BankInfoSecurity.com Interviews Markus Jakobsson - Part 1 of 2
LINDA MCGLASSON: Hi. I’m Linda McGlasson with BankInfoSecurity.com, and today we’re speaking with Dr. Markus Jakobsson, a Professor at Indiana University, about phishing and some of the research he is doing on it. Dr. Jakobsson is also Associate Director of the Center for Applied Cybersecurity Research, and the founder of RavenWhite, Inc. He is the inventor or co-inventor of more than fifty patents, has served as the Vice President of the International Financial Cryptography Association, and is a Research Fellow of the Anti-Phishing Working Group. Prior to his current position, he was Principal Research Scientist at RSA Laboratories, a member of technical staff at Bell Laboratories, and Adjunct Professor at New York University. He is an Editor of The International Journal of Applied Cryptology, and a Group Editor of the ACM Mobile Computing and Communications Review. His latest book, Phishing and Countermeasures, was released last year. He is co-editor and author of upcoming books on crimeware from Symantec, click fraud and cryptographic protocols. He has also served as the Editor of RSA CryptoBytes for several years. Professor Jakobsson researches fraud, social engineering and phishing, and the prevention of these attacks. He has laid the foundations of the discipline of how to perform experiments to assess risk arising from sociotechnical vulnerabilities in the context of current and potential future user interfaces. He consults to the financial industry and heads the efforts at www.stop-phishing.com. Welcome, Dr. Jakobsson.

MARKUS JAKOBSSON: Thank you, Linda.

LINDA MCGLASSON: I’ll go right ahead into these questions. In your most recent research, The Human Factor in Phishing, you showed the importance of understanding the psychological aspects of phishing. For the banks and credit unions who want to educate and protect their customers, what are some of the most important points they need to know about your findings?

MARKUS JAKOBSSON: I would say that they could hire the most brilliant techies, who know everything about cryptography and network security, to secure their website and make it hacker-proof; they could pay companies like Cyota for quick takedown; and they could hire people like the guys at the Internet Law Group to go after the phishers and bring them to court. These, of course, are good things to do. But, still, the clients might fall prey to phishing in large numbers. Why? Well, first of all, having a safe site doesn’t mean that your clients will not be fooled into giving out the information at sites impersonating your site. Your client didn’t come to your site to learn about security; they came to pay their bills, and that’s their primary thing. Security is a secondary concern to them. And they may not even pay attention to the warning, or to the absence of indicators that they are at the correct site. So, a hacker can deceive them into going to another site. Well, now your basic self-protection doesn’t do much good. And, most people reacting to phishing attacks actually do so within a few hours, before takedown really protects them. And, even if it does help to bring a few phishers to court, it still doesn’t undo the damages, so you still need to do more. First of all, it’s really important to realize that security isn’t only a matter of using common sense or reacting correctly to attacks. It’s also a matter of designing the websites and your e-mails in a way that makes the attacks harder. And, most of all, it’s about anticipating the next moves of the attacker. This is not easy, of course. How could you know what they are going to do next? You could have somebody in-house, or you could work with somebody who specializes in this, who looks at the features, what the vulnerabilities are, of your features and of common phishing countermeasures, and also psychologically, who knows what the average Joe will fall for.
For example, most people are now aware of the standard phishing attack, in which the attacker impersonates their bank and asks the user to log in within 48 hours. This is not so credible anymore. Recent studies have found that if a client has a voice mail on his or her answering machine when they come home, and the voice mail says to expect an e-mail requesting a password update the next day, and of course the e-mail would refer to the voice mail, then the user feels very differently. This e-mail comes the next day and says, “Now you need to log in within 48 hours.” It becomes very credible. So, this might seem like a very complicated attack, of course. You first have to play the voice mail; you have to place a call and get the voice mail onto somebody’s answering machine. But, I’m telling you, this is not a complicated attack. And it quite spectacularly would increase the yields.

LINDA MCGLASSON: What led you to this research, and why do we need to understand users, and know what they will believe, and what they will not?

