BankInfoSecurity.com Interviews Markus Jakobsson

By Linda McGlasson, January 29, 2007.
LINDA MCGLASSON: Hi. I'm Linda McGlasson with BankInfoSecurity.com, and today we're speaking with Dr. Markus Jakobsson, a Professor at Indiana University, about phishing and some of the research he is doing on it. Dr. Jakobsson is also Associate Director of the Center for Applied Cybersecurity Research and the founder of RavenWhite, Inc. He is the inventor or co-inventor of more than fifty patents, has served as Vice President of the International Financial Cryptography Association, and is a Research Fellow of the Anti-Phishing Working Group. Prior to his current position, he was Principal Research Scientist at RSA Laboratories, a member of technical staff at Bell Laboratories, and Adjunct Professor at New York University. He is an Editor of The International Journal of Applied Cryptology and a Group Editor of the ACM Mobile Computing and Communications Review. His latest book, Phishing and Countermeasures, was released last year. He is co-editor and author of upcoming books on crimeware from Symantec, click fraud and cryptographic protocols. He has also served as the Editor of RSA CryptoBytes for several years. Professor Jakobsson researches fraud, social engineering and phishing, and the prevention of these attacks. He has laid the foundations of the discipline of how to perform experiments to assess risk arising from sociotechnical vulnerabilities in the context of current and potential future user interfaces. He consults for the financial industry and heads the efforts at www.stop-phishing.com. Welcome, Dr. Jakobsson.

MARKUS JAKOBSSON: Thank you, Linda.

LINDA MCGLASSON: I'll go right ahead into these questions. In your most recent research, The Human Factor and Phishing, you showed the importance of understanding the psychological aspects of phishing. For the banks and credit unions who want to educate and protect their customers, what are some of the most important points they need to know about your findings?

MARKUS JAKOBSSON: I would say that they could hire the most brilliant techies, who know everything about cryptography and network security, to secure their website and make it hacker-proof; they could pay companies like Cyota for quick takedown; and they could hire people like the guys at the Internet Law Group to go after the phishers and bring them to court. These, of course, are good things to do. But still, the clients might fall prey to phishing in large numbers. Why? Well, first of all, having a safe site doesn't mean that your clients will not be fooled into giving out the information at sites impersonating your site. Your clients didn't come to your site to learn about security; they came to pay their bills, and that's their primary thing. Security is a secondary concern to them. And they may not even pay attention to the warning, or to the absence of indicators that they are at the correct site. So a hacker can deceive them into going to another site. Well, now your basic self-protection doesn't do much good. And most people reacting to phishing attacks actually do so within a few hours, before takedown really protects them. And even if it does help to bring a few phishers to court, it still doesn't undo the damage, so you still need to do more. First of all, it's really important to realize that security isn't just a matter of using common sense or reacting correctly to attacks. It's also a matter of designing the websites and your e-mail downloads in a way that makes the attacks harder. And, most of all, it's about anticipating the next moves of the attacker. This is not easy, of course. How could you know what they are going to do next? You could have somebody in-house, or you could work with somebody who specializes in this, who looks at the features and the vulnerabilities, your features and those of common phishing countermeasures, and also psychologically, who knows what the average Joe will fall for.
For example, most people are now aware of the standard phishing attack, in which the attacker impersonates their bank and asks the user to log in within 48 hours. This is not so credible anymore. Recent studies have found that if a client has a voice mail on his or her answering machine when they come home, and the voice mail says to expect an e-mail requesting a password update the next day (of course the e-mail would refer to the voice mail), then the user feels very differently. This e-mail comes the next day and says, "Now you need to log in within 48 hours." It becomes very credible. So this might seem like a very complicated attack, of course. You first have to record the voice mail; you have to place a call and get the voice mail onto somebody's answering machine. But I'm telling you, this is not a complicated attack. And it would quite spectacularly increase the yields.
