Business Daily from THE HINDU group of publications, Monday, May 12, 2008
By hook or by crook…
Ravikanth Nandula

Leonardo DiCaprio: “Brenda, …I’m not a doctor. I never went to medical school. I’m not a lawyer, or a Harvard graduate…”

With these words, DiCaprio, playing the role of an impostor in Steven Spielberg’s 2002 film Catch Me If You Can, leaves his bride on the wedding night, slips out through a window and disappears into darkness. He’s carrying with him a suitcase full of dollars.

The film, taglined ‘The true story of a real fake’, is an account of the real life of Frank Abagnale Jr, a conman who made off with millions of dollars through fraudulent cheques in 26 countries. Posing variously as a Pan Am pilot, doctor and a legal prosecutor, he did all this before his nineteenth birthday. It was in the 1960s.

Coming to the 2000s, in the world of Internet and e-commerce, any fraudster with an eye on others’ hard-earned money need not go to such great lengths to achieve his aims. His task is, arguably, much simpler and his victims, gullible by definition, much easier to con. In fact, in a lot of cases, they may not even be aware of being conned.

Unlike in the brick & mortar world, where one can pay for the goods one purchased through cash, cheque or other ‘physical’ ways, e-commerce offers only one mode of payment — electronic. Once a person goes online shopping and fills out the payment form with credit or debit card details, all that financial information is, to the prying eyes of a fraudster, up for grabs. And the Internet, global and inter-connected by nature, affords the fraudster many avenues. He doesn’t have to be in the physical vicinity of his potential victim; indeed, he doesn’t even have to limit himself to one victim at a time. He can carry out his activities against any number of people simultaneously.

‘Tools of the trade’

Starting when e-commerce started, financial identity theft has used tools of the trade such as malware and trojans, and techniques such as phishing and pharming (pronounced ‘fishing’ and ‘farming’), to defraud individuals, banks and institutions of billions of dollars.

Keyloggers, trojans and malware are small pieces of software that come attached to an e-mail or hidden in a file. When a person opens the file, these get installed into the computer, scavenge the system’s database for confidential data and relay it back to the fraudster’s computer. In the worst cases of Trojan infections, the fraudster can actually take over the victim’s system. This is called, in the industry’s parlance, ‘technical subterfuge’.

Phishing is, well, a different kettle of fish altogether. It combines both ‘social engineering’ and ‘technical subterfuge’. Social engineering scammers use ‘spoofed’ e-mails (an e-mail that looks exactly like one sent by your bank asking you to, for example, update your data or change your password) to lead consumers to counterfeit Web sites designed to trick the customer into divulging confidential data. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince their targets to respond.

And it’s not always the innocent individual who has fallen to the phisher’s tricks. A recent BusinessWeek cover story details how e-spies have used phishing techniques to infect US State Department computers. A 2006 outbreak of ‘Man-in-the-middle’ attacks (a variation of phishing) targeted big banks and brands and was widely reported at that time.

“In the initial days of the Internet, it was probably the amateurs, the kids with high IQ, who wanted to do these things for fun or for an ego-kick. But now it’s highly organised. The more frightening aspect of it is that now even rank laymen can launch phishing sites,” Raj Gopalakrishna, Vice-President of Arcot Systems, a California-based company that is an industry leader in protecting and verifying digital identities, says.

He was referring to what is being called ‘Pinch Tools’. ‘Pinch’ is a set of tools that is being sold on several online forums. While it is designed to create trojans, the masterminds who created the program have also provided it with an easy-to-use interface. Uncovered by the popular anti-virus maker PandaLabs late last year, Pinch requires no knowledge of software or coding skills from the user. Just select the nature, type and kind of information that you want to scavenge from the victims and this piece of software will create the Trojan for you. Sometimes sold for a song, it has all the attention of the online security industry.

Leonardo DiCaprio: ‘Stop chasing me!’

Tom Hanks (the cop): ‘I can’t stop. It’s my job.’

Not all is bad news. According to the latest data from Antiphishing.org, an industry and law enforcement association focused on eliminating identity theft and online fraud, the number of phishing Web sites detected in January 2008 stood at 20,300. This is less than half of the peak number of 55,000 reported in 2007.

“The problem is they’re increasingly getting sophisticated. You close one site, another one crops up next day,” an executive in the security industry says. If a normal ‘mischievous’ site takes a day to close down, it takes 130 days to track, identify and shut down a phishing site. “They operate globally,” the executive adds.

Software armour

But it’s not as if it’s the law-enforcement agencies alone that are fighting it. Software vendors, anti-virus companies, industry collectives and even well-intentioned individuals on the Web keep close to the tails of the fraudsters and release patches, tools and solutions to mitigate any new risk that may emerge. Companies in the business of enabling secure transactions, such as RSA, Verisign and Arcot, have a range of products for e-commerce’s needs and tweak and improve their solutions up to four to five times a year.

Over the last decade, banks, credit card companies such as Visa and Mastercard, and individual merchants have pooled resources to combat the menace. Solutions based on both software and hardware (the customer is given a smart-card or smart key which he has to use in addition to his original card information) have been tried and improved upon.

Among the various solutions that came about, the most visible and popular are the ones that involved only software. The reason is pretty obvious: software solutions are easily upgradeable, that much quicker to respond to new threats and are eminently scalable — the number of people using the solution doesn’t add to the cost or the effort.

“Back in 2000, we were already in the business of online authentication. For us, the whole question boiled down to one thing — provide the people involved in a transaction a credible way of completing it — Authentication. We brought together the three sides involved — the merchant, the credit card company, and the card-issuing bank — addressed their concerns and came out with a software-only solution called Transfort,” Raj Gopalakrishna says, talking about one of the company’s solutions.

Transfort is the heart behind Verified-by-Visa, Visa’s successful bid to limit the incidence of fraud. Operating in the 3D environment of bank, card company and merchant, this software checks the authenticity of all involved before giving the go-ahead to the transaction. It has also been adopted by other card majors, Mastercard and JCB.

Today, almost all parties involved in an e-commerce transaction employ one or more software-based security solutions. “There’s nothing called an absolute solution to the problem. What software solutions do is to limit the damage,” Raj says. In a scenario where security or lack of it is defined by the latest threat, the words ring true. The cat and mouse game will go on.

Frank W. Abagnale: “I believe that punishment for fraud is so rare that prevention is the only viable course of action.”

Now let’s come to the real person on whose life the film was made. Today, he’s one of the most respected security consultants on forgery, embezzlement and secure documents. After his teenage flirtations with fraud, he’s worked with the FBI for more than thirty years. Over 14,000 financial institutions, corporations and law enforcement agencies follow the security procedures and manuals he developed. An author and lecturer on security-related subjects, he’s the head of Abagnale & Associates.

What does all this mean to you and me, the ordinary ones? Is it safe to shop online at all? Are we vulnerable through no fault of ours? Well, we can take the cue from Frank Abagnale’s view. Various sources in the industry say that the problem can be controlled up to 50-60 per cent at the individual level. Keeping the anti-virus up to date, keeping the operating system and software current with security patches, clean browsing habits, keeping an eye out for scammers’ spam, checking the security certificate of a Web site before you transact with it, or even the simple habit of typing HTTPS:// (in place of HTTP://) to get to a security-enabled version of the site when doing transactions, all go a long way in ensuring your safety.
Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.