Chapter 8. Stopping Phishing

Stopping spam is an important objective in its own right, but stopping or even eliminating spam will not by itself stop phishing.

Impersonation spam is only a tactic. Phishing gangs also create fake merchant Web sites, sometimes using a domain name that is a common mistyping of a well-known online merchant. Some use a virus to install spyware; others run Internet cafés with hardware key-loggers built into their machines. It is important to focus on the crime and not just ephemeral tactics. The tactics change, but the basic principle remains the same: Trick the user into revealing his access information, and then use it for financial gain.

Stealing credit card numbers is only one part of a complex criminal ecology. The criminals don’t want the card numbers; they want the money. Stolen card numbers are sold wholesale to specialists in turning card numbers to cash, known as carding rings. The carding rings can use the stolen card numbers to buy fencible goods online or create actual forged credit cards and sell them to petty criminals who use them in stores (see Figure 8-1).


Figure 8-1. The phishing value chain

Direct losses due to phishing are significant, estimated to be in the region of $1 billion for 2006.[1] Indirect losses are larger still. The primary product of the banking industry is trust. Each phishing attack reduces trust in online banking. The biggest fear of the major banks is that their customers will stop banking online and go back to banking in lines at their local branch. This would mean a return to pre-Internet costs and service levels after customers have grown used to the convenience of 24-hour home banking.

Although the direct losses are large, the amounts made by the criminals are likely to be more modest. Fraud tends to have high overheads; a perpetrator might pocket only $5 of each $100 that is lost by the victim. Money laundering schemes tend to involve large commissions paid at each step in the process. Stolen goods are sold at a fraction of their purchase price to ensure a fast turnover. Large losses do not necessarily mean large profits for the gangs.

The Phishing Cycle

A typical phishing attack follows the basic plan shown in Figure 8-2. The perpetrator first sets up a network of anonymous hosts to insulate herself from her criminal communications. Next, a capture site is established to collect the personal data from the target. The perpetrator then advertises the capture site to the targets by sending spam through an anonymous host. If the perpetrator is successful, the target reveals his information to the capture site, which forwards it to the perpetrator.


Figure 8-2. The phishing cycle

There are many variations on the basic theme, but three common elements are always required. Think of them as the three Cs.

  • Contact—The perpetrator must initiate contact with the victim.

  • Capture—The perpetrator must collect the stolen credentials.

  • Concealment—The perpetrator must avoid being identified.

E-mail is likely to remain the favorite method of contact until antispam measures are sufficiently widespread. E-mail allows the criminal to initiate the contact and thus control the timing of the attack. Spyware installed on the user’s machine allows a surreptitious approach but depends on the victim actually visiting his online banking account before the capture network is shut down.

Attacks by telephone are the emerging trend. Internet telephony, otherwise known as Voice over IP (VoIP), allows an attacker to make many calls at essentially no cost. Currently, the attack is at the “gray-market” stage in the U.S., with allegedly legitimate companies routinely making tens of thousands of calls every day in flagrant disregard of the U.S. Do Not Call list and the prohibition on making commercial calls to mobile telephone numbers.

In the e-mail phishing attack, the capture site is a Web site that mimics the look and feel of the bank or other brand that is being impersonated. In a spyware attack, the success of the attack depends on the capture mechanism being active long enough to capture a sufficiently large number of card numbers.

Most customers now understand that they should ignore e-mail requests for personal details. Fewer customers are on their guard during a telephone call. Many banks use automatic attendant systems that require the customer to enter his credit card number via the telephone keypad, effectively training their customers to respond to this attack.

Credentials of Any Kind

Criminals can turn more than credit card numbers into profit.

  • Bank or Brokerage Account—The most blatant phishing scams ask for account access information for a bank or brokerage account. These scams are usually easy to spot because the banks already know their customers’ usernames and passwords, and there is no reason that they would ever send an e-mail asking a customer to enter them.

  • Credit Card Number—Phishing scams targeting credit card numbers can be much harder to spot. Any merchant selling his product through spam might be running a phishing scam. Many of the spammers behind the penis potions and other dubious products sold through spam have criminal convictions. One well-known spam kingpin has convictions for cocaine trafficking and money laundering. Other spammers openly sell pirated software. Would you trust a spammer not to sell your credit card number to a carding ring?

  • Identity Profile—An identity profile of a phishing target allows the phishing ring to apply for credit in their name. The phishing gang looks for information such as the target’s name, address, date of birth, and social security number. Partial information from one source can be supplemented with information from other sources.

  • Auction Site Account—Phishing gangs will impersonate any trusted brand that can be used to convince someone to part with his money. Getting access to an online auction account with a high reputation rating allows the phishing gang to place fraudulent auctions.

Some phishing gangs are scavengers, taking any information they can and selling it where they can.

Variations on the Theme

Some phishing attacks try to bully the customer by telling him that there is a security problem with his account, which he must fix urgently or lose access to his account. Figure 8-3 shows a subtler variation on the usual theme; it is designed to counter antiphishing measures in three different ways:

  • Instead of asking for personal details directly, it announces a new security measure and invites the user to ask for more details.

  • The message contains a long URL that appears to be an attempt to exploit a buffer overrun bug in a popular Web browser and gain control of the target’s machine.

  • If the buffer overrun exploit fails, the recipient is directed to the phishing capture site, but only the first time the link in each e-mail is followed. An ISP following up on an abuse report will see what appears to be a legitimate site.


Figure 8-3. A subtler approach

Intervention

An individual phishing attack has three main phases (see Figure 8-4). First, there is the preparation phase during which the perpetrator sets up his capture sites, registers cousin domain names, and so on. After the attack starts, it will run undetected for some time until discovery. The responder will then attempt to contact the ISP(s) hosting the site(s) for a takedown.


Figure 8-4. A phishing timeline

When the phishing epidemic started, most attacks were discovered quickly, almost always within an hour and often much sooner. Shutting down the capture sites took much longer, often days or even weeks. As a result, most early antiphishing measures were concentrated on shortening the time between discovery and takedown.

The perpetrator’s profits depend on keeping as many capture sites up for as long as possible. So, even though takedown is the last step in the process, it is easiest to understand the tactics used by the phishing gangs in the preparation phase if takedown is considered first.

Takedown

Most modern businesses consider their brand to be one of if not their most important asset. Attacking a well-known brand is a sure way to gain the immediate and focused attention of the owner.

Banks targeted by phishing attacks respond aggressively, calling the ISPs hosting the phishing capture site to demand its removal. When the phishing phenomenon first appeared, the phishing gangs would attempt to overwhelm the bank security staff by saturating them with increasing numbers of capture sites and increasing volumes of phishing spam in the hope that the bank might give up.

To meet this challenge, most banks have adopted the tactics of the phishing gangs, outsourcing the task of contacting ISPs to request, and if necessary require, that a capture site be brought down. A specialist business with a 24-hour security staff on call is more likely to know the right person to contact and how to reach them.

The cat and mouse game continues, 24 hours a day, seven days a week, and in every corner of the globe. We have found capture sites on machines in homes, schools, government offices, and in one case a fish market. The phishing gangs try to locate their capture sites in places that are as hard to contact as possible, choosing time zones where the business day ended long ago and countries where they hope the language barrier will impede the response most. A U.S. bank might face an attack at 5 p.m. Pacific time from capture sites situated in Riga, where the local time is 3 a.m.

The takedown service provides a tactical advantage but not a strategic solution. Like fitting a burglar alarm to a car, a phishing takedown service does not persuade the criminal to give up stealing, but it does encourage him to pick another target. My customer’s immediate needs are met, but the crime continues.

When every new car was fitted with a burglar alarm, the determined criminals learned how to steal cars with alarms. Deployment of tactical measures must be used wisely. If we don’t use the time they buy to deploy a strategic solution, we will eventually run out of tactical options.

Discovery

As the time interval between discovery and takedown is closed, it becomes increasingly important to discover phishing attacks quickly.

Phishing gangs prefer to impersonate the real domain of their target in their phishing e-mails. A consumer targeted by a phishing attack is much less likely to respond to a letter from [email protected] than [email protected].

Spam lists inevitably contain large numbers of obsolete or nonexistent e-mail addresses. Whenever a million spam messages are sent out, a significant number will bounce back to the purported sender. In theory, the message should be bounced to the envelope sender address (the SMTP reverse-path) defined in the e-mail standard, which the phisher controls. In practice, however, there are plenty of misconfigured and misprogrammed e-mail systems that will bounce the message to the domain in the From header instead, that is, to the e-mail server at bizybank.com. This provides an early warning system for the response teams.

The backwash effect of bounced mail depends on the phishing attack attempting to impersonate the real domain name of the bank; the phishing gangs are already avoiding this, and new discovery techniques will be needed.

Many hosted Web mail systems have a feature that allows users to report phishing. At present, this data is mostly used internally by the hosted Web mail service, but the data could in principle be reported to the banks themselves and their antiphishing services.

Preparation

As methods for takedown and discovery are improved, it becomes interesting to look at prospects for detecting phishing attacks before they are started. Unfortunately, the effectiveness of these techniques typically depends on the phishing gangs not knowing that they are being used, so I can’t describe them here.

A preparation step that can be discussed is detecting registration of “lookalike” or “cousin” domain names such as bizybank-security.com or B1ZYBANK.COM instead of bizybank.com.

Most major brands already use services that pre-empt registration of cousin domains by aggressively registering international variations—likely typographic mistakes and names like theirbank-security.com. Unfortunately, the number of variations is usually large, and the cost of maintaining a large portfolio of registrations soon mounts up. There are approximately two hundred top-level domains, and registering all the variations of just one name in every domain can easily cost $100,000. Brands have to be selective in the domains they choose to register.
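Two of the tasks described above lend themselves to automation: enumerating the cousin variants of a brand name (to decide which to register pre-emptively) and testing a newly registered domain to see whether it is a cousin of a protected brand. The following is an added example, not code from the book or from any brand-protection service. It uses the chapter's fictional bizybank as the protected brand; the homoglyph table, the affix list and the single-character edit rules are this example's own assumptions, chosen to catch the bizybank-security.com and B1ZYBANK.COM cases above.

```python
# Added example: generate "cousin" variants of a brand label and test whether a
# candidate registration looks like one. Brand name "bizybank" is taken from
# the chapter; the rules below are this example's own assumptions.

# Assumption: ASCII homoglyphs an attacker might substitute. Illustrative only.
HOMOGLYPHS = {
    "i": ["1", "l"], "l": ["1", "i"], "o": ["0"], "e": ["3"],
    "a": ["4"], "s": ["5"], "b": ["8"], "g": ["9", "q"], "z": ["2"],
}

# Assumption: words phishers bolt onto a brand to suggest a security site.
AFFIXES = ["security", "secure", "verify", "update", "login", "online"]


def cousin_variants(label: str) -> set[str]:
    """Return lookalike variants of one domain label (no TLD), lower-cased."""
    label = label.lower()
    variants = set()
    for i in range(len(label)):                      # omission: bizbank
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition: bziybank
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                      # doubling: bizzybank
        variants.add(label[:i + 1] + label[i] + label[i + 1:])
    for i, ch in enumerate(label):                   # homoglyph: b1zybank
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])
    for affix in AFFIXES:                            # bizybank-security, ...
        variants.update({f"{label}-{affix}", f"{label}{affix}",
                         f"{affix}-{label}", f"{affix}{label}"})
    variants.discard(label)                          # never list the real name
    return variants


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typos and homoglyph swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the last dot. Assumption: fine for .com-style names;
    country-code second-level domains (co.uk) would need a suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_cousin(candidate: str, brand: str) -> bool:
    """True if `candidate` (a full domain) looks like a cousin of `brand`."""
    label = registrable_label(candidate)
    brand = brand.lower()
    if label == brand:
        return False                                 # the genuine domain
    if label in cousin_variants(brand):
        return True
    if edit_distance(label, brand) <= 1:             # b1zybank, bizbank, bizybamk
        return True
    return brand in label.replace("-", "")           # my-bizybank-login, etc.


if __name__ == "__main__":
    for name in ["bizybank.com", "bizybank-security.com", "B1ZYBANK.COM", "citybank.com"]:
        print(f"{name:28} cousin={is_cousin(name, 'bizybank')}")
    print(len(cousin_variants("bizybank")), "variants of one label")
```

The variant count is the point of the cost argument above: a few dozen single-edit variants per label, multiplied by the number of top-level domains, is what makes exhaustive pre-emptive registration expensive, so is_cousin is the check to run against new-registration feeds rather than something to register against.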

Digital Brand Management Services were set up in response to the problems of domain name squatting and trademark violation. Phishing is also a trademark violation, of course; the difference is that the reaction must take place in hours, not days. Providing the necessary faster response is a bit like a weekly news magazine trying to turn into a 24-hour cable news channel. The journalists are still doing the same job of reporting news, but to a much more demanding schedule.

Many brand management services are currently transforming their businesses to provide the necessary faster discovery. The remaining problem is developing a “fast-track” procedure for challenging a fraudulent domain name registration.

The ICANN Uniform Dispute Resolution Policy (UDRP) was adopted in 1999 to respond to a very different set of problems. Domain name squatters would register names of well-known companies to charge the trademark owners exorbitant sums to get them back. Other companies attempted to obtain domain names they had no legitimate claim to but would like to have by threatening an expensive lawsuit.

The timescales built into the UDRP are designed to support a deliberative, judicial proceeding. At the start of the process, the respondent is allowed 20 days to respond. By the time the UDRP has begun, the phishing attack is long since over.

From time to time, proposals are made to change the UDRP to make it more responsive to phishing attacks. But streamlined procedures designed to optimize response to phishing attacks create their own problems by upsetting the delicate balance of interests that the UDRP is designed to protect. Domain names are too important to accept a process that allows them to be cancelled with no time for thought or objection. Companies cannot build a business on a domain name that might be suddenly suspended without notice or appeal.

The best hope for streamlining the dispute resolution process without upsetting the balance of interests is to concentrate on the period immediately following registration. It is unlikely that a company will have built a substantial business around a domain name that has been registered less than a week.

Concentrating on the initial registration period has benefits for the domain name registrars as well as the brands attacked by the phishing gangs. One of the biggest problems the registrars face is chargebacks—credit card charges that are challenged by the card owner. It is not unusual for up to 30 percent of registration attempts to be backed by a stolen credit card. The registrar is fined for every chargeback, and if the chargeback rate is too high, his merchant account may be cancelled. What the brand name owners and the registrars really need is a better mechanism for trapping the fraudulent registration attempts by flagging domain names that are likely to be fraudulent.

Intelligence

People often propose “user education” as a solution to the phishing problem. This creates a new problem—agreeing on what is meant by user education.

What I consider to be user education is warning people about the scams and the tricks used by the criminals. Others mean telling the customers that they are the ones at fault.

The light bulb and car existed as curiosities for the rich in the nineteenth century. The great engineering achievements of the twentieth century were the ability to turn on a light without having to understand how the generator worked and the ability to drive a car without having to understand more about its internal operation than the need to insert fuel, oil, water, and air in the appropriate receptacles from time to time. We have to vastly improve the quality of the security interface in Web browsers before we start thinking about blaming the users. And even then we have to keep in mind the fact that there will always be a significant number of Web users whose ability to protect themselves is limited.

Some phishing attacks do not leave telltale signs unless you know exactly how to look for them. I usually know instantly that a message is a scam because I don’t have an account with the bank in question, but it can take five or ten minutes to work out the tricks being used, and I know what I am looking for.

Local Intelligence

We could teach users how to recognize the tricks used by the phishing gangs, but teaching the computer to look for them is a much simpler and more effective approach. For example, a common phishing tactic is to use a disguised hypertext link. The text of the e-mail might suggest checking your account status at www.bizybank.com/, but under the covers, the e-mail actually links to www.phishing-incorporated.crime/.

The problem with building intelligence into the browser is that the phishing gangs tend to be able to switch to new techniques faster than people update their Web browser. In 1995, a Web browser update was released practically every month; today I use a Web browser that is just having its first major update in four years. Even though a new rivalry appears to be emerging between Web browser providers, it is unlikely to return to the frenetic pace of the late 1990s. The new browser competition is focusing on stability, robustness, and security, an approach that we want to encourage rather than the endless accretion of new features.

As the introduction of new browser platforms slackened, companies such as Google and Yahoo have offered “toolbars” that add features such as an improved search capability. Some of these toolbars offer antispyware and antiphishing features. A toolbar need not even be visible to the user to be providing an effective protection against common phishing attacks.

The toolbar approach allows antiphishing protection to be deployed without waiting for the next major browser release, but the release schedule is still too slow to defeat the most persistent phishing gangs. The problem is similar to that of stopping spam. Local rules can be used very effectively to stop a large proportion of attacks, but only until the attackers develop countermeasures. To provide a robust solution, it is necessary to combine local rules with an external information source providing up-to-date intelligence.

The combination of local rules and external intelligence is very powerful. Reliance on external intelligence alone requires a major commitment of resources to provide information in a reliable and trustworthy manner. Reliance on local rules alone is vulnerable to countermeasures. Support for both provides the power of external intelligence with only limited additional cost. The attacker has much less incentive to develop countermeasures to defeat the local rules because he knows that the external intelligence is capable of keeping up with his countermeasure.
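The disguised-link trick described under Local Intelligence and the local-rules-plus-external-feed combination argued for here can be shown in one piece of code. The following is an added example, not code from the book or from any browser toolbar. The e-mail, the blocklist contents, the domain names (bizybank.com and www.phishing-incorporated.crime from the chapter, plus 192.0.2.10, a documentation address) and the four local rules are all constructed for this example; a real deployment would fetch and refresh the blocklist rather than hard-code it.

```python
# Added example: local phishing rules for the links in an HTML e-mail, combined
# with a lookup against an external blocklist. All inputs are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Assumption: stand-in for an external intelligence feed of active capture
# sites (the "virtual takedown" list). Static here; refreshed in practice.
EXTERNAL_BLOCKLIST = {"www.phishing-incorporated.crime"}

# Assumption: brands whose domains this filter protects.
PROTECTED_DOMAINS = {"bizybank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def local_rules(href: str, text: str) -> list[str]:
    """Names of the local rules that fire for one link."""
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["unparseable-url"]
    findings = []
    # Rule 1: visible text names a host that differs from the real target,
    # e.g. text "www.bizybank.com/" pointing at www.phishing-incorporated.crime.
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    if m and host and not same_site(host, m.group(1)) and not same_site(m.group(1), host):
        findings.append("text-href-mismatch")
    # Rule 2: userinfo trick, http://www.bizybank.com@evil.example/ -> evil.example
    if parts.username is not None:
        findings.append("userinfo-in-url")
    # Rule 3: raw IP address where a bank would use a hostname.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    # Rule 4: protected brand name inside a host the brand does not own.
    for dom in PROTECTED_DOMAINS:
        brand = dom.split(".")[0]
        if brand in host.replace("-", "") and not same_site(host, dom):
            findings.append("brand-in-foreign-host")
    return findings


def analyse(html: str) -> dict:
    """Per-link local findings plus blocklist status, and an overall verdict."""
    collector = LinkCollector()
    collector.feed(html)
    report = {"links": [], "verdict": "clean"}
    for href, text in collector.links:
        try:
            host = (urlsplit(href).hostname or "").lower()
        except ValueError:
            host = ""
        hits = local_rules(href, text)
        listed = host in EXTERNAL_BLOCKLIST
        report["links"].append({"href": href, "host": host, "local": hits, "listed": listed})
        if hits or listed:
            report["verdict"] = "phish"
    return report


# Constructed phishing lure for the example (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your account at
<a href="http://www.phishing-incorporated.crime/login">www.bizybank.com/</a>
or use <a href="http://www.bizybank.com@192.0.2.10/">our secure server</a>.</p>
"""

if __name__ == "__main__":
    for link in analyse(SAMPLE_EMAIL)["links"]:
        print(link)
```

The first link is caught twice, by the text/href mismatch rule locally and by the blocklist externally; the second is caught only by local rules, which is the situation the feed cannot cover until someone reports the site. Either source alone leaves a gap that the other closes, which is the argument of the paragraph above.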

External Intelligence

External intelligence is a good thing, but how is it to be found? One source of information for such a service would be the antiphishing takedown services.

One of the big problems with the takedown service approach is that it depends on reaching one of a small number of individuals responsible for the server causing a problem. This is usually fast but sometimes very slow. If it is impossible to reach a responsible person, the takedown service has to walk up the chain of responsibility, calling the ISP that provides its Internet service, the backbone carrier through which it connects and local law enforcement. If all else fails, there are other measures that can be taken, but they cannot be applied on a large scale.

Rather than rely on reaching a small number of individuals, a better approach would be some sort of service that delivers information that can be used to block active phishing sites to a Web browser, a network gateway appliance, or an e-mail filtering service. The information service would be similar to the old-style spam blacklists but considerably narrower in scope. Such a service would allow for a “virtual takedown” of phishing and spyware sites before the responsible ISP could be contacted.

The Carding Cycle

Stealing credentials is only one-half of the phishing crime. To make a profit, the criminal must turn his stolen credentials into money without being caught. This is by far the most difficult and complex part of the criminal value chain, because the criminal can only profit if money or valuable goods end up flowing toward the carding ring, and that flow can be traced. The old law enforcement maxim “follow the money” works.

Forged Cards

One of the ways that phishing gangs have been turning stolen credit card numbers into cash is to create fake ATM cards. Until recently, this has been possible using low-cost equipment readily available through the Internet. This is the criminal’s ideal means of turning a stolen card number into cash. ATMs are numerous, provide 24 hours of service, and are frequently situated in locations that make any surveillance attempt easy to detect.

In response, most banks now use additional information (called the CVV code, sometimes written CVV1) that is encoded on the magnetic stripe of the card but does not appear on the card itself. This means that the phishing gangs must obtain more information than a consumer tricked into entering his details into a Web page is able to supply. There is also a second number called the CVV2 code, which is printed on the back of the card but is not on the magnetic stripe. This is used to detect a forged card created using a recording of the magnetic stripe.

These codes were introduced by the credit card companies in the mid 1990s after a spate of incidents in which carding rings used credit card receipts recovered from garbage to create fake cards. Most card-present credit card transactions check the stripe’s CVV code as part of the authentication process. The same is increasingly true of ATM transactions, although making any changes to the financial services networks is difficult and time consuming, particularly when they affect multiple banks.

It is a bit like treating a bear for a toothache without using anesthetic. In principle, the process of removing the decay and replacing it with a filling is no different from the same operation performed on a human. In practice, we must account for the likelihood of objections from the bear.

The introduction of CVV codes led to the carding gangs using handheld magnetic swipe card readers to skim a credit card when it was being used for a legitimate transaction such as paying for the bill in a restaurant. Some of the skimming devices are so small that they easily fit into the palm of the hand.

Carding gangs have also been known to create fake ATMs to steal credit card numbers, or more subtly, attach a camouflaged card reader to an existing ATM. The gangs will sometimes include a wireless video camera to observe the customer entering his PIN if they don’t have a means of extracting the PIN from the card.

Making a forged credit card is time consuming, and the person using it in person runs a significant risk of being caught. A forgery created using data obtained by phishing will lack the CVV code and is therefore likely to be detected. Carding gangs who make forged credit cards are much more likely to use data obtained from skimming or a fake ATM than from phishing.

Package Reshippers and Money Movers

Criminals were stealing credit card numbers long before the Internet was invented. The Internet allows the phishing gangs to steal very large numbers of credit card numbers. There would be no point in doing this unless the carding gangs had found a way to turn large numbers of credit cards numbers into cash.

The solution that the gangs have found is to use mules, the package reshippers and money movers mentioned in Chapter 1, “Motive.” Some are dupes; many are willing accomplices. In either case, the recruit is in for a nasty shock when he discovers that his real job is to be the person who gets caught.

The fraud detection schemes put in place by the banks, brokerages, and card associations are accountability based: They don’t prevent fraud, but they make it much more likely that the perpetrators will suffer consequences.

The carding gangs circumvent the accountability schemes by recruiting mules to take the consequences while they take most of the money. The mules don’t get to wear smart uniforms or carve out the inside of a volcano like Blofeld’s minions in You Only Live Twice, but they are just as expendable.

When the mules get caught, they face the probability of prison time. They are also likely to be required to repay all the money that they have transferred out of their account. The transfers of stolen money into their account will be cancelled, but not the transfers out of the account. The recruit is usually left with a huge debt.

Some gangs even use the personal information they obtained while recruiting to perform an identity theft on the mule after he has stopped working for them.

The recruits receive a triple-whammy: prosecution, debt, and ruined credit.

The carding gangs behave in ways that should make their employees suspicious. All contact is through e-mail; the gangs avoid accepting mail or making a telephone call that could be traced. Despite this peculiar behavior, some carding mules are genuinely fooled; they only realize that what they thought was their great new job has gotten them involved in organized crime when the police knock on their door. Others understand that they are involved in something “dodgy” but don’t realize that they are risking jail and bankruptcy.

Some carding rings use a “chocolate and flowers” approach. The carder finds a lonely heart online, befriends her, and after gaining her trust, asks if she could forward a package to him as a favor.

Auction Fraud

Bank phishing is an attack against a trusted brand. Online auction fraud applies the same principle but targets a reputation feedback score, the brand of a private individual rather than the brand of a well known bank.

I discovered a fraudulent auction placed by a criminal gang a few weeks after Motorola launched its RAZR phone.

The seller had 39 positive feedback responses with no complaints, apparently a trustworthy vendor. On closer inspection, this was the first time the seller had sold anything; in the previous auctions, he had always been the buyer. This is not necessarily proof of fraud—everyone has to start sometime—but most people do not begin their career dealing in cell phones, and those who do are unlikely to be able to offer a model so hard to get that the established dealers had not received their stock yet. And if he were a genuine dealer, he would certainly want to receive close to the $499 list price for a model with such high demand rather than offer it brand new for $160.

The seller’s profile said that he lived in the U.S., but the cell phone was being offered priced in Australian dollars, and the description of the goods stated they were being shipped from Eastern Europe.

Suspicious, I contacted the seller and received a rapid reply that confirmed my suspicions (see Figure 8-5). Not only had the price jumped up (although still a good deal), but the seller was now proposing to sell the phone direct, avoiding the auctioneer completely, and wanted to be paid by wire transfer rather than the payment mechanism supported by the auction house, which would be guarded by fraud protection measures. This would allow the “seller” to collect his payment from the wire transfer office, and there would be no way to catch him after he left the building.


Figure 8-5. Reply from fraudulent auction offer

Stopping Carding

If carding is stopped, there will be no demand for phished credit card numbers. The first step in stopping carding is to make as many people as possible aware of how the carding gangs work, and that anyone who gets involved in one of their schemes is going to find out that it’s the job from hell.

The next step is to do what law enforcement has always done when investigating serious financial crimes: Follow the money.

The activities of carding mules leave a distinctive pattern if we learn how to look for it. Whenever a package reshipper is recruited, he will suddenly start to receive deliveries of goods bought using a large number of credit cards, all with different billing addresses. This is a pattern of activity that the businesses that support Internet payments can look for and investigate.
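The pattern just described, one delivery address receiving goods bought on many different cards with many different billing addresses, is simple to express as a rule over order records. The following is an added example, not code from the book or from any payment processor. The order records, the card tokens, the addresses and the thresholds (three distinct cards, billing ZIPs distinct for at least 80 percent of them) are all constructed for this example; real thresholds would be tuned against a merchant's own history.

```python
# Added example: flag shipping addresses that match the package-reshipper
# pattern. Records and thresholds below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    card_token: str     # tokenized card reference; never store the PAN itself
    billing_zip: str    # ZIP from the cardholder's billing address
    ship_to: str        # free-text shipping address as entered
    amount: float


def normalize_address(addr: str) -> str:
    """Crude normalization so 'Apt 4,' and 'apt. 4' collapse together."""
    return " ".join(addr.lower().replace(".", "").replace(",", "").split())


def reshipper_candidates(orders, min_cards: int = 3, min_zip_ratio: float = 0.8) -> dict:
    """Return {normalized ship_to: stats} for addresses that received goods
    paid for with at least `min_cards` distinct cards whose billing ZIPs are
    mostly different from one another, i.e. many victims, one drop address."""
    by_addr = defaultdict(list)
    for o in orders:
        by_addr[normalize_address(o.ship_to)].append(o)
    flagged = {}
    for addr, group in by_addr.items():
        cards = {o.card_token for o in group}
        zips = {o.billing_zip for o in group}
        if len(cards) < min_cards:
            continue
        # Distinct billing ZIPs per distinct card: near 1.0 means every card
        # belongs to a different victim; a household sharing cards scores low.
        ratio = len(zips) / len(cards)
        if ratio >= min_zip_ratio:
            flagged[addr] = {
                "cards": len(cards),
                "billing_zips": len(zips),
                "total": round(sum(o.amount for o in group), 2),
            }
    return flagged


# Constructed orders: one mule drop address, one ordinary household that
# shares two cards, and one unrelated single purchase.
SAMPLE_ORDERS = [
    Order("A1", "tok-111", "02134", "12 Harbour St, Apt 4, Springfield", 899.00),
    Order("A2", "tok-222", "90210", "12 Harbour St Apt. 4 Springfield", 1299.00),
    Order("A3", "tok-333", "60601", "12 harbour st apt 4 springfield", 649.50),
    Order("A4", "tok-444", "33101", "12 Harbour St, Apt 4, Springfield", 1199.00),
    Order("B1", "tok-555", "02134", "7 Elm Rd Springfield", 49.99),
    Order("B2", "tok-666", "02134", "7 Elm Rd Springfield", 120.00),
    Order("B3", "tok-555", "02134", "7 Elm Rd, Springfield", 30.00),
    Order("C1", "tok-777", "10001", "1 Main St New York", 25.00),
]

if __name__ == "__main__":
    for addr, stats in reshipper_candidates(SAMPLE_ORDERS).items():
        print(addr, stats)
```

The rule keys on the relationship between cards and billing addresses rather than on any single transaction, which is why it belongs with the payment service or merchant that sees all the orders rather than with the bank that sees only its own cardholders.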

Sting operations are already proving effective in tracking the activities of phishing gangs. The phishing gangs are given active credit card numbers with spending limits carefully chosen to allow enforcement by the FBI. Each time one of the cards is used, the alarm bells go off.

Schemes of this type have the potential to provide a process that law enforcement can apply repeatedly with a success rate that is both measurable and predictable.

It would be interesting to take the process a stage further and infiltrate the carding operations with undercover money movers and package reshippers. The most productive approach to this type of investigation would be a collaboration between law enforcement who have the powers to do this type of work and the businesses involved in Internet commerce, the merchants who sell the merchandise, the payment services that process the payments, and the shippers who transport the packages. Similar collaborations between law enforcement and banks have led to arrests in money laundering cases; it is time to apply the same techniques in this field.

Anything that can be done to make the carding gangs suspicious of and distrustful of the mules they recruit adds to their cost of doing business. The higher the cost of doing business, the less attractive the crime becomes. Let the carding gang receiving a shipment wonder whether the packages contain the digital cameras and computers they ordered or another GPS homing device and a couple of bricks to make up the weight like the last one.

Conditions for Success

Phishing is a tactic; bank fraud is the goal. We have identified responses that are effective against specific phishing tactics such as the e-mail lure. These responses fall into three groups:

  1. Disrupt attacks in progress.

  2. Prevent theft of credentials.

  3. Prevent use of stolen credentials.

All we need to do to stop phishing is to establish a condition where another form of bank fraud is more profitable to the perpetrators. To stop bank fraud, we must apply these techniques across the whole Internet infrastructure and not just the parts that the criminals target today.

To succeed, we must understand that although no bank likes to lose money, it is the indirect losses due to Internet crime rather than the direct loss that most are worried about. In particular, the bankers I work with ask me for ways to

  1. Reduce calls to customer service centers

  2. Justifiably restore confidence in Internet security

  3. Reduce the profits made by the perpetrators

The last point is particularly important; many banks are quite prepared to spend $2 to recover a $1 fraud loss. Equally important is the fact that no banker has ever demanded an antiphishing solution that is guaranteed to be 100 percent effective. Banks are in the business of risk management; they do not demand a perfect solution.

Disrupting Attacks in Progress

Disrupting attacks in progress increases costs and lowers rewards for the attacker. Even modest efforts to disrupt attacks in progress can result in disproportionate benefits as attackers switch to more profitable targets.

  • Detect planning for attacks—The ideal outcome is to stop an attack before it has started by detecting tell-tale signs of planning, such as registering domain names or running a Web crawler on target Web sites.

  • Block contact mechanism—Most phishing attacks involve a large number of contact attempts made in a short period of time. If the contact attempts can be detected and characterized as such, it might be possible to cause further contact attempts to be blocked.

  • Takedown capture sites—The longer a capture site is active, the more credentials the attacker can steal and the greater his profit. Contacting the ISP hosting the capture site and persuading him to take it down reduces losses.

  • Block capture sites—Getting an ISP to take down a capture site can take too long. Circulating blacklists of active phishing sites allows attempts to access the sites to be blocked in the browser or in the network infrastructure until the capture site itself is taken down.
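The "block contact mechanism" and "block capture sites" responses above can be tied together in one piece of gateway logic: watch for a burst of messages that all point at the same site within a short window, and once the burst is recognized, put that site on a block list that stops further attempts until the capture site is taken down. The following is an added illustration, not code from the book or from any product the chapter describes; the mail-gateway records, the five-minute window and the threshold of five messages are all constructed for the example.

```python
"""Added example: recognize a burst of lure messages pointing at one capture
site and feed the result into a block list.  All data is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed mail-gateway records: (time seen, recipient, URL found in body).
# The .invalid TLD is reserved and cannot resolve, so no real site is named.
SAMPLE_LOG = [
    ("2006-03-01T09:00:01", "alice@example.com", "http://login-examplebank.invalid/verify"),
    ("2006-03-01T09:00:02", "bob@example.com",   "http://login-examplebank.invalid/verify"),
    ("2006-03-01T09:00:30", "carol@example.com", "http://www.examplebank.invalid/statements"),
    ("2006-03-01T09:01:10", "dave@example.com",  "http://login-examplebank.invalid/verify"),
    ("2006-03-01T09:01:11", "erin@example.com",  "http://login-examplebank.invalid/verify"),
    ("2006-03-01T09:02:45", "frank@example.com", "http://login-examplebank.invalid/verify"),
    ("2006-03-01T09:03:00", "grace@example.com", "http://login-examplebank.invalid/verify"),
    ("2006-03-01T11:30:00", "heidi@example.com", "http://www.examplebank.invalid/statements"),
    ("2006-03-01T12:00:00", "ivan@example.com",  "http://login-examplebank.invalid/verify"),
]

WINDOW = timedelta(minutes=5)   # constructed: how long a burst is measured over
THRESHOLD = 5                   # constructed: messages to one host within WINDOW


class LureBurstDetector:
    """Sliding-window counter per target host plus a persistent block list."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # host -> timestamps inside the window
        self.blocked = set()             # hosts recognized as capture sites

    def observe(self, ts, url):
        """Record one message; return True if delivery should be blocked."""
        host = urlsplit(url).hostname
        if host is None:
            return False
        q = self.seen[host]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        # A burst of contact attempts at one host marks it as a capture site;
        # the block persists after the burst ends, until the site is taken down.
        if len(q) >= self.threshold:
            self.blocked.add(host)
        return host in self.blocked

    def is_blocked(self, url):
        """Check a URL against the block list (browser or network filter use)."""
        return urlsplit(url).hostname in self.blocked

    def unblock(self, host):
        """Called once the hosting ISP confirms the capture site is down."""
        self.blocked.discard(host)


def run(log):
    """Replay constructed records; return the detector and per-message verdicts."""
    det = LureBurstDetector()
    decisions = []
    for ts_str, recipient, url in log:
        decisions.append((recipient, det.observe(datetime.fromisoformat(ts_str), url)))
    return det, decisions


if __name__ == "__main__":
    det, decisions = run(SAMPLE_LOG)
    for recipient, blocked in decisions:
        print(f"{recipient:20s} {'BLOCKED' if blocked else 'delivered'}")
    print("block list:", sorted(det.blocked))
```

On the constructed log the fifth message to the lure host arrives within the window and is blocked, as is every later message to that host, including one three hours later after the window has emptied; the bank's genuine host, which appears only twice, is never listed.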

Preventing Theft of Credentials

Phishing is generally presented as a problem caused by the Internet, but the real root cause is the inadequate authentication mechanisms used by the banks, credit card systems, brokerages, and so on. Strengthening both infrastructures to make it harder to steal credentials is necessary.

  • Prevent platform compromise—Spyware is only possible because the software platforms we use have flaws. Web browsers, e-mail clients, and operating systems are all written in ways that allow them to be compromised. In addition to making these platforms resistant to attack, we must reduce the propagation of the attacks themselves.

  • Prevent impersonation of trusted party—E-mail phishing is effective because e-mail allows the attacker to easily impersonate a party that the target already trusts. Preventing such impersonation through strong authentication infrastructure is essential.

  • Use theft-resistant credentials—Phishing is credential theft. Phishing becomes impossible if it is not practical or possible to steal a usable credential, which is what strong authentication technologies such as One Time Password (OTP) tokens and smartcards, described in Chapter 14, “Secure Identity,” are designed to ensure.

Preventing Use of Stolen Credentials

Even if the credential is stolen, all is not lost. The (direct) loss occurs only when the credential is used successfully.

  • Fraud intelligence networks—To use a credential, the criminal must in most cases use a compromised machine. Because the number of compromised machines is finite, the same machines are used in attack after attack. Sharing of fraud intelligence data allows compromised machines to be identified more rapidly, allowing use of stolen credentials and possible man-in-the-middle attacks to be detected.

  • Multilevel security—Any access to an online bank account is a potential confidentiality compromise, but only specific types of behavior (transfers out of the account, adding a new payee, and so on) result in a profit to the attacker. Two-level access schemes, in which a password is sufficient to read the account but a second password or a stronger means of authentication is required to perform riskier operations, provide greater security when it is required.

  • Risk management—For decades, credit card companies have used risk scoring systems that detect suspicious behavior. Modern computing and network infrastructure allows risk management systems to be tailored to the individual account holder, detecting patterns of activity that are unusual for the particular customer.
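The three responses above (fraud intelligence networks, multilevel security and risk management) fit together naturally in one authorization check: a request is scored against a shared list of machines other institutions have reported as compromised and against the customer's own baseline, and the operation's type decides whether the first-level password is enough or the second level of authentication is required. The code below is an added illustration, not the book's or any bank's system; the intelligence feed, the customer profile, the operation names and the thresholds are all constructed, and a real deployment would tune them from its own fraud history.

```python
"""Added example: risk-tiered authorization combining shared fraud
intelligence, a per-customer baseline and two-level authentication.
All data and thresholds below are constructed for illustration."""
from dataclasses import dataclass

# Constructed shared fraud-intelligence feed: source addresses that other
# participants have reported as compromised machines used in earlier fraud.
SHARED_COMPROMISED_HOSTS = {"198.51.100.23", "203.0.113.77"}

# Operations that move money or change who can move it: they always need the
# second level of authentication, whatever the score.
RISKY_OPERATIONS = {"transfer_out", "add_payee", "change_contact_details"}

REVIEW_THRESHOLD = 60    # hold the request and refer it to the fraud desk
STEP_UP_THRESHOLD = 30   # an otherwise harmless request still needs a second factor


@dataclass
class CustomerProfile:
    customer_id: str
    usual_countries: frozenset
    typical_transfer: float     # median outgoing transfer for this customer
    known_payees: frozenset


@dataclass
class Request:
    customer_id: str
    operation: str
    source_ip: str
    country: str
    amount: float = 0.0
    payee: str = ""
    second_factor_ok: bool = False   # OTP token / smartcard response already verified


def risk_score(req, profile):
    """Score a request against shared intelligence and the customer's own
    baseline; returns (score, reasons)."""
    score, reasons = 0, []
    if req.source_ip in SHARED_COMPROMISED_HOSTS:
        score += 60
        reasons.append("source host reported compromised by the intelligence network")
    if req.country not in profile.usual_countries:
        score += 25
        reasons.append("country unusual for this customer")
    if req.operation == "transfer_out":
        if req.payee not in profile.known_payees:
            score += 20
            reasons.append("transfer to a payee not seen before")
        if req.amount > 3 * profile.typical_transfer:
            score += 20
            reasons.append("amount far above this customer's typical transfer")
    return score, reasons


def decide(req, profile):
    """Return one of ALLOW, STEP_UP or REVIEW together with the reasons."""
    score, reasons = risk_score(req, profile)
    if score >= REVIEW_THRESHOLD:
        # Even a read from a known-compromised host is held: a second factor
        # does not help if the session itself is relayed by an attacker.
        return "REVIEW", reasons
    needs_second_level = req.operation in RISKY_OPERATIONS or score >= STEP_UP_THRESHOLD
    if needs_second_level and not req.second_factor_ok:
        return "STEP_UP", reasons
    return "ALLOW", reasons


# Constructed customer baseline and requests that exercise each decision path.
PROFILE = CustomerProfile("c-1001", frozenset({"US"}), 200.0,
                          frozenset({"electric-utility", "landlord"}))

SAMPLE_REQUESTS = {
    "balance_from_home": Request("c-1001", "balance", "192.0.2.10", "US"),
    "transfer_no_second_factor": Request("c-1001", "transfer_out", "192.0.2.10", "US",
                                         amount=180.0, payee="landlord"),
    "transfer_with_token": Request("c-1001", "transfer_out", "192.0.2.10", "US",
                                   amount=180.0, payee="landlord", second_factor_ok=True),
    "large_transfer_new_payee_abroad": Request("c-1001", "transfer_out", "192.0.2.99", "ZZ",
                                               amount=1500.0, payee="unknown-account",
                                               second_factor_ok=True),
    "balance_from_compromised_host": Request("c-1001", "balance", "198.51.100.23", "US"),
    "balance_from_abroad": Request("c-1001", "balance", "192.0.2.55", "CA"),
}


def run_samples():
    """Evaluate every constructed request; returns {name: verdict}."""
    return {name: decide(req, PROFILE)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:35s} {verdict}")
```

Note the ordering in `decide`: the shared-intelligence hit or a high combined score is checked before the second factor is considered, so a large transfer to an unknown payee from an unusual country is held for review even when the OTP response was correct, which is the case the text has in mind for man-in-the-middle attacks. A plain transfer to a known payee asks for the second level and then goes through; reading a balance from home needs only the password.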

Adapting to Survive

A final component of our solution must be constant review and constant vigilance so that emerging threats such as telephone phishing do not need to become a major problem before remedial action is taken.

Key Points

  • The objective is to steal the money.

    • Impersonation spam is only one tactic.

  • Phishing and carding are processes.

    • The details change, but the basic elements are constant.

    • We must focus on disrupting the process.

  • Tactical and strategic approaches must be balanced.

    • Tactical approaches have immediate benefit and commercial potential.

    • Strategic approaches change the environment.
