Saturday, May 29, 2010

Phishers Ambush Military Credit Unions

Internet.com is reporting that "a number of bogus Web sites that appear to be the official pages of a pair of credit unions used by military personnel are actually phishing traps designed to steal soldiers' identities."



Phishing can be eliminated. What they are "phishing" for are online banking passwords and usernames. Get rid of the antiquated login process and start "really" getting serious about authentication.



Replicate the same trusted process used to dispense cash "in real time" from an ATM and "two-factor" authenticate the online banking session by having customers swipe their bank-issued card and enter their bank-issued PIN.



Start doing that, and banks will eradicate the "phishing" problem...because there will be nothing left to phish phor.



The money banks spend "phighting" phishing can be spent providing their customers with a PCI 2.1 Certified PED, resulting in the complete eradication of the threat posed. (It would also provide an ROI to the issuing bank via interchange revenue derived from usage of the device for eCommerce purchases.)



What's the phake phishing site going to ask people to do? Swipe their card and enter their PIN? Worthless move. It's instantly 3DES DUKPT encrypted inside the device, and guess who "doesn't" have the encryption key? If you said the phisher, you're right. If you said the online banking customer, you are also correct. The way it's done now, the customer does have the information being phished phor.



Translation: No more username/passwords.



Even the customer him/herself does NOT have the "information" the phishers are looking for so they cannot be "duped" into providing it.



Make sense? When the card is swiped and the PIN is entered "outside the browser and inside the box," there isn't "ANY phishable" information.
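An added example, not from the original post or from any vendor's code: a simplified Python model of the per-transaction key idea behind DUKPT (ANSI X9.24), showing what leaves the device when the card is swiped and the PIN entered. HMAC-SHA256 stands in for the 3DES operations and the real key-derivation tree, and the key, device ID, card number and PIN are constructed values.

```python
import hmac, hashlib

def _prf(key: bytes, msg: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256 stands in for DUKPT's 3DES derivation/encryption.
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pin_block(pin: str, pan: str) -> bytes:
    """Clear ISO 9564 format 0 PIN block: PIN field XOR PAN field."""
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[:-1][-12:]  # rightmost 12 digits, check digit dropped
    return _xor(bytes.fromhex(pin_field), bytes.fromhex(pan_field))

def initial_key(bdk: bytes, device_id: bytes) -> bytes:
    # Computed by the bank and injected into the device; the BDK stays at the bank.
    return _prf(bdk, b"initial" + device_id)

def transaction_key(ipek: bytes, counter: int) -> bytes:
    return _prf(ipek, b"txn" + counter.to_bytes(4, "big"))

class PinPad:
    """Hypothetical device: the key and the clear PIN block never leave it."""
    def __init__(self, device_id: bytes, ipek: bytes):
        self.device_id, self._ipek, self.counter = device_id, ipek, 0

    def swipe_and_enter(self, pan: str, pin: str):
        self.counter += 1  # a fresh key for every transaction
        key = transaction_key(self._ipek, self.counter)
        return self.device_id, self.counter, _xor(pin_block(pin, pan), _prf(key, b"enc"))

def host_verify(bdk: bytes, msg, pan: str, pin_on_file: str, seen: set) -> bool:
    device_id, counter, ciphertext = msg
    if (device_id, counter) in seen:  # same device and counter seen before: replay
        return False
    seen.add((device_id, counter))
    key = transaction_key(initial_key(bdk, device_id), counter)
    clear = _xor(ciphertext, _prf(key, b"enc"))
    return hmac.compare_digest(clear, pin_block(pin_on_file, pan))

# Constructed sample values (test card number, made-up key and device ID).
BDK, DEVICE, PAN, PIN = b"constructed-bdk", b"PED-0001", "4111111111111111", "1234"

def demo():
    pad, seen = PinPad(DEVICE, initial_key(BDK, DEVICE)), set()
    first = pad.swipe_and_enter(PAN, PIN)
    second = pad.swipe_and_enter(PAN, PIN)
    return (host_verify(BDK, first, PAN, PIN, seen),   # genuine login
            host_verify(BDK, first, PAN, PIN, seen),   # captured message replayed
            first[2] != second[2])                     # same PIN, different ciphertext
```

In this model the browser only ever relays the device ID, the counter and the ciphertext, and the bank rejects a relayed message it has already seen.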






That's why Eugene Kaspersky of Kaspersky Labs last week called for "MASS adoption of peripheral card readers for ALL internet banking customers."



May 28, 2010  By Larry Barrett


Phishers don't play favorites and their latest intended victims are the men and women in uniform.









As eSecurity Planet discovered, several clever phishing traps have popped up online in the past year with almost the exact same look and feel of a pair of popular credit unions primarily used by folks serving in the U.S. military.


Security software experts are warning customers of both USAA, an insurance and financial services firm, and the Navy Federal Credit Union to be especially vigilant before divulging their Social Security numbers, passwords, account numbers and other personally identifying information.
Symantec said this latest attack comes from Web sites hosted on servers in Taiwan, and variants of these particular phishing URLs have been used to spoof other online brands as well.

U.S. Strategic Command officials are joining leading security software vendors in warning soldiers serving in the U.S. Army, Navy, Air Force and Marine Corps to be on high alert for a new phishing scam that is targeting customers at a pair of credit unions catering to servicemen and their families.
Gen. Kevin P. Chilton, the STRATCOM commander, is warning soldiers and their families that bogus Web sites imitating both USAA, a popular insurance and financial services firm catering to military families, and the Navy Federal Credit Union have successfully stolen the personal and banking data of an unknown number of customers. 

Read the full story at eSecurity Planet: 

Phishing Scam Targets Military Credit Unions




