The breach highlights the increasing sensitivity of e-mail. "E-mail addresses have been vulnerable since e-mail addresses were created," says Rohrbaugh, vice president of information security for Intersections Inc.
Rohrbaugh says phishing attacks are increasing and provide the best means for fraudsters to get their hands on consumers' identities -- which inevitably leads to fraud. "Social engineering is a very successful tool for the criminal," he says. "Phishing is more sophisticated." It's come a long way since the early days of "shotgun" phishing. Today's attacks are targeted.
In this interview [transcript below], Rohrbaugh discusses:
- Online security;
- Consumer responsibility for online safety and the protection of personal information;
- E-mail server authentication.
Rohrbaugh is a technologist with more than 20 years of government and private sector experience. Rohrbaugh's security career started in the military and continued under government projects for CSC at NATO, DISA, NMRC as an architect; and ST&E team lead and instructor for information security. After entering the private world and working for Metamor WW, Rohrbaugh started an e-business consulting firm that served the U.S. and Europe. Rohrbaugh then brought his information security experience to the financial sector and joined Intersections, which provides identity theft solutions to financial institutions in North America. Rohrbaugh's main focus is anti-fraud, ID verification (U.S. Patent holder) and security architecture.
Phishing: Social EngineeringTRACY KITTEN: Phishing attack concerns have been heighted by the Epsilon e-mail breach, which is believed to have exposed countless consumer e-mail addresses affiliated with loyalty programs and marketing campaigns. How vulnerable are we to phishing and subsequently ID theft when fraudsters have access to e-mail addresses and affiliations that link those addresses to other information? I'm here today with Tim Rohrbaugh, vice president of Information Security for Intersections Inc. which provides the recovery service for the Identity Theft Assistance Center. Tim, can you give our audience just a general idea about the state of phishing generally?
TIM ROHRBAUGH: Phishing is simply a form of social engineering. Humans have been manipulating other humans for the purposes of gaining confidential information since we first started to communicate. The job of social engineering today is made a little bit easier, because of a lot of our evolved defenses are rendered useless. You can look at a person and make a characterization about whether they are a male or a female if they're in front of you, or maybe you know if they look confident or desperate, and those things are not available to you when you're dealing with e-mail. So, now we have to respond to an e-mail or a text and react in the same way if facing somebody in person. With e-mail, as a communication medium, all we have to look for is a sender's name. The links, which can be covertly hidden within the mail message itself, have to be recognized as legitimate or not -- whether they are leading off some place that you didn't suspect. The other thing to look for is the e-mail time link. Is it in context? Did we just recently read from our financial institution or local government that they would never send an e-mail asking for this information. These are all things that we're trying to evaluate when the e-mail comes in and determine what we're going to do. Today there is still not a good indication that the e-mail is from a verified source. The mail servers in between are trying to do authentication, but it's not fully implemented around the network. The junk mail filters work part of the time, but phishing attacks have changed a little bit.
KITTEN: How have phishing attacks advanced? And when I talk about the advancement of phishing attacks, I'm talking about beyond just phishing links. What other types of techniques are fraudsters using to hijack personal information?
ROHRBAUGH: Phishing attacks used to be launched in a shotgun approach. You get a large mailing list and the send out a mail description or body text which would entice somebody to click a link or respond; but today that approach has changed. They know that you know they're probably getting the same respondents every time, so now they have to work down the food chain to the people who are maybe a little more cautious, so the e-mail has to come from a trusted source. It has to arrive as people expect to see it. it has to have certain details in the message body that add validity. Those things are along the lines of spear phishing, where, in other words, they're focusing on an individual. They're focusing an attack at an individual or a group of individuals. They're even going to SEC filings and focusing on just executives within the company, and the message sometimes appears to come from one person in the company to another.
KITTEN: Phishing can be perpetuated in a number of ways. For instance, by asking consumers to visit a spoofed site that resembles a retailer or bank, as you've noted with some of the spear phishing. They also can deploy malicious software when a consumer clicks on a link and basically hijack the PC. Which is most prevalent?
ROHRBAUGH: Well, it's like this. It's a technique for stealing information, so they're going to do whatever is most successful, and they vary it based on the information that they have. What is the percentage breakdown of trying to get information out of an individual in the mail response versus trying to get them to clink a link and maybe do a malicious code install? Do those percentages or attacks vary? They do, but it actually varies based on who they're going after, what the population is and how much information they have about the individual or the company that they're going after. The thing is, the percentage breakdown is good to know just to see how they're varying their attacks. But in the end, it's all going to happen.
The Link to ID TheftKITTEN: And how concerned should we be about phishing attacks relative to other types of fraud?
ROHRBAUGH: Phishing is a very successful tool for the criminal. Fraud is the result of the phishing attack, so phishing attack, just like breaking into a bank, just like stealing somebody's wallet, may be a crime of opportunity. Those are events, in themselves, but what happens after the attack is the fraud - the taking advantage of or the misuse of the ID or the individual. The phishing leads to fraud.
KITTEN: And then you've kind of answered my next question or at least touched on it, and that is to ask how vulnerable are consumers' identities when it comes to phishing?
ROHRBAUGH: No matter what we tell people, they still send sensitive information across e-mail. They believe, or at least many do, that this is a private communication between the people who are on that e-mail message. With e-mail, it's not like they can lower their voices as if they were in person talking, or move away from other people who are within earshot. They're communicating, most of the time, in clear text between mail servers and there are a lot of people who have an opportunity to reach that message, including the person on the other end who might not be the intended recipient.
