APACS, the UK payments association, said today that 'almost 1 in 3 people don’t have any anti-spyware software on their computer' as it discussed the increasing numbers of phishing attacks in the UK and reminded consumers of the tips to help them avoid falling victim to such crimes. According to APACS, 'phishing has become far more frequent in recent months with the latest APACS data showing more than 10,000 reported phishing incidents in the first quarter of 2008 – up over 200 per cent from the same period last year.'   » Continue Reading

Michael Barrett, PayPal's Chief Information Security Officer, blogs about the progress PayPal has made in dealing with phishing attacks - and shares a paper titled 'A Practical Approach to Managing Phishing' that Michael wrote with his colleague Dan Levy and presented today at the RSA Conference in San Francisco. The secret? There's no one 'silver bullet' - but a multi-layered strategy has made a significant difference for PayPal.

Gartner has announced results from a survey of online US adults finding that $3.2 billion was lost in 2007 from phishing attacks with 3.6 million adults having been affected. According to Gartner, "thieves are increasingly stealing debit card and other bank account credentials to rob accounts — targeting areas where fraud detection is weaker than it is with credit card accounts."   » Continue Reading

Consumer Reports has announced results from its latest "State of the Net" survey concluding that one million U.S. consumers lost more than $7 billion over the last two years to viruses, spyware, and phishing schemes and that consumers face a 1 in 4 chance of succumbing to an online threat and becoming a "cybervictim."

Jeremy Kirk reports for Network World that PayPal is working on persuading email providers to block email messages appearing to come from PayPal that don't contain digital signatures - in an effort to try to reduce phishing attacks.

Cyveillance has announced availability of a report titled “Online Financial Fraud and Identity Theft” (PDF) that highlights the growth of Internet attacks and identifies the industries most at risk.   » Continue Reading

The Anti-Phishing Working Group (APWG), American Bankers Association (ABA) and the Financial Services Technology Consortium (FSTC) have announced joint sponsorship of the inaugural Counter-eCrime Operations Summit (CeCOS), "a conference for counter-ecrime stakeholders focusing on the management of electronic crime events and the work of the professionals charged with engaging these increasingly threatening and costly incidents."   » Continue Reading

In the latest issue of Computerworld, Jaikumar Vijayan interviews Michael Barrett, PayPal's chief information security officer, about how he deals with PayPal's most significant security challenge: phishing attacks. "While we have a great deal of grudging respect for the intelligence and determination of our adversaries, we ultimately want to see them in handcuffs and orange jumpsuits," Barrett says.

Earlier in December, the UK's House of Lords Science and Technology Committee, as part of their investigations into personal Internet security, heard evidence from representatives of APACS, VISA and the FSA. eGov Monitor reports that story - saying that "the witnesses were pressed on what mechanisms the financial industry in the UK had put in place to protect people using online banking and other online financial services." A transcript (PDF) of the oral evidence presented is available online.

VeriSign has announced a suite of new Digital Brand and Fraud Protection services designed to "help organizations detect, prioritize and rapidly respond to suspicious activities on Web sites, blogs, online user communities, and other sources that can damage brand equity and consumer confidence."   » Continue Reading

Gartner reports that, while ecommerce sales have experienced consistent growth, "recent security breaches (online and offline) are having a significant impact on buying patterns of U.S. adults. Due to consumer’s concerns about the security of the Internet, nearly $2 billion in U.S. e-commerce sales will be lost in 2006," according to Gartner.   » Continue Reading

Retailers and charities aren't the only ones expecting to benefit from the upcoming holiday shopping season. With the average shopper expected to spend nearly $800 this year on holiday merchandise, according to the National Retail Federation, thieves are also looking to cash in on the season. Besides stealing money and objects, identity theft is gaining popularity among criminals.   » Continue Reading

Wells Fargo has announced several upgrades to its online security platform "designed to give customers and businesses even more protection in the fight against Internet fraud."   » Continue Reading

Joris Evers reports for CNET News.com that Yahoo! is testing a new "sign-in seal" security feature intended to help prevent phishing attacks from being successful. According to Yahoo!, a "sign-in seal is a secret message or photo that Yahoo! will display on this computer only." The seal, customized by the user can be text-based or an image uploaded by the user. If the user doesn't see their customized sign-in seal on a Yahoo! web site, then it's not a genuine Yahoo! site.

