Phish: An Endangered Species?
All of the anti-phishing companies can point to graphs or statistics on how rapidly their technologies can detect and disable scams, but few boast that they have devised a solution to prevent scams from being launched in the first place.
Yet security experts say banks can blunt attacks by requiring their online customers to use so-called "two-factor authentication": something they know (their username and password) plus something they have, such as a tiny, unique photograph or file that resides on their own computers.
Anti-Fraud Alliance member Passmark Security of Redwood City, Calif., offers such a service, and last month the company announced that a federal credit union has opted to require all of its customers to use Passmark's technology for online banking.
Few banks require such measures, in large part because of worries that they could drive customers away from Internet banking, which has helped banks to dramatically reduce customer service costs, said Ed Skoudis, founder of Intelguardians, a Washington-based information security consulting firm that frequently works with banks.
However, financial institutions may be starting to change this view, perhaps because of federal pressure. In December, the Federal Deposit Insurance Corp., which investigates financial institutions for compliance with banking regulations, issued recommendations urging banks to adopt two-factor authentication technologies as a way to stave off what it called a wave of "bank account hijacking."
"If the FDIC writes it, the [Office of the Comptroller of the Currency] and other regulators are almost certainly going to consider whether there should be hard and fast rules," said Jevans of the Anti-Phishing Working Group.
Officials from the OCC declined to comment for this story. But many in the financial services industry say there is little evidence that consumers are suffering large losses from the attacks, and that in most cases the credit card company or bank will absorb the costs of fraud.
Despite an eighty-fold increase in phishing attacks over the past year, banks haven't suffered corresponding losses because they have improved their methods for detecting fraudulent transactions before they are fully processed, said Chuck Wade, project leader for the Financial Services Technology Consortium, a group of banks, financial services firms, universities and government agencies.
Still, Wade said, such precautions are largely hidden from consumers, while the high visibility of relentless attacks threatens to undermine consumer confidence in online banking. And that visibility is becoming increasingly difficult for regulators and lawmakers to ignore.
"Pretty much everyone in the [banking] industry agrees that better authentication is important and needed," Wade said. "But we have to recognize that it has to be done with a long-term view in mind and in a cooperative fashion across multiple industries."
There are indications that preventive technologies are helping to deflect attacks, if only toward banks that may not be as experienced in fighting online fraud. In recent months, phishers have begun targeting dozens of smaller, regional financial institutions, many of which have operations in just a handful of states.
Kevin Omiliak, vice president of marketing for NameProtect, said online criminals will continue widening their target lists unless more financial institutions embrace anti-phishing technologies.
"If only the top two dozen banks deploy a solution ... then this will remain a Whac-a-Mole problem for some time," Omiliak said.
The FBI's Larkin said the anti-phishing industry continues to provide invaluable intelligence on the networks of online criminals behind these scams, data that is aiding numerous investigations.
"As we develop a better approach to the problem in terms of investigating and prosecuting these types of crimes ... a deterrent effect should follow," Larkin said. "We're doing some very good things with investigations that have led to search and seizures that you're not necessarily going to see the results of for a while. For now, we're simply making our way up the fraud food chain."