Had Phishing Been a Stock

Last October I presented at a meeting in London during RSA Security Europe. I was asked to come up with predictions for 2008 online financial threats. My first prediction was that Phishing will more than double. “Had phishing been a stock”, I said, “I would have bought it”. 

Pity that I couldn’t. This was a bit before the credit crunch hit the markets – I remember, because my financial advisor at the bank said buying more stocks in October is a good idea as I should be able to catch the end-of-year traditional Wall Street run.  So, had phishing really been a stock, it would have made you a lot of money. And even today I’ll say it’s a good bet for the next few years. Which is why I wasn’t surprised by APACS’ figures showing a 200% increase in the level of phishing attacks in Q1 2008 when compared to last year. Triple the number of attacks. My prediction was more than double; I guess this counts. 

The reason Phishing is here to stay is simple: it works. It’s as spread these days as common cold, and is as effective. Like common cold, it won’t kill you. Like common cold, there are plenty of remedies and relieves – but Phishing is highly resilient and just won’t go away. 

It won’t go away unless the root cause is addressed. As long as emptying bank accounts is an easy, cost effective and risk free operation, Phishing will fuel the fraud industry with stolen credentials. 

Phishing may migrate to other, nastier forms of disease, if banks and other organisations adopt strong 2-factor authentication. This is particularly true to transaction signing authentication, which is the highest possible level of EMV based 2-factor the market can throw at the fraudsters. Those deploying transaction signing can enjoy a spell of relative calm in the stormy days of online fraud, but should expect a hurricane once fraudsters decide it’s time to use Man in the Browser techniques. When this happens, we’ll all be saying ‘god, how we miss the good old Phishing days’. 

But even then I don’t believe Phishing will stop, since by the time the financial industry comes up with effective defence mechanisms, Phishing will have other uses and targets. It will target areas within the financial sector that are less protected, like loan applications and online trading. It will hit non-financial organizations, social networks and web 2.0 applications inside the enterprise’s firewall. It will be used to collect data in order to conduct identity theft.  

No, I’m pretty sure Phishing, like spam, botnets, and other maladies of the Internet age, is here to stay for a long time.