RSA Security has announced that its technology currently protects more than 20 million registered users with its live online banking authentication technology and that it has signed agreements with -- and begun implementations at -- major financial institutions representing approximately an additional 40 million online bankers. RSA also announced the launch of the RSA Adaptive Authentication 5.8 solution integrating RSA Security and legacy Cyota and PassMark technologies. According to RSA, "the new version also comprises a wide range of deployment plans, including a rapid deployment option that is designed to enable the implementation of a fully-operational account protection system in less than 30 days -- with no integration work or code changes required."   » Continue Reading

Barclays has announced it is launching a "new online anti-fraud initiative and becoming the first bank to offer free anti-virus software to its customers. Customers will also be offered an innovative text message service notifying them of new payees on their online account, helping to cut occurrences of fraud attacks."   » Continue Reading

RSA Security has announced that it has acquired PassMark Security, a privately held company based in Menlo Park, that "delivers robust software-based authentication to millions of users worldwide, through some of the largest consumer-facing financial institutions."   » Continue Reading

The Anti-Phishing Working Group is holding its Spring General Meeting next Tuesday, April 18, in Chicago. The focus of this meeting will be on eCrime: next-generation phishing, crimeware and email authentication. The meeting agenda is available online.

Australia-based Fraud Management Technologies has announced FraudAlert, a new software or hosted solution designed to reduce the rate of increasingly sophisticated online fraud while protecting the convenience and ease of use of online banking and retailing.   » Continue Reading

Rich Miller posts on the Netcraft weblog that phishing e-mails sent yesterday targeting customers of Chase Bank and eBay were directed to sites hosted on IP addresses assigned to The China Construction Bank (CCB) Shanghai Branch. "This is the first instance we have seen of one bank's infrastructure being used to attack another institution," he says.   » Continue Reading

Phishing is already passé among global cybercriminals - according to Tom Zeller Jr.'s article "Cyberthieves Silently Copy as You Type" in Monday's New York Times.   » Continue Reading

Bruce Schneier recently linked to this detailed analysis of a recent Verified by Visa phishing attack. As he said, it's a great example of how the sophistication of these attacks is ever-increasing. This particular attack combined several features -- all designed to improve the chances of enticing a cardholder to hand over important card information.

Gregg Keizer reports for Information Week on Charles Schwab's announcement yesterday that the online broker will provide a guarantee against any and all losses from unauthorized account access. Called the Schwab Security Guarantee, it is an effort intended to help calm customer concerns about phishing and identity theft.   » Continue Reading

Joseph Pellicciotti reports for the Northwest Indiana Times on a new presentation available online from the FDIC. Titled "Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams", the presentation is designed to educate consumers about the steps they can take to protect themselves from identity theft and what they can do if they've become victims.

Melissa Campbell writes for the Alaska Journal of Commerce about online banking, phishing and the protection of personal information.   » Continue Reading

Bank of America has announced that it made available SiteKey, an online banking security feature that helps prevent fraud and identity theft, to bank customers in the Northeast in December.   » Continue Reading

The World Wide Web Consortium (W3C) has announced a new workshop "Toward a More Secure Web -- W3C Workshop on Transparency and Usability of Web Authentication" to be held at Citigroup in New York City in March 2006.   » Continue Reading

Bank of America and EarthLink have announced a new toolbar intended to help protect consumers from fraud and identity theft.   » Continue Reading

Korea.net reports on action being taken by the government in South Korea "to oblige financial institutions to compensate consumers for virtually all financial losses from hackers' intrusions into online financial accounts and personal data starting September next year. "   » Continue Reading

RSA Security has announced entering into a definitive agreement to acquire Cyota, Inc. for total consideration of $145 million.   » Continue Reading

Certegy and PassMark Security have announced plans to offer PassMark's two-factor, two-way authentication system with Certegy's Internet Banking, Cash Management and Bill Pay system.

