February 14, 2005 7:29 AM PST

Microsoft, eBay join antiphishing initiative

Microsoft, eBay, PayPal and Visa have joined a new antiphishing initiative spearheaded by WholeSecurity, the companies said Monday.


Related story
Phishing flaw a danger
to some browsers

Non-Microsoft browsers
are vulnerable to a
weakness in a domain
name standard.

Dubbed the Phish Report Network, the effort will attempt to slow the spread of phishing attacks by reporting deceptive Web sites to a central database operated by WholeSecurity, an IT security company based in Austin, Texas.

Once a site has been reported to the network and confirmed as fraudulent, the organization notifies all of its members about the URL, allowing companies to block the suspect site and encourage their customers to follow suit.

Phishing schemes typically consist of e-mail messages that appear to come from trusted companies. These messages attempt to lure people to bogus Web sites, where they're asked to divulge sensitive personal information, such as bank account details and Social Security numbers. Once armed with that data, criminals will often use it to commit identity theft.

WholeSecurity is orchestrating the initiative--which was announced at the RSA Security Conference taking place this week in San Francisco--through the use of its Web Caller-ID technology. The tool is already in use at eBay and its PayPal subsidiary, two of the most common brand names used by phishing fraudsters. Offered as part of eBay's free Internet toolbar, the application notifies consumers when they enter a site that WholeSecurity has confirmed as fraudulent.

The Phish Report Network will distribute aggregated lists of banned sites so that its members can incorporate the data into their own software, e-mail applications and browser services. The group is also encouraging any other company that has been targeted by phishing sites to join in its efforts, saying that the more companies sign up for the initiative, the more effective it will become.

Many e-commerce sites have called for greater vigilance on the part of financial services companies such as Visa to help stem the tide of online fraud, as credit cards are involved in a majority of the criminal schemes. Visa executives cited the Phish Report Network as a prime opportunity to respond to some of those requests.

"Visa is focused not just on shutting down phishing sites but preventing phishing e-mails from ever reaching consumers worldwide," Brad Nightengale, department head of the emerging-products division at Visa, said in a statement. "Working with the participants in this solution, Visa can play a key role in stopping this crime before it happens and in maintaining global consumer confidence online."

2 comments

Join the conversation!
Add your comment
Ironic that Visa is doing this...
Visa created the 'Verified by Visa' program that claimed to protect the cardholder against unauthorised Visa billings, but in fact was remarkably simple to get around, and required the cardholder to give up virtually all protection from Visa in exchange.

Their system was a classic example of why phishing works: under the terms of the agreement with Verified by Visa, you'd lose virtually any right to refuse a charge or challenge it. In fact, the agreement clearly stated that if you let your password out, you're responsible for charges.

However, simulating their verification login is trivial and would allow unscrupulous people to set up webfronts that appear legit, but serve to collect Visa PINs.

The same thing could be done by simple phishing tactics. Since the only verification is your pin and since no further verification is done other than that, losing your pin to a phisher would be very destructive.

Compare this to Amex's Blue system that used a smartcard and a one-time credit card number to ensure both the identity of the cardholder via a a difficult to duplicate physical medium, and protect the user from multiple hits. Even more impressive - the agreement with Amex does not limit the cardholder's right to challenge a charge... showing that Amex had greater confidence in their system than Visa did.

The problem of fraud can be eliminated to a great degree using existing technology such as PKI and onetime account numbers. Amex has proven that. Why are we still playing around with easy to break systems like PINs?
Posted by JeffLewis (43 comments )
Reply Link Flag
unscrupulous
<a class="jive-link-external" href="http://www.analogstereo.com/volvo_xc90_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/volvo_xc90_owners_manual.htm</a>
Posted by Al Johnsons (157 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.