Banks Say, 'Phishing Season Is Over'
A little-known organization of 55 of the world's largest banks has finally become fed up enough with the online thieves known as 'phishers' that the banks are doing something about it.
The group is called Identrus LLC, and it proposes that online banks use so-called digital certificates to identify themselves and their customers on the Internet. But will this by itself be enough to stop the con games?
Financial Institution or Hackers' Piggy Bank?
As I explained in my May 3 column, phishing is an international sport. High-tech criminals, many based in Asian or Eastern European countries, send out millions of e-mails that look exactly like messages from respected Western financial institutions. When end users click the links in these messages, their browsers are directed to phony Web sites that look exactly like online banks, but are designed by hackers to steal their passwords.
Wells Fargo Bank on June 8 became the first bank to announce the widespread adoption of SimpleSign, which is an Identrus solution to one part of this problem:
• Banks As "Certificate Authorities." In the Identrus system, a financial institution becomes its own registration authority for digital certificates. This means it can issue such certificates for itself and also to known customers with whom it has a trusted banking relationship.
• Authenticating a Banking Document. Using Adobe Acrobat version 6, the bank can create PDF (Portable Document Format) files that are "signed" with its digital signature.
• Real-Time Validation. All of the above technology has been available for some time. What's new is that any copy of version 6 of the free Adobe Reader will automatically recognize a PDF file encoded with the Identrus system. Using the Internet, the Reader contacts the certificate authority online to verify that the signature in the document matches the identity of the author. The Identrus system uses worldwide standards, such as X.509 certificates and the Online Certificate Status Protocol (OCSP), so as to interoperate with as many existing banking networks as possible.
• Signed, Sealed and Delivered. The receiving party can digitally "sign" the document, if it's set up with data-entry fields to do so. Once the signed PDF is sent back to the financial institution, Adobe Reader will check the authenticity of that signature online. In this way, contracts and other documents can be guaranteed to be tamper-proof without relying on mere passwords, which can be guessed or stolen.
With heavyweights such as Bank of America, Citicorp, J.P. Morgan Chase and many others supporting Identrus, the sky is the limit from here on out.
The "Identrus Global I.D." program has, so far, been used primarily to ensure the security of business-to-business financial transactions, not consumer online banking. For example, Sixt AG, one of the largest car-rental companies in Europe, uses the system to transact millions of dollars of leasing transactions annually with the Royal Bank of Scotland, entirely replacing paper documents.
But the potential of Identrus to secure the communications between banks, credit-card companies, online auction services and consumers is enormous. With proper education and implementation, end users could receive letters in PDF form from their financial institutions and be certain that the document hadn't come from a "phisher." Financial communications could be conducted in both directions with security. Any data a customer entered into a PDF form could be encrypted before transmission back to the bank, and verified against the customer's own digital certificate upon receipt.
It won't be next week or next month when we'll be able to say that phishing is obsolete and people don't have to watch out for it any more. But the technology is available to put an end to it reasonably soon — if computer users will insist on the proper tools being put into place.
An Executive Tech Update. I wrote in the May 17 installment of Executive Tech that the U.S. government's new Medicare prescription-drug Web site was a great example of how not to build a search engine for consumers.
Reader Charles J. Tarr, an attorney in Santa Rosa, Calif., writes, "A little known law in California — to which pharmacies cringe — is that if you are on Medicare, any pharmacy that accepts Medi-Cal (which is virtually every pharmacy) must sell drugs to a senior at the same price that the State of California pays, which is generally a fraction of the retail price. Not some silly 10 to 20 percent discount. Perhaps other states have such statutes."
Funny, that's one more thing I didn't see at the Medicare site. For being the first to e-mail me a tip that I printed, I'm sending Tarr a gift certificate for a book, CD, or DVD of his choice.