The Liberty Alliance Project has announced the formation of a new Strong Authentication Expert Group focused on developing open specifications for interoperable strong authentication.

"The lack of strong authentication in the online space is demonstrably one of the most significant causes of identity theft," said Michael Barrett, co- chair of the Liberty Alliance Identity Theft Prevention Group, and VP Security/Utility Strategy at American Express.

"The recent FFIEC guidance on strong authentication will likely change how organizations manage online identity threats, but initiatives for addressing these issues need to be coordinated via agreed industry standards -- and that's where the Liberty Alliance has a strong track record of fast delivery."

The Anti-Phishing Working Group and SRI International have announced the availability of a new report titled "Online Identity Theft: Technology, Chokepoints and Countermeasures" (PDF) mapping the spectrum of current and future technology solutions to company phishing schemes.   » Continue Reading

O'Reilly has published an excerpt by authors Robert Miller and Min Wu from O'Reilly's new book Security & Usability. The article provides a great overview of phishing attacks, the techniques that phishers use, various defenses against attacks, and what the future might bring in term of controlling phishing.

The ideal defense against phishing might be an intelligent security assistant that can perceive and understand a message in the same way the user does so that it can directly compare the user's probable mental model against the real implementation and detect discrepancies.

PassMark Security has announced Version 2.0 of its Two-Factor Two-Way Authentication system incorporating neural network technology and a policy engine for customer authentication decisions.   » Continue Reading

TowerGroup has announced new research examining the impact that phishing attacks may be having on fraud perpetrated at ATMs and debit POS locations that concludes that losses from fraud due to phishing runs about $81 million annually in the US.   » Continue Reading

Wachovia announced today that it has begun notifying online customers that it will only communicate account information to them through its Secure Message Center.   » Continue Reading

Carrie Kirby reports for the San Francisco Chronicle on the work of Stanford professors John Mitchell and Dan Boneh on anti-phishing solutions.

Professor John Mitchell and Associate Professor Dan Boneh have attacked the phishing problem from two angles: helping e-mail users avoid fake sites and preventing thieves from getting other peoples' passwords in their digital clutches. Now they're working on stopping Trojan horse software, spread through viruses, that can steal passwords right off a computer as they are typed.

Ethan Preston comments on the recent guidance (.doc) issued by the Office of the Comptroller of the Currency regarding countermeasures against phishing attacks.

I wonder how many banks comply with these measures, even this late in the game. In particular, analyzing web logs seems like an very good way to identify phishing websites early on, but I suspect relatively few banks (or any other commercial entities) do so.

And if litigation were to follow a successful phishing attack, it seems to me that a bank's failure to comply with the OCC's guidance here would be a strong indicator of negligence.

Bill Brubaker writes for the Washington Post about Bank of America's new SiteKey online authentication system.   » Continue Reading

AP Business writer Paul Nowell takes a look at Bank of America's new SiteKey service provided by PassMark Security.

Bank of America spokeswoman Betty Riess said the bank looked at tokens and other options with focus groups before choosing SiteKey.

"We found this provides the right balance of added security and convenience," she said. "We found consumers did not want to have to get another device like a token to do their online banking."

The Office of the Comproller of the Currency (OCC) today issued new guidance to banks on how to respond to incidents of web site spoofing incidents.

The bulletin addresses procedures banks can implement to mitigate the risks to themselves and their customers by detecting and responding to Web- site spoofing. It also identifies the types of information banks can provide to law enforcement authorities to assist in investigating illegal activities.

