Abstract:
Mr. Ionuţ Florea – Information Systems Security Analyst.
When fishing became "phishing", the catch from the lake turned into an on-line catch. Whether the bait is taken no longer depends on the fish being wary enough not to bite, but on the Internet user's expertise.
Publication:
e-Week
Date:
01/01/2007
The case of a bank will be used as the example, but this type of attack, and the protection measures implemented against it, are encountered in other settings too.
How the attack happens: the attacker sends messages on behalf of a bank, asking its clients to connect to the bank's site and enter personal data. Instead of reaching the bank's site, the client is directed to a false site, visually identical to the real one, where the information he enters is saved for later use: to withdraw money from the accounts or to bring the attacker other benefits.
There is no purely technical mechanism able to solve this problem. A supplementary method could be used to authenticate the transaction rather than the user, but, depending on the method chosen, such a solution may be viable only in the short term, as is the case with advanced authentication mechanisms.
The simplest situation for the attacker is when user authentication relies on a single factor: the user name and the password giving access to the account. Knowing them exposes the account and allows undetected access until the password is changed. Another applicable attack is guessing the password.
A sustained education campaign for users and the implementation of appropriate technical measures are necessary, such as reliable identification of the bank's web pages and two-factor identification of users. This is not an infallible solution, but it makes unauthorized access to clients' accounts harder.
Two widely deployed mechanisms exist for implementing two-factor authentication:
One Time Password (OTP). The user has an access password and a device which, at fixed intervals (e.g. every minute), generates random identification codes. The device is synchronized with a server, and authentication is possible only by entering both the access password and the generated code. Even if the network traffic is intercepted, access with a code generated at an earlier moment is not allowed. The mechanism is simple to use, but it has nevertheless been defeated by a "man in the middle" attack: a false bank site was created, the user entered his identification elements there, and was then forwarded to the legitimate site. At first sight the user cannot detect the attack and behaves as if he were on the bank's site. Obviously, transactions can be made between the false site and the bank while the user is connected, or after he thinks he has closed the session when in reality it remains open, so fraudulent transactions can be made between the false site and the bank. A lower-technology variant of OTP is the use of a password together with an access code taken from a table supplied by the bank.
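The following is an added illustration, not code from the article: a minimal time-based OTP (RFC 6238 style, one new code per minute as in the example above) with the server-side check that makes a code generated at an earlier moment, or a code already used once, unusable. The secret and the clock value are constructed for the demo. Note what the check does not do: the code is accepted the first time it is submitted, whoever submits it, which is exactly why a phishing site relaying it in real time still succeeds, as the article describes.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; in a real deployment each user's secret is shared
# only between the token device and the bank's authentication server.
DEMO_SECRET = b"constructed-demo-secret-key"
STEP_SECONDS = 60   # the article's example: a new code every minute
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the current time step as the counter (token side)."""
    return hotp(secret, int(now // step))


class OtpVerifier:
    """Server side: accepts a code for the current step (plus one step of clock
    drift either way), and each counter value at most once."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1   # highest counter already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            # Never accept a counter at or below the last accepted one: this is
            # what stops a code captured from the traffic from being replayed.
            if counter <= self.last_accepted_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk through the scenarios from the text with a fixed (constructed) clock."""
    verifier = OtpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, now)
    # Accepted once, whether submitted by the user or relayed by a false site
    # within the same minute: OTP alone does not stop a real-time relay.
    first = verifier.verify(code, now)
    # The same code submitted again a few seconds later (replay) is refused.
    replay = verifier.verify(code, now + 5)
    # A code from ten minutes ago is outside the window and refused.
    old = verifier.verify(totp(DEMO_SECRET, now - 10 * STEP_SECONDS), now)
    # The next minute's code is accepted when that minute arrives.
    next_step = verifier.verify(totp(DEMO_SECRET, now + STEP_SECONDS), now + STEP_SECONDS)
    return {"first": first, "replay": replay, "old": old, "next_step": next_step}


if __name__ == "__main__":
    print(demo())
```

The `last_accepted_counter` bookkeeping is the part most often missing from home-grown implementations: without it, a code sniffed from the wire stays valid for the whole time step and can be submitted a second time.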
Authentication based on a digital certificate stored on a smart card. The user must hold the smart card on which the certificate is stored and know the corresponding access password. There is a danger of attack here as well. Given that digital certificates have been issued to the users, it is natural that the bank's site should also identify itself with a digital certificate, which in this case makes the "man in the middle" attack almost impossible. Site identification based on the certificate must be backed by a strong education campaign for users, teaching them how to verify the identity of the web pages every time they connect for on-line transactions. In this way the risk of landing on false sites decreases considerably.
Even if authentication is very strong and the client accesses a legitimate site, other attack methods can be conceived:
- infection of the computer by a Trojan which, whenever the user connects to the bank's site, makes fraudulent transactions over the already authenticated connection.
- the client's initial identification and, in particular, emergency access cases (a forgotten access password, loss of the device generating the random codes or of the smart card) are situations in which attackers can exploit the system's vulnerabilities.
Knowing the targeted person's address or personal identification number (printed on every meal voucher together with the full name), or the telephone number and mother's maiden name, is sufficient. Nothing spectacular or hard to find here, especially as this personal information is already held in the databases of more and more institutions.
Identifying the messages genuinely sent by the bank, and educating the user to do so, is crucial. If he does not check the address of the pages he visits attentively (www.bamcaonline.ro is not the same as www.bancaonline.ro), does not verify the validity of the site's identification certificate and does not protect his computer even when he is not making transactions, these are the conditions of a lake full of fish available to the "phishers". If users understand these dangers, attacks will no longer have such a high success rate; they will have to be aimed at each user individually, with a different kind of bait, and the corresponding effort becomes much more expensive.
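The address check the article asks of users (www.bamcaonline.ro versus www.bancaonline.ro) can also be automated on the defending side, for instance in a mail gateway or a browser extension that flags links before the user clicks. The block below is an added example, not code from the article: it extracts the URLs from a message, and classifies each host as legitimate, a lookalike (small edit distance, confusable characters such as 0 for o, or the bank's name used as a prefix of an unrelated domain) or unrelated. The domain list, confusable table and sample message are all constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed list standing in for the bank's real domains (apex and subdomains).
LEGITIMATE_DOMAINS = {"bancaonline.ro"}

# Visually similar characters commonly swapped in lookalike names (constructed table).
CONFUSABLES = {"0": "o", "1": "l", "5": "s", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case the host and fold confusable characters to their plain form."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def classify_link(url: str, legitimate=LEGITIMATE_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    for good in legitimate:
        # The real domain itself or a genuine subdomain of it.
        if host == good or host.endswith("." + good):
            return "legitimate"
    for good in legitimate:
        # Registered-domain part of the host: last two labels.
        registered = ".".join(host.split(".")[-2:])
        # Typo-squat: one or two edits away from the real registered domain.
        if levenshtein(registered, good) <= max_distance:
            return "lookalike"
        # Homoglyph: identical once confusable characters are folded.
        if normalize(registered) == normalize(good):
            return "lookalike"
        # Prefix trick: the bank's domain appears as a leading label of another domain.
        if host.startswith(good + ".") or host.startswith("www." + good + "."):
            return "lookalike"
    return "unrelated"


def scan_message(text: str):
    """Classify every URL found in a message body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample message in the style the article describes.
SAMPLE_MESSAGE = (
    "Dear client, please confirm your data at "
    "https://www.bamcaonline.ro/confirm within 24 hours "
    "or visit https://www.bancaonline.ro/contact"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
```

An edit distance of two covers the single-character swap in the article's example as well as transposed or doubled letters; a larger threshold quickly starts flagging unrelated short domains, so the limit should be tuned against the bank's own name length.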