Stop Phishing: Websites and Users Working Together 5 February, 2010Posted by paralleldivergence in Internet, Life, My Thoughts, passwords, security.
Tags: cyber-crime, identity fraud, phishing
PHISHING is a worldwide problem. Unscrupulous cyber-criminals, unsuspecting Internet users and apathetic web-service providers: It’s a volatile mix that will always benefit the crook. Hell, if the user is stupid enough to click on a link in an email message and gladly provide their user account details, they deserve what they get!
image courtesy of Financial Services Technology
But often it’s not an email that hooked the poor user. Drive-by websites that drop trojans with keyloggers onto the novice user’s insecure computer are a gold mine for phishers. A steady stream of keystrokes featuring website URLs, usernames and passwords is captured, neatly packaged and emailed off or uploaded directly into a secure database on the other side of the planet. According to Internet Security Vendor McAfee, “there has been a 50% increase in the number of detected so-called “zombie” computers since 2008“. In the four months between January and May 2009, McAfee alone detected 12 million computers that had been hijacked by cyber thieves. Even experienced Internet users have been caught out by logging on via compromised Internet Cafes or using the “free” unprotected wireless at Starbucks.
Clearly, the solution of educating Internet users to be cautious when using the Internet is a solution that is not working. The problem is getting away from us as a society and in 2007 in the U.S. alone, the cost of phishing was calculated to be $3.2 BILLION - that was up from just $2.3 billion the previous year. What it is today, we can only guess, but everybody seems to know somebody who has been a victim.
And it’s not just banks and credit cards that the criminals are phishing for. It’s account details for PayPal, eBay, Facebook, MySpace, Twitter and virtually every email service on the web. Social Networking sites are particularly vulnerable and users are even more unsuspecting when it comes to “sharing” their account information. Their goal? Identity fraud. And since many of the fraudsters are actually located in a foreign country, bringing them to justice is almost impossible.
So if making users more tech-savvy is not the answer, what is?
The vast majority of humans live their entire lives within a reasonably close distance to the place they were born – certainly they stay in the same country more often than not. If they migrate, they choose to stay in the country that becomes their new home. With this fact in mind, it is logical that if an Internet user signed up for a web service of some type in one country, they are unlikely (except in circumstances of overseas trips) to be signing on to that web service from another country. Many of us will NEVER do it.
How hard would it be for EVERY web service provider to identify and record the country where an account was created (or configured after the event), and then match up the country of each new sign-on request with that original country?
How hard would it be for the web service to reject logons if those countries don’t match up?
How hard would it be for the web service provider to alert the user that an attempt to logon to their account was made from another country?
How hard would it be for an extra question to be added to each user’s profile that says “ONLY Allow logon from the following country: [country list]“
How hard would it be for the web service provider to include an option for the user to turn this setting off if the user is travelling?
What are the benefits of this simple solution?
If the cyber criminal is in another country as is often the case, there’ll be an extra hurdle for them to get into your account – even if they do have your username and password. If they happen to be in the same country as you and if they eventually do get caught, then your country’s laws will come into play and real convictions will actually be possible.
Of course, nothing on the Internet is foolproof, but this simple approach can protect those hapless Internet users that are so prevalent (and costly).
Google – Yahoo – Microsoft – Facebook – On-line Banks – eBay - Please take note: You have a responsibility to protect your users from themselves. This is one simple step you can all take so others DO NO EVIL using YOUR services.
What do you think? How can we get web service providers to do this?