
CHAPTER V

Conclusion and Recommendation

I. Conclusion

Phishing started off as part of popular hacking culture. Now, as more organizations provide greater online access for their customers, professional criminals are successfully using phishing techniques to steal personal finances and conduct identity theft at a global level. By understanding the tools and technologies phishers have in their arsenal, businesses and their customers can take a proactive stance in defending against future attacks. Organizations have within their grasp numerous techniques and processes that may be used to protect the trust and integrity of their customers' personal data. The points raised within this paper, and the solutions proposed, represent key steps in securing online services from fraudulent phishing attacks and also go a long way in protecting against many other popular hacking or criminal attack vectors. By applying a multi-tiered approach to their security model (client-side, server-side and enterprise), organizations can easily manage their protection technologies against today's and tomorrow's threats without relying upon proposed improvements in communication security that are unlikely to be adopted globally for many years to come.

It is worth noting that phishers are getting smarter. Following trends in other online crimes, it is inevitable that future generations of phishing attacks will incorporate greater elements of context to become more effective and thus more dangerous for society. For instance, suppose a phisher were able to induce an interruption of service to a frequently used resource, e.g., to cause a victim's password to be locked by generating excessive authentication failures. The phisher could then notify the victim of a security threat. Such a message may be welcome or expected by the victim, who would then be easily induced into disclosing personal information. Phishing has become such a prevalent problem due to its huge profit margins, and we believe it is here to stay. In the absence of a single silver bullet to address the problem, phishers will increasingly rely on context to keep their yield from being lowered by improved countermeasures of the types mentioned above. We now know that social networks are an easy way to improve the effectiveness of attacks by a quantifiable amount. By anticipating this and other kinds of contextual phishing attacks, mitigating or preventative measures can be designed to limit the damage incurred.

II. Recommendation

Given the risk of phishing, what are the ways in which individuals and organizations can protect themselves? Though hard to implement, training the end user is perhaps the best protection mechanism. Sensing the gravity of the issue, more non-profit organizations and groups are joining hands to combat phishing scams. Legislation particularly needs attention in this matter, to define phishing explicitly and to set out phishing-specific penalties.

Phishing exploits human vulnerabilities, so technical solutions can only block some of the phishing web sites. It doesn't matter how many firewalls, encryption products, certificates, or two-factor authentication mechanisms an organization has if the person behind the keyboard falls for a phishing attack. A study on the effectiveness of several anti-phishing educational materials suggests that the materials reduced users' tendency to enter information into phishing web pages by 40%; however, some of the materials also slightly decreased participants' tendency to click on legitimate links. This leads to the belief that it is of paramount importance to find a new and efficient way of educating a large proportion of the population. The challenge lies in getting the user's attention for these security tips and advice. A few questions arise: Should we implement all these protection mechanisms, which complicate the user interface? Should we provide a better user experience at the cost of reduced security, or improve security at the cost of user inconvenience? Several recent surveys indicate that lack of security is leading to loss of customer confidence in Internet commerce. That means users want appropriate security controls in place even if it means carrying a password token or receiving their passwords via SMS. Today phishing is recognized by users as a real and potentially damaging threat. If appropriate anti-phishing controls are not put in place, chances are high that customers will switch to a more secure party to do business with. Education is a vital component of the battle against phishing as well as other online scams.

Based on the data gathered, the researcher has drawn up the following guidelines:

Don't reply to e-mails asking you to confirm account information. Call the company or log on to its web site to confirm that the e-mail is legitimate.
Review credit card and bank account statements for suspicious activity.
Report suspicious activity.

Stop, Look, and Call

Stop: Don't react to phisher ploys of upsetting or exciting information.
Look: Look closely at the claims in the e-mail. Also look at the links and web addresses.
Call: Call or e-mail the company in question to verify whether the e-mail is legitimate.

Computer users should make an effort to keep abreast of computer security issues in the news, and use common sense when giving out information anywhere, online or otherwise. If an e-mail (or a phone solicitor, web site, etc.) asks for personal information, that should be an immediate red flag that something may not be legitimate and needs to be confirmed. Legitimate companies will generally not solicit personal information via e-mail. If personal information is requested via a web site, the user should make certain he or she is connected to the proper site and that the communications are encrypted.

Unfortunately, phishing usually involves social engineering tricks, and, thus, even the best defenses that a company might have in place to combat outside threats are sometimes useless against these types of attacks. Although education is likely the best defense against phishing scams, there are technologies that make phishing harder to accomplish. When implemented with a defense-in-depth approach, software and hardware can be installed to slow the phishers down.

The following are possible defenses against phishers:

Two-factor Authentication - One of the more promising technologies to thwart phishing schemes involves two-factor authentication. This method uses a layered approach to validate a user's credentials by using two separate methods to verify a user. A two-factor authentication technique currently being offered uses one-time passwords that expire after a single use. These passwords are generated using a shared electronic key between the user and a bank. A login is authenticated not only by the user's credentials (username/one-time password), but also by the key that generates the password. If a password does happen to get stolen, it will not matter, since it expires after a single use.
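As an added illustration (not code from the paper), the following Python sketch shows the single-use property described above: a counter-based one-time password derived from a key shared between the user and the bank, in the style of RFC 4226 (HOTP), where the bank consumes each counter value so a captured password cannot be replayed. The shared key and the look-ahead window are constructed values chosen for this example.

```python
# Added example (not from the paper): a counter-based one-time password
# scheme in the style of RFC 4226 (HOTP). The user and the bank share a
# secret key; each password is derived from the key and a counter, and the
# bank refuses to accept the same password twice. Key and window are constructed.
import hmac
import hashlib
import struct

SHARED_KEY = b"constructed-demo-key-0123456789"  # shared between user and bank
DIGITS = 6
LOOK_AHEAD = 5  # how far the bank's counter may lag the user's token


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the one-time password for a given counter (RFC 4226 algorithm)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class BankVerifier:
    """Server side: tracks the last accepted counter so a password is single-use."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter value already consumed

    def verify(self, submitted: str) -> bool:
        # Only the next LOOK_AHEAD counters are tried; anything at or below
        # last_counter was already used (or skipped) and is therefore rejected.
        for c in range(self.last_counter + 1, self.last_counter + 1 + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.key, c), submitted):
                self.last_counter = c  # consume this counter and all earlier ones
                return True
        return False


def demo_stolen_password_is_useless() -> tuple:
    """A stolen OTP replayed after its legitimate use must be rejected."""
    bank = BankVerifier(SHARED_KEY)
    first = hotp(SHARED_KEY, 0)          # user's token shows password #0
    legit = bank.verify(first)           # user logs in: accepted
    replay = bank.verify(first)          # phisher replays the same password: rejected
    second = bank.verify(hotp(SHARED_KEY, 1))  # user's next password still works
    return legit, replay, second
```

Calling demo_stolen_password_is_useless() returns (True, False, True): the legitimate login succeeds, the replayed password is refused, and the user's next password is still accepted.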

Firewalls - There are e-mail firewall products that implement rules to block spam and phishing scams at the perimeter. These products offer heuristic rules that are updated as new phishing schemes are found. They not only block the spam, they also verify the IP addresses and web addresses of the e-mail source and compare them to known phishing sites. For larger organizations, this can be an effective defense against spam and phishing.

Anti-virus Technology - Though phishing scams are usually not considered a viral problem, if a user is infected with a worm that, in turn, installs a Trojan horse that can capture personal data, then anti-virus technologies are effective. Security best practices direct that all users should implement an anti-virus product regardless of whether they are concerned about phishing or online fraud.

Security begins with establishing trust between a user and a web site. Digital certificates are a way to establish this trust in the form of an encrypted digital key system. A public and private key structure is established whereby a company has a private key, obtained from a Certificate Authority (CA), and a user who wishes to make.

Browser Enhancements - Recent versions of Microsoft Internet Explorer, Mozilla Firefox, Netscape, and Opera offer new security features aimed at controlling phishing attacks and other online fraud. Using databases of known phishing sites, the browsers can look up a site and let the user know of the danger. These features are certainly a step in the right direction, though they are not 100% accurate. Microsoft and the Mozilla Foundation have been at odds as to how accurate each of their respective anti-phishing technologies is. If history is any indication, the phishers will most certainly try to find ways to defeat the browsers. Time will be the judge of how effective these new browser technologies are. These are the details that the researcher can provide for the recommendations of this research.
