Online Fraud: The Use of PKI and Smartcards to Combat Phishing Scams

By Kate Hodgson, a Business Analyst with Royal Mail, UK. Kate is also Vice Chair of eema's ECAF (European Certification Authority Forum) Interest Group. She can be contacted at email@example.com.

Figures published by the Anti Phishing Working Group and Tumbleweed Communications show that the average monthly growth rate in phishing sites for the period July 2004 to April 2005 was 15% [1]. In April alone, 2854 active phishing sites were reported, with 79 brands hijacked by phishing campaigns, predominantly against financial institutions. Furthermore, the average time online for a phishing site was just 5.8 days, allowing the phisher to come and go with consummate stealth.

It seems a far cry from just a few years ago, when people were still wondering whether they could be sued for using the word "spam" in its pejorative sense. Today it is on everyone's lips. It has to be. What used to be regarded as a time-wasting irritation is now clogging up the arteries of industry throughout the world and, worse, it has evolved into something more sinister. Spammers used to be regarded as commercially savvy nuisances; virus writers were the technicians. Spammers were looking for profit, virus writers for notoriety. Put the two together and you have global cyberfraud, of which phishing is one of the most ominous forms.

Technical and Social Tactics

Phishing attacks use both technical subterfuge and social engineering to steal consumers' personal identity data and financial account credentials. Technical-subterfuge schemes plant crimeware on PCs to steal those credentials directly, often using Trojan keylogger spyware. Social-engineering schemes use spoofed e-mails to lead consumers to counterfeit websites designed to trick them into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers.
By hijacking the brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. For example, in June this year PostFinance, the financial services arm of Swiss Post, was made the target of a phishing campaign. E-mails written in English asked the recipients to click on a link and enter their yellownet security features. Several customers did so, enabling the fraudsters to withdraw money from their accounts. PostFinance bore its customers' losses although it was not legally obliged to do so, and called on its customers to treat personal data and security features as confidential.

While online banking is relatively new and banks are still absorbing the losses, people remain willing to take the risk. The worst thing that happens to them is the inconvenience of a delay while their accounts are sorted out. However, as more and more people start to use online banking, the prize for scammers becomes bigger, and banks will eventually move liability back to the customer. When that happens there may be a backlash against online banking that could cost even more.

A Multi-faceted Approach

This alarming rise in criminality undermines trust in the internet and e-business, and until measures can be taken to safeguard online transactions, the fraudulent activities of a minority of computer geeks and criminals, working in partnership, will continue to impede the adoption of online services throughout Europe and the rest of the world. But dealing with the problem is not easy. As security technology evolves and user awareness grows, so does the criminal element intent on circumventing it, not dissimilar to a bacterial mutation cracking the body's immune system. Industry constantly seems to be playing catch-up. And as with many diseases, the problem can only be solved through a multi-faceted approach.
Since 40% of attacks use attack software, 35% use the messaging infrastructure and 13% of spam is threatening [2], security measures must be implemented on at least four levels: user education, legislation, policy and technology. With all four in place there is a chance of eradicating this modern-day plague. And responsibility for that rests with all parties concerned: politicians, public bodies, corporate bosses, lawyers, academics, technology vendors and users.

User Education

User education is tricky. The difficulty is getting people to recognise a scam. Some of the web pages victims are directed to appear convincing. And since there are ways of disguising where a link goes, the URL does not necessarily reveal a scam. Banks claim that they never ask for a password, but the truth is that they do, every time a customer logs on. A customer may well have difficulty distinguishing between a genuine web page and a fraudulent page that looks authentic. And banks often send marketing e-mails too. The key point for customers to understand is that banks won't send e-mails asking for passwords, and that is quite a subtle message to inject en masse.

Legislation

Of course phishing is illegal, and there are many pieces of legislation to combat it at both national and international level. The punishment is severe. In June this year, for example, two men were jailed for a total of ten years for an online identity scam. They ran a UK syndicate which cloned credit cards using stolen financial information gained through e-mail phishing scams. However, since they managed to steal somewhere between £750,000 and £6.5m, it is small wonder that they paid scant attention to the law. Criminals rarely do.
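The user-education point above, that the visible text of a link need not reveal where it actually goes, is one check a mail gateway can make mechanically rather than leaving it to the customer. The following is an added example in Go, not code from the article or from eema: it scans a constructed message body (SampleMail, built on reserved .example domains) for anchors whose visible text names one host while the href leads to another, and reports them. The function name CheckLinks, the Finding type and the sample message are assumptions of the example; the check tolerates a target that is a subdomain of the host shown in the text.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// anchorRE picks out <a href="...">text</a> elements; mail bodies rarely need a
// full HTML parser for this particular check.
var anchorRE = regexp.MustCompile(`(?is)<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)

// hostRE finds something that reads like a hostname or URL in the visible link text.
var hostRE = regexp.MustCompile(`(?i)(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)`)

// Finding records one suspicious link and why it was flagged.
type Finding struct {
	Href, Text, Reason string
}

// CheckLinks flags anchors whose visible text shows the reader one host while the
// href actually leads to another. A target that is a subdomain of the shown host
// (bank.example shown, secure.bank.example linked) is accepted.
func CheckLinks(htmlBody string) []Finding {
	var findings []Finding
	for _, m := range anchorRE.FindAllStringSubmatch(htmlBody, -1) {
		href, text := m[1], m[2]
		u, err := url.Parse(strings.TrimSpace(href))
		if err != nil {
			findings = append(findings, Finding{href, text, "href cannot be parsed"})
			continue
		}
		target := strings.ToLower(u.Hostname())
		sub := hostRE.FindStringSubmatch(text)
		if target == "" || sub == nil {
			continue // mailto/relative links, or plain words such as "help pages"
		}
		shown := strings.ToLower(sub[1])
		if shown != target && !strings.HasSuffix(target, "."+shown) {
			findings = append(findings, Finding{href, text,
				fmt.Sprintf("text shows %s but link goes to %s", shown, target)})
		}
	}
	return findings
}

// SampleMail is a constructed message body using reserved example domains.
const SampleMail = `<p>Dear customer,</p>
<p>Please <a href="https://www.bank.example/login">log in at www.bank.example</a> to review your account.</p>
<p>Or go straight to <a href="http://www.bank.example.account-check.example/">https://www.bank.example/secure</a>.</p>
<p>Our <a href="https://www.bank.example/help">help pages</a> explain how we contact you.</p>`

func main() {
	for _, f := range CheckLinks(SampleMail) {
		fmt.Printf("suspicious link: %q -> %s (%s)\n", f.Text, f.Href, f.Reason)
	}
}
```

Run as written, the second anchor is the only one reported: its text reads like the bank's own address while the link resolves to a different host. Links whose text is ordinary prose are left alone, which is why the user-education message remains necessary alongside any gateway filter.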
Policy

Policies and best practice are an essential part of the battle, but e-mail is ubiquitous and in most cases policy enforcement involves a significant culture change, as well as buy-in from all parties concerned and a closer relationship between IT and business than has hitherto existed. Nevertheless, the arrival of whole rafts of new compliance legislation such as Sarbanes-Oxley and its European counterpart will certainly help to focus the corporate mind on all forms of security and risk management, e-mail and internet use included.

Technology

There is a growing number of technologies that enable the user to authenticate e-mail, monitor the internet, filter spam, knock out viruses and automatically block malicious e-mail, but eema believes that phishing may be the opportunity that Public Key Infrastructure (PKI) has been waiting for.

The concept of PKI has been attributed to Whitfield Diffie and Martin Hellman, who in 1976 put forward the idea of asymmetric encryption using two keys, one of which could be made publicly available without compromising the security of the other [3]. This meant that a sender of a message could encrypt it using the public key of the intended recipient, who could in turn decrypt it using his/her private key. Diffie and Hellman's work spawned a series of developments which led to the creation of digital signatures and the evolution of the cryptographic infrastructure (PKI) comprising:

Digital certificate: a signed data structure that binds attributes of an entity with its public key.

Certification Authority (CA): an entity responsible for the creation and management of public-key certificates.

Certificate Policy and Certification Practice Statement (CP & CPS): the documentation that defines procedures and practices for managing certificates.

Certificate repository: a store within which public-key certificates, certificate revocation information and policy information are held.
PKI-enabled applications: applications that are modified to be used within a PKI.

PKI client software: software required to ensure PKI entities are able to make use of the key and digital certificate management services of a PKI.

Registration Authority (RA): the people, processes and tools that authenticate the identity of new entities that require certificates from CAs.

Certification Service Provider (CSP): a third party that runs an outsourced PKI or issues certificates on behalf of a number of companies.

But PKI has been slow to gain acceptance. The main objections are its complexity, the expense of implementation and maintenance, and lack of interoperability between PKI products and services. This latter problem has recently been addressed by eema's PKI Challenge [4], a two-year project funded by the Swiss Government and the European Commission. During that time PKI vendors, service providers and users successfully worked together to develop and demonstrate interoperability. Nevertheless, starting a PKI project remains a daunting task, and not one that can be justified easily on a cost basis. PKI has been waiting for a killer application.

PKI and Smartcards

Enter phishing, this most debilitating form of cybercrime. PKI could be of real benefit in the battle. In practical terms, the use of PKI ensures the authenticity, confidentiality and integrity of the transaction, as well as providing non-repudiation.

One of the critical choices to be made is where to store the private key. There are two main places where it can be stored: a software key store on the client PC or a hardware key store such as a smartcard. It is eema's view that the smartcard is the most secure of all, and that PKI without smartcards is not enough. For example, PKI systems that use soft credentials, whereby the digital keys are stored on the PC's hard disk, are vulnerable. It would not be hard for a hacker to get a copy of them using malicious software hidden on the PC.
Thereafter they would simply need to send the phishing e-mail and get the user to enter his PIN on a fake site. When a smartcard is used to store the private key the problem disappears: the hacker clearly cannot steal it from the PC, and the user cannot inadvertently publicise it. PKI and smartcards could therefore wipe out phishing altogether. For the scammers to get access to the bank account, they would need to steal both the smartcard storing the digital credentials and the PIN code to unlock the card. It is possible to do that (cash cards get stolen all the time) but there has to be physical presence to do so. It is not possible to steal them through an e-mail, even if the person does log onto the false site. And it is not possible to clone the card easily.

In addition, smartcards are user-friendly: unlike the other mechanisms, the smartcard is usually well integrated with applications and allows users to move from one machine to another with relative ease. The security of smartcards has been questioned, principally by people such as Ross Anderson of Cambridge University, who will be speaking at this year's ISSE conference in Budapest [5]. But despite his extensive research, you still have to get access to the card and some expensive equipment to get at the keys. The main drawback up to now appears to have been cost, although the price of cryptographic smartcards is falling, and further reductions could well help this technology achieve mass adoption.

Implementing a PKI

It is no easy task to implement a full PKI. The first and most important question is what the keys and certificates are to be used for. Some of the most popular reasons for using cryptography are: a single, reusable credential; strong authentication; digital signatures for authorisation of electronic transactions; encryption to protect sensitive data stored on insecure devices; and encryption to protect sensitive data in e-mails.
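To make the PKI components listed under Technology and the smartcard logon argued for above concrete, here is an added example in Go (standard library only; it is not code from the article or from eema). A root CA issues a customer certificate, binding the name to the public key; the private key lives in a Card value standing in for the smartcard and only ever emits signatures over a fresh nonce from the bank, so a PC running a keylogger sees no key material; and the bank accepts a logon only when the certificate chains to its own CA, is within its validity period and the signature covers exactly that nonce. Setup also produces a certificate carrying the same customer name from a second CA the bank does not trust, to show that it is rejected, as are a replayed signature and an expired certificate. The names Bank, Card, newCard, Setup, "Bank Root CA" and "Customer 12345" are constructed for the example; a real card would perform the signing in hardware and only after the PIN has been entered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the example stays short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Card stands in for the smartcard: the private key never leaves it, only signatures do.
type Card struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCard generates a key pair and has parent certify the public key under name (the
// signed structure binding a name to a key); with parent == nil it is a self-signed root CA.
func newCard(name string, isCA bool, parent *Card) *Card {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0), // fixed one-year lifespan
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may certify other keys
	}
	if parent == nil {
		parent = &Card{key: key, Cert: tmpl} // root: sign with our own key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.key))
	return &Card{key: key, Cert: must(x509.ParseCertificate(der))}
}

// SignChallenge is the only operation the card exposes to the (possibly infected) PC.
func (c *Card) SignChallenge(nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, c.key, digest[:]))
}

// Bank is the relying party; it trusts exactly one root CA.
type Bank struct{ roots *x509.CertPool }

// Challenge returns a fresh random nonce for one logon attempt.
func (b *Bank) Challenge() []byte {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	return nonce
}

// Authenticate accepts a logon only if the certificate chains to the bank's root CA, is
// valid at time now, and the signature covers exactly the nonce issued for this attempt.
func (b *Bank) Authenticate(cert *x509.Certificate, nonce, sig []byte, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       b.roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	digest := sha256.Sum256(nonce)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match this challenge")
	}
	return nil
}

// Setup builds a bank with its own CA, a genuine customer card, and a card carrying the
// same customer name but certified by a second CA the bank has never trusted.
func Setup() (bank *Bank, genuine, forged *Card) {
	root := newCard("Bank Root CA", true, nil)
	otherRoot := newCard("Bank Root CA", true, nil) // same name, different key
	pool := x509.NewCertPool()
	pool.AddCert(root.Cert)
	return &Bank{roots: pool}, newCard("Customer 12345", false, root), newCard("Customer 12345", false, otherRoot)
}
```

A logon is `bank.Authenticate(card.Cert, nonce, card.SignChallenge(nonce), time.Now())` with `nonce := bank.Challenge()`. Because the bank checks the issuer rather than the name, a second CA calling itself "Bank Root CA" buys the phisher nothing, and because each signature is over a nonce the bank chose, capturing one logon does not yield a credential that can be reused. In a deployment the nonce must also be tied to the session that requested it.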
The battle against phishing clearly contains a number of these elements. Regardless of the reasons, there will inevitably be a number of glitches along the implementation path, and the following recommendations come from experience:

Start with a pilot: The best way to begin to understand the issues involved in certificate management is to start with a small pilot. Choose one application and limit the scope to a single department if possible.

Educate users: PKI is an infrastructure that can affect every part of the organisation. It requires appropriate processes and procedures for managing the certificates and the environment, as well as an education programme for users. They must understand how to use the applications and what they have to do to protect their keys.

Use a CSP: A reputable CSP can help. Whether providing certificates or an outsourced PKI, a CSP should be able to get an organisation up and running within a matter of weeks rather than the months it would take in-house, even if the aim is eventually to run the PKI in-house.

Speak to others: Speak to other people who have already been through the pain of implementing a PKI. Their advice is invaluable in avoiding common pitfalls. A CSP may provide reference contacts who can share experiences on tips and/or pitfalls to avoid, what benefits have accrued and the level of service they have received from the CSP. No two organisations are exactly alike, so every pilot will throw up new problems, but the CSP should be capable of finding a solution.

Understand the objectives: This applies not only to the final rollout but to the pilot as well. If the scope broadens, the pilot may well sprawl into a never-ending project with no measurable results.
Objectives for the pilot might include an understanding of deployment problems and how to solve them; user acceptance; manageability of the whole process; user training; level of support calls; integration issues; and an understanding of how PKI will help achieve the overall security strategy.

Difficult Decisions

Apart from where to store the private key, as discussed above, there are some difficult decisions to be made along the way, and these will depend largely on the scope of the PKI and the range of uses envisioned.

Authentication and Registration of Users

Registering customers for PKI can be costly for businesses that traditionally use lightweight online registration (e.g. for online shopping), as some form of physical presence is required to confirm the user's identity. This is where banks have an advantage: they already have a relationship with the customer and they already issue cards. They also have the processes required to authenticate new customers, courtesy of money laundering legislation.

Certificate and Key Initialisation

There are a number of different approaches to creating and installing keys and certificates, which will be dictated by the PKI vendor/CSP being used. There may be a need, for example, to install client software. Some systems have sophisticated key management that requires a client application: yet another piece of software on the desktop that must be managed. The users will also have to be guided through the key generation process. This should be possible by providing a detailed set of instructions, but it will depend on the computer literacy of users. Support staff may need to help. Furthermore, anything other than digital signatures alone requires two key pairs, one for encryption and one that is only used for signing. As well as being industry best practice, this is a requirement for Qualified Certificates. Finally, the user must be guided through the certificate installation process.
Once the keys have been generated, they are sent to the CA to be certified, and the returned certificates have to be installed on the client PC.

Application Set-up and Use

Applications must be set up to use encryption. If encryption is added to an existing application such as e-mail, there may be changes required to settings to ensure interoperability. Probably the hardest task here is educating the user. They need to understand how the applications work and how to protect their keys. And if they are to use secure e-mail, they need to know how to find other people's certificates. Support is obviously essential, and users must know whom to contact when they have problems. The most common problem will be forgetting the password, but the pilot should give an indication of the most likely issues that users will have.

One of the big sticking points at the moment is the lack of smartcard readers on customers' machines. It is a fairly simple and low-cost piece of technology that should (by now) come as standard with new PCs. The cost and complexity for one bank to issue readers to its customers generally means that projects don't get off the ground. If the readers were generally available, it would be very easy for any bank to make its online banking application PKI- and smartcard-enabled.

Certificate and Key Updates

This is an important function of PKI that is often forgotten. Keys and certificates have a fixed lifespan, usually set somewhere between one and three years. At the end of that period, the user will be required to renew their credentials, although some systems (with client software) support a function known as key rollover, where the update happens automatically. More basic PKIs require the user to go through the initialisation process again (key generation and certificate installation). Some in the security community would argue that re-registration is good security practice, but in reality the costs involved are likely to outweigh the benefits.
Here the decision involves balancing the costs of buying and managing the client software against the costs of supporting the user. The best way for banks to handle certificate and key updates is to tie it into the card renewal process.

Key recovery and backup is also an important part of a PKI system. If company data is being routinely encrypted, then the loss of keys or passwords could make that data inaccessible. A good PKI system will enable companies either to make copies of the encryption keys and store them securely or to provide a master key for recovering encrypted data.

Conclusion

There is a growing consensus that fears over identity theft, hackers and phishing scams may result in a decline in online business over the coming years, and that financial losses will run into billions of dollars. Despite implementation issues, PKI in conjunction with smartcard technology provides very good security for online transactions. In a world where criminals can target thousands upon thousands of users at the touch of a button and walk away with huge financial gain for very little risk; when compliance is making corporate bosses personally liable for their corporate security and risk management; and when online rather than offline is a given, the question is no longer "Shall I implement a PKI?" but rather "Can I afford not to?"

References

1) Anti Phishing Working Group; Phishing Activity Trends Report; April 2005: www.antiphishing.org.
2) Nigel Beighton, Symantec, speaking at the eema Annual Conference 2005: www.symantec.com, www.eema.org.
3) Whitfield Diffie and Martin Hellman; New Directions in Cryptography; IEEE Transactions on Information Theory; November 1976.
4) eema; PKI Challenge; 2001–2003: www.eema.org/downloads/security_finished_papers/pkiC_final_report.pdf.
5) ISSE (Information Security Solutions Europe): www.eema.org/isse.
About eema

For 18 years, eema has been Europe's leading independent, non-profit e-business association, working with its European members, governmental bodies, standards organisations and e-business initiatives throughout Europe to further e-business technology and legislation. eema's remit is to educate and inform around 160 member organisations (and over 1500 member contacts) on the latest developments and technologies, at the same time enabling members of the Association to compare views and ideas. The work produced by the Association (projects, papers, seminars, tutorials, reports etc.) is funded by both membership subscriptions and revenue generated through fee-paying events. All of the information generated by eema and its members is available to other members free of charge. Examples of papers produced recently are: Towards Understanding Identity, An Introduction to Instant Messaging, Spam and e-Mail Abuse Management, Wireless Deployment Guidelines, Secure e-Mail within the Organisation and PKI Usage within User Organisations.