MARKUS JAKOBSSON: Well, let me answer this with a couple of examples. Several financial institutions wish to authenticate themselves to their users, when they send e-mail, for example, so that the users will be less likely to fall for spoofing attacks. So, one very common way is that the financial institution might say the name of the person who receives the e-mail, and the last four digits of their bank account number, or credit card number. And this is considered, in general, to be secure. But it has a severe flaw. Users don’t distinguish between an e-mail that says the first four and one that says the last four digits of their credit card. So, to most users, that seems equally safe. You know, it said something about your credit card number, and that is, of course, personalization. And most consumers don’t know, but of course everybody in the banking industry knows, that the first four digits are largely determined by the financial institution. So, a phisher who picks up on this could, you know, send out an e-mail that says, “To,” and the name of the person, and that’s very easy to find out, and then authenticate themselves, supposedly, by saying “The first four digits of your bank account (or credit card) number are the following.” And the user who receives this will automatically believe that this is legitimate, because it has an authentication that he or she has gotten used to. The bank has trained them to accept an authentication in this general format. And even if he or she looks at their credit card, and hopefully security-minded people do, it will be accepted. And, so, phishers could actually abuse an apparent security feature, and turn it into a security flaw. And this is something that we need to understand, what the user falls for, in order to understand that the first four digits are not a good authentication measure. Also, you need to anticipate how your features and your advertisements end up in the hands of the attacker.
For example, say that a bank, like Chase, has this alert service: if you sign up for it, and you are a Chase Bank client, then every time you perform a transaction of a certain type, you get an alert, whether by phone or by e-mail. Let’s use the e-mail case, now. A bank like Chase really needs to register chase-alerts.com and alerts-chase.com, and they do own these two domains, because if they don’t, these domains will seem incredibly plausible to a user who receives an e-mail appearing to come from Chase and having these links embedded. For example, assume for a moment that Chase did not own these, and that I were a phisher and registered them; then I could send you an e-mail that would seem incredibly plausible to you, and ask you to follow these links. And as you arrive at the target, of course, it would look like a Chase banking site. And so, this is about the features of the financial institutions. Also, you could consider advertisements. One advertisement could be mounted by phishers, as an attack, to say, “Look, we at Citibank are very proud of our new services, and we know you’re not banking with us, but we would like you to switch. If you switch today, we will match what you put into your account up to the first hundred dollars. And, in order to transfer money, you can follow this link, and just take it directly from your bank.” And this way, of course, what the phisher does is he or she achieves two goals. First of all, he doesn’t need to target Citibank customers. Normally, the phisher has to know who they are targeting, or just be lucky, but here they are targeting everybody, except those who are with Citibank. So they get a much larger portion of the recipients who find it plausible. And second, they, of course, get the account number, or other information that allows them to take money out of the existing account.
They’re not trying to establish an account with Citibank, and they’re not worried about credentials that the user gives in order to establish this account. What they want are the credentials on the account from which the user, supposedly, would transfer the funds. So, these are examples of how features, and potential features or advertisements could play into the hands of the attackers.

LINDA MCGLASSON: In your paper, The Human Factor in Phishing, you noted that information security specialists make the mistake of designing security to protect themselves. Why isn’t this sufficient to protect the average consumer? And, what are some of the examples you can give that would illustrate this?

MARKUS JAKOBSSON: There can be several answers to those questions. First of all, security specialists apply security day in and day out. They think of nothing else. And, if they get a phishing e-mail, it’s an amusement. My colleagues and I, we pass around phishing e-mails and compare them, and we all have a good laugh. So, security specialists will have a warped sense of what will fool people. It’s very easy to get so used to the level of attacks, and to become so abnormally paranoid and able to distinguish attacks, that you don’t realize that the average consumer isn’t at the same level. And also, most security specialists are very technology-focused. They are trained as computer scientists, and they understand computers and algorithms, and how that works, but they don’t necessarily understand human psychology. Not like con artists do. Con artists make great phishers. If you could have a con artist turned security specialist, you’ve really got the best of both worlds. Somebody who knows security and lives and breathes deceit.

LINDA MCGLASSON: So, what are some of the things that people judge e-mails on when determining their authenticity, and what do you think creates trust?

