Amazon.com: Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft (9780471782452): Markus Jakobsson, Steven Myers: Books


Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft [Hardcover]

Markus Jakobsson (Editor), Steven Myers (Editor)
4.3 out of 5 stars  See all reviews (3 customer reviews)

List Price: $99.95


Book Description

Published December 15, 2006 (ISBN-10 0471782459, ISBN-13 978-0471782452, 1st edition)
Phishing and Countermeasures discusses how and why phishing is a threat, and presents effective countermeasures. It shows how phishing attacks have grown over the years and how to detect and prevent current as well as future attacks, with a focus on the corporations that supply the resources attackers use. The authors then consider what action government can take in response to this situation and compare adequate with inadequate countermeasures.

Editorial Reviews

Review

"…I highly recommend this as a must-read book in the collection of phishing literature." (Computing Reviews.com, September 13, 2007)

"…may be used as a textbook or a comprehensive reference for individuals involved with Internet security…" (CHOICE, July 2007)

From the Back Cover

"This book is the encyclopedia of phishing. It provides views from the payment, human, and technical perspectives. The material is remarkably readable—each chapter is contributed by an expert on that topic, but none require specialized background on the part of the reader. The text will be useful for any professional who seeks to understand phishing."
—Directors of the International Financial Cryptography Association (IFCA)

Phishing attacks, or the practice of deceiving people into revealing sensitive data on a computer system, continue to mount. Here is the information you need to understand how phishing works, how to detect it, and how to prevent it.

Phishing and Countermeasures begins with a technical introduction to the problem, setting forth the tools and techniques that phishers use, along with current security technology and countermeasures that are used to thwart them. Readers are not only introduced to current techniques of phishing, but also to emerging and future threats and the countermeasures that will be needed to stop them. The potential and limitations of all countermeasures presented in the text are explored in detail. In spite of the fact that phishing attacks constantly evolve, much of the material in this book will remain valid, given that the book covers the general principles as much as actual instances of phishing.

While delving into a myriad of countermeasures and defense strategies, the authors also focus on the role of the user in preventing phishing attacks. The authors assert that countermeasures often fail not for technical reasons, but rather because users are unable or unwilling to use them. In response, the authors present a number of countermeasures that are simple for users to implement, or that can be activated without a user's direct participation. Moreover, the authors propose strategies for educating users. The text concludes with a discussion of how researchers and security professionals can ethically and legally perform phishing experiments to test the effectiveness of their defense strategies against the strength of current and future attacks.

Each chapter of the book features an extensive bibliography to help readers explore individual topics in greater depth. With phishing becoming an ever-growing threat, the strategies presented in this text are vital for technical managers, engineers, and security professionals tasked with protecting users from unwittingly giving out sensitive data. It is also recommended as a textbook for students in computer science and informatics.


Product Details

  • Hardcover: 736 pages
  • Publisher: Wiley-Interscience; 1 edition (December 15, 2006)
  • Language: English
  • ISBN-10: 0471782459
  • ISBN-13: 978-0471782452
  • Product Dimensions: 9.5 x 6.5 x 1.5 inches
  • Shipping Weight: 2.5 pounds
  • Average Customer Review: 4.3 out of 5 stars (3 customer reviews)
  • Amazon Best Sellers Rank: #896,182 in Books

More About the Author

Dr. Markus Jakobsson writes about various aspects of Internet security, aiming for an audience of technically interested readers, without requiring deep prior knowledge of computer science, mathematics or security.

He is Principal Scientist at Paypal, and has previously held positions at Bell Labs, RSA Labs, Xerox PARC, Indiana University and New York University. He has a PhD in computer science from University of California at San Diego. Dr. Jakobsson does research on mobile commerce, malware, authentication, user education, user interfaces and phishing. He is an inventor of more than 100 US and international patents and patents pending and the co-founder of two startups.

His webpage is www.markus-jakobsson.com

 

Customer Reviews

3 Reviews
5 star: (2)
4 star: (0)
3 star: (1)
2 star: (0)
1 star: (0)
Average Customer Review: 4.3 out of 5 stars (3 customer reviews)

Most Helpful Customer Reviews

5.0 out of 5 stars The best extensive resource for researchers, November 6, 2007
Phishing and Countermeasures is the best (and only!) extensive resource on phishing for researchers that I'm aware of. The book not only applies to technical security researchers, but also to those interested in researching phishing from other vantages -- such as the social, legal, or policy-oriented implications. Also, the book does an excellent job of considering more cutting-edge trends, such as the impact of additional social context in phishing attacks. This book absolutely belongs on the desk of anyone with serious interests in both understanding and combating phishing.


5.0 out of 5 stars At last, all in one place!, February 13, 2007
"Phishing and Countermeasures" (P&C) does an excellent job of summing up the state of Phishing attacks and research. It describes--in depth--technical attacks and countermeasures to the attacks, presenting both points of view in an extremely complex problem.

Phishing is not a simple technical or social exploit, it is a process. P&C breaks the process down into little bits, describing in depth how each portion accomplishes its goals. They show technical and social techniques used by Phishers, and then delve into theoretical extensions of phishing attacks, including context-aware attacks (spear phishing) and other advanced data gathering techniques (browser history snooping, acoustic keyboard monitoring, etc). They make it obvious to a reader that Phishing is not a simple problem, and also that it is not yet fully understood.

