Identity-Based Fraud Tools Make Phishing Harder to Combat
March 17th, 2009 by Scott OlsonI came across a good article this morning on detecting and avoiding phoney fraud alerts. The problem is that I found myself thinking yet again that as online sites employ even more identity-based fraud management solutions to combat online fraud, the likelihood of these phishing attacks to succeed goes up. More and more often we are being asked for increasing amounts of personal information to validate our identity.
There are two problems with this. First, we are training online users that providing personal information in addition to credit credentials, i.e. color of your first car, your pet’s name, etc. is required to complete a transaction. As this has become the norm it is harder to spot phishing attacks. Second, we are feeding the online databases created by botnets with increasingly personal information that the scammers can use to bypass these same checks.
I truly believe that the long term viability of solutions that require input of substantial personal information is in question. To fight fraud, account takeover and identity theft, we should move more to systems that do not require this information like a variety of multi-factor authentication tokens, device fingerprinting, and smart cards.
Tags: device fingerprinting, identity theft, Online Fraud, Phishing
March 18th, 2009 at 6:39 am
Hi Scott,
I completely agreely with you. The Identity protection is getting complicated for consumer and also leading them to give their personal details.
In addition, the social networking sites are also opening up people’s life completely. All a phisher or hacker has to do is – POKE them, Add as friend….
Identity verification needs to be more robust but without relying on the consumer’s knowledge. it has to deliver identification attributes or out of band authentication that are not possible for phishers to ask or get.
vikram
March 19th, 2009 at 7:41 am
[...] HOME | ABOUT | CONTACT | RSS « Identity-Based Fraud Tools Make Phishing Harder to Combat [...]
May 4th, 2009 at 10:42 am
[...] The argument against this type of technology is that the device information could be collected and sold, constituting a violation of privacy of the online user. What is missed here is how significant an improvement this is over existing identity based fraud prevention techniques. Device fingerprinting solutions, such as the device reputation system offered by iovation, ideally work much more to dually reduce fraud while simultaneously protecting the privacy of the individual. iovation’s ReputationManager service, as an example, collects and requires no personal information from our customers. Our online service is completely incapable of assigning any online activity to an individual and we market it that way. This is in direct contrast to many of the systems in place today that fight fraud through an increasingly invasive collection of personal information in the form of questions and responses to personal questions. I have blogged about this topic twice in the past, first on the topic that identity based fraud management systems are part of the problem. Second, I blogged that relying on identity based fraud management systems makes phishing harder to combat. [...]