The Internet has brought with it an assortment of benefits. From ecommerce to online degree programs, people all around the world are able to communicate and conduct business over secure Internet connections. And while these secure connections have made it possible to send confidential data over the Internet safely, the credentials that unlock them have become the target of an entirely new form of criminal activity -- phishing for authentication credentials.
It's important to note that phishing isn't restricted to fake or insecure websites. Phishing can also be accomplished with computer programs, scripts, and malware that take advantage of security bugs. And unfortunately the resources that are needed to carry out phishing are available from both private and public sources in the form of exploit kits. Some exploit kits have evolved and become automated, making it much easier for criminals without advanced technology skills to execute their own attacks.
In order to protect your company from phishing scams, it is imperative that proper countermeasures be put into place. Here's a closer look at phishing and the importance of strong authentication within your IT infrastructure and online activities.
Man-in-the-Middle Phishing Attacks
One of the primary reasons that phishing is so difficult to deter is that the victim often never knows it is happening. When a criminal carries out a man-in-the-middle phishing attack, communications taking place between two parties are intercepted by the attacker. Because the attacker relays the victim's traffic to the genuine site, the login succeeds and everything looks legitimate to the victim. The attacker could modify transmitted data while the victim is still logged on, or use or sell the intercepted credentials and session information to impersonate the victim later.
Dialog Box Phishing Attacks
Phishing malware comes in many advanced forms, including dialog box overlays that can capture login credentials and PINs. For example, the malware could sit on top of your bank's login screen and collect your username and password. If it passed those credentials on to the real login screen, you might never know you were compromised.
Phishing Countermeasures: It's Time to Enhance Your Authentication Processes
The purpose of authentication is to verify that a person is who they claim to be, so that the system can then decide what data they are allowed to access. To guard against illicit use of phished or easily guessed credentials, an effective way to beef up the authentication process is by requiring more than just a username and password. Many companies will ask for two pieces of information, such as a person's birth date and a PIN, but both of those are still things the user knows, and both are easily phished or looked up. Genuine multi-factor authentication combines something the user knows with something the user has, which is why some companies mandate that a user possess a specific hardware token in addition to their other credentials. Each independent factor an attacker has to capture raises the cost of a successful attack; piling on more questions of the same kind does not.
Although strong authentication processes can sometimes be a bit tedious, they are a necessary evil. One way to implement a two-step authentication process is to include SMS authentication; this strategy requires customers to enter in at least one piece of information -- security question answer, birth date, SSN, etc. -- and then, after the correct answer is given, an SMS message is sent to the customer's phone with a unique, short-lived login code. This type of security significantly lowers the risk of attackers being able to capture all the authentication information that is needed to hack your customers' accounts, without forcing the customers to remember the answers to a long list of questions. One caveat: a man-in-the-middle phishing attack that relays the victim's session in real time can also relay the SMS code while it is still valid, so the code should be single-use, bound to the login attempt it was issued for, and expire within minutes, and high-value accounts are better protected by a hardware token.
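The two-step flow described above, as an added example written for this post (it is not Heroix's code or product). It assumes a hypothetical SMS gateway reachable through a `send_sms(phone, message)` callable; here a plain list stands in for it. The password check runs first, then a six-digit code is issued, hashed, bound to a pending-login identifier, and accepted once only within a five-minute window, which is what limits the damage when a phisher captures the code and tries to replay it.

```python
"""Two-step login: password, then a single-use SMS code.

Added example for illustration, not code from the original post.
Assumption: send_sms(phone, message) is a hypothetical SMS gateway hook.
"""
import hashlib
import hmac
import os
import re
import secrets
import time

CODE_TTL_SECONDS = 300      # an SMS code is valid for five minutes
CODE_DIGITS = 6
MAX_CODE_ATTEMPTS = 5       # after this many wrong codes the pending login is discarded


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked user table is not trivially cracked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, phone: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "phone": phone}


class TwoStepAuth:
    """Step 1 checks the password; step 2 checks a single-use code sent by SMS."""

    def __init__(self, users: dict, send_sms, now=time.time):
        self.users = users          # username -> record from make_user()
        self.send_sms = send_sms    # callable(phone, message); the gateway is an assumption
        self.now = now              # injectable clock so expiry can be exercised offline
        self.pending = {}           # challenge id -> state of a half-finished login

    def step1_password(self, username: str, password: str):
        user = self.users.get(username)
        # Hash even for unknown usernames so response time does not reveal which exist.
        salt = user["salt"] if user else bytes(16)
        expected = user["hash"] if user else bytes(32)
        if not hmac.compare_digest(hash_password(password, salt), expected) or user is None:
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = {
            "username": username,
            "code_hash": hashlib.sha256(code.encode()).digest(),  # never store the code itself
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(user["phone"], f"Your login code is {code}. It expires in 5 minutes.")
        return challenge_id

    def step2_code(self, challenge_id: str, code: str):
        ch = self.pending.get(challenge_id)
        if ch is None:
            return None
        ch["attempts"] += 1
        if self.now() > ch["expires"] or ch["attempts"] > MAX_CODE_ATTEMPTS:
            del self.pending[challenge_id]
            return None
        if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), ch["code_hash"]):
            return None
        del self.pending[challenge_id]     # single use: a captured code cannot be replayed
        return ch["username"]


def run_demo() -> dict:
    """Walk the flow with a fake clock and a fake SMS outbox; returns each outcome."""
    clock = {"t": 1_000_000.0}
    outbox = []                             # constructed stand-in for the SMS gateway
    users = {"alice": make_user("correct horse", "+15550100")}
    auth = TwoStepAuth(users, lambda phone, msg: outbox.append(msg), now=lambda: clock["t"])

    results = {}
    results["wrong_password"] = auth.step1_password("alice", "wrong") is None
    results["unknown_user"] = auth.step1_password("mallory", "x") is None

    cid = auth.step1_password("alice", "correct horse")
    code = re.search(r"\d{6}", outbox[-1]).group()
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    results["wrong_code"] = auth.step2_code(cid, wrong) is None
    results["right_code"] = auth.step2_code(cid, code) == "alice"
    results["replay"] = auth.step2_code(cid, code) is None          # same code again fails

    cid2 = auth.step1_password("alice", "correct horse")
    code2 = re.search(r"\d{6}", outbox[-1]).group()
    clock["t"] += CODE_TTL_SECONDS + 1                              # let the code expire
    results["expired"] = auth.step2_code(cid2, code2) is None
    return results


if __name__ == "__main__":
    print(run_demo())
```

The code is tied to the pending-login identifier rather than to the username, so a code issued for one login attempt cannot be used to finish a different one, and it is deleted on first success so a relayed copy arrives too late.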
To learn more about phishing and how you can steer clear of attackers, check out the Heroix blog today!