The Consequence of Non-Cooperation in the Fight Against Phishing: Difference between revisions
| Line 23: | Line 23: | ||
==Synopsis== | ==Synopsis== | ||
A key way in which banks mitigate the effects of | |||
phishing is to have fraudulent websites removed or abusive do- | |||
main names suspended. This ‘take-down’ is often subcontracted | |||
to specialist companies. This paper analyzes six months of ‘feeds’ of | |||
phishing website URLs from multiple sources, including two such | |||
companies. It demonstrates that in each case, huge numbers of | |||
websites may be known to others, but the company with the | |||
take-down contract remains unaware of them, or only belatedly | |||
learns that they exist. The authors monitored all of the websites to | |||
determine when they were removed and to calculate the resultant | |||
increase in lifetimes from the take-down company not knowing | |||
that they should act. The results categorically demonstrate that | |||
significant amounts of money are being put at risk by the failure | |||
to share proprietary feeds of URLs. The authors analyze the incentives | |||
that prevent data sharing by take-down companies, contrasting | |||
this with the anti-virus industry – where sharing prevails – and | |||
with schemes for purchasing vulnerability information, where | |||
information about attacks is kept proprietary. | |||
The authors examined data for the bank clients of the two take-down | |||
companies and found that websites had consistently longer | |||
lifetimes when the take-down company was either completely | |||
unaware they existed, or when they belatedly learnt of them. | |||
This effect was most apparent for banks that were frequently | |||
attacked, whereas it was less obvious, but still non-trivial, for | |||
small credit unions that might only be attacked on a handful of | |||
occasions. The paper also shows that websites were far more likely | |||
to last for more than a week if the take-down company was | |||
unaware of their existence. | |||
Banks uniformly benefit from universal sharing and – since they are paying the bills – they | |||
are in a strong position to force change upon the industry. | |||
Although our data analysis and results are specific to the | |||
take-down of phishing websites, we believe that the conclusions reached about the value of co-operation (and the real | |||
dollar cost of failing to do so) have application to other | |||
computer security scenarios as well, most notably in how the | |||
community handles knowledge of security vulnerabilities. | |||
==Additional Notes and Highlights== | ==Additional Notes and Highlights== | ||
[http://people.seas.harvard.edu/~tmoore/ecrime08pres.pdf Presentation Slides] | [http://people.seas.harvard.edu/~tmoore/ecrime08pres.pdf Presentation Slides] | ||
Revision as of 14:22, 24 June 2010
Full Title of Reference
The Consequence of Non-Cooperation in the Fight Against Phishing
Full Citation
Tyler Moore and Richard Clayton, The Consequence of Non-Cooperation in the Fight Against Phishing, 3rd Annual APWG eCrime Researcher's Summit, Association for Computing Machinery, October, 2008. Web AltWeb
Categorization
- Threats and Actors: Financial Institutions and Networks
- Issues: Cybercrime; Economics of Cybersecurity; Information Sharing/Disclosure; Public-Private Cooperation; Security Components of Classic Cyberissues (e.g. IP); Usability/Human Factors
Key Words
Credit Card Fraud, Disclosure Policy, Outreach and Collaboration, Phishing,
Synopsis
A key way in which banks mitigate the effects of phishing is to have fraudulent websites removed or abusive do- main names suspended. This ‘take-down’ is often subcontracted to specialist companies. This paper analyzes six months of ‘feeds’ of phishing website URLs from multiple sources, including two such companies. It demonstrates that in each case, huge numbers of websites may be known to others, but the company with the take-down contract remains unaware of them, or only belatedly learns that they exist. The authors monitored all of the websites to determine when they were removed and to calculate the resultant increase in lifetimes from the take-down company not knowing that they should act. The results categorically demonstrate that significant amounts of money are being put at risk by the failure to share proprietary feeds of URLs. The authors analyze the incentives that prevent data sharing by take-down companies, contrasting this with the anti-virus industry – where sharing prevails – and with schemes for purchasing vulnerability information, where information about attacks is kept proprietary.
The authors examined data for the bank clients of the two take-down companies and found that websites had consistently longer lifetimes when the take-down company was either completely unaware they existed, or when they belatedly learnt of them. This effect was most apparent for banks that were frequently attacked, whereas it was less obvious, but still non-trivial, for small credit unions that might only be attacked on a handful of occasions. The paper also shows that websites were far more likely to last for more than a week if the take-down company was unaware of their existence.
Banks uniformly benefit from universal sharing and – since they are paying the bills – they are in a strong position to force change upon the industry. Although our data analysis and results are specific to the take-down of phishing websites, we believe that the conclusions reached about the value of co-operation (and the real dollar cost of failing to do so) have application to other computer security scenarios as well, most notably in how the community handles knowledge of security vulnerabilities.