MARKUS JAKOBSSON: This is a topic I have done a lot of user studies on, and the answer is very interesting, or the answers, there are several of them. First of all, the average client of the bank looks at an e-mail and makes sure it looks right. It has to have the logos and it has to have the right general format. And, also, it needs to sound right. Whatever the material is, it needs to be contextually relevant. First of all, it needs to be from their bank. And, so, phishers could either hope that they have people that are with a given bank. And that becomes easier with smaller financial institutions, like credit unions, that are geographically located in a way that could be associated with the domain name to which the phishers send e-mail. For example, if somebody is with Indiana University, they are much more likely to be with Indiana University Credit Union than somebody who is not, and vice versa. And, so, they can increase the yield in this manner. Also, there are actual ways in which phishers can learn whom you are banking with, and this is rather upsetting. I have a small logo on my webpage, it’s called “browser recon.” It allows anybody who runs a website to which they can attract users to look at the browser history of that person’s machine, and determine what places they have been to. And, of course, if you know that somebody’s been to Citibank, you can safely assume that they are a Citibank customer. But, I could even look if they have been to the logout page at Citibank, and then I can tell for sure that they have to be a Citibank customer. Also, you could base it … that’s somewhat advanced, though, you could maybe base it on IP address. You could figure out what bank somebody is likely to be with, based on their IP address. So, that is the second thing, the context of it, which is also included in the text.
If the material that causes people to log in somewhere, which is what they call the “mirror,” sounds plausible, and if it hasn’t been seen before, it has to have a psychologically appealing and new twist. And then there are minor things like disclaimers. In a study that I have been part of performing, we found that if people are confronted with two e-mails that look the same, but for the fact that one has a legal disclaimer at the bottom, and if you ask people to rate the likely authenticity of these two e-mails, then everybody says that the e-mail with the disclaimer is the most legitimate. And when you ask people why, they would say, “Well, phishers, they don’t need legal disclaimers, and why would they do that?” And the legal disclaimer gives this warm, fuzzy feeling of trust that, of course, is very easily obtained by a phisher the same way: just put a legal disclaimer onto their e-mail. And, also, people feel much more comfortable if an e-mail has a phone number which you can call if you have questions. They’re not intending to call, necessarily. But the fact that there is a phone number makes them feel like somebody else would call, and if this was a fraudulent e-mail, it would, of course, be discovered in the process. So, you could have an e-mail sent by a phisher which contains a phone number, whether it is that of the legitimate bank, or a number that nobody will pick up, or even a phone number that is controlled by the phisher, where somebody will pick up, and perhaps even ask for your mother’s maiden name. So, phone numbers are another way that phishers can increase their yield. Also, plausible domains. People are much less likely to fall for a phishing attack in which the URL that they are asked to go to is an IP address. People do rely on those also, to some extent. And the yield almost falls in half if there is an IP address, as opposed to a real, normal domain.
And registering a plausible-sounding domain, something that has to do with a bank, or putting the bank’s name in a subdomain, that really does increase the yield. With one of my students, we performed tests of the value, exactly the degree to which this is the case, to which people find it more plausible. And these are not laboratory experiments, where people know that they are being studied, but these are actually what we call naturalistic studies. Of course, we’re not phishing anybody, we’re not stealing anybody’s credentials. But other than that, it looks just like a real attack. And we could determine that these are the things that people really do look at and do fall for, for example, customer name attacks, when they evaluate an e-mail to determine whether it’s legitimate or not.

LINDA MCGLASSON: So, you’re saying if a consumer sees a padlock on a website, do they trust it more than one without? And, what are some of the examples you can give, and what is going wrong with the SSL certification procedure? And explain to our listeners, what is SSL certification?

