December 2006 was, technically, the deadline for compliance with the FFIEC's authentication guidance for Internet banking. While the industry as a whole is not on schedule, the criminal element is, with a twist: this time, the crooks are passing themselves off as virtual security guards.
SecureWorks, which has taken down about 50 phishing operations in the past year, says it recently dismantled several phishing schemes which used the dual authentication sign-up process to lure bank customers and credit union members to bogus phishing Web sites.
The crooks direct victims, by email, to sign up for their bank or credit union's supposed new dual authentication product, which is said to safeguard their online banking. The email asks customers to enter their account number and PIN so they can register for a new dual authentication code and phrase, and tells them that such codes and phrases are now required by the government for online banking.
That's not true, of course. While the FFIEC guidance on online banking protections is often regarded as a dual-authentication mandate, it technically doesn't require it. The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Where that is the case, the guidance calls for multifactor authentication, layered security or other controls reasonably calculated to mitigate the risk; it prescribes no particular product, and it certainly does not ask customers to register a code and phrase by email.
More to the point, the feds probably didn't think they'd be played by phishers when the guidance was first issued. But crooks are just as capable of surfing the financial newswires as anyone, hence the latest scheme. "We thought this latest phishing scam was extremely clever and quite ironic considering the phishers used the dual authentication guidance, which was developed to protect online banking from fraud, to try to scam their victims," says Erik Petersen, vice president of professional services for SecureWorks and director of the firm's phishing takedown services. Petersen says most of the targeted institutions are small to mid-sized firms, and the scams originated in Europe and the Far East.
SecureWorks suggests that institutions protect their mail servers by dropping and filtering fraudulent email, send customer email from the same "from" domain as the institution's Web site, and monitor the bounces to that address that come back to the bank's mail server, since a surge of bounces for messages the bank never sent is a sign that someone is spoofing its domain. The managed security services provider also says financial institutions should use transaction-based, rather than session-based, authentication, disable open mail relay on their email servers, and educate customers never to reach the bank's Web site from a link in an email, but only by typing the actual URL. Together, these steps make it far harder for phishers to harvest customers' account numbers, PINs and Social Security numbers.
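The recommendation to prefer transaction-based over session-based authentication is the one that speaks most directly to this scam, because what the phishing page harvests (an account number, a PIN, and a static code and phrase) is exactly what a session-based login accepts. The following Python sketch is added here as an illustration; it is not SecureWorks' code nor any bank's. The account number, PIN, phrase, the shared token secret and the 8-digit HMAC code format are all constructed assumptions for the example; in practice the code would come from a hardware token or an out-of-band channel, never from a web form.

```python
import hashlib
import hmac

# Constructed sample customer (not real data). In a real deployment the
# token secret lives in a hardware token or is delivered out of band; the
# bank never asks for it on a web form, let alone by email.
ACCOUNT = "100200300"
PIN = "4821"
PHRASE = "blue-harbor"   # the static "dual authentication phrase" the scam harvests
TOKEN_SECRET = b"example-token-secret-not-for-real-use"


def session_login(account, pin, phrase):
    """Session-based: one check up front; the result is a bearer session."""
    if account == ACCOUNT and pin == PIN and phrase == PHRASE:
        return {"account": account, "authenticated": True}
    return None


def session_transfer(session, dest, amount):
    """Anything presented with a valid session is executed, whoever holds it."""
    return session is not None and session.get("authenticated") is True


def transaction_code(secret, account, dest, amount, counter):
    """8-digit code bound to the exact payee, amount and a monotonically
    increasing counter: what the customer's token would display."""
    msg = f"{account}|{dest}|{amount}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class TransactionAuthBank:
    """Transaction-based: every transfer must carry a code for *that* transfer."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = 0
        self.ledger = []

    def transfer(self, account, dest, amount, counter, code):
        if counter <= self.last_counter:
            return False   # replay of an already-used code
        expected = transaction_code(self.secret, account, dest, amount, counter)
        if not hmac.compare_digest(expected, code):
            return False   # code belongs to a different payee/amount, or is a guess
        self.last_counter = counter
        self.ledger.append((dest, amount))
        return True


def phisher_vs_session():
    """Phisher holds the account number, PIN and phrase from the fake sign-up page."""
    stolen_session = session_login(ACCOUNT, PIN, PHRASE)
    return session_transfer(stolen_session, "ATTACKER-ACCT", 5000)   # succeeds


def phisher_vs_transaction():
    """Same stolen static secrets, plus one code the phisher watched the victim enter."""
    bank = TransactionAuthBank(TOKEN_SECRET)
    legit_code = transaction_code(TOKEN_SECRET, ACCOUNT, "UTILITY-CO", 120, 1)
    results = {
        # the victim's own transfer goes through
        "victim": bank.transfer(ACCOUNT, "UTILITY-CO", 120, 1, legit_code),
        # redirect the observed code to the attacker's account: payee changed, code mismatch
        "redirect": bank.transfer(ACCOUNT, "ATTACKER-ACCT", 120, 2, legit_code),
        # replay the victim's transfer verbatim: counter already used
        "replay": bank.transfer(ACCOUNT, "UTILITY-CO", 120, 1, legit_code),
        # forge a new transfer without the token secret: the code is a guess
        "forged": bank.transfer(ACCOUNT, "ATTACKER-ACCT", 5000, 2, "00000000"),
    }
    results["ledger"] = list(bank.ledger)
    return results


if __name__ == "__main__":
    print("session-based, phisher transfers:", phisher_vs_session())
    print("transaction-based:", phisher_vs_transaction())
```

Binding the code to the payee and amount defeats the harvesting of static secrets and the replay of an observed code, but not a live man-in-the-middle phishing page that asks the victim, in real time, to approve the attacker's own payee and amount. The code only helps if the customer sees and checks the payee and amount on an independent display (token screen or out-of-band message) before entering it, which is why customer education sits alongside the technical controls in the list above.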