Abstract
This page provides some hints on how to address the online identity theft issue using home-made tools.
It is written for two types of readers:
• the curious reader, who wants to make up his mind on which type of security protection may be used based on his requirements, and on which protection fields are rated as mandatory.
• the security-aware reader, who is looking for a pragmatic analysis: each solution is rated according to the protection level it offers, how it achieves it, the evolution of this type of solution, and the evolution of threats against these solutions.
New security surveys are published almost on a weekly basis, and they all show an ever increasing number of phishing attacks.
Although the most commonly targeted brands have already deployed some mechanisms to secure the authentication process of their users and customers, others with a lower visibility may not have taken appropriate measures yet.
Big companies can afford to purchase expensive solutions to enhance their customers' feeling of security. But smaller companies cannot … although they may quickly become phishing targets. The latest security surveys and phishing trend analyses show that fraudsters have already begun to target smaller financial institutions or subsidiaries.
This is why I decided to publish this page with a comprehensive review of some home-made and free or open-source solutions. Some are dedicated to fighting fraud, others will only address detection …
I do not pretend to do a better job than companies that offer commercial anti-phishing services.
I just want to help a wide range of security-conscious people, such as business line unit managers, CSOs/CISOs, IT staff, developers …, when it comes to choosing an anti-phishing solution.
So do not blame me if one of the solutions is not fully operational off-the-shelf, or does not fully meet your requirements.
Some of the tools mentioned below are proofs of concept rather than fully functional packaged applications.
At a glance
We can classify the tools in the following table. Click a solution for details.
[Table not reproduced: its cells were colour-coded and only the structure survives in the extracted text. Columns: Interest | Solution | Protection against (funds transfer, simple phishing, MITM phishing, ISP pharming, trojan keylogger, advanced trojan) | Detection (before-fraud, after-fraud) | Ease to install | User usage (green=easy). Some cells carry "s1"/"s2", "By user", "By Corp", "Corp", "Home" or "N/A" (see the legend below). Of the solution names, only "PVK - Protected Virtual Keypad" and "EPAY - Electronic Payment Application for You" survive.]
Protection against fraud has been chosen as the key factor, but the reader may choose any other one if he rates it as being more important.
Legend
Colours refer to the following levels:
GREEN: protection: good; ease to install: easy; user usage: easy or transparent
YELLOW: protection: correct; ease to install: medium; user usage: not so simple
ORANGE: protection: medium; ease to install: difficult; user usage: hard
RED: protection: poor; ease to install: hard; user usage: inappropriate
WHITE: not applicable. Several solutions do not aim at covering all fields, so "N/A" is used.
"Corp" refers to corporate users.
"Home" refers to home users.
When "s1" or "s2" are used, it means that this tool can be used in two different solutions, e.g. "solution_1" and "solution_2".
Interest
The very first column is my own point of view on the solutions proposed. This appreciation combines the different ratings obtained by a tool/solution with my own perception. The interest is shown as a star rating (the star icons are not reproduced here), from highest to lowest:
• a must-look solution
• requires having a look
• interesting solution that can be useful
When no star is present, this doesn't mean the solution is useless, but rather that it can be quite complicated to deploy.
Protection categories
Protection against funds transfer:
This category applies to banks only, since it focuses on protecting the customer's money from being moved away from his account. Many banks will rate this protection as the most important one, since moving the funds is the only mandatory step in accomplishing a fraud. A bank can accept that a phisher connects to a user account as long as he can steal nothing.
Protection against simple phishing: Here we address protection against malicious websites reproducing part of the original banking portal. The technique the fraudsters use is quite simple: get the banking pages you want, modify them a little to capture the credentials, place them on a bot (or on a server with a typosquatting DNS name), complete with a spam campaign and you've got it.
Protection against Man In The Middle phishing: This protection addresses a scenario which at first glance looks like the previous one. There is still a phishing site the customer connects to (link in spam), but this time the phishing site is not the end-point any more: it is used as a transparent proxy. Requests arrive on the phishing proxy and it re-emits them to the real server as if it were the legitimate user. This technique is used to bypass One Time Passwords, for instance.
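The funds-transfer and MITM categories above come together in the following toy model, added here as an illustration and not code from this page or from any of the reviewed tools: a transparent phishing proxy relays a customer's transfer request, and the bank checks either a plain counter-based OTP or an OTP bound to the transfer's amount and beneficiary. The device secret, the account strings and all function names are constructed for the example.

```python
import hmac
import hashlib

# Constructed shared secret between the bank and the customer's OTP device
# (a token or card reader in practice); the value itself is made up.
DEVICE_SECRET = b"constructed-device-secret"

def plain_otp(counter: int) -> str:
    """Counter-based OTP: valid for any transfer, so a relayed copy still works."""
    mac = hmac.new(DEVICE_SECRET, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]

def bound_otp(counter: int, amount: int, beneficiary: str) -> str:
    """OTP bound to the transaction (amount + beneficiary) the customer sees on
    the device; it is useless for a transfer with different details."""
    msg = counter.to_bytes(8, "big") + amount.to_bytes(8, "big") + beneficiary.encode()
    return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()[:8]

def bank_accepts(transfer: dict, counter: int, bound: bool) -> bool:
    """Server side: recompute the expected code. With bound=True the bank uses the
    transfer it actually received, not what the customer believed he approved."""
    if bound:
        expected = bound_otp(counter, transfer["amount"], transfer["beneficiary"])
    else:
        expected = plain_otp(counter)
    return hmac.compare_digest(expected, transfer["otp"])

def mitm_relay(transfer: dict, attacker_account: str) -> dict:
    """Models the transparent phishing proxy of the MITM category: it forwards
    the customer's request but rewrites the beneficiary on the way."""
    relayed = dict(transfer)
    relayed["beneficiary"] = attacker_account
    return relayed

def run_scenario(bound: bool) -> bool:
    """Returns True if the bank accepts the relayed (fraudulent) transfer."""
    counter = 42                                     # device/bank event counter
    amount, beneficiary = 100, "LEGIT-ACCOUNT-0001"  # what the customer intends
    otp = bound_otp(counter, amount, beneficiary) if bound else plain_otp(counter)
    user_request = {"amount": amount, "beneficiary": beneficiary, "otp": otp}
    fraudulent = mitm_relay(user_request, "ATTACKER-ACCOUNT-9999")
    return bank_accepts(fraudulent, counter, bound)

if __name__ == "__main__":
    print("plain OTP, relayed transfer accepted:", run_scenario(bound=False))  # True
    print("bound OTP, relayed transfer accepted:", run_scenario(bound=True))   # False
```

The plain OTP is accepted because the relay does not change it; the bound OTP fails because the bank recomputes it over the beneficiary it actually received, which is what the funds-transfer category is meant to protect.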
Protection against ISP pharming: Quite difficult nowadays, ISP pharming means that ISP DNS servers are vulnerable to DNS cache poisoning. This can be observed either with old DNS server versions or with a high number of fake responses. If the first case seems to be quite scarce nowadays, the second one may still happen under certain conditions (DNS server misconfiguration and a botnet mass-response attack), where the birthday attack can also help.
Protection against trojan keylogger: Everyone is now accustomed to those malicious tools. Keyloggers will focus on capturing everything you do: pressed keys, mouse click positions (possibilities go further than keyboard capture). When combined with simple login/password access, keyloggers can have devastating effects.
Protection against advanced trojan: This category is an all-in-one, as many kinds of advanced trojans exist: some may behave as rootkits, running stealthily and deep in your operating system; some may hook Internet Explorer when a form is posted or an SSL warning is raised. Some will also have an integrated backdoor so that an attacker can virtually sit at your desktop and use your accounts.
Detection before fraud: Sometimes it's possible to detect that a phishing site is about to be used but, since the spam campaign has not been launched yet, it's still possible for staff to react. Tools can help achieve this goal, but the more phishing attacks target small companies, the more they will go undetected. Two kinds of people can detect something strange before fraud: the user (although it's not so sure he will warn you...) and the security staff.
Detection after fraud: Most of the time the customer detects a mistake on his account or is suspicious about an e-mail, and then calls the hotline. In this case the fraud has already taken place. It's too late already, but it's still urgent to react to prevent other customers from being lured into the fraud system. Some tools can also help identify fraud rapidly. Two kinds of people can detect something strange after fraud: the user (this time, he's fast to call) and the security staff.
Ease to install: All security tools need to be installed somewhere: on the user's operating system, in the user's browser, on an Internet server, on the front portal, in back-office systems... Depending on the tool, installation may be simple or hard.
User usage: This is an important parameter. User usage should be the driver of everything that aims to be as widespread as possible (online banking for instance). If the user finds it complicated, he will either find a way to go around it (thus zeroing the added security protection) or will complain about its usage. In both cases YOU lose... The best idea may be to find a solution which increases the security level while giving the user 1 - a feeling of protection from his bank and 2 - a security measure he likes.
Code and Licence
I'm not a code writer, so many chunks of code will need to be reviewed and adapted to fit IT products and development policies.
You may find mistakes in the following examples, or better ways to do it.
Please notify me when you detect some.
These tools are free software; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Special thanks
Olivier Caleff
Pierre Caron
(updated 2007-07-29)