Phishing is an old problem in new form

There is a simple solution.

Authentication/Notification.

No amount of education can stop every old person being 'conned' and education cannot help a customer who does not know their details have been stolen.

I am not familiar with the precise details of the fraud against President Sarkozy, and  there are many possible scenario's, however I can say that unauthorised transactions would not succeed if he had been notified in real time, and required to authenticate if the amount was over a preset chosen limit of say $50.

The scam I mentioned in my blog could not have succeeded if the victim was required to authenticate or at least be notified about the subsequent fraudulent transactions - in real time (not after the fact ala Visa.)

Whilst advocates of biometrics correctly point out that if biometric were mandatory and universal (global) these types of frauds could be reduced. There is one problem - they aren't universal and never will be.

Mobile phones are ubiquitous, they're already there and it would be reckless not to use that infrastructure already in place, rather than entertain the fantasy that biometric readers could acquire equal universality.

It's like saying the roads are unsafe for the cars we drive so we better all get a new crash-proof car because none of us will be safe until every single one of us owns a new one. A great idea and it sounds perfectly logical but it's never going to happen.

They're more likely to reduce the speed limit or install traffic control.

That is exactly what is required, the speed limit is where you decide how much someone can take out of your account and the traffic control of who get's to take money out of your account and your mobile phone will be the traffic lights.

No green light from the account-holder then no money out.

Mobile authentication and account verification can prevent a phishing attacker from gaining sufficient knowledge to perform a fraudulent transaction and additionally prevent a fraud even when your information has been leaked or 'lost' by a merchant. How? - the initial phishing email from the scammer would be instantly recognised as fraudulent - because it would fail authentication, leaving the phisher with nothing.

The best thing about mobile authentication is that it could protect you even if you gave your card and PIN to the fraudster!

That is practical fraud prevention and identity security. All the rest is fantasy.

Dean starts out with the perfectly reasonable observation that proper authentication is what's need to counter phishing.  But his argument then proceeds with a classic strawman tactic: lead the reader to believe that biometrics is the leading authentication method, then demolish it, leaving mobiles as apparently the only alternative. 

It's a flimsy argument on a couple of counts. Firstly, biometrics is not actually a sensible way to authenticate e-mail senders.  After all, they're often machines!  It's quite specious to add biometrics into the debate; nobody has seriously suggested that e-mails from banks be biometrically signed by actual human bankers.  No, what's probably needed is digitally signed e-mails, with certificates chaining to trusted authorities, and revamped e-mail clients that properly process digital signatures so as to block the unsanctioned originators.  But there are plenty of other approaches too, like web mail which can be architected to be pretty well phishing proof.

Secondly, just because mobile phones are ubiquitous, that's insufficient reason to press them into service as all-purpose security solutions. Was the telephone network designed to be coopted for authentication?  If the network fails, who's liable for losses arising in the new fangled mobile-secured transactions?  What legal arrangements can be put in place to allocate risk if we are to bridge the hitherto separate banking and telephone networks?

Just what Dean's mobile technology actually does remains entirely unclear.  How would it secure e-mails so as to stop phishing?  Would our experience of e-mail have to be re-jigged to put the phone into the loop?  Or is it just a warning system that actually doesn't touch the e-mail at all but instead protects account holders after they happen to fall for a phish?  Or what?

If we're going to debate technologies and talk seriously about security solutions, then let's have some transparency please; i.e. what's under the hood Dean?

Cheers, 

Stephen Wilson, Lockstep.

In response to Stephen's very pertinent queries.

'biometrics is not actually a sensible way to authenticate e-mail senders.'
 
I'm not sure I ever suggested biometrics or tokens or smart cards and can't see how they could be of much practical use in preventing phishing but what other options are there?
For the sake of the discussion it's probably a good idea to establish that it is actually an authorised human making the computer send the email in the first place. You have to start somewhere, whether it's biometrics or mobile authentication or whatever.

'Nobody has seriously suggested that e-mails from banks be biometrically signed by actual human bankers'.

Nobody including me, but it might suit such as when an authenticated sender (perhaps on behalf of a bank) wants to ensure an authenticated recipient  receives the message and be notified that they have in fact received it (and even perhaps agreed to its content, ie loan agreement, change of investment etc). ie signing a document/contract.

'plenty of other approaches too, like web mail which can be architected to be pretty well phishing proof'
- I haven't seen anything practical yet.

'If the network fails, who's liable for losses arising in the new fangled mobile-secured transactions?'

I have a recollection that the mobile network is somewhat more reliable than the EFTPOS network, anyone have any numbers to disagree? Who is liable when the EFTPOS network or smart card reader fails? There is also generally more than one mobile network too. I understand that a lot of new EFTPOS installations are actually 'mobile' - it must be good enough.

I think the telephone network is perfectly fine for authentication and transactions, if you use the right methodology and features.

'How would it secure e-mails so as to stop phishing?'