This week's eAlert from the American Bankers Association reports on the FDIC's recent ID Theft Symposium held in Los Angeles that included the release of a supplement to the agency's recent study, "Putting an End to Account-Hijacking Theft."   » Continue Reading

Gartner this morning announced results of a survey of 5,000 US adults that concludes that "increasing reports of lost consumer data files and disclosures of unauthorized access to sensitive personal data are taking a toll on consumers' confidence in online commerce."

"While online banking customers continue to access bank accounts over the Internet, they are changing their usage patterns," said Avivah Litan, vice president and research director at Gartner.

"Nearly 30 percent of the online bankers say that online attacks have influenced their online banking activities. Over three-quarters of this group log in less frequently, and nearly 14 percent of them have stopped paying bills via online banking."

Lee Gomes reports for the Wall St. Journal on inside the world of phishers and phishing attacks.

Phishers, not surprisingly, are savvy about their targets. For instance, it wasn't just a coincidence that Washington Mutual was a phisher favorite. Mr. Abad says it was widely known in the phishing underground that a flaw in the communications between the bank's ATM machines and its mainframe computers made it especially easy to manufacture fake Washington Mutual ATM cards.

Joe Morgan reports for the UK's Times of London on a recent phishing attack against customers of Barclays Bank.

Internet fraudsters are using an audacious double bluff to rob people of their cash: spam e-mails give warning of the risks of responding to unsolicited mail that asks customers to disclose internet banking log-in details — before inviting would-be victims to do just that.

Bank of America announced today that it has launched its new SiteKey fraud and identity theft protection service for the bank's customers in Tennessee.

Using SiteKey is like getting a safe deposit box that takes two keys to open. Before the customer and the bank agree to open the box together, they confirm each other's identity.

"SiteKey helps you know it's us and we know it's you," said Sanjay Gupta, e-Commerce executive. "It's a free way to increase your online security, and it's easy because you don't need extra hardware or other equipment."

Bank of America announced in late May that it was partnering with PassMark Security to deliver the SiteKey service.

Yodlee and PassMark Security have announced a strategic alliance to enable PassMark's two-factor/two-way authentication to operate with all of Yodlee's aggregation services.

"Millions of consumers have come to rely on Yodlee's aggregation technology to manage their finances online," said Louie Gasparini, CTO at PassMark Security.

"By working together, PassMark and Yodlee can ensure that consumers, and the financial providers who offer these services, can enjoy their use with renewed confidence that the strengthened security will guard against phishing and other forms of online fraud."

Bank of America this morning announced the launch of a new protection service called SiteKey that helps confirm a customer's identification online.

Bank customers can sign up for the service for free. Customers pick an image, write a brief phrase and select three challenge questions. The customer and the bank can pass that information securely back and forth to confirm each other’s identity.   » Continue Reading

First Data Corp. has released the results of an independent nationwide survey of consumers that found that 6.8 percent of adults have been victimized by identity theft and 43.4 percent of adults have received a phishing contact.

"This new survey confirms that identity theft and phishing are national threats, and that consumers need help to fight back," said Debra Janssen, president, First Data Debit Services.

"Close to 5 percent of phishing attempts are successful, despite significant efforts by the financial community to raise awareness and educate consumers about phishing. It's clear that more remains to be done," Janssen said.

Kevin Delaney reports for the Wall St. Journal on the newest forms of attacks on online consumers to steal their online identities.   » Continue Reading

Joe Morgan reports for the UK's Times Online on actions taken by four of Britain's biggest banks to slow down intra-bank payments to help combat security breaches stemming from phishing attacks.

This week Barclays introduced a one-day delay for transfers. A spokeswoman said: “This delay enables us to carry out checks that seek to prevent fraud.” Halifax also introduced delays in the processing of payments this week, as have Royal Bank of Scotland and NatWest.

Carrie Kirby reports for the San Francisco Chronicle on the online underworld where private personal information is quickly and easily sold over the Internet.