MARKUS JAKOBSSON: SSL is a cryptographic technique used to secure the connection between a site and a user who connects to the site, so that nobody could tap into the conversation just by, perhaps, routing the traffic, and thereby learn what information is sent. You don’t want anybody to listen in to the credentials you’ve sent. And, SSL has become one of the distinguishing aspects of whether something is a phishing site or not. Typically, phishing sites don’t have SSL locks on them. But, unfortunately, this is not important, because the average consumers don’t notice the absence of the lock. Studies that I have been part of performing have shown very explicitly that people notice the inclusion of incorrect information, like if you call them “Joe” and their name isn’t Joe, they would immediately notice, but people won’t notice the absence of material. For example, if there is not a lock at the site, then that is not so noticeable as if you have something. And that is, of course, a concern, too. For example, financial institutions like Bank of America rely on SiteKey, which is a visual mark that people would have to recognize in order to know that it is the site. So, what it is is that it’s not always that people do notice. And you can even deceive them by saying in an e-mail that, because of the Americans With Disabilities Act, we are now changing the image that you are going to see, and here, just below, you will find your current image. And, now, please go to this site, and the phisher would give a new image there, and ask you to acknowledge that you agree to this, but first, of course, you need to authenticate, so that we know that it is you. And that is one very bad way. But, back to the SSL. People don’t notice it so much. And, people also don’t notice where a lock is, if there is a lock.
For example, the SSL lock should be in the chrome portion of the browser, so this gray part around, or in the address bar, depending upon what kind of browser you are using. Many banks actually put it inside the login. This is to signify what is called an SSL post, which means that once you do press submit, you’ve entered your user name and your password, then you start an SSL session before the credentials are sent. And, banks used to put a lock logo inside the content portion, in order to signify that this is the case. But, anybody can put a lock image inside the page. And also, you could use what is called a “favorite icon” attack. If you go to my webpage, for example, you will see a lock in the address bar. And many people might think that this is an SSL lock, but this is just the “favicon.” This is the small icon that you see, for example, if you go to newyorktimes.com, you will see a small logo that represents The New York Times. And anybody, any site, can set this small logo in any way they wish, and they can set the icon to a lock, in particular. But there also are other ways in which you could put a lock in the corner, or what appears to be the corner. So, you could have, in several browsers, a chromeless window. And then the content of this window will have material that looks like chrome with a lock. So, to anybody looking at this window, it looks like a normal window, whereas in fact it is a window without the chrome, without this gray frame, where the content has a frame and a lock. But, the biggest problem, really, is that people do not pay attention.

LINDA MCGLASSON: What are some of the educational efforts taking place to change consumers’ reaction to phishing, and how effective is it, in your estimation?

MARKUS JAKOBSSON: Well, banks have to educate their clients to some extent about phishing and online fraud, and they do it, of course. But these are dry descriptions and screen shots, and it doesn’t really teach people to understand phishing. And also, it’s not attractive enough that people feel like they want to read it. If anything, it’s a little bit scary and intimidating. And so, first of all, they don’t necessarily target the people who need this information, and second, the presentation doesn’t make it very easily digestible. And it might even be just a couple of screen shots of known attacks, and not quite any instruction on how to spot versions of this, or how to understand the underlying mechanism. Also, popular media has a lot about identity theft. For example, Reader’s Digest last year carried two stories on identity theft, and what to do. But, these are very short and dry stories. They give a couple of suggestions, like, don’t click on links, and all of these things that we are used to hearing. But, banks do send out e-mails where you do have to click on links. So, it’s hard for the consumer to know what are the good links and what are the bad links, and it all boils down to understanding what is going on, and that is something that is not very well taught, in my opinion. Similarly, the FTC’s educational effort, same thing. It’s somewhat abstract and dry, and it doesn’t really appeal to people in a way that makes them immerse themselves in it. Now, there are people who have realized this, and have tried to change this. For example, Lorrie Cranor, one of my colleagues at Carnegie Mellon University, uses video games to teach people about phishing. And this showed quite improved rates of people’s understanding of what phishing is. First of all, because they managed to present it in a way that is appealing. So, people would sit down and actually participate in this.
But also, it manages to become less abstract, and more people can relate to it, and that is, of course, good. Also, I have, as part of my effort, developed a comic strip; you can see two panels of it in the paper that we were talking about, The Human Factor in Phishing, which is available on my webpage. And this material is meant to make it very easy for the average consumer to understand important aspects of phishing and identity theft, and what to do to avoid it, and in a way that is somewhat easily generalizable. So, it’s not about one particular attack, it’s about what is happening, and how can you understand it, and how could you detect a new version of this?