- I can only speak here about a particular system I am familiar with and can't speak for anybody else's approach. My ideal approach is where the receiver should know if an email is not genuine before they answer it or follow a link in it and if they answer a phishing email despite it not being authenticated - the phisher would be unable to access their account or use the information to carry out a fraudulent transaction.The objective is...

My guess is that if phishing was generally unsuccessful, in spite of even the worst efforts of the users, phishing emails would eventually diminish.

'Would our experience of e-mail have to be re-jigged to put the phone into the loop?'

Not at all, although it might be a shock to be able to trust authentic or important emails like genuine ones from our banks.

Users don't have to carry out any extra steps, or learn any new skills, if that is what you mean, and it is 100% compatible with virtually every existing email client or server currently in use.

'is it just a warning system that actually doesn't touch the e-mail at all but instead protects account holders after they happen to fall for a phish?'  

It's more than a warning system and doesn't have to touch the email, but if you wanted to you could encrypt the email, digitally sign it or whatever else you care to.
It does not prevent you receiving a phishing email, but it let's you know if an email is a genuine email or not.

It protects you before the phish, and it also protects you afterwards if you happen to get phished anyway. You won't be able to be successfully defrauded despite your best/worst efforts in helping the phisher.

There is also the added benefit that you won't ever really have to provide anyone with information, they don't need to know it. They'll automatically get the minimum they need to perform the process, usually none, and even if they do already have the information and they shouldn't, it will be of no use (ie. to the hackers who already have all your information.)

Phishing just does not work even if you give all your information including your PIN to a phisher -  if you are using the basic authentication/transaction product, whether you use email trust authentication or not. The email authentication is really just to get you to actually read genuine messages from your bank or whoever else you trust enough to want to read their message. It's up to the sender and is just a free feature for the recipient if they're already using the basic authentication system.

'What's under the hood?'
From the user's perspective just their mobile phone.

I was questioning the wisdom of piggy-backing payment authentication services onto the mobile telephone network.  I asked "If the network fails, who's liable for losses arising in the new fangled mobile-secured transactions?"

Dean responded:

I have a recollection that the mobile network is somewhat more reliable than the EFTPOS network, anyone have any numbers to disagree? Who is liable when the EFTPOS network or smart card reader fails?

Plainly, when the EFTPOS network fails, the EFTPOS network operator is liable.  But when a mobile phone network fails, and damages result in a payments application for which that network might not have been designed for (nor accredited for) then the question is obviously much more complex. Though I fear that the answer might be simple: the mobile operator is likely to say 'no' to liability! And perhaps even 'no' to any use of its systems for these novel purposes.

Consider this parallel.  One day I realise that Qantas runs a more reliable transport network than any trucking company.  So it strikes me that a good business opportunity is to start carrying parcels as hand luggage on behalf of business clients.  And then one day a parcel gets lost in the airline system and my service level agreement with my customers is breached.  What chance do I have of recovering losses from Qantas?  In the absence of a contract with the airline, absolutely zero.  So it would be wise for my ad hoc courier business to have an arrangement in place with Qantas for me re-using their service. 

But what do you think that sort of arrangement would look like?

I think the telephone network is perfectly fine for authentication and transactions, if you use the right methodology and features.

With respect Dean, what you think isn't the issue, it's what the mobile network operators think, especially in relation to liability arrangements and contracts.  So when I ask "what is under the covers", what I'm really interested in is the legal arrangements you propose to have with telcos for their networks to be coopted for authenticating payments?

As I've mentioned before on these pages, what kills novel authentication arrangements (like all manner of federated ID schemes for instance) regardless of their technological merits, is the sheer novelty of the legal arrangements that are implied.  To get lawyers to get their heads around new schemes, especially when these schemes break open existing silos and change business models, is a lengthy and staggeringly expensive exercise.

Cheers,

Stephen Wilson, Lockstep.

A standard telco service contract is just fine. No special agreements required, it's designed that way and has worked perfectly fine that way so far, without the telcos even knowing we were doing it. In fact it's better that way. We have all sorts of redundancy available and need not depend on any particular network.

As with any activity dependent on a third party infrastructure - like driving your Ford on the local road, you complain to the Municipal Council if the roads aren't up to scratch, not Ford, because the only thing they can do is sell you a 4 wheel drive to get over the pot-holes. If your telco isn't providing you with mobile service, you may not be able to transact using your mobile. Complain to them or choose a different telco.

All that is required for mobile transactions on the part of the telcos is that they be telcos and keep shooting for those Five9's. They will profit significantly from the increased use and their networks which will become even more reliable and the coverage will get better. As it stands, their coverage is far broader than EFTPOS and mobile transactions can work anywhere there is coverage. No special requirements.

In fact I think I have the key to long term 3G success and profitability for the networks, but they'll have to wait and see what we're planning there. Should we pull an Apple - where one or two networks get the spoils and the others miss out?
No - the strength of the business model is that it doesn't depend on any special relationship with either manufacturer or telco or bank. That's not to say there isn't room for many special relationships - I'm particularly interested in special relationships with consumers.

I hope I haven't further depressed any lawyers.