The credit card numbers, bank account numbers, eBay accounts and other data sold there are stolen in corporate security breaches like the one at ChoicePoint, through offline crime like old-fashioned pickpocketing, and through scams known as "phishing" attacks, in which criminals trick people into revealing account information with slick-looking fake e-mails.

In a related story, Kirby reports on the latest kinds of phishing attacks.

Dan Ilett reports for ZDNet UK that APACS believes that online banking customers are waking up to the threats of online phishing attacks.   » Continue Reading

Brian McWilliams, author of Spam Kings, writes for the O'Reilly Network about how list brokers are currently buying and selling private information on millions of people, including their home address, telephone number, date of birth, internet protocol (IP) address, and prescription history.   » Continue Reading

Melissa Allison reports in a major article in the Seattle Times about phishing attacks.

"Most banks spend more on washing windows than on money lost to phishing," said Jim Bruene, editor of the Online Banking Report, a Seattle-based newsletter. "But it is a huge issue in consumer confidence and the ability of a bank to market online and deal with a customer on the Internet."

The BBC reported today that police in London have foiled one of the biggest attempted bank thefts in Britain.

The investigation was started last October after it was discovered that computer hackers had gained access to Sumitomo Mitsui bank's computer system in London. They managed to infiltrate the system with keylogging software that would have enabled them to track every button pressed on computer keyboards.

The Guardian also reports the story:

"The rise of keyloggers poses a real threat to companies and this may be the first time we have evidence of organised criminals using the equipment to attack a bank," Alan MacDonagh, managing director of the fraud consultancy Hibis Europe told the Financial Times.

Netcraft is reporting several incidents of online banking sites being hit recently by clever cross-site phishing attacks.

One surprising facet of hosting frauds on banking sites is that banks to date have tended to be significantly slower than hosting companies to react to fraudsters using their sites. Fraudsters have benefited from the longevity of frauds hosted on banking sites as well as their plausibility.

Jeremy Wagstaff also writes about the issue on his weblog.

Amanda Hodge reports in the Weekend Australian on keystroke logging attacks against online banking customers.

There's little chance the true cost of internet fraud to banks – in stolen funds and the many millions spent staying ahead of increasingly sophisticated hacking scams – will be made public. To reveal the full cost and extent would shatter fragile consumer confidence in a system that is proving increasingly vulnerable to crime.

The Anti-Phishing Working Group is reporting that phishing attacks against smaller financial institutions are escalating.

"Overall, the survey and recent field reports tell us that phishers are using advanced crimeware to commandeer larger arrays of Internet technologies and at the same time using them to attack smaller institutions than have been targeted," said APWG Chairman David Jevans.

Jevans added, "It could mean the counter-phishing systems that big banks have deployed are effective and the phishers are moving onto softer targets. It could mean the phishers have enough resources to target institutions in which the probabilities of getting a hit on a broad spam-based attack is relatively low."

WholeSecurity has announced the launch of the Phish Report Network, a global anti-phishing aggregation service. Initial participants in the new business service include Microsoft, eBay, PayPal, and Visa.

PassMark Security has announced that the Stanford Federal Credit Union has implemented its Two-Factor Two-Way Authentication System.

"We chose PassMark because it is simple. Online members have always had to prove their identities to us. But with the explosion of 'phishing' attacks, online service providers should have to prove their identities to the consumer. PassMarks give us an effective way to do so, one that's easy for our members to understand and to use," said SFCU President, John Davis.

The Anti-Phishing Working Group has reported the results of its analysis of phishing attacks reported during December. The full report is available online (PDF).

Matt Hines reports for CNET News.com on the latest phishing attack statistics.

In a recent interview with CNET News.com, Mike Cunningham, senior vice president of fraud management at Chase Card Services, a division of financial services giant JPMorgan Chase, said that despite the proliferation of phishing schemes aimed at companies in his industry, consumers have yet to grow reluctant to conduct their business online.

