PORTFOLIO EXTENSION



School name: Westwood International School

Centre number: 001334

Candidate name: Kawondera Tariro

Candidate number: 001334-013

Title: Privacy Invasion by phishing

Article Title: Phishing with Ease

Article URL: http://www.techreview.com/blog/editors/22023/

Area of Impact: Business and Employment

Date: 21/08/08

Word Count: 938
Candidate name: Tariro Kawondera
Candidate number: 001334-013
I.T.G.S PORTFOLIO EXTENSION
Area of Impact: Business and Employment

News Item: Naone, E. 20/02/2008, Phishing with Ease,
http://www.techreview.com/blog/editors/22023/


REPORT


N. Discussion and analysis of the interview
Research shows that phishing is on the rise. It is a problem that the cyber world has had
to face due to recent developments and misuse of technology. It is quite evident that the
problem of phishing has resulted in a lot of angry customers who are victims of phishing.
Many of these victims have lost huge sums of money and have had a piece of their life
invaded. However, another stakeholder has also been affected, the company. In this
Portfolio Extension, the interview conducted aimed to investigate the impact that
phishing has had on companies. One interview was conducted because I was able to
extract the necessary information needed to make an analysis of the impact that phishing
has had on companies.


Companies affected by phishing come in different forms, from local supermarkets to
international banks. Phishers pose as legitimate companies in order to lure customers into
giving away personal details. Maurice Kebakile, a member of the First National Bank Online
Security team, gives insight into some of the effects that phishing has had from the bank’s
perspective. First National Bank (FnB) offers a wide range of services to its customers,
such as online banking and online shopping. Maurice reveals that some of the reasons
their bank has been targeted are the large size of the bank and the
unawareness of most of its customers. The frequent wireless communications between
the bank and its customers have created more opportunities for phishers. The interview
also reveals that the most popular method used for phishing attacks is the “fake-email”
method. This is most probably because of the popularity of the bank’s online services.





The interview reveals some of the major impacts of phishing on the bank as a whole, some
of which are listed below:
      • Inability to fulfil the Privacy Policy
      • Weaker relationships between the bank and clients
      • Loss of potential customers
      • Bad reputation for the bank
All of these impacts are quite costly both financially and ethically. Financially, because
FnB has suffered a loss in clients, which has reduced their annual profits. Reduced annual
profits have led to a downsizing of the staff or lower pay rates. It is ethically costly
because they have had to take the blame and responsibility for these phishing attacks.
Angry victims have even questioned the bank’s standards and ability to protect personal
data, as promised in the bank’s Privacy Policy. It is clear that the bank has suffered as
much as, if not more than, the customers who have been victims of phishing.


On the contrary, Maurice introduces a brighter side to the story. He says that the bank
sees phishing as a challenge, but also as an alert to increase security. Therefore, perhaps
phishing has also helped a lot of companies to become more alert and, in the process,
to secure themselves against other offenders such as hackers.


O. Reflection on the interview
Initial research suggests that the customer suffers bigger consequences of phishing,
because it is mostly presented from their perspective. However, the interview conducted
shows that the bank/company itself suffers its fair share of implications, which in
general, on a larger scale, would most probably be greater than those suffered by the
customers. An interesting observation to make is that most of the problems caused by
phishing were centred on the clients’ unawareness and lack of clarity. Many of the
customers who have fallen victim to phishing were not even aware of what it was until it
happened to them.





Hence, it is evident that the problem is lack of knowledge and understanding of phishing,
and the solution lies in educating the customers. Making the customers understand what
phishing is and what its implications are will make the customers better prepared and
more alert for the next phishing attack.


The interview also raised an ethical consideration: the issue of whether or not the bank
should be held responsible or accountable for the phishing attacks. The phishers can be
held accountable because they committed the crime. Nevertheless, the phishers are able to
create “spoofed” email and text messages due to weaknesses in encryption methods and
security measures; therefore it is possible to hold the bank responsible. As stated in their
policy, the bank has to take measures to protect their customers’ data; it is their duty and,
ultimately, their responsibility.


P. Projection of broader implications from the interview and portfolio research
The problem has had quite an impact on companies both local and international.
Companies will have to stay alert in order to keep up with the new methods that phishers,
con artists and criminals will find to perform cyber crimes. Customers will continue to hold
the bank or company responsible for these phishing attacks, so maybe they will need to
redraft their Policies in order to meet realistic expectations of their clients. Companies
should also make it a point to regularly update their customers on recent developments in
phishing attacks. A good example of a company that is taking the right path in
minimising phishing attacks is First National Bank. Below are a few examples of the
steps they have taken:
       • They inform customers regularly of new fake sites or emails discovered.
       • They have set up an online security centre and a 24-hour call centre where
         customers can make inquiries and make their concerns known.
       • They have also given customers tips on how to perform safer online transactions.





Perhaps we are a long way away from finding the solution to phishing, but companies can
still take every step possible to prevent or minimise the effects of phishing.


