Thursday, May 31, 2007

Our information security manager recently asked me and a few other people via email whether we could do something programmatically to prevent phishers from using our corporate logo.  One person suggested using JavaScript and/or CSS to trap right-clicks or to hide images behind transparent layers.  Unfortunately, every mechanism he mentioned relies on the client-side browser to enforce our bag of tricks, and the average phisher is probably too smart for that.  While JavaScript can effectively block right-clicking in IE, Firefox defeats that trick easily (click Tools > Page Info, go to the Media tab, and voila: save whatever image you want).  It is even easier for the Linux-based phisher, who can just use wget to pull down whatever images he wants.

A lot of banks have implemented two-factor and two-way authentication schemes (one of the earliest being Bank of America).  A little-known insider's fact: that's actually due to a regulatory requirement.  If your bank isn't doing it yet, trust me, it will.  So will implementing these schemes across all these banks actually solve the phishing problem?  Probably, for a year or two.  Then all of your phishing attacks will rely on man-in-the-middle attacks to get around these two-way and two-factor authentication schemes.  Bruce Schneier predicted it, and it’s already been proven and is likely in the wild.  See:

My take:  Schemes like SiteKey (BoA's trademarked implementation based on a software package available from RSA) are useful for the time being, but in the long run, provide little in the way of valuable protection.  Unfortunately, many people view it as a panacea and have created a false sense of security around the whole two-factor and two-way authentication scheme.  Banks should not rely too heavily on implementations of two-factor and two-way authentication to ensure customer security.  Instead, I think banks need to step up customer education across all lines of business.  This includes campaigns to help the customer understand:

  • Why you should never click on a link in an email
  • What to look for in your browser to ensure an SSL connection directly to your domain
  • How to use modern browsers’ built-in anti-phishing tools
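As an added example (not part of the original post), here is the second bullet written down as a check in Python: a link from an email is trusted only if it is https and its host really is the bank's own domain, not a look-alike hostname, a userinfo trick, a bare IP address or a punycode label. The bank domain `examplebank.test` and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed placeholder domain, not a real institution's.
BANK_DOMAIN = "examplebank.test"


def check_link(url, bank_domain=BANK_DOMAIN):
    """Return (ok, reason). ok is True only for an https URL whose host is the
    bank's domain or a subdomain of it, which is what a customer should see in
    the address bar immediately before the first slash."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "scheme is %r, not https" % (parts.scheme or "missing")
    if "@" in parts.netloc:
        # user:pass@host syntax: the browser ignores everything before '@', so
        # https://examplebank.test@evil.example/ really goes to evil.example
        return False, "userinfo before '@' in host part"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        return False, "host is a bare IP address, not the bank's domain"
    except ValueError:
        pass  # not an IP literal, carry on
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalized (punycode) label; possible look-alike"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "non-standard port %d" % port
    # The registered domain must be the host's suffix, not buried inside it:
    # examplebank.test.evil.example is evil.example, not the bank.
    if host == bank_domain or host.endswith("." + bank_domain):
        return True, "host %s is the bank's domain" % host
    return False, "host %s is not %s" % (host, bank_domain)
```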

Personally, I envision all of the above as being part of a strategy to increase corporate transparency.  There have been a lot of so-called corporate blogging sites launched lately, that help to foster a sense that corporations are listening to their customers and are genuinely interested in making them happy and soliciting their feedback.  Some great examples:

If you look at these, particularly in the conversations created in the comments, it becomes obvious that this is a great way to educate customers, get customer feedback, and make customers feel more empowered as partners.  Wouldn’t it be great if more corporations had a mechanism for this?

Of course, no one in our marketing department has asked me…  I’m eagerly awaiting their call…

(Reiterated disclaimer:  This ain't Commerce Bank's opinion, this is wholly mine.  See the legalese on the right, please...)

Thursday, May 31, 2007 7:25:48 PM (Central Daylight Time, UTC-05:00)
Right on, Cam. I couldn't agree more.
Friday, June 01, 2007 4:00:11 AM (Central Daylight Time, UTC-05:00)
Rock on brother.

Interesting, back when I worked for a similar institution, I actually wrote a presentation regarding how we should educate our home consumers. And that was... like 7 years ago or something.

Too bad I don't work in your bank's marketing department. ;)