A post relating to this item from Finextra:
23 May 2008
ING Direct, the direct banking business of Dutch group ING, is offering US customers free anti-phishing software from Internet security outfit Trusteer.
How is it that we have all forgotten that an ounce of prevention is worth a pound of cure? Giving away anti-phishing software is shutting the stable door after the horse has bolted.
Phishing and pharming are enabled by the fact that conventional client-to-website connections pay no attention to the integrity of the target site. A phisher sends out a million invitations by e-mail to click on a link, and some proportion of people inevitably do so -- but their browsers aren't configured to tell the difference between a real site and a fake. Or, punters are diverted to a pharming site -- totally bogus but cut-and-paste from the real McCoy -- and just because it looks right, or because a padlock pops up, they trust it.
With just a little more effort, we could establish secure e-mail between banks and customers (probably web mail would be best) using EMV smartcards and the like to carry the keys. Cards should carry not only the private keys of the customers that establish their legitimacy, but also the 'master' public keys of the bank. So, when you seem to have received an email from the bank, your card can double check its authenticity. And when you're trying to visit the bank site, instead of typing in URLs or clicking on links, the session can be established using a bona fide key retrieved from the bank's own chip card.
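As an added illustration of the scheme sketched above (not code from the post, Finextra, ING Direct or Trusteer), the following Go model uses Ed25519 as a stand-in for whatever signature algorithm a real EMV card would carry; the `Card`, `Message`, `NewCard`, `BankSign`, `VerifyFromBank`, `SignChallenge` and `BankVerifyCustomer` names are hypothetical. The point it shows is that the card checks messages against the pinned bank key only, so a phisher's e-mail or a look-alike site fails regardless of appearance, and the customer proves legitimacy by signing a challenge rather than typing a password.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card models the chip card from the post: it carries the customer's private
// key and the bank's pinned "master" public key (hypothetical model).
type Card struct {
	customerPriv ed25519.PrivateKey
	bankPub      ed25519.PublicKey
}
// Message is a bank e-mail (or site-identity assertion) with the bank's signature.
type Message struct {
	Body, Sig []byte
}
// NewCard provisions a card: generates the customer key pair and pins the bank key.
func NewCard(bankPub ed25519.PublicKey) (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{customerPriv: priv, bankPub: bankPub}, pub, nil
}
// BankSign is the bank side: sign the message body with the bank's private key.
func BankSign(bankPriv ed25519.PrivateKey, body []byte) Message {
	return Message{Body: body, Sig: ed25519.Sign(bankPriv, body)}
}
// VerifyFromBank checks a message against the pinned key only; a phisher's
// e-mail or a look-alike pharming site fails here no matter how genuine it looks.
func (c *Card) VerifyFromBank(m Message) bool {
	return ed25519.Verify(c.bankPub, m.Body, m.Sig)
}
// SignChallenge answers the bank's login challenge with the card's private key,
// establishing the customer's legitimacy without a typed password.
func (c *Card) SignChallenge(challenge []byte) []byte {
	return ed25519.Sign(c.customerPriv, challenge)
}
// BankVerifyCustomer is the bank side of the login: check the card's signature.
func BankVerifyCustomer(custPub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(custPub, challenge, sig)
}

func main() {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	card, _, _ := NewCard(bankPub)
	fmt.Println(card.VerifyFromBank(BankSign(bankPriv, []byte("Your statement is ready"))))
}
```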
We shouldn't need to deploy anti-phishing software in an endless game of catch, engaged with scammers who continue to exploit the fundamental insecurity of the medium. Imagine the possibilities if banks could simply restore customer trust in e-mail!