MasterCard International and digital-fraud-detection firm NameProtect have joined to fight illegal online activities, principally "phishing" schemes and the online trading of stolen credit card numbers. The partnership marks a more active approach to addressing online fraud. MasterCard will use NameProtect's technology to detect online scams as they unfold and, in conjunction with law-enforcement organizations, shut them down before significant losses can occur.
"The new threat that we are particularly addressing here is the cyberattack, involving phishing, identity theft and so on," Sergio Pinon, senior VP of MasterCard global security and risk services, said on a media conference call in June. "We want to insure that the trust remains between our consumers and the financial-payment system."
At the moment, there's ample reason to be wary. Research firm Gartner (Stamford, Conn.) estimates that 57 million Americans have received phishing e-mails in the past year. During two weeks in December 2003, 60 million phishing messages were sent, according to the Anti-Phishing Working Group, an organization to which both MasterCard and NameProtect belong. Additionally, identity theft has been the number one consumer complaint for the past four years, according to the Federal Trade Commission.
"In order for this to be effective, we have to be able to monitor online phishing attacks, trading of account numbers, identity theft and so on, on a 24/7 basis," Pinon said.
NameProtect is now monitoring domain names, Web pages, images, auctions, chat forums, spam and other online formats to identify online fraud. It sends real-time reports to MasterCard, accessible through a Web portal. Within four hours, MasterCard is able to inform its 25,000 member financial institutions worldwide of online attacks, using its MasterCard Alerts service.
MasterCard also will be going after Web sites that offer how-to information to those interested in committing fraud, with the help of the United States Secret Service, the Federal Bureau of Investigation, the U.S. Postal Service and Interpol.
To date, MasterCard can provide no specific instances of sites shut down during the trial portion of this program, which ran from April through June. "We have passed the information on to the affected parties," said Pinon, "and I am sure, having that information in hand, that they have taken the [appropriate] steps."
With regard to domains that masquerade as sanctioned MasterCard sites, Mark McLane, CEO of NameProtect, says that his company has already helped MasterCard shut down a number of such sites, but he declined to provide further details.
It's the details that may prove problematic. Gartner VP and research director Avivah Litan says it's not easy to shut down a Web site, especially if it's based in a country where the U.S. and European Union don't have a lot of pull. "Once you catch them, you can't necessarily stop them," she says. "It's like trying to catch a cockroach." Still, she says, "It's a practical solution. It's not a slam dunk."
Pavni Diwanji, CEO and founder of anti-spam vendor MailFrontier (Palo Alto, Calif.), echoes the concerns expressed by Litan. While she says she's glad a company as big as MasterCard is trying to deal with the problem, she cautions that these phishing messages and scam sites don't have to be around for very long to do damage. Often, she says, scammers themselves will take phishing sites down after only a few hours. That's because phishing campaigns can bring in credit-card information in a matter of minutes. Beyond alerting banks, she says, "We have to protect the victims in a timely manner, too."
Andy Klein, anti-fraud product manager at MailFrontier, offers an example of how sophisticated phishers have become: They do market research to determine who's vulnerable to their scams. To identify who might be likely to open mail purporting to be from a certain bank, phishers recently sent a trial e-mail with a Web bug - a link to a graphic file stored on a remote server, used to measure whether or not the message was opened. Receptive recipients were subsequently targeted with a phishing e-mail.
MailFrontier's Phishing Index for May 2004 shows that one out of 10 people were duped into following the link provided in a phishing e-mail - despite the fact that the message had been quarantined and labeled suspicious. A May 2004 Gartner report found that 3 percent of a projected 57 million people who believed they had received a phishing e-mail clicked on the links to spoofed Web sites and submitted personal and financial data. Certainly, there's a need for user education.
"This is absolutely a step in the right direction," Diwanji says of the MasterCard initiative. "Is it enough? No."
This article originally appeared in InformationWeek, a sibling publication of Bank Systems & Technology.
Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...