"I don't believe customers are avoiding the online channel because of (phishing), I think they're becoming more wary and figuring out what sort of things banks will or will not send you via e-mail," Cunningham said. "We haven't seen any decline in use of online channels and, in fact, that business continues to grow."

Brian Krebs writes in the Washington Post about the growth in online phishing attacks.

Cyota has released the results of it second annual Financial Institution Online Fraud Survey conducted during November 2004.   » Continue Reading

Internet Retailer reports on how some phishers are using Visa's Verified by Visa program as bait in phishing attacks.

Because the security program has been widely publicized by Visa, phishing scams have begun targeting Visa cardholders to encourage them to sign up for it. Fraud experts say they have seen phishing e-mail with Visa logos that request recipients to submit their credit card account information and other data, such as the 3-digit card verification numbers designed to protect against fraud in card-not-present transactions.

The Motley Fool reports on eBay's implementation, rolled out over the weekend, of its My Messages in-box.

Pitched to eBay members over the weekend as the place "where you can be assured you'll receive only secure messages directly from eBay" the company promises more administrative content and functionality with the service as the year ages along.

Cyota has announced that it has closed a new $7.25 million financing round led by Bessemer Venture Partners.   » Continue Reading

The Federal Deposit Insurance Corporation (FDIC) today released the results of a study titled Putting an End to Account-Hijacking Identity Theft (PDF). Among the study's recommendations, the first was that financial institutions should upgrade existing password-based single-factor customer authentication systems to two-factor authentication.

The American Bankers Association has issued a warning to consumers to be on the lookout for phishing emails.

Rich Smith reports from Motley Fool on phishing attacks that exploit weaknesses in online banking web sites.

Tower Group has announced new research results that conclude that financial losses worldwide due to phishing attacks are estimated to total $137 million in 2004, lower than most other estimates of these losses. But even though the losses may be less than other industry estimates, their concerns about the potential loss in consumer confidence are serious.   » Continue Reading

Cyota has announced some key results from several months of experience with its anti-phishing service.

Entrust has introduced IdentityGuard, a very lightweight (paper based) approach to two factor user authentication.

With Entrust IdentityGuard, users continue to employ their current user name and password, but are also provided with a second physical form of authentication based on an assortment of characters in a row/column format printed on a card. A user must successfully complete a coordinate challenge to demonstrate that they are in possession of the appropriate card.

The Anti-Phishing Working Group has announced the availability of its October report (PDF). The report indicates that phishers are increasingly using compromised broadband-connected PC's to host phishing sites.

Separately, an article in ComputerWeekly.com reports that UK banks are looking at trials of web browser toolbars designed to counter phishing.

Also, MailFrontier has an online quiz you can take to test how good you are at identifying phishing emails.

IBM executive Sean Rush writes about phishing in a op-ed piece for the Boston globe.

Brian Krebs continues his series in the Washington Post about the impact that phishing attacks are having.

The Motley Fool's Elizabeth Brokamp writes about her personal experience with a phishing attack.

Vnunet.com's Daniel Thomas interviews RSA Security CEO Art Coviello.

Devices such as SecureID have a lot of marketing potential. If you think about the credit card industry, first everyone wanted a credit card. Then they wanted a gold card and then a platinum one, but now there's a black card. The same thing can be done with two-factor devices.

Washington Post writer Brian Krebs reports on the effects of phishing attacks in the first of a two-part series on phishing.

"Basically every piece of personal data about me had been compromised," Jackson said. "It's pretty simple to get another credit card number and [e-mail] address and switch banks, but what do you do when these guys know the stuff that doesn't change?"

The BBC reports that a phishing attack against NatWest has resulted in the bank suspending some of its online banking functions.

Heise Online reports on testing by the Fraunhofer Institute of German bank websites and their protection against phishing attacks.

Cyota reports its anti-phishing command center is seeing a surge in new phishing attacks against financial institutions not previously targeted.   » Continue Reading