AntiPhishing and Vishing - PowerPoint PPT Presentation

Slides: 16
Provided by: bsma

Transcript and Presenter's Notes



1
Anti-Phishing and Vishing Strategies
2
Outline
  • Introduction
  • Identity Theft Defined
  • Examples of Identity theft
  • Mitigation Strategies, PhishRanger Suite
  • FTC and President's Task Force on Identity Theft
  • What does the future hold?
  • Conclusion

3
Introduction
Identity Theft, primarily in the form of Phishing
and Vishing attacks against consumers, is
increasing at an alarming rate. From Main Street
to Wall Street, American consumers and credit
unions are talking about Identity Theft. Each
year millions of Americans and thousands of
credit unions suffer from the financial trauma it
causes. Many credit unions and private sector
businesses have taken proactive steps to protect
sensitive data from thieves, educate consumers
about how to prevent identity theft, assist law
enforcement in apprehending identity thieves, and
assist victims who suffer losses.
4
Identity Theft Defined
  • Although identity theft is defined in many ways, it is
    fundamentally the misuse of another individual's personal
    information such as SSN, credit card information, and debit
    card information.
  • The three stages of the Identity Theft Lifecycle are:
    1. Identity thieves attempt to acquire a victim's
       sensitive information through low-tech or
       high-tech methods.
    2. The thieves attempt to misuse the information
       that was acquired. This occurs when thieves
       obtain and use credit, brokerage, or banking
       accounts.
    3. The identity thieves enjoy the benefits of their
       labor while the consumer and/or credit union
       realizes the harm.

5
Examples of Identity Theft
Phishing: A serious threat facing credit unions
today is the illegal act of luring unsuspecting
members to visit a Web site posing as their
credit union's Internet Banking Web site. These
sites are often identical reproductions of the
credit union home banking site or are sites
offering to reward the member for completing a
survey. When the customer submits his or her
account information, it falls into the hands of
the hacker. The hacker can now use these login
credentials or card information to access the
member's accounts or use the member's credit card.
Confidential information is compromised,
identities stolen, and accounts are plundered.
6
Sample Phishing email
-----Original Message-----
From: Jack Black SMTP:Jack_at_cu.org
Sent: Wednesday, April 11, 2008 10:37 AM
To: Sue Member
Subject: Confidential: Please Read Immediately!

In an attempt to increase security and protect your sensitive
information, we ask that you log into the site listed below. Our new
security systems require each member to change their username and
password so your accounts will be fully protected.

http://68.153.63.169/secured.asp

Best regards,
Jack Black, Chief Security Officer
7
Phishing Avoidance
First and foremost, inform your members that you
will never ask for sensitive information via
email! Be aware of suspicious URLs. Always
compare the link in the e-mail to the official
URL of the credit union. In the previous e-mail,
the hacker asks you to click on the following
link and provide username, password, account
information, credit and debit card numbers and
PIN numbers.

http://68.153.63.169/secured.asp

This is not the official credit union URL!
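The comparison described on this slide can be automated in a mail filter or a help-desk triage script. The following is an added example, not part of the original presentation: it extracts each link from a message body and compares its host to the official one. The official host `www.example-cu.org`, the function names, and every link marked "Constructed" are assumptions made for illustration; only the IP-address link comes from the sample e-mail.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the credit union's real home-banking hosts (placeholders, not from the slides).
OFFICIAL_HOSTS = {"www.example-cu.org", "example-cu.org"}
URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


def classify_link(url, official_hosts=OFFICIAL_HOSTS):
    """Return (verdict, reason) for one URL found in a message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no host in URL"
    if parts.username is not None:
        # In scheme://name@host/ the browser connects to the host after '@'.
        return "suspicious", "userinfo before host hides the real destination"
    try:
        ipaddress.ip_address(host)
        return "suspicious", "host is a raw IP address, not the official name"
    except ValueError:
        pass  # not an IP literal, keep checking
    if host in official_hosts:
        if parts.scheme.lower() != "https":
            return "suspicious", "official host but not HTTPS"
        return "official", "host matches the official URL"
    if any(o in host for o in official_hosts):
        # The official name appears only as a label inside another domain.
        return "suspicious", "official name embedded in a different domain"
    return "suspicious", "host does not match the official URL"


def check_message(body, official_hosts=OFFICIAL_HOSTS):
    """Classify every link in an e-mail body as (url, verdict, reason)."""
    links = [m.rstrip(".,)") for m in URL_RE.findall(body)]
    return [(u, *classify_link(u, official_hosts)) for u in links]


# First link is from the sample e-mail on slide 6; the rest are constructed.
SAMPLE_BODY = """Our new security systems require each member to change
their username and password. http://68.153.63.169/secured.asp
Constructed: https://www.example-cu.org/login
Constructed: https://www.example-cu.org.login.example.net/secured.asp
Constructed: https://www.example-cu.org@203.0.113.7/secured.asp"""

if __name__ == "__main__":
    for url, verdict, reason in check_message(SAMPLE_BODY):
        print(f"{verdict:10} {url}  ({reason})")
```

Anything that is not an exact match for an official host is treated as suspicious, so unknown hosts fail closed.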
8
Phishing Avoidance and Mitigation
  • Currently, the best defense against the classic
    Phishing attack is a three-pronged attack.
  1. Phishing detection: New technology has evolved
     that allows CUDefense to detect many Phishing
     frauds as they are evolving. Programs such as
     PhishPhinder notify the credit union when the
     attack is in its infancy, providing for a much
     more proactive response.
  2. Phishing takedown: Most victims submit their
     information during the first 24 hours of an
     attack. Removing the fraudulent content from the
     web as quickly as possible is paramount.
     Subscribing to the CUDefense PhishRanger takedown
     service, with our industry leading takedown
     times, is critical to the successful mitigation
     of phishing attacks.
  • continued

9
Phishing Avoidance and Mitigation
3. Member security awareness: As long as members
and consumers continue to give their information
to hackers, this fraud will continue. Credit
unions must develop creative methods for
educating their members to avoid social
engineering scams. Additionally, credit unions
must work together to demand responsibility on
the part of ISPs and telephone providers who are
ultimately as responsible as the hacker for
allowing these frauds to be perpetrated on their
watch.
10
Vishing defined
Vishing is a relatively new social engineering
scheme in which a hacker utilizes the telephone,
text messaging or pre-recorded messages to pilfer
the sensitive information of credit union
members. Vishing comes in several forms. The
classic vishing attack occurs when hackers send
tens of thousands of spam text messages informing
the consumer that there is a problem with their
account or that some action on their part is
required. The text message usually includes a
toll-free call back number for the consumer to
use. This number belongs to the hacker.
Uninformed consumers then submit their account
information via telephone to the fraudsters.
11
Vishing defined, cont.
Hackers are now utilizing a new, more
technologically advanced vishing scam. This scam
involves the spoofing of a telephone number.
Spoofing occurs when the hacker cloaks his
actual phone number so that it appears to the
consumer as some other valid telephone number.
In this scam, the hacker spoofs his true number
and then uses a dialing application to directly
call thousands of consumers. If the victim
answers the phone, either a recording or a live
person representing themselves as credit union
personnel informs the consumer that there is a
problem with their account and that they must
submit their sensitive data to mitigate the
issue. This scam is extremely dangerous as there
is currently no quick method to track the origin
of the phone call in order to shut down the scam.
12
Vishing Mitigation
  • Battling vishing is difficult and time consuming.
    Following this three-pronged attack will help
    minimize financial loss and public relations
    damage.
  • Subscribe to a Vishing takedown service. Vishing
    takedown, such as that offered by CUDefense,
    quickly determines the authoritative agency with
    ultimate control over the phone number and has
    the ability to disable the number.
  • Member Awareness. As long as members and
    consumers continue to give their information to
    hackers, this fraud will continue. Credit unions
    must develop creative methods for educating their
    members to avoid social engineering scams.
  • Credit unions must work together and with law
    enforcement and government officials to demand
    responsibility on the part of ISPs and telephone
    providers who are ultimately as responsible as
    the hacker for allowing these frauds to
    be perpetrated on their watch.

13
President's Task Force on Identity Theft
  • The President's Task Force on Identity Theft was
    established by Executive Order on May 10, 2006.
    Recognizing the heavy financial and emotional
    burden placed on victims, and the severe burden
    it places on the economy, President Bush called
    for a coordinated approach among government
    agencies to combat this crime.
  • The President's charge was to craft a strategic
    plan aiming to make the federal government's
    efforts more effective and efficient in the areas
    of identity theft awareness, prevention,
    detection, and prosecution.
  • Important milestones, links, and contacts regarding
    the Task Force on Identity Theft:
  • www.ftc.gov/os/2006/09/060919idtheftfactsheet.pdf
  • www.idtheft.gov/reports/IDTreport2008.pdf
  • JoAnn Johnson, National Credit Union Association,
    member of Identity Theft Task Force.

14
President's Task Force on Identity Theft
  • The President's Task Force on Identity Theft
    created a strategic plan that focuses on four key
    areas:
  • Data protection: keeping consumer data out of the
    hands of criminals.
  • Avoiding data misuse: making it harder for
    criminals to exploit consumer data.
  • Victim assistance: making it easier for victims
    to detect and recover from identity theft.
  • Deterrence: increasing prosecution and punishment
    of perpetrators.

15
What does the future hold?
As the economy worsens and more people find
themselves in dire straits, Identity Theft
attempts will surely increase. Just as crimes
against property increase in times of recession,
so will Identity theft. We will continue to find
ourselves in a reactive mode until we tackle this
issue head-on. With the assistance of the credit
union community, CUDefense, law enforcement, the
President's Task Force, and by increasing security
awareness measures for the general public, we can
eradicate or severely weaken the hacking
community's grip on identity theft.