E-crime must surely be less risky, which is why it continues to grow. Phishing is now commonplace and not a day goes by without more e-mail arriving from “Royal Bank of Scotland”, “Citibank” and “Merrill Lynch”. In the latter case, this convincing missive arrived while I was typing the beginning of the paragraph!
Merrill Lynch Enhanced Security Authentication: We have enhanced the Merrill Lynch Business Center security access to further safeguard access to your account information. Click on the hyperlink below and follow the prompts to answer and record answers to five personalized security questions. We may, in the future, ask you for answers to these questions when you log into the Business Center to ensure that only you are accessing your account information.
By clicking the link below and/or by using the Merrill Lynch Business Center website (“site”), you:
Login by clicking here: https://wcma.businesscenter.ml.com/ [deleted URL for security purposes: 8yvcv.com]
I. Represent and warrant that you are authorized to accept the Merrill Lynch Business Center Terms Conditions [deleted URL for security purposes: 8yvcv.com] and use the site on behalf of yourself and your employer and in doing so you are acting within the scope of your duties and
II. Accept the Merrill Lynch Business Center Terms Conditions [deleted URL for security purposes: 8yvcv.com] on behalf of yourself, agree to be bound by them.
Pretty convincing, I’m sure you’ll agree. I almost clicked on it myself, but didn’t because I don’t have a Merrill Lynch account. But some people do, and some of them will click on it. The phishers rely on familiarity to acquire sensitive information, such as usernames, passwords and financial data, by masquerading as a familiar or nationally recognized bank, credit card company or even an online auction site. A McAfee Avert Labs report showed that the number of phishing Web sites increased by 784 percent in the first half of 2007. Social network sites are also a new target for the fraudsters: in December 2006, cyber criminals targeted MySpace and used a worm to replace legitimate links with ones that lured users to a phishing site designed specifically to harvest personal information. Until we begin to assemble a proper digital identity infrastructure, I can’t see much changing here, to be honest.
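The giveaway in the message above is that the link text shows a Merrill Lynch address while the real destination is 8yvcv.com. That mismatch between displayed URL and actual href is something a mail gateway can check mechanically. The following is an added illustration, not code from the original post: it parses an HTML body, collects every anchor whose visible text looks like a URL, and flags those whose displayed host does not share a registrable domain with the href host. The sample HTML is constructed to mirror the quoted e-mail; the two-label domain comparison is a deliberate simplification (a production filter would consult the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the quoted message: the visible text names the
# bank's host, but the href points at the domain noted in the post (8yvcv.com).
SAMPLE_HTML = """
<p>Login by clicking here:
<a href="http://8yvcv.com/ml/login">https://wcma.businesscenter.ml.com/</a></p>
<p>Read the <a href="https://www.ml.com/terms">Terms and Conditions</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification (assumption): treat the last two labels as the owning
    # domain. Real filters should use the Public Suffix List instead.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return anchors whose displayed URL host differs from the href host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        match = re.match(r"https?://([^/\s]+)", text)
        if not match:
            continue  # link text is not a URL, so nothing to compare against
        shown_host = match.group(1)
        if registrable_domain(href_host) != registrable_domain(shown_host):
            findings.append({"shown": shown_host, "actual": href_host, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f"link shows {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Run against the sample it reports the login link only; the "Terms and Conditions" anchor has no URL in its text and so is not compared. Links whose text is plain words are the harder case and need reputation or domain-age checks rather than this purely syntactic test.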
So “real” world money isn’t safe and online money isn’t safe either. In fact, fraudsters happily straddle both worlds, compromising physical point-of-sale (POS) terminals to collect and store the data on cards and then whisk it around the world to manufacture bogus cards for use in POS and at ATMs or in card-not-present environments. Avivah Litan of Gartner says
It’s almost more dangerous to go to the gas station than it is online.
That’s if you can find a gas station that still takes cards, of course. She also said that of 160 data breaches investigated for one major credit card brand, 128 were card present (hence all the efforts to strengthen PCI-DSS). It doesn’t look as if there will be much improvement either: Gartner predicts that only a third of POS software will be PCI-DSS compliant by 2009. But even when the POS software is fully PCI-DSS compliant, the problem of criminals tampering with POS terminals will still grow. So long as people are being asked to put their PINs into a device they cannot trust, criminals will target that process as the weak link in the card security chain.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.