Business Daily from THE HINDU group of publications
Monday, Dec 11, 2006
Beware 'phone phishing'

R. Savitha

Think before you part with sensitive personal information. Phone phishing is in the air.


WATCH EVERY WORD. - K.K. Mustafah

Caller: "Sir, this is to advise you that we are upgrading you to a silver account, which allows a higher interest rate on your FD and lowers your housing loan by 0.25 per cent. That effectively will save you around Rs 3 lakh on the total loan amount."

Receiver: Ok.

Caller: I need a confirmation of your acceptance. It is just a formality but we can take it over the phone.

Receiver: Ok, I guess if it is going to benefit me I will go for it.

Caller: Fine sir, I need you to key in your T-Pin number.

Receiver: (At this stage, he/she has keyed in the T-PIN, a four-digit code the caller will capture: the key tones will tell him the numbers.)

Caller: Right sir, thank you for verifying your t-pin. Now I need you to tell me which account I should upgrade.

Receiver: Which account? What do you mean?

Caller: Sir, we have two accounts here. A savings and a current account.

Receiver: No but I have only one account — savings.

Caller: Ok sir, there seems to be some small confusion. What is your account number?

Receiver gives his account number.

Caller: Oooh. Sorry sir, the confusion was at my end. Your account is more than six months old? No?

Receiver: Yes/No

Caller: (regardless of the answer) That explains it. A parallel account number was allotted to you in case you ever wanted to create another account. Anyway, no problem. You will get a mail confirming the same at your e-mail ID within the next five days. Could you just confirm that we have the latest one on our records?

Receiver gives the e-mail ID.

Caller: Great. Have a nice day.


Did that sound like a typical conversation with your bank? It could just as easily have been a fraudster extracting key information from you and cleaning out your account.

Wake up to the threat of 'phone phishing'.

How does one protect oneself?

Srikiran Raghavan, Regional Sales Head, RSA, the Security Division of EMC, says as a general policy, consumers need to be suspicious of any correspondence from their bank asking them for confidential information.

Information like this should only be disclosed face to face, using a properly authenticated phone conversation using a well known and advertised phone number, or by proactively logging into the bank's Web site.

When inputting credentials during online banking, consumers should educate themselves about encryption and verify that they are accessing the correct well-known Web site of their financial institution and that the certificate is correct for every page. In addition, consumers should always have up-to-date anti-virus and anti-malware software installed in their machine, he says.

Capt Raghu Raman, CEO, Mahindra Special Services Group, an information security consulting firm, says phone phishing is an evolved form of the age-old (and one of the most successful) exploits, social engineering.

"Basically the concept is simple. The attacker cons the victim into revealing valuable information by masquerading as a trusted party."

Caller ID, electronic challenge-response and voice recognition are some steps to counter the problem, but they fall short of addressing it, says Capt Raghu.

Srikiran says such attacks rely on the popularity of VoIP (voice over Internet protocol) phone services. Once RSA receives a copy of the fraudulent e-mail, or the phone number used in the attack, the service provider is contacted to shut down the phone line — similar to what is done with fraudulent Web sites, by dealing with the ISP or hosting provider. The RSA Anti-Fraud Command Centre has shut down more than 10,000 attacks to date, he says.

Niraj Kaushik, Country Manager, Trend Micro India and SAARC, says phone phishing is a twist to the existing practice of phishing. Although law enforcement and other security agencies can trace phone numbers, perpetrators often use payphones, stolen cellular phone numbers, or hacked accounts, so it's important to avoid being conned rather than try to minimise damage afterwards.

Kaushik says instead of being directed to a Web page, you could be prompted to call a customer support number where a person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data to steal your identity and access your account. Hence it is up to the consumer to be careful of such mails and thereby avoid falling prey to such attacks.

Srikiran says RSA Security has consolidated its range of anti-phishing solutions with the acquisition of Cyota. RSA Cyota runs a command centre that scans about 1.5 billion e-mails a day looking for new phishing attacks. When an attack is discovered, the company contacts the relevant ISPs to shut down the phishing site.

"The main thing we do is shut down the Web site. It may be hosted from 12 different locations — China, Seoul and Lithuania — but we get a real-time translator, contact the local ISP, and tell them we are calling from the bank; please shut it down." On average, the duration of a phishing site is about 6.5 days. With RSA Cyota, it is 5.5 hours — "we really shorten the window of 'opportunity'," he says.

Experts' advice is: Treat all unsolicited e-mail (and phone) messages with scepticism and avoid clicking on links.

Research unfamiliar area codes before you call: Use legitimate local phone companies to check them, to avoid long distance, international, or other toll charges.

Download a fake Web site detector: Consider installing a browser extension such as SpoofStick, which can help detect a spoofed Web site.

Enter addresses manually, rather than clicking on links: Some e-mails use more sophisticated fraud techniques, in which links appear to connect to official Web sites but in fact direct users to a disguised site when clicked. Therefore, do not directly click on any links in an e-mail. Go directly to the valid company's site and log on from there, or call the company directly to confirm the e-mail, say experts.
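The mismatch between a link's visible text and its real target, which the experts above warn about, can be checked mechanically before anyone clicks. The following is an added Python example, not code from the article or from RSA or Trend Micro; the e-mail body, bank name and addresses in it are constructed.

```python
"""Flag e-mail links whose visible text names one site while the href goes elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches something that looks like a Web address inside the link's visible text.
_DOMAIN_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", re.I)
_IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def host_of(url: str) -> str:
    """Lowercase hostname of a URL (leading 'www.' dropped), or '' if none."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str) -> list:
    """Return (visible_text, href, reason) for links a reader should not trust."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = _DOMAIN_RE.search(text)
        if shown and host_of(shown.group(0)) != target:
            findings.append((text, href, "visible address differs from link target"))
        elif _IPV4_RE.fullmatch(target):
            findings.append((text, href, "link target is a bare IP address"))
    return findings


# Constructed sample e-mail body; example-bank.com and the addresses are invented.
SAMPLE_MAIL = """
<p>Dear customer, your silver account upgrade is pending.</p>
<p>Confirm at <a href="http://203.0.113.7/login">www.example-bank.com/confirm</a></p>
<p>Or visit <a href="http://example-bank.com.verify-now.test/">https://example-bank.com</a></p>
<p><a href="http://198.51.100.4/">Click here</a> if the links above do not work.</p>
<p>Read our <a href="https://example-bank.com/privacy">privacy policy</a>.</p>
"""
```

Running find_deceptive_links(SAMPLE_MAIL) reports the first three links and leaves the genuine privacy-policy link alone.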

savitharin@gmail.com

Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line