LINDA MCGLASSON: In anticipating threats, you and others have been on the forefront of “thinking a step ahead” all the time. What are some of the things that you would recommend we, as banks and credit unions, do to strategically stem phishing attacks?

MARKUS JAKOBSSON: Well, first of all, you need to understand trends in vulnerabilities, not only technical, but human, too. And the human vulnerability does actually change over time, as people are educated, and as new technology is introduced and penetrates the marketplace. And also, you need to understand trends in countermeasures. For example, if we, for a moment, hypothesized that takedown becomes very, very efficient and fast, then what will happen? That means that phishers will not be able to keep their sites up for very long, and so most of their potential victims who do click on the link will be taken to a site that no longer exists, and of course, that is a great disadvantage to the phisher, and they wouldn’t want that to happen. So, the natural reaction to this would be for the phishers to have many sites. For an attack with a million potential victims, the phisher actually could have a million different sites, and each person who gets an e-mail would be taken to a new site, especially designed for them. Of course, this is not difficult, if you have the machines; you just zap the material on there. But, what it would mean is that when the financial institution initiates the takedown, that is, takedown of the site that they are aware of, whether it is from the honey pot or from the bank, or one of their clients, they are not doing a takedown of any of the others, because these would be unrelated domains and sites. And one very big concern of mine is that this is very easy to do. One of the easiest ways to do this is to compromise consumer routers, the access points that almost everybody has in their home, a Netgear router or a Linksys router. And on these compromised machines, which actually are pretty full-fledged computers, there you host content. So, say that an attacker might actually compromise a million of these.
That means now he could point other people, a million people, potential victims of an attack of his, to these million different access points. Takedown will be worthless. Takedown is not going to work when the banks can’t get all of them. And then you might ask, “How could this happen? How could an attacker compromise a million routers?” A couple of papers that I have been a co-author of have shown that this is terrifyingly easy. Firmware is a kind of software that is running on these machines, a kind of software that doesn’t disappear when you switch the machine off and then power it up again. It’s a little bit like an operating system, in that it remains. The firmware can be replaced on a router. And in small experiments, we have seen that about half of consumer routers out there are vulnerable to this attack. Meaning, if I were to manage to get access to a million routers, by being close enough, then 500,000 of these I could compromise. But it gets worse, actually. This router firmware, you could think of it as router malware, actually could propagate from router to router. In a densely populated area, you could actually see more than one router at the same time. If you live in an apartment complex, you will see that it’s not only yours that you can connect to, but you can connect to many others. So, imagine an attacker that compromises one of these routers, and then, as part of the compromise task, this router will sniff for other routers which it can compromise and spread the malware onto those, and it will propagate in a, maybe, epidemic manner, if there is enough connectivity here. And after it has propagated, all of those machines now, all of these routers, are owned, in a sense, by the attacker. He could do whatever he wishes. And in particular, he could host material on them, phishing sites. So, that’s the kind of thing: if you hypothesize that takedown becomes fast, you’d have to be afraid of a scenario like this.
Also, you would have to be afraid that keyloggers would become more common, and this is a threat that becomes very viable through games, and what are called mods, and screensavers, and other user-installed material. And, also, what are called metamorphic viruses. These are just viruses that are difficult for anti-virus software to detect, because they change shape all of the time, and so the signature files that the anti-virus companies produce aren’t likely to actually defend very well against them. Also, you can see as a third approach, if takedown becomes very fast, that the phisher will just say, “Well, I’ll do it through the phone, instead. I’ll do phone phishing,” or what some people refer to as vishing, which comes from voice phishing. And that is also the likely reaction if phishing becomes spectacularly successful; well, they just avoid e-mail.

LINDA MCGLASSON: Those are some very, very intriguing comments you just made on the ways that these guys will be approaching phishing. My next question goes back to something that you had mentioned earlier, about domain names. Do you recommend financial institutions also take the domain names that match existing or future potential services or features of the institution or its competitors? And what about how they should handle institutions that are merging, and possible misuse of domain names in that case?

