Phishing News

Glenbrook Partners has updated its phishing analysis.  It's a must-read for executives concerned about online fraud.

Meanwhile, PassMark has finally unveiled itself with an announcement (and demo) of new countermeasures against phishing attacks.  PassMark was founded by Bill Harris, former CEO of Intuit and PayPal.

The frog and the text in red are PassMarks.

Their solution is similar to the Personal Assurance Message (PAM) used in 3-D Secure, the protocol underlying the Verified by Visa and MasterCard SecureCode programs.  PAM works by asking the cardholder to choose a text string during registration (aka enrollment); the issuer then displays that string on its password/PIN entry page so the cardholder can tell the genuine page from a fake.  The issuer has to know whose string to show, and it gets that from the card number: the cardholder has already given it to the merchant to start the 3-D Secure transaction, so the card number serves as the weak identifier that unlocks the PAM.

In addition to a text string, PassMark uses a picture selected or submitted by the user.  Like 3-D Secure, PassMark needs a way to identify the user before it can show the mark.  In the demo the user types their name, but other identifiers could serve, and a client-side component opens up more possibilities still.

While PassMark is not foolproof against phishing (a phishing page that forwards the victim's username to the real site as it is typed and relays back whatever mark comes out still gets through), it drastically limits how far a phishing attack can scale, and it provides visible security, a property whose importance security experts often overlook or underestimate.

Re scalability of phishing attacks

Before a phishing attack can be run against PassMark-protected users, the attacker must first harvest the user-specific images (the PassMarks) from the protected site, which means submitting a username for each target in a bogus login attempt.  A sudden spike in such lookups, or in the failed logins that follow, alerts the site, and defensive action can be taken before the attacker has built a database of any size.  Trickling the lookups over a long period does not help the attacker much either: a PassMark is displayed only after preliminary weak identification of the user (the username), so the attacker is limited to the usernames they already hold, and each one has to be presented to the site to retrieve its mark.

As to the defensive measures, one option is to have the user select or submit two pictures at enrollment: one for immediate use and a second to switch to when an ongoing phishing attack voids the first.  I am not sure whether PassMark does this, though.
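As an added example (this is not PassMark's or 3-D Secure's code; the `PassMarkSite` class, the helper names and the accounts are made up for illustration), the following Python models the flow described above: enrollment with a phrase and two pictures, the username-first lookup that reveals the mark, the human decision to type a password only when the displayed mark is the expected one, a sliding-window detector for a scraping spike, and the switch to the second picture once a spike is seen. It also shows where that detector runs out: a scraper who already holds a username list and spreads requests over many sources, or trickles them slowly, still harvests marks.

```python
from collections import defaultdict, deque


class PassMarkSite:
    """Toy PassMark-style site (an illustration, not PassMark's design): after
    the username is entered the site shows that user's picture and phrase; the
    password is only asked for once the user has recognised them."""

    def __init__(self, per_source_limit=5, global_spike=20, window_seconds=60):
        self.users = {}                       # username -> enrollment record
        self.by_source = defaultdict(deque)   # source -> (time, username) lookups
        self.all_lookups = deque()            # every (time, username) lookup
        self.per_source_limit = per_source_limit
        self.global_spike = global_spike
        self.window_seconds = window_seconds
        self.marks_voided = False

    def enroll(self, username, password, phrase, primary_image, backup_image):
        """Enrollment: a phrase and two pictures; the second is the fallback
        suggested in the post and is shown only after the first is voided."""
        self.users[username] = {
            "password": password,             # toy store; a real site keeps a hash
            "phrase": phrase,
            "images": [primary_image, backup_image],
            "active": 0,                      # index of the picture in use
        }

    @staticmethod
    def _distinct_in_window(log, now, window):
        """Drop entries older than the window, count distinct usernames left."""
        while log and now - log[0][0] > window:
            log.popleft()
        return len({u for _, u in log})

    def void_primary_marks(self):
        """Defensive action: switch every user to the backup picture, so marks
        scraped before this point no longer match what the site shows."""
        if not self.marks_voided:
            self.marks_voided = True
            for rec in self.users.values():
                rec["active"] = 1

    def current_mark(self, username):
        rec = self.users[username]
        return rec["images"][rec["active"]], rec["phrase"]

    def passmark_for(self, source, username, now):
        """Step 1 of login: weak identification by username.  Returns the mark,
        or None for an unknown user or a source that is enumerating usernames.
        A site-wide spike in distinct usernames looked up voids primary marks."""
        self.by_source[source].append((now, username))
        self.all_lookups.append((now, username))
        w = self.window_seconds
        if self._distinct_in_window(self.all_lookups, now, w) >= self.global_spike:
            self.void_primary_marks()
        if self._distinct_in_window(self.by_source[source], now, w) > self.per_source_limit:
            return None
        if username not in self.users:
            return None
        return self.current_mark(username)

    def verify_password(self, username, password):
        """Step 2 of login, reached only if the human accepted the mark."""
        rec = self.users.get(username)
        return rec is not None and rec["password"] == password


def user_would_enter_password(shown, expected):
    """The human check the scheme relies on: type the password only when the
    page shows the expected mark.  A stale or missing mark fails this."""
    return shown is not None and shown == expected


def enroll_demo_users(site, n):
    """Constructed sample accounts (not real data)."""
    names = [f"user{i}" for i in range(n)]
    for i, name in enumerate(names):
        site.enroll(name, f"pw{i}", f"phrase {i}", f"img{i}a.png", f"img{i}b.png")
    return names


def simulate_scrape(site, usernames, source_of, start=0.0, gap=0.5):
    """A phisher holding a username list harvests marks by entering each one;
    source_of(i) is the address the i-th request comes from, gap the spacing."""
    harvested = {}
    for i, name in enumerate(usernames):
        mark = site.passmark_for(source_of(i), name, start + i * gap)
        if mark is not None:
            harvested[name] = mark
    return harvested


def still_valid(site, harvested):
    """How many harvested marks a victim would still accept as current."""
    return sum(1 for name, mark in harvested.items() if mark == site.current_mark(name))
```

Running three scrapes against a fresh 30-user site with the defaults shows the shape of the defence: a single source is cut off after five distinct usernames and, because the burst also trips the site-wide spike, every mark it got is voided; a scraper spreading the same burst across 30 sources is never rate-limited and keeps the marks it fetched after the switch to backup pictures; and a scraper pacing requests 61 seconds apart from one source harvests every primary mark unnoticed. The window-based detector, in other words, only raises the cost of harvesting; the post's stronger point is that none of it starts without a list of usernames to feed to the first step.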

Also See: Posts about Phishmarking.