12 Nov 2003
This week Jay Heiser, chief analyst at TruSecure, warns against the increasing threat from email 'phishing' scams designed to separate surfers from their hard earned cash.
The cartoon in which one dog explains to another that on the internet 'nobody knows you're a dog' is easily understood by anybody who has used the internet.
Everything is virtual and all content can potentially be copied, replayed and altered, providing a unique opportunity for hackers.
'Phishing' is a form of social engineering attack that exploits how easily an identity can be masked on the web. Victims are encouraged, usually through a spam email, to visit phoney websites that spoof those of legitimate organisations.
Lured to a phishing site, users are asked to enter some sort of exploitable personal information, such as a PIN, password or bank account number.
The majority of active web users have encountered some sort of phishing lure, and more are being trolled past their noses every day.
So far, the lures are not very attractive, and very few surfers have been caught. But the phishers are becoming more prevalent and more skilful, and real people are starting to lose real money.
Phoney websites are nothing new, but they are becoming more common and much more sophisticated. It is no longer just kids engaging in a bit of electronic graffiti or political protest; highly motivated criminals are using web spoofs in the hope of stealing personal information for financial gain.
This year, the fraudsters are honing their ability to deceive. Aiming squarely at the UK retail banking customer, they have begun spoofing the sites of major high street banks.
No one can predict how big the problem will become, but it is fair to say that the publicity associated with fake sites is reducing customer confidence in doing business on the web.
Ironically, technical solutions for this problem are already built into web browsers and web servers. When that little padlock icon appears at the bottom of the browser, it means that a Secure Sockets Layer (SSL) session has been set up between the browser and the web server.
By itself, an SSL connection is not sufficient to ensure that a website is genuine. Surfers must take the initiative to verify its identity manually by clicking on the padlock icon and following several additional steps.
Unfortunately, this process is not the least bit intuitive and is so inconvenient that even security professionals rarely bother to follow it through.
It is a smart, logical solution, but it is also a design that ignores human factors. Even worse, the lack of interest in SSL authentication has resulted in managerial sloppiness.
Many sites have digital certificates that have expired or are issued for the wrong URL, making it impossible to verify the site's identity correctly.
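The two certificate defects just named, an expired certificate and one issued for a name other than the site's, are exactly what a browser has to flag. As an added example (not from the column), here is a small Python check over constructed certificates in the dictionary shape Python's `ssl` module returns; the bank hostnames are invented, and the "as of" date is the column's own.

```python
import ssl

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns; the hostnames are invented for this example.
AS_OF = ssl.cert_time_to_seconds("Nov 12 00:00:00 2003 GMT")
GOOD_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
    "notBefore": "Jan 01 00:00:00 2003 GMT",
    "notAfter": "Dec 31 23:59:59 2003 GMT",
}
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Jun 30 23:59:59 2003 GMT")
WRONG_NAME_CERT = dict(GOOD_CERT, subjectAltName=(("DNS", "www.hosting-provider.test"),))


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry; legacy
    certificates without SANs fall back to the subject commonName."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # a wildcard covers exactly one label: *.bank.test matches www.bank.test only
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def check_cert(cert, hostname, now):
    """Problems a browser would have to flag when this certificate is presented
    for `hostname` at time `now` (epoch seconds); an empty list means it checks out."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("expired", EXPIRED_CERT), ("wrong name", WRONG_NAME_CERT)]:
        print(label, check_cert(cert, "www.example-bank.test", AS_OF) or "OK")
```

A real browser does the same checks (plus chain validation to a trusted root) before showing the padlock; the point of the column is that users are left to interpret the result themselves.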
Hardware tokens have proved to be easier to use. Authentication tokens create a password that is only valid for a limited period of time and can only be used once. Although such devices are expensive to provide and administer, some banks have offered them to customers.
Tokens are a great way to protect passwords from theft, making them normal practice for high-end e-commerce situations.
These devices are not really designed to solve the problem of proving the identity of a server; they are only meant to prove the identity of the user.
They make it difficult or impossible to steal a useful password, so they do protect the user, but they still cannot prevent users from being fooled by spoofed sites.
The need to verify the identity of websites and web users was understood over a decade ago when the first web browsers were being designed. Verification technology was implemented, but unfortunately a practical human interface was never really completed.
It is amazing that we have been able to go for so long without this becoming a problem. But it is now becoming a serious issue, especially now that it is calling into question the reputation of leading financial institutions.
Clearly the internet population must be taught how to properly evaluate the digital certificate information made available through SSL, but new technology has to be developed to protect users who can't protect themselves.
My educated guess is that we will live with this problem until the rate of successful phishing attacks becomes alarmingly high and jolts the IT community into action.