How Safe Are Your Details? Deloitte Reveals Phishing & Pharming Security Tips

By Nathan Statz

September 20, 2007: Professional services firm Deloitte has released its Global Security Survey for 2007, with the Asia Pacific region still showing a worrying number of security breaches. Alongside it, Deloitte has released a list of security tips to help deal with the rising threat.

Security breaches, particularly at financial institutions, are a major concern for both the company and its stakeholders. A breach means not only the potential loss of sensitive corporate and client data, but also a severe hit to the company's reputation.

“There’s been a lot of media coverage around individual security breaches. Security and the responsibility for it is usually blamed on IT, when the majority of breaches come from people issues,” said Tommy Viljoen, Enterprise Risk Services Leader.

The report found that 36% of the financial services institutions (FSIs) that participated in the survey had experienced repeated internal breaches over the last 12 months. By contrast, 79% of FSIs had experienced external breaches in the last year.

With such a high rate of repeated breaches, the underlying causes need to be addressed. Deloitte has also warned of the rise of phishing, pharming and spear-phishing scams, which will increasingly attempt to steal financial details. Phishing refers to scammers luring users into providing personal details by posing as a real company; the most common form is a fake email, apparently from a major bank, asking the user to log in to a fake website. Pharming leads the user to the same kind of fake site without any link being clicked, by tampering with DNS or with the hosts file on the victim's computer so that the bank's real address resolves to the attacker's server.

“The real danger is phishing scams which link up with social networking sites,” Viljoen explained.

To combat this, Deloitte has released a list of tips for avoiding increasingly sophisticated phishing and pharming traps.

Phishing & Pharming Security Tips for Consumers

    • Stay calm - When you receive an uninvited email that warns of credit card charges, fraud, frozen accounts etc., resist the first impulse to visit a web site or respond to the email. If you weren't expecting it, delete it!

    • Secure your computer - Use a personal firewall and antivirus software, and keep them securely configured and updated. This will help protect you from keystroke loggers. Deploy the latest security patches to fix vulnerabilities that an attacker may use to compromise your operating system. On Windows systems, enable "Automatic Updates" or visit the Microsoft Windows Update site.

    • Don't use Internet café or other untrusted computers to access online banking sites. Turn off the preview pane in your email client to prevent email content being rendered, and any script in it executed, without your permission.

    • Make sure you're not visiting a fake web site - Manually type the URL of your bank's web site into your browser. Don't click on links from emails, other web sites or forums.

    • Consider using an alternative browser such as Firefox, or a plugin such as Spoofstick, to make it harder for an attacker to direct you to a fake web site. Click on the padlock in the bottom right of your browser window and check the SSL certificate each time you use Internet banking: it should be issued to your bank's domain name, and the certification path should be the same one you saw on previous visits. A spoofed site will either have no padlock or present a certificate issued to a different name or through a different certification path.

    • Report any concerns immediately - Regularly check your account balances and statements. If something strange occurs, ring your bank immediately.

    • Restrict your limits - For online transactions set up a separate Visa debit card or equivalent, and only put a small amount of money into the account when required. An attacker can then access only those limited funds and cannot rack up charges as with a credit card. Ask your bank to restrict the maximum daily transfer limit on your accounts (it can be up to $5K by default) and to disable "pay anyone" or international money transfer functionality if you don't use it.
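As an added example that is not part of Deloitte's material or this article, the following Python script implements two of the checks behind the consumer tips above: recognising a link that does not really lead to your bank (the userinfo "@" trick, a bare IP address, the bank's name embedded as a subdomain of some other domain, a punycode lookalike host, plain http), and spotting a hosts-file entry that redirects the bank's name, which is the simplest form of pharming. The bank hostname www.bank.example and all sample inputs are made up for illustration.

```python
"""Two checks behind the consumer tips: does a link really lead to my bank,
and has my hosts file been altered to redirect my bank's name (local pharming)?
Added example; the bank domain (www.bank.example) and all inputs are made up."""
import ipaddress
from urllib.parse import urlsplit

BANK_HOST = "www.bank.example"   # assumed name of the real banking site

# Second-level labels under which organisations register (bank.com.au etc.).
# A real tool would use the public suffix list; this is enough for the demo.
SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu"}


def registrable_domain(hostname):
    """Return the part of a hostname that somebody actually registered."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_warnings(url, expected_host=BANK_HOST):
    """List the reasons a URL should not be trusted as expected_host.

    An empty list means: https, no userinfo trick, and the host is exactly
    the expected one.  Each entry names one phishing technique."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    if parts.scheme != "https":
        warnings.append(f"not https (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        # http://www.bank.example@evil.example/ : the text before '@' is a
        # username; the browser connects to whatever comes after it.
        warnings.append(f"userinfo '{parts.username}@' hides the real host")
    if not host:
        warnings.append("no host at all")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a bare IP address ({host})")
        return warnings
    except ValueError:
        pass   # not an IP literal, carry on with the name checks
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host, possible lookalike letters")
    if host != expected:
        if registrable_domain(host) == registrable_domain(expected):
            warnings.append(f"same domain but unexpected host {host}")
        elif expected in host:
            warnings.append(f"bank name embedded in another domain: {registrable_domain(host)}")
        else:
            warnings.append(f"host {host} is not {expected}")
    return warnings


def hosts_overrides(hosts_text, watched_hosts=(BANK_HOST,)):
    """Return {hostname: ip} for every watched hostname pinned in a hosts file.

    No legitimate hosts file needs an entry for a bank; one that maps the
    bank's name to some other address is local pharming."""
    watched = {h.lower() for h in watched_hosts}
    found = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in watched:
                found[name.lower()] = ip
    return found


# Constructed inputs for the demo (not real phishing data).
SAMPLE_URLS = [
    "https://www.bank.example/login",                        # genuine
    "http://www.bank.example@203.0.113.9/login",             # userinfo trick + plain http
    "https://www.bank.example.secure-login.example/login",   # bank name as a subdomain
    "https://www.xn--bnk-0na.example/",                      # punycode lookalike label
]

SAMPLE_HOSTS = """127.0.0.1 localhost
# entry a pharming trojan might add:
203.0.113.9 www.bank.example bank.example
"""

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", url_warnings(u) or ["looks like the real site"])
    print("hosts file overrides:", hosts_overrides(SAMPLE_HOSTS))
```

The host check deliberately compares the whole hostname rather than just looking for the bank's name in the URL, because "www.bank.example.secure-login.example" contains the bank's name and is still somebody else's site; the same holds for the username trick, where everything before the "@" is ignored by the browser. Run it against your own hosts file (/etc/hosts, or %SystemRoot%\System32\drivers\etc\hosts on Windows) to check for pharming entries.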

Phishing & Pharming Security Tips for Companies

    • Identify and classify your assets; the protection required depends on the type, value and sensitivity of each asset.

    • Update or develop a security strategy.

    • Ensure the security strategy is led and embraced by line and functional business leaders.

    • Always have an up-to-date policy, standards, processes and procedures in place.

    • Perform risk assessments and identify potential risk areas in your systems (special attention should be given to web applications, phishing, denial of service (DoS) and middleware systems).

    • Incorporate application security and privacy into your software development lifecycle.

    • Assess and review the capability and adequacy of your current web and email filtering.

    • Know at any point in time what changes are occurring in your data, and how to return to a coherent state from the audit trail if data is lost or corrupted.

    • Enforce your logging policy and make sure enough logging and alert information is in place and safely stored.

    • Implement logging, monitoring and reporting tools that produce real-time and ad hoc correlation, analysis and visualisation of the activity on your network, systems and data.

    • Implement an identity and access management solution that gives you a centralised place to manage authentication, authorisation and user provisioning. This makes auditing user rights and access, and demonstrating compliance, easier.
