Internet Explorer Feature Will Block Phishing Sites

Taking a burden off banks, Microsoft Corp. will equip its industry-dominating Web browser, Internet Explorer, with a module that bars consumers from phishing sites flagged by three vendors.

Banks' efforts to fight phishing have been hampered by their inability to control consumers' computers.

"We see it as a collective problem, not just a banking problem," said Michael Aldridge, a group product planner for anti-phishing technologies with the Redmond, Wash., company. "We've never seen it as the banks' problem to solve."

Microsoft said Thursday that it will use constantly updated blacklists from Cyota Inc. of New York, Internet Identity of Tacoma, and MarkMonitor Inc. of San Francisco. Mr. Aldridge said it might also sign with other providers.

Last week the protection was made available as an add-on to the MSN toolbar that users can download for use with the current version of Internet Explorer, version 6. Microsoft said it will be integral to version 7 and built into its MSN Hotmail e-mail service and its planned successor, Windows Live Mail, which is now in beta testing.

Though banks have long complained that few consumers adequately protect their home computers, they are reluctant to distribute anti-fraud software to their customers. One reason is that they do not want customers asking banks' customer service representatives for help troubleshooting software problems.

For phishing, criminals build Web sites that look like banks' sites to trick people into revealing personal data that could be used for identity theft.

The Microsoft system uses a blacklist of Web pages that Cyota, Internet Identity, and MarkMonitor have identified as phishing sites. The system also uses a whitelist of known legitimate e-commerce sites, and Microsoft says it can dynamically evaluate unknown sites.

Cyota also provides its data to Netscape Communications Corp., a unit of Time Warner Inc., but Microsoft's browser is much more widely used. Microsoft says 86% of all Internet users are currently using Internet Explorer; in October, 87.4% of visitors to americanbanker.com did so with Internet Explorer; only 0.87% used Netscape's browser.

Cyota also provides data to EarthLink Inc. of Atlanta, which has an anti-phishing toolbar for Web browsers. EarthLink gets data from several other companies too.

EarthLink's software is not perfect. In mid-April it briefly blocked the online banking site of Associated Banc-Corp of Green Bay, Wis. (The incident predates EarthLink's relationship with Cyota, which said it was not involved.)

Mr. Aldridge said that Microsoft has addressed the danger of blocking legitimate sites by letting people override their browsers' decision or completely disable the anti-phishing feature. They can also report such incidents to Microsoft.

"People are concerned about making sure they have control over their own decisions," he said.

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said it "is a little unusual for Microsoft to depend on external vendors for a blacklist service." Its doing so may relate to the EarthLink-Associated gaffe, she said.

In a suit brought by Associated, Judge John Shabaz of the U.S. District Court for the Western District of Wisconsin ruled Sept. 13 that EarthLink was not liable because it had relied on information from vendors.

Ms. Litan said that Microsoft probably does not "want to be in the business of blacklisting companies and taking the liability."

Amir Orad, Cyota's executive vice president of marketing, said the court case was a boon for his company because liability concerns could increase his business. "Cyota is liable and is being relied upon to provide high-quality data to Microsoft," he said.

Mr. Orad said that online attacks are getting more sophisticated. "We'll never make the problems disappear; there is no silver bullet here," he said. "But you can raise the bar," and Microsoft's decision does just that, Mr. Orad said.

Ms. Litan said Microsoft's plan is "the solution to phishing attacks: put it in the browser that's being used by 90% of the world."

However, she also said that among criminals the types of attacks that Microsoft's software is designed to combat are becoming less popular than "keystroke loggers and malware and Trojans and hijacking."

Microsoft's entry into anti-phishing software is "long overdue, and it should have been done 18 months ago," Ms. Litan said. "It's just too bad it's too late."