KITTEN: And what does this Epsilon breach tell us about the vulnerability of e-mail addresses themselves?
Protecting E-Mail AddressesROHRBAUGH: E-mail addresses have been vulnerable since e-mail addresses were created. The first viruses, what did they do? They went in and took your contact list and then forwarded an e-mail to that list, or they sent your entire contact list to a central warehouse where they would be used for subsequent attacks. Unfortunately, the element, the data element itself, the e-mail address, is public in nature and so the real key is being able to use that e-mail address in context. So, if I just send a mass e-mailing to every other name on an e-mail claiming to be from a financial institution, some of these people will have a relationship with that financial institution and some won't. So, it's wasted communication from the criminal standpoint. If they can target the e-mail message to the e-mail and know that the recipient has a relationship with this company and maybe even know what products they buy and know what prior communication they had with this company, they'll have a higher success rate from the phishing attack.
KITTEN: And how protected should e-mail addresses be, when it comes to ensuring online security and protection of identity? We've learned from the Epsilon breach that e-mail addresses have historically not been deemed sensitive. How should that change?
ROHRBAUGH: That's kind of tricky, because my peers, the information security folks, have the right to force security controls down through their vendors when it comes to credit card data and other sensitive information. E-mail addresses are not usually connected to that, and so the real key is, 'Who has the incentive to get this right?' And the e-mailers really do, because they want to increase their effectiveness to the mobile phones, so they need to have more data. So, first they need to react. There are organizations out there that are putting together best practices and e-mail addresses in association with the companies. These lists are important to protect, so self-regulation needs to happen. But then also we need to drive the security requirements down to these vendors.
KITTEN: Now, it's been said that privacy online is a bit of a misnomer, that it's impossible for consumers to be guaranteed privacy with any online function; you've touched on this as well. How would you respond to that statement, beyond what you've already shared?
ROHRBAUGH: I believe anonymity is a right when anyone is online, but when transacting high trust transactions, such as financial institutions, government support, e-commerce, your request for anonymity needs to be set aside and you need to establish a relationship. You need to prove you are who you say you are so that the transaction can go forward. You can maintain anonymity in other cases, but it's a lot of work and that's really what it comes down to. The tools aren't necessarily there to make it easy, but it can be done today.
KITTEN: And what industries do you see as being the most vulnerable to phishing? Which industries do you see creating the most vulnerability for consumers, when it comes to phishing attacks?
ROHRBAUGH: The more that a company or industry puts trust in a communication with the consumer -- in other words, represents that e-mail is a form of communication where you can have high trust communication transactions -- then they're going to make the consumer vulnerable to these types of attacks. What a lot of companies have done over the last couple of years is to make sure they communicate with consumers and tell they will alert them of changes. This is a good alert mechanism; but with respect to e-mail, we're never going to ask you for your account names, passwords. We will never request you to go to other sites, third parties. What we may do is request that you come back to our site and come to a message area and look at the details. So, it really comes down to what they've established as being appropriate for e-mail and what's not.
Consumer Protection and ResponsibilityKITTEN: I've heard some industry experts talk about secure e-mail. Could you talk a little about measures or controls financial institutions, in particular, as well as other industries such as healthcare should take to ensure that they're not inadvertently exposing consumers to phishing? Would using something like secure e-mail be the answer?
ROHRBAUGH: I think the first step in all of this is to deal with authentication, and if you look at some of the other organizations like the Online Trust Alliance, which has done a report card, we see a lot of positive movement. We're talking about 50 percent of leading businesses that have adopted mechanisms for mail-server-to-mail-server authentication. Seventy-seven percent of Internet retailers, hundreds of retailers, have implemented e-mail authentication. That's step one in the process. That's mail server to mail server, but it needs to really go all the way down so that the consumer gets a visual indication, other keys that help them determine whether the e-mail is appropriate or not, whether it's coming from a trusted source. Unfortunately, if we look at examples like browsers, where you may be using Fire Fox and have to click four times to accept a certificate, which is usually deemed inappropriate or suspect, consumers just click through those things. So, it's a behavioral change by consumers, too. They need to be cautious.
KITTEN: You've talked about consumer education, and when it comes to financial institutions, I know that a number have been working on consumer education campaigns. But if a breach does occur, if a consumer's identity is comprised by a phishing attack, how much responsibility should a banking institution or some other entity bear?
ROHRBAUGH: The real key is, does the institution know about the attack? Unfortunately, the phishing attack is between the criminal, or the criminal's tools, and the consumers. The financial institution is outside this communication scheme. If it's using the financial institutions' mail servers or misconfiguration of their mail serves, that's one argument that they are responsible for. If it's outside of that, then it's the consumers and the consumers who are responsible, and I think really what we need to do as an industry is put together the correct tools, the visual indications, the notices, and let them react to it as they should.
KITTEN: Tim, what final thoughts would you like to share with our audience about the state of phishing attacks and online security, generally?
ROHRBAUGH: Online security, generally, has made huge improvements over the last couple of years, and it's focused on very specific data elements. But, unfortunately, what's happening is that the problem is not going away. It's getting worse, and it's mainly because the persona that we've created for ourselves -- being digitized. More and more, we're transacting in this disassociated, non face-to-face world, and people need to be very cautious and they need to be critical of communication. They need to limit what information goes out instead of just sharing everything.