Banks, Paypal Fighting Phishing

The banking industry seemed rather slow to recognize and respond to phishing threats. Or if they did recognize the threat that phishing posed to themselves and to their customers, the hardest decision to make was, “how to combat it?” For years and years, authentication meant supplying a username and a password for online account holders. Now banks are providing alternative means to prove to their users that their own websites are authentic, and the bank is who they say they are.

Most of my own banking sites have introduced new technology and authentication techniques that are designed to thwart phishers. The most complex so far is Countrywide, my mortgage company. Countrywide’s website now includes a unique picture icon, like a unicorn, snowflake, kitten, etc, chosen by the user, and a user-supplied codeword that appears on the page prior to prompting for a password to validate Countrywide’s authenticity. The idea is that if I click on a link to Countrywide’s website in an email, as their customer I will know it is really them if I see my unique icon and my codeword displayed.

Another banking site of mine now utilizes an additional challenge to prove their authenticity to users logging in. After providing a username, the website asks me for a pin number. After my pin number is provided, the banking site displays a keyword answer to me that I had previously arranged with the bank during my account creation. Only after I verify that the banking site is genuine do they prompt me for my password.

Paypal announced today that they are moving to RSA tokens for authentication, but you have to pay 5 bucks for it. While this is a good move for Paypal, it seems a little half-hearted when compared to what other companies are doing to fight phishing.

From Infoworld here:

Over the next few months, Ebay will be offering its PayPal users a new tool in the fight against phishers: a $5 security key.

The security key is actually a small electronic device, designed to clip on to a keychain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.

“If you fall for a phishing scam and give away your user name and password…if you used the PayPal Security Key, a third party couldn’t get to your account because they wouldn’t have this dynamic digit,” Bettencourt said.

The Security Key could be an important tool for PayPal, whose Web site is frequently spoofed by phishers looking to steal user account information.

As phishing gets tougher, hackers will have to resort to trojan horse programs that log keystrokes and steal passwords.