6/22/2004
03:50 PM

MasterCard Goes Fishing For Phishers

It will partner with NameProtect to receive real-time reports of phishing attacks and other scams, then pass the information to law-enforcement agencies.

MasterCard International Inc. and digital-fraud-detection firm NameProtect Inc. have joined to fight illegal online activities, principally "phishing" schemes and the online trading of stolen credit-card numbers.

The partnership marks a more-active approach to addressing online fraud. MasterCard will use NameProtect's technology to detect online scams as they unfold and, in conjunction with law-enforcement organizations, shut them down before significant losses can occur.

"The new threat that we are particularly addressing here is the cyberattack, involving phishing, identity theft, and so on," Sergio Pinon, senior VP of MasterCard Global Security & Risk Services, said on a media conference call Tuesday. "We want to insure that the trust remains between our consumers and the financial-payment system."

At the moment, there's ample reason to be wary. Gartner estimates that 57 million Americans have received phishing E-mails in the past year. During two weeks in December 2003, 60 million phishing messages were sent, according to the Anti-Phishing Working Group, an organization to which both MasterCard and NameProtect belong. Identity theft has been the No. 1 consumer complaint for the past four years, according to the Federal Trade Commission.

Pinon noted that it takes eight days from the establishment of a Web address to the time that a phishing attack can be launched using that address. "In order for this to be effective, we have to be able to monitor online phishing attacks, trading of account numbers, identity theft, and so on, on a 24/7 basis," Pinon said.

NameProtect is now monitoring domain names, Web pages, images, auctions, chat forums, spam, and other online formats to identify online fraud. It sends real-time reports to MasterCard, accessible through a Web portal. Within four hours, MasterCard is able to inform its 25,000 member financial institutions worldwide of online attacks, using its MasterCard Alerts service.

MasterCard also will be going after Web sites that offer how-to information to those interested in committing fraud, with the help of the United States Secret Service, the Federal Bureau of Investigation, the U.S. Postal Service, and Interpol.

To date, MasterCard can provide no specific instances of sites shut down during the trial portion of this program, which ran from April through June. "We have passed the information on to the affected parties," said Pinon, "and I am sure, having that information in hand, that they have taken the steps."

With regard to domains that masquerade as sanctioned MasterCard sites, Mark McLane, CEO of NameProtect, said that his company has already helped MasterCard shut down a number of such sites, but declined to provide further details.

It's the details that may prove problematic. Gartner VP and research director Avivah Litan says it's not easy to shut down a Web site, especially if it's in some country where the U.S. and European Union don't have a lot of pull. "Once you catch them, you can't necessarily stop them," she says. "It's like trying to catch a cockroach."

Still, she says, "It's a practical solution. It's not a slam dunk."

Pavni Diwanji, CEO and founder of anti-spam vendor MailFrontier Inc., echoes the concerns expressed by Litan. While she says she's glad a company as big as MasterCard is trying to deal with this, she cautions that these phishing messages and scam sites don't have to be around for very long to do damage. Often, she says, scammers themselves will take phishing sites down after only a few hours. That's because phishing campaigns can bring in credit-card information in a matter of minutes. Beyond alerting banks, she says, "We have to protect the victims in a timely manner, too."

Andy Klein, anti-fraud product manager at MailFrontier, offers an example of how sophisticated phishers have become: They do market research to determine who's vulnerable to their scams. To identify who might be likely to open mail purporting to be from a certain bank, phishers recently sent a trial E-mail with a Web bug--a link to a graphic file stored on a remote server, used to measure whether or not the message was opened. Receptive recipients were subsequently targeted with a phishing E-mail.

MailFrontier's Phishing Index for May 2004 shows one out of 10 people were duped into following the link provided in phishing E-mail--this despite the fact that the message had been quarantined and labeled suspicious. A May 2004 Gartner report found that 3% of a projected 57 million who believed they had received a phishing E-mail clicked on the links to spoofed Web sites and submitted personal and financial data. Certainly, there's a need for user education.

"This is absolutely a step in the right direction," Diwanji says of the MasterCard initiative. "Is it enough? No."
