through the IDlive system, which is hosted by IDology, Schaff says.