Forget that spam e-mail urging you to visit a special Web site to input your personal data and verify your bank account. That
is so last year when it comes to phishing attempts. Today's phishers are getting more sophisticated, using man-in-the-middle
tactics that are virtually undetectable by either the user or the legitimate Web site, until it's too late.
Linda Musthaler is a Principal Analyst with Essential Solutions Corp. You can write to her at mailto:LMusthaler@essential-iws.com.
An article in Secure Computing describes an attempt to usurp account data from PayPal customers by inserting a phishing site
between the user and the legitimate PayPal site. Since the phishing page communicates with both the user and PayPal, neither
party realizes there is a site in the middle stealing confidential information. Citibank was also the victim of such a scheme this past summer. Experts predict this is the wave of the future for phishing.
Perhaps the most alarming aspect of this new tactic is that it is designed to circumvent even multi-factor user authentication
schemes. For example, if you suspect a fake site is asking for your information, you might enter bogus information when prompted
for your user ID, password, or a token-generated key. Because the phishing site is communicating with the real site, the bogus
authentication information returns an error, just as it would if you entered it straight into the real site. This might confuse
you or cause you to think that the phishing site is the real thing, leading you to give your valid identity information to
a bad site.
For many security solutions, the lock is at the front door of a network or an application. But what happens if someone gets
past the front door? Typically, he has free access to do whatever a legitimate user can do. This is where Cydelity gets in
the game. Cydelity calls itself "the last line of defense" in your many layers of security. Cydelity has a fraud detection
system called eSentry that looks for behavioral patterns and identifies risky activities. Once this risky behavior is identified,
the application owner can take some type of remedial action, such as locking the person out of an application, or preventing
him from doing something.
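The idea behind that kind of "last line of defense" is that a session can look fully authenticated (the phisher relayed a valid password and one-time code) and still behave unlike the real customer. The example below is added here to illustrate the concept; it is not eSentry's code or logic, and the rules, thresholds, sample events and IP addresses are all constructed for the illustration. It scores one authenticated session against a few classic account-takeover patterns (unfamiliar source address, contact e-mail changed right after login, money sent to a payee added in the same session, a burst of transfers) and maps the score to a remedial action such as a step-up challenge or a lockout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One action taken inside an authenticated session (constructed schema)."""
    ts: datetime
    kind: str            # "login", "change_email", "add_payee", "transfer"
    ip: str
    amount: float = 0.0  # only meaningful for "transfer"
    new_payee: bool = False  # transfer goes to a payee added in this session


# Constructed: addresses this account has historically used.
KNOWN_IPS = {"203.0.113.10"}


def score_session(events, known_ips=KNOWN_IPS):
    """Return (risk_score, reasons) for one session.

    Thresholds and weights are illustrative, not a real product's model.
    """
    events = sorted(events, key=lambda e: e.ts)
    score, reasons = 0, []
    if not events:
        return score, reasons
    first = events[0]

    # Rule 1: the session was opened from an address the account never used.
    if first.kind == "login" and first.ip not in known_ips:
        score += 20
        reasons.append("login from unfamiliar IP")

    # Rule 2: changing the contact e-mail minutes after login is a takeover
    # pattern (it silences the real owner's notifications).
    for e in events:
        if e.kind == "change_email" and e.ts - first.ts <= timedelta(minutes=5):
            score += 30
            reasons.append("contact e-mail changed within 5 min of login")

    # Rule 3: money leaving to a payee created in this same session.
    for e in events:
        if e.kind == "transfer" and e.new_payee:
            score += 25
            reasons.append("transfer to payee added in this session")
            if e.amount >= 1000:
                score += 15
                reasons.append("large transfer (>= 1000) to new payee")

    # Rule 4: velocity, three or more transfers inside a 10-minute window.
    transfers = [e for e in events if e.kind == "transfer"]
    for t0 in transfers:
        window = [t for t in transfers
                  if timedelta(0) <= t.ts - t0.ts <= timedelta(minutes=10)]
        if len(window) >= 3:
            score += 20
            reasons.append("3+ transfers within 10 minutes")
            break

    return score, reasons


def decide(score):
    """Map a risk score to the remedial action the application owner takes."""
    if score >= 70:
        return "lock"       # lock the session/account pending review
    if score >= 40:
        return "step_up"    # re-challenge out of band before continuing
    return "allow"


# Constructed sample sessions.
T = datetime(2006, 9, 1, 10, 0)
NORMAL_SESSION = [
    Event(T, "login", "203.0.113.10"),
    Event(T + timedelta(minutes=3), "transfer", "203.0.113.10", amount=50.0),
]
SUSPECT_SESSION = [
    Event(T, "login", "198.51.100.7"),
    Event(T + timedelta(minutes=2), "change_email", "198.51.100.7"),
    Event(T + timedelta(minutes=3), "add_payee", "198.51.100.7"),
    Event(T + timedelta(minutes=4), "transfer", "198.51.100.7",
          amount=2500.0, new_payee=True),
]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("suspect", SUSPECT_SESSION)):
        score, reasons = score_session(session)
        print(f"{name}: score={score} action={decide(score)} reasons={reasons}")
```

The point of scoring the whole session rather than the login alone is that a relayed credential and one-time code look identical to a genuine login; what separates the two is what the session does afterwards, which is where a behavioral layer still has something to work with.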