The sheer volume of countermeasures, coupled with the fact that I get new phishing emails daily, simply backs up the book's claim on Phishing's complexity. There is no one technical solution to Phishing attacks, there are LOTS of them, and this book provides an encyclopedic view of the myriad technical countermeasures, complete with analysis of what the countermeasures can and cannot accomplish.

Aside from looking at technical and human-oriented design countermeasures, P&C presents a legal and ethical look at understanding Phishing. Usually lacking from texts like this, coverage of legal and ethical issues rounds the book out nicely.

Do not read this book if you expect to learn how to completely stop Phishing attacks. Phishing is not a solved problem, so the solutions presented within are helpful measures only -- they make it harder for Phishers to succeed. The book does, however, explain some tools and techniques you can use to help significantly shrink the chance that you will be phished.

You should read this book if you are interested in the path research scientists are taking to understand and attempt to block the growing Phishing problem. As a non-technical expert, you can get immense value out of the introduction and future chapters as well as the brief summaries present before each technical section or case study. This book reads well and presents a wealth of important information.


3.0 out of 5 stars suboptimal countermeasures, December 24, 2006
Phishing is a dangerous phenomenon. But only in recent years has it become common. Another way of seeing this is to note that this book is only the third devoted to phishing. The first two were published in 2005. (Whereas generic spam was already sufficiently a problem in 1998 that a book appeared then, with some primitive antispam methods.) Jakobsson and Myers have assembled a formidable set of articles that define phishing, its dangers and countermeasures. The text explains why phishing stands separate from spam. In part because it is always fraudulent, whereas some spam actually offers real goods and services.

Concerning dangers, Jakobsson and others describe experiments where they sent simulated phishing messages to university students. Response rates were disturbingly high. This from an educated group! The book also cites other studies which reveal that phishing messages and their websites can be very professionally done, and can sometimes fool even experts.

However, the countermeasures described in the book have severe disadvantages, some of which, though not all, are described in the text.

Consider making a blacklist of known phishing sites. This might be done at some central website. With a browser toolbar distributed to users, so that when a user goes to some URL, the toolbar checks the domain against the blacklist, which it gets from the central site. But phishing tests the very concept of a blacklist to destruction. Phishers can subvert many computers, scattered across the Internet, to act as fake websites. So identifying one of these as a phishing site has little efficacy.

Plus a blacklist is inherently reactive. How is a website classified as phishing? Often, if not invariably, by manual scrutiny. But after the phisher has turned on the site, and sent out messages linking to it. This allows a zero day attack.

Yet another problem is the lack of good net coverage, to identify (even if only tardily) many phishing sites. Chapter 14, on social networks, describes improving coverage with a social network, using the Net Trust toolbar. However, the social networks cited tend to be small, reducing coverage. The toolbar tries to improve on this with supplemental blacklists from some central sites. The problem remains. In general, you need many in a social network for good coverage. But this gives rise to some users accidentally or deliberately misclassifying websites as phishing or not. Where the accidentals might be due to subjective assessments of websites, and the deliberates to phishers infiltrating the social network.

Another method uses a two factor device ("fob") to generate one time passwords (OTPs). Typically issued by a bank to its customers. Costly. One American bank pays about $50 per fob, and passes some of this on to its customers who want the fob. It takes a loss on each fob, and thus cannot mandate that all its customers use them. Chances are that other banks (including non-US ones) have similar experiences. Also, the book does not discuss the scaling problems with a fob. Suppose you have several bank accounts, plus a brokerage account, and a retirement account, and one with an insurance company. And suppose you use a big online auction site, and that all these issue fobs. Really cumbersome. Especially if you will access those accounts when travelling.

Another method for identifying phishing messages uses Bayesians and similar content analysis on the message text. This idea is taken from tackling generic spam. But Bayesians work best when there is a clear content separation between spam and non-spam. Phishing messages hew closely in their word choices to actual messages or web pages of the real sites.

Another approach for messages is to look at the enclosed links. Various heuristics are used. Does the link have a raw address? What country is the website in? Etc. Also, the web page that is linked to might be analysed for other heuristics. Subjective and weak. None by itself is conclusive. So typically, the number of heuristics in a message is toted up to improve the prediction, and if it is above some threshold, then the message is (perhaps) phishing.

Yet another approach uses image passwords, to help you recognise the real bank's website. But while an image may be easier to remember than text, it is still another item to remember. One that scales with the number of websites that use this method, and that you have accounts at.

But there is another type of phishing, which is not described but can be expected. Where the message does NOT claim to be from your bank. It purports to be from another bank, asking you to open an account. With a link to a page where you enter all the necessary details about yourself. Another variant is an application for a credit card, from a supposed bank. Sidesteps any fob or passwords (text or images) you have at your banks.

What is lacking is a solution with these properties:

1. Objective. No subjective heuristics.

2. Lightweight. No heavy cryptography. Deployable globally, with no import/export restrictions.

3. No special hardware.

4. Very little (or no) manual effort by the user.

5. No extra user passwords.

6. No zero day attack.

7. Analyses messages and websites in essentially the same way. Some methods in the book work only against websites, and not against messages read in a browser. But if the user clicks on a link in a message, that goes to a phishing site, then she is already at risk, even if another method suggests that the site could be phishing.

8. Objectively classify a message from a company that you do not have an account at.

9. Enables verified advertising. So a company can send out messages, with links to co-marketing partners.

The last reason is very important. We have seen on the Web how an advertising channel can be a significant business and produce a large market cap.

Such a solution exists. Outside the ken of the book's methods, and conceptually discontinuous.