MARKUS JAKOBSSON: This is a good question. Let me answer this by two examples. Some time ago, Bank One was acquired by Chase. And this became a very vulnerable time for clients of Bank One, because they weren’t quite aware of what Chase looked like, and what the form of logging into Chase was. Nor were they so sure about the URLs and all other aspects of online banking, either. So, say that a phisher would register a domain like bankonebecomeschase.com. Most people would find that rather plausible, I would argue. And so, then you take advantage of the fact that people are vulnerable, at the same time as you have an opening to use a new domain name that wasn’t very meaningful before. Another thing that you could do, if you are a bank, apart from registering these in advance, would be to look at attacks that are occurring and targeting other financial institutions. For example, there was an attack that many refer to as the Chase Rewards attack last spring, in which a lot of people got e-mails saying, “Dear Chase customer, we would like to know how you like our services, and please fill in this survey, and you’ll get $20 for the effort,” and then it was increased to $50, and yet later to $100. And if the user took time to answer the survey, which was not of any interest at all to the phisher, they would get this reward. And of course, the way in which they would get the reward would be to log in. So, this was just a psychologically complicated way of getting to the user credentials. Now, what happened was that phishers realized that this was rather successful, but that there were other banks, as well, that they could target. And, only some months later, you started seeing it on Washington Mutual. Now, as soon as that happened, I went out and registered wamu-rewards.com. This is something Washington Mutual should have done.
They should have done it the moment they saw the Chase attacks, many of which were performed using domains like chaserewards, or similar. They should have taken every domain which they saw in the Chase attacks, and they should have registered the same domain, effectively stopping the attacker from using those, if they were to turn to Washington Mutual. And, by the way, if anybody is listening to this, and you do work for Washington Mutual, I would be quite happy to transfer this domain to you. But, I need to know that I’ve transferred it to you, of course. And, so, you should practically look at what could happen to you, based on what is happening to others, and what could happen to you because of your particular situation.

LINDA MCGLASSON: That is just amazing. You also, I think, in your paper noted one phishing group actually used two letter “V”s, standing side by side, to phish Wachovia. And the two “V”s looked like the “W.”

MARKUS JAKOBSSON: Yeah.

LINDA MCGLASSON: It’s something that banks should really be looking at, and it’s not just the big guys, either. It’s some of the mid- to smaller-size asset banks and credit unions that should be observing, and closely watching the domain names around their domain name, or offshoots of it. Going on to another question. It’s been estimated that more than 10% of all networked computers run botnet software. And I’ll let Dr. Jakobsson explain what botnet software is. And an even larger number are still affected by various forms of malware. What would you recommend to institutions on how to battle these things that are happening?

MARKUS JAKOBSSON: Well, first of all, a botnet is a type of malware that is remotely controlled by an attacker. When I spoke of the attacks that could be performed using consumer access points and routers, what I really described was a botnet. It’s a large number of machines that are controlled by the attacker, and which perform tasks on behalf of the attacker. And these are also used for what is called distributed denial of service, and they are used for spam, but they could also be used to host phishing pages and other things. And, so, more than 10% of all computers, it has been estimated, do have botnet software. And that is, of course, quite worrisome. What we need to do is to notice if any one particular computer does, and not only with botnet software, but with malware in general. And one good way of knowing that is, of course, if you make everybody use anti-virus software, then the anti-virus software will catch this, but not everybody does use anti-virus software, and it’s sometimes misconfigured, and also, it’s not bulletproof. It only takes care of known threats, and it can’t take care of threats that just started to occur until the anti-virus company updates what are called the signature files. So, there is one way in which you could counter this threat. It’s referred to as remote harm detection. It’s a way to remotely, from the financial institution, scan the machine of a person who comes there. It doesn’t need executables, and you certainly don’t want your clients to have to download executables, because it trains them to do very dangerous things. But, just by arriving at your webpage, being there, we will scan certain aspects of your computer, and in particular the browser history of the client, to see if they have been to bad places, or places that signify having been corrupted. And, so, that is one way of detecting whether a machine has been compromised.
And if you know that it has, then you know, of course, not to trust anything that comes from that machine. It could also host a keylogger, and it is a machine that is dangerous, in some sense, and you need to flag it.