Word count: 938





Appendix
INTERVIEW: Anti phishing group


Interview Questions
1. What is your name and what position do you hold in the company?
2. Does your bank offer online services?
3. How does the bank communicate with its customers?
4. Has your company been targeted by phishers?
5. Why do you think your bank has been targeted?
6. What methods have phishers used to con your customers?
7. Which ones are the most popular and why?
8. What sort of details is popularly obtained by phishers and why?
9. Does your bank have a Policy in place to protect your customers’ privacy?
10. Is this policy readily available to customers?
11. What are some of the details included in this policy?
12. What effect have phishing scams had on your bank?
13. How have your customers (victims and non-victims of scamming) reacted to these
   phishing attacks?
14. What has the bank done to protect its customers?
15. How effective are these methods?
16. Are there any advantages of phishing that your bank has benefited from?
17. Do you think there can ever be an end to the problem of phishing?




Interviewee’s Details
Name of the person interviewed: Maurice Kebakile
Qualification/position: member of First National Bank risk online security team
Name/address of organization: First National Bank in Johannesburg, South Africa
Date/place of interview: 25th August 2008/ First National Bank




Transcript of interview

1. What is your name and what position do you hold in the company?
My name is Maurice Kebakile and I am a member of the First National Bank risk online
security team in Johannesburg, South Africa.

2. Does your bank offer online services?
Yes. We currently offer online banking and shopping online services.

3. How does the bank communicate with its customers?
We communicate with customers via text message on a regular basis, usually to inform
them of a recent bank transaction e.g. the withdrawal of money. We also use the email
service especially for our customers who do their banking online.

4. Has your company been targeted by phishers?
Yes, FnB, like a lot of banks in South Africa, has experienced some phishing attacks.

5. Why do you think your bank has been targeted?
Well, first of all, we are a bank. A lot of customers submit personal and vital details on a
daily basis, so it is a good source of potential victims and their details. Our bank is one of
the biggest banks in South Africa, therefore perhaps phishers see it as a great target.
Another factor is that most of our customers are still unaware of the problem of phishing,
therefore they are more vulnerable to these attacks.


6. What methods have phishers used to con your customers?
Both the “spoofed” or fake emails and text messages have been used. Customers receive
messages asking them to call a certain telephone number to update some details. In most
cases, the phishers pretend that large sums of money have been withdrawn from the
customer’s account and this really attracts their attention as they will be concerned
about the status of their account.

7. Which ones are the most popular and why?
The email method is probably the most popular because a lot of our customers have been
using the online banking services, and it is much easier to catch the customer unaware
because the fake emails look very professional and authentic.

8. What sorts of details are popularly obtained by phishers and why?
Mostly it is financial details… account numbers, PIN numbers, and some personal details
occasionally. A lot of the details obtained are of some value and are used to perform
identity theft, fraud and other similar crimes. These personal details are also quite
profitable because they could be sold to other companies or individuals.





9. Does your bank have a Policy in place to protect your customers’ privacy?
Yes, we have a Privacy Policy.

10. Is this policy readily available to customers?
This policy is readily available to new customers when they open an account at FnB, and
to the rest of the customers it is available on our website or on request at any of our FnB
branches.

11. What are some of the details included in this policy?
We promise to: respect customer privacy and personal information, take measures to
protect our customers’ information, even after they are no longer customers. We also
promise to use customers’ information only with their permission and not to sell, rent or
provide their information to a third party. We also inform our customers of the ways in
which their information is collected and stored in secure databases with built-in
safeguards.

12. What effect have phishing scams had on your bank?
Well, these scams have made it quite difficult to live up to our Privacy Policy as we have
had to face new challenges that the bank had not foreseen. We can no longer ensure
absolute privacy of our customers’ details. Some of our relationships with customers
have also been compromised because the level of trust that existed between the bank and
its clients is now to a lesser degree. These scams have also given us a bit of a bad name
and some customers have closed down their accounts in fear of being the next victim of a
phishing attack. I also believe that we have also lost some potential customers who had
intended to join the FnB family before hearing about the phishing attacks.

13. How have your customers (victims and non-victims of scamming) reacted to these
    phishing attacks?
They have displayed their concerns about the invasion of their privacy and some have
questioned the bank’s ability to provide protection of customer data.

14. What has the bank done to protect its customers?
We have set up the Risk Online Security Centre where our customers can go to learn
more about phishing and other online crimes in general. We also have a call centre
where our customers can report suspected phishing attacks and make inquiries about any
of our services.

15. How effective are these methods?
I think these methods are quite effective because our customers are becoming more alert
and better informed, so they are less vulnerable to phishing attacks.


16. Are there any advantages of phishing that your bank has benefited from?
Perhaps I could say that phishing has helped our bank to put in place stronger security
measures and to be better prepared.



17. Do you think there can ever be an end to the problem of phishing?
I do not think that there can ever be an end to the problem, but I believe it can be
controlled. As long as technology evolves, new crimes will arise.

Example of ‘Fake’ email sent to some FnB customers




Figure 1: Image from Netucation, produced by Ramon Thomas. 2008. How to avoid
phishing emails from South African Banks,
http://netucation.co.za/2008/03/how-to-avoid-phishing-emails-from-south-african-banks/



