Total Pageviews

11 May 2006

Phishing - a counter tactic

Phishing is a big problem. Can I suggest that the banks set up dummy phishing bank accounts with no money in them and issue logins to the bank accounts to all their customers. Maybe this could just be done via one central bank account and simply present a logical account number via the online banking.

Then when customers receive a phishing mail, they go to the phishing site and type in the dummy details.

The crooks then capture the dummy details and to all intents and purposes they can't tell the different between this account and a real one because the crooks would then be using the real banking site. The site could even be modified to show an account balance.

Then they try and move the money from that bank account to their own bank account and by typing in the details of where they are trying to send the money to, we might stand a better chance of being able to catch them.

At the very least the very large number of false bank details would tie up the crooks' time and make successful phishing that much harder.

Just a thought, anyone got any better ideas?

1 comment:

Jason said...

The good thing about this type of response to phishing is that, unlike IP address tracebacks etc. once you start tracking the money, you're going to start finding the right people, not a botnet host or some other innocent bystander.

This method is already being used by at least one commercial organization (brandimensions) offering anti-phishing protection to financial institutions.

From their web page explaining their process:

"We recommend establishing a bank account and active credit card number assigned to Brandimensions projects managers. Once a Phishing attack against your organization is confirmed, our project managers can submit the assigned card's number to the Phishing page. This provides your fraud department with an immediate trail for following the flow of outgoing funds."

(note that i am deliberately not linking to their site to avoid even looking like a spammer. and no, i'm not affiliated with them in any way, but i do deal with phishing incidents professionally and have been noticing a lot of reports coming from them lately. so i went to their site to see what they were about and was suitably impressed.)

Popular Posts