Wednesday, April 04, 2007

Taking Down Phishing Sites - A Business Model?

Processing orders for taking down malicious or fraudulent web sites is gaining ground, with not just RSA providing the service but Netcraft joining in as well:

"Netcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies are Netcraft customers. Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity. However, some hosting companies offer fraud hosting as a service whereby they are incentivized to keep the site up as long as possible, and this necessitates more extensive action."

How does Netcraft differentiate its value proposition from RSA's? Netcraft's core competency is monitoring web sites and providing historical performance reports on various server variables, and they have been doing it for quite some time. Moreover, the company relies directly on the success of its anti-phishing toolbar for gathering raw data on new phishing sites, so a site reported by the toolbar is also a lead for a future customer, namely the company whose brand is being attacked. While the business models seem sound to some, it's worth discussing their pros and cons. Will ISPs implement in-house phishing site monitoring to compete with the services offered by third-party vendors? Given the huge infrastructures they monitor and the lack of a financial incentive for a timely shutdown, they could certainly delay their actions. Or will ISPs and vendors figure out a way to build an ecosystem between themselves? The pioneer advantage matters here, despite the common wisdom that an innovative idea in a market that's not ready to embrace it won't get commercialized.

In the past, there were futile attempts by banks to use the most commonly abused phishing medium, email itself, to build awareness among their customers of the threat of phishing. Training customers to act on bank email is not the way to solve the problem. A bank has several options with respect to its customers: educate them, enforce e-banking best practices and deny the service to those who don't comply, be a paper tiger and shift the responsibility for fraudulent transactions onto their gullibility, or improve the entire authentication process. As we have seen, two-factor authentication may improve consumers' confidence, but we're also seeing malware authors getting pragmatic and adapting to it: a one-time code that is captured and relayed to the real site within its validity window works just as well for the attacker as a static password did. Flexibility also means better transparency of the process, and respect is due to the banks that give me the opportunity to receive an SMS each and every time money comes into or goes out of the account.

OPIE and multi-factor authentication are inevitable, but a customer's awareness of the threat is worth more than another keychain full of OPIE generators. What remains is unrealized e-commerce revenue from customers who still believe the risks are not worth the benefits.
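To make concrete what an OPIE keychain does and does not protect against, here is an added example (written for this page, not code from the post, from OPIE or from any bank). It implements the S/KEY-style hash chain behind OPIE in a simplified form: SHA-256 instead of the RFC 2289 MD4/MD5/SHA-1 digests folded to 64 bits, raw bytes instead of the six-word encoding, and a constructed seed rather than a real enrolment. The server stores only the current chain head, so a replayed password fails, while a password relayed to the real site in real time still succeeds, which is the adaptation described above.

```python
import hashlib
from typing import Dict, List

# Simplified OPIE/S-KEY one-time-password chain (assumption: SHA-256, raw
# bytes; the real RFC 2289 scheme folds MD4/MD5/SHA-1 output to 64 bits
# and encodes it as six short words).


def _h(value: bytes) -> bytes:
    """One step of the hash chain."""
    return hashlib.sha256(value).digest()


def generate_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)] (n + 1 entries)."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Holds only h^k(seed) for the current k; never sees the seed."""

    def __init__(self, chain_head: bytes) -> None:
        self.last_otp = chain_head

    def verify(self, candidate: bytes) -> bool:
        # A valid OTP is the preimage of the stored value; accepting it
        # moves the head back one step, so the same OTP cannot be reused.
        if _h(candidate) == self.last_otp:
            self.last_otp = candidate
            return True
        return False


class OtpToken:
    """The customer's keychain generator: emits h^(n-1), h^(n-2), ..."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.chain = generate_chain(seed, n)
        self.index = n - 1

    def next_otp(self) -> bytes:
        otp = self.chain[self.index]
        self.index -= 1
        return otp


def demo(seed: bytes = b"constructed-seed-for-this-example", n: int = 100) -> Dict[str, bool]:
    """Run three scenarios against one server and report what succeeded."""
    token = OtpToken(seed, n)
    server = OtpServer(token.chain[n])  # enrolment: server learns h^n(seed)

    # 1. Legitimate login with the first OTP from the keychain.
    otp1 = token.next_otp()
    legit = server.verify(otp1)

    # 2. A phishing site captured otp1 and tries it again later: rejected.
    replay = server.verify(otp1)

    # 3. The victim types otp2 into a phishing page; the attacker forwards
    #    it to the real server before the victim's own session does.
    otp2 = token.next_otp()
    relay_attacker = server.verify(otp2)  # succeeds: it is still fresh
    relay_victim = server.verify(otp2)    # victim's own login now fails

    return {
        "legit": legit,
        "replay": replay,
        "relay_attacker": relay_attacker,
        "relay_victim": relay_victim,
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

The replay case is what the keychain buys: a harvested OTP is worthless minutes later. The relay case is why awareness still matters more than the generator itself: a customer who types a fresh code into a phishing page has handed over a working login, and the only visible symptom is that their own attempt fails immediately afterwards.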