LINDA MCGLASSON: And, going onto our next to the last question. How can banks and credit unions anticipate threats from strengths and weaknesses? And, do you have any examples that you can give to illustrate this?

MARKUS JAKOBSSON: I’ll give you a couple of examples. One is to say that there is better detection of spoof messages, say that software in general, or people in general, become better at detecting if it’s spoofed or not. You’ll see more similar name attacks. These are attacks that rely on names that somehow, mentally, to the user, relate to the brand that is being impersonated. For example, I mentioned the potential phishing attack, in which it could say, “Switch to Citibank, and you’ll get $50,” or something like that. An attack that would relate to this might correspond to a domain name such as switchtociti.com. And so, if you have better detection of these, these types of attacks are probably going to increase. When people become aware of IP addresses more, and get more afraid of them, you will see this. Also, if I register a domain like organchase, it sounds like a ridiculous domain. Say organchase.com. I could actually use what’s called a subdomain, this is the text that comes before the domain name on the webpage. If I use JPM as a subdomain, what it would look like when you look at the URL is jpm.organchase.com, which most people will read like “jpmorganchase,” and it could look legitimate. So, you get these wacko looking domains that are effective. So, banks should not only register what looks similar, like you mentioned, instead of “W”, you could register something with two “V”s, and not only what psychologically is related, like switchtociti, but they should also register things that are kind of subsets of this, like morganchase.com.

LINDA MCGLASSON: And, finally, our last question with you, Dr. Jakobsson, do you have any best practices that you would like to share with all the financial institutions out there, that they should be following, to fight the phishers?

MARKUS JAKOBSSON: Yes. Not only to focus on the technical aspects, like SSL and takedown, but to consider the human factor, too, both when you are designing e-mail templates, and when you design the sites. And also, you must track vulnerabilities among clients. For example, using what is called takehome. Takehome is an alternative to takedown. Takedown, of course, blocks the site. Takehome redirects traffic to a given URL, to a site controlled by the legitimate brand. So, instead of blocking access to a phishing site, the financial institution could just demand that the ISP forwards traffic. And so, anybody who is a potential victim and comes to the site could be taken to the financial institution, where, first of all, the financial institution, if they use cookies, or something like that, would be able to determine who it was, so they get the demographics. And this is not to punish people, this is to understand the risks. And, second, they could display educational material there. They could say, “You have arrived at this site because of the following actions. You clicked on an e-mail that looked like such and such.” And then they could show something, for example, like the comic I described, that describes, what do phishers do? How do you avoid phishing? And so you turn defeat into educational opportunity. And most of all, if you do educate users, you must do that in a way that does not intimidate them. First of all, you don’t want to scare them away, of course, but you also don’t want to make them turn the other way, and say, “This is just too creepy to be true.”

LINDA MCGLASSON: Actually, I have just thought of one last, final question for you, and it is regarding the most recent news that broke, I believe last Friday, on the phishing attack at the Swedish bank Nordea. What is your opinion of what happened, and maybe you can explain to our audience your thoughts on it?

MARKUS JAKOBSSON: Well, this was a very well-organized attack, in which a large number of users were phished, and it is believed it was the Russian mob that stands behind the crime. Technically speaking, in fact, logically speaking, there is nothing particular about the attack. It was spectacularly efficient, in that it extracted around a million dollars from users, from clients, which was later reimbursed by the bank. But, then again, that might just be because of openness that we learn about this, and it looks so spectacular. There might be other banks that face similar kinds of attacks every once in a while. But, what is really special about the attack is that it highlights the problem, not that it changes the way things are done, or that they used a new technique, or anything. It’s just a very successful attack.

LINDA MCGLASSON: Okay. Dr. Jakobsson, I’d like to thank you so much for your time today. And we will look forward to hearing more from you in the future, as new mitigation techniques are developed. Our listeners can look for Dr. Jakobsson’s book, Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, published by Wiley Publishers, and it is available on Amazon. I’m Linda McGlasson, and this is another interview on the BankInfoSecurity.com broadcast series. Tune in soon for the next interview in our series with information security experts, cyberluminaries, and top financial institution leaders. So long until then.