Trust at risk from new hacking techniques

The outbreak of so-called 'phishing' attacks on financial services providers could have serious implications for consumer confidence in the internet.

Most major banks have been hit in recent weeks, and the flaw in Microsoft's Internet Explorer (IE) browser is making the task of copying web sites simpler for fraudsters.

But Phishing is not new. The National Hi Tech Crime Unit (NHTCU) recorded seven instances of phishing in 2002, and 50 last year. In October, it released advice to businesses about how to avoid attacks and how to educate users, in conjunction with the British Bankers' Association and Association of Payment Clearing Services.

Previously, the fake sites to which criminals were directing consumers were much less like the real thing and easier to identify as impostors.

The process is now much more sophisticated and the IE vulnerability makes cloned sites seem much more credible.

Microsoft is aware there is a problem, but has not yet released a patch for the vulnerability and has given no indication when one may appear, other than 'as soon as possible'.

The longer the problem remains, the more likely it is that online trust and confidence will decrease, says Dinis Cruz, chief technology officer at security specialist CISSP Ltd.

'There continues to be attacks and this is one of those situations where we don't particularly hear actually how much damage is being done,' he said.

'But every major bank has now been affected and they have the best security in the whole industry. This is a major problem because it has the potential to affect the amount of trust consumers have in the internet. Once you break that trust it's hard to get it back,' he said.

Internet crime and online fraud has always gained media attention. The perception lingers that every time you enter a credit card number or password on a web site there are hoards of criminals waiting to seize them. This has been tough to dispel.

Online shopping is at its highest level. Figures from retail trade body IMRG show that UK shoppers spent £2.5bn online over Christmas, a 70 per cent increase on 2002.

Anything that damages the trust that has been established could be a setback to the rise and rise of the internet.

Analyst Gartner believes that an increase in online security problems is inevitable as the internet is used for more purposes and by increasing numbers of people.

Gartner analyst David Fraley even says cyber-warfare will be possible by 2005.

'An increasingly connected world increases the possibility that cyber-warfare will be waged,' he said.

'The world's not going to hell in a hand basket, so we can get that off the table. What's important for people to do is continuity planning - be aware of the different threats and vulnerabilities that could hit their organisations.'

Microsoft is promoting its Trustworthy Computing initiative, but Stuart Okin, Microsoft UK's chief security officer, admits there will never be absolute security.

'There is no perfect security. There will always be vulnerabilities in all products. It's just like there is no perfect security in the physical world, and there never will be,' he said.

The banks are generally philosophical about phishing and how much they can do to prevent further attacks.

'We see phishing as an exploitation of the weakest link in the whole process, the customer,' said Lloyds TSB spokesman Emile Abu-Shakra.

'No amount of additional security features are going to prevent a situation where customers give out their details if they want to. It's more about education rather than this patch or that patch,' he said.

NatWest, which has also been hit, has a similar opinion.

'I think we are all becoming a bit more savvy about the internet. Quite a few banks have been hit and that's a concern if customers are being affected. Whether it's a massive concern I'm not sure. I guess that's up to the NHTCU to decide,' said a NatWest spokesman.

The NHTCU told Computing that the situation is being monitored.

Whether trust and confidence is damaged remains to be seen, but what is sure is that threats like phishing will increase.

'This is the beginning of a trend,' said Cruz. 'The more people use the browser, the more people will want to exploit the concept of browser hijacking.'