Phishing: Competing on Security

the uk today is one of the main attack targets by phishing organized crime groups, globally.

globally, phishing damages will amount to about two billions usd in 2006. not counting risk management measures such as preventative measures, counter-measures, incident response and pr damages.

in most cases. phishing is caused by the fault of the users, either by entering the wrong web page, not keeping their computers secure or falling for cheap scams. often this is due to lack of awareness or ability in the realm of internet use rather than incompetence by the users.
still, these attacks are aimed at the banks and the financial institutions themselves, just because they are done in a distributed fashion on the micro level, attacking multiple users rather than on one centralized point (the web page) does not change that.

in britain, by law, the risk of phishing is on the banks alone. any damages caused by phishing attacks are to be reimbursed completely. in other countries the risk is on the clients alone, a combination of both bank and client, or no legislation exists yet.
in all these countries the banks mostly offer complete assurance and/or completely reimburse clients regardless, as protecting the web channel for banking (being the cheapest one) is very important to them. this is about maintaining the effectiveness and trust of the populace in ecommerce.

in very rare cases, banks choose to manage their risk differently and they abandon the web channel, likely due to very low usage. banks are often short-term sighted with their risk management compared to the current revenue loss vs. gain when it comes to technological risks. the acceptable risk in the banking world changes constantly and what could have been prevented years ago was very smartly managed, but not fine-tuned for the technology risks involved.
still, in realms other than technology, such as economics, their way of risk assessment seems to work to a great extent.

in today’s world, phishing has become a risk to be reckoned with under any risk management methodology, with some banks losing as much as several million usd a day during massive attacks.

what this caused is for banks to have to find ways to maintain the cheap and efficient web channel, while maintaining their pr toward their clients (the clients confidence in the bank), yet still finding a way to cut their losses.

this is not what we are discussing here, though.

the more a bank losses and tries to add security measures, the more its competition is going to reduce security measures and allow clients a more easy and functional web channel.

the problem with that strategy though, is that two weeks to a year later, the direct competition is going to be under attack. the competition made the wrong risk assessment decision as its revenue was not hurt the year before. the original bank’s attack has reached saturation that will last for a few months to a year, staying in lower yet maintained levels of damage. this will turn and change constantly from that point on.

this wheel keeps turning.

banks need to realize they need to work together on matters of security, compare notes and share intelligence. the risk exists, and because you have it easy now – know that you are about to be targeted. this is a fact. take it into consideration.

competing on security is the worst thing banks can do. illegal activity today is no longer a shame when it hurts you, it is a test that shows how well you deal with it in comparison to others. you can’t deal with it alone.

with phishing the banks have the potential benefit of learning from the lessons of countries that suffered from these attacks before, such as the uk.

considering that the technology used for phishing and the ways to mitigate the risk keep changing, there is no better way to manage this risk.

i am very doubtful many of them will until they are already targeted. once targetted they will waste 2-4 years learning this simple truth. they have so far, wherever phishing went.

sharing information is to your benefit. withholding it will cost you.

the question remains, how does the sharing happen, and how is it done safely? that is a discussion for another time.

gadi evron,
ge@beyondsecurity.com.

Share