Can SecureLogin help reduce the risk of identity theft that arises when users enter information such as credit card details, passwords and PINs into web sites linked from phishing e-mails?

  • 7940168
  • 19-Aug-2009
  • 08-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions


Situation

Question

Can SecureLogin help reduce the risk of identity theft that arises when users enter information such as credit card details, passwords and PINs into web sites linked from phishing e-mails?

Resolution

Answer

What is phishing?

Phishing is the act of sending an e-mail that falsely claims to come from an established, legitimate enterprise (such as a bank or travel site) in an attempt to trick the user into surrendering private information (such as account numbers, passwords or credit card details) that is then used for identity theft.

The e-mail directs the user to a web site where they are asked to update personal information such as passwords, credit card numbers, social security numbers and bank account numbers. The web site is bogus, set up only to steal the user’s information. The scam relies on the user not noticing that the site is not the real one before entering their credentials; the attackers collect those credentials for unauthorized use.

Users are the weak link

When SecureLogin is used to recognize legitimate applications and to manage applications and credentials, credentials are only ever passed to web sites that match the administrator’s definition of the legitimate site. Because the user no longer types the credentials or decides where they go, the weak link is taken out of the equation.

SecureLogin can handle authentication to external and internal sites

Because SecureLogin does not need to change web sites or place modules on servers, it can recognize and SSO-enable both internal and external web sites. For example, you can configure SecureLogin to SSO-enable external web sites on which your organization makes secure payments, such as www.lastminute.com and www.avis.com.

The SecureLogin administrator can choose which sites to enable

The SecureLogin administrator centrally defines which applications are SSO-enabled. The administrator also defines which credentials are passed and when (for example, only once the site has been verified), whether users ever know their passwords, and whether passwords are changed randomly according to a strong policy.

How can SecureLogin verify if a site is legitimate?

Before passing credentials to a web site, SecureLogin can interrogate the site by performing a combination of the following checks:

  • Reading part of a URL (e.g. checking for https to make sure the connection is secured via SSL)
  • Reading the full URL before retrieving the triple-DES-encrypted credentials (e.g. http://www.lastminute.com/lmn/pso/user/login/register.jhtml)
  • Reading text on the screen (e.g. searching for particular words, phrases or sentences)
  • Reading fields on the screen (e.g. ensuring a password field exists before typing a password into it)
  • Verifying that a particular frame exists on the web page
  • Reading and setting check boxes and list boxes

By implementing a combination of these checks, SecureLogin can be configured to pass credentials seamlessly and securely to the legitimate site without user interaction. Note that a phishing page can copy the visible text, frames and form fields of the real site, so the check a look-alike cannot satisfy is the match on the full URL, in particular the host name; the text and field checks confirm that the page is ready to receive credentials rather than prove its identity, and a partial-URL check on its own (such as https alone) proves nothing about the site.

In addition, audit events can be raised via SNMP traps, SMTP (e-mail), logging to a file or logging to the event log.

Auditing

Using SecureLogin’s auditing capabilities, if a user accesses a phishing site an alert can be sent to a log file, the event log, or an administrative console. For example, if users are redirected to a bogus web site, SecureLogin can be configured to show them a message such as “The web site accessed is not secure! An alert has been sent to your systems administrator” and then close Internet Explorer or redirect them to your Intranet page, as desired.
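The decision described under “How can SecureLogin verify if a site is legitimate?” and the blocking/auditing behaviour described above, as an added illustration that is not SecureLogin’s own script language or code: a site definition lists the scheme, host, path, visible text and form fields that must all match before stored credentials are released, and any failure produces an audit event and a block. The lastminute.com host and login path come from the article; the required text, field names, the `SiteDefinition`/`verify_site`/`handle_login` names, the sample credentials and the two look-alike pages are constructed for this example. The weak `naive_url_check` is included only to show why a substring match on part of the URL is not enough.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Page:
    """What the SSO agent can observe about the page the browser is showing."""
    url: str
    text: str            # visible text on the page
    fields: frozenset    # names of the form fields present


@dataclass(frozen=True)
class SiteDefinition:
    """The administrator's definition of one SSO-enabled web application."""
    name: str
    scheme: str          # "https": credentials only go over TLS
    host: str            # the exact host that owns the credentials
    path_prefix: str     # the login page's path
    required_text: tuple
    required_fields: tuple


# Hypothetical definition for the login URL quoted in the article (host and path
# from the article; the required text and field names are assumptions).
LASTMINUTE = SiteDefinition(
    name="lastminute",
    scheme="https",
    host="www.lastminute.com",
    path_prefix="/lmn/pso/user/login/",
    required_text=("Sign in",),
    required_fields=("username", "password"),
)


def naive_url_check(page, site):
    """The weak form of 'reading part of a URL': a substring match on the host name."""
    return site.host in page.url


def verify_site(page, site):
    """Run every check; return (passed, failed_checks). Credentials are released only if nothing failed."""
    parts = urlsplit(page.url)
    failed = []
    if parts.scheme != site.scheme:
        failed.append("scheme")
    # .hostname strips user-info and port, so "https://www.lastminute.com@evil/" is not fooled
    if parts.hostname != site.host:
        failed.append("host")
    if not parts.path.startswith(site.path_prefix):
        failed.append("path")
    failed += ["text:" + t for t in site.required_text if t not in page.text]
    failed += ["field:" + f for f in site.required_fields if f not in page.fields]
    return (not failed, failed)


def handle_login(page, site, vault, audit_log):
    """Submit the stored credentials if every check passes; otherwise block and raise an audit event."""
    passed, failed = verify_site(page, site)
    if passed:
        return {"action": "submit", "credentials": vault[site.name]}
    audit_log.append({"site": site.name, "url": page.url, "failed": failed})
    return {
        "action": "block",
        "message": "The web site accessed is not secure! "
                   "An alert has been sent to your systems administrator",
    }


# Constructed sample pages: the genuine login page and two look-alikes that copy
# its visible text and form fields exactly but live on a different host.
GENUINE = Page(
    url="https://www.lastminute.com/lmn/pso/user/login/register.jhtml",
    text="Sign in to manage your booking",
    fields=frozenset({"username", "password"}),
)
LOOKALIKE_SUBDOMAIN = Page(
    url="http://www.lastminute.com.account-verify.example/lmn/pso/user/login/register.jhtml",
    text=GENUINE.text,
    fields=GENUINE.fields,
)
LOOKALIKE_USERINFO = Page(
    url="https://www.lastminute.com@203.0.113.5/lmn/pso/user/login/register.jhtml",
    text=GENUINE.text,
    fields=GENUINE.fields,
)


def demo():
    """Run the three pages through the decision and return (actions, audit events)."""
    vault = {"lastminute": ("alice", "example-password")}   # constructed credentials
    audit = []
    actions = {
        "genuine": handle_login(GENUINE, LASTMINUTE, vault, audit)["action"],
        "subdomain": handle_login(LOOKALIKE_SUBDOMAIN, LASTMINUTE, vault, audit)["action"],
        "userinfo": handle_login(LOOKALIKE_USERINFO, LASTMINUTE, vault, audit)["action"],
    }
    return actions, audit


if __name__ == "__main__":
    actions, audit = demo()
    print(actions)
    for event in audit:
        print("AUDIT", event)
```

Both look-alikes pass the text and field checks and also pass `naive_url_check`, because the genuine host name appears somewhere in their URLs; only the exact comparison of the parsed host name (together with the https requirement) rejects them, which is why the full-URL check is the one that matters and the others are supporting checks.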

Summary

SecureLogin handles site recognition and the passing of credentials, removing users from the equation and reducing the risks associated with phishing. SecureLogin gives the administrator full control over application credentials such as usernames, credit card details and passwords/PINs, ensuring they are never passed to sites that fail the configured checks.

In addition, SecureLogin can alert you (and take action as determined by the SecureLogin administrator) if someone accesses a bogus web site from within your organization, further enhancing security.

For stronger proof of identity for transactions, consider installing SecureLogin Advanced Authentication (SLAA), which requires strong authentication methods such as biometrics (e.g. fingerprint), smart card and PIN, or tokens to log on to the network and applications.

For more information

  • http://www.webopedia.com/TERM/p/phishing.html
  • http://edition.cnn.com/2000/TECH/computing/07/26/fake.banking.fraud.idg/
  • http://www.news24.com/News24/Finance/Economy/0,6119,2-8-25_1390990,00.html