Fight against 'phishing'
22nd June 2004 (Computimes)
By Rozana Sani

EFFORTS to prevent and deter identity thefts over cyberspace need to be stepped up to nurture consumer trust in online banking and financial transactions, a key factor for growth in e-business activities in Malaysia.

Although the volume of such incidents, also known as "phishing", is still relatively low here compared with developed countries such as the United States, parties likely to be affected need to address the rising menace in a co-ordinated manner at both the local and international levels through legal, technological and educational means. They include those in the financial, telecommunications, technology and Government sectors.

Director of National ICT Security Emergency Response Centre (Niser) Lt Col Husin Jazri said while Malaysia is already part of collaborations to combat phishing through the Malaysian Computer Emergency Response Team (MyCert) at the international level, there are still many challenges.

"Through Niser (MyCERT), Malaysia is also part of the worldwide Certs networks that are committed to help local Internet communities. We have a good track record in helping local companies in putting off overseas phishing sites from attacking local companies and banks.

"While I believe present laws are adequate to handle the issue, the challenge now is enforcing those laws when the offences and crimes are committed overseas. And co-operation from law-enforcement agencies from the related countries could be inefficient," he told Computimes last Friday.

Local financial service providers must also play their part.

In that respect, Husin said they should report any cases to Niser (MyCert), which would provide assistance in taking the phishing sites off the Net through its channel.

The importance of a national-level collaboration to fight phishing must be emphasised, said MyCert manager Solahuddin Shamsuddin. "We believe a good collaboration between local financial institutions including Bank Negara, the respective ministries and law-enforcement agencies should be in place to address any matters concerning phishing in terms of prevention, recovery, eradication and educating the public on this scam," he said, stressing that added safety measures can be taken by financial institutions in various aspects.

He added that financial institutions, especially those conducting Internet banking, should take measures to secure their systems, networks and online transactions. "Patches and upgrades should be applied to their operating systems to fix any vulnerabilities that can be exploited by phishers."

Financial institutions may also consider deploying a phishing/fraud-detection service that proactively monitors international e-mail traffic and provides immediate notification upon the discovery of new phishing e-mails.

"Call centre employees of financial institutions should be trained and equipped with proper knowledge in recognising signs of phishing scams. If a breach does occur, the best line of defence for a financial institution will be its call centres as they will be the first to field inquiries related to phishing scams," Solahuddin said.

He added that an incident response and handling element is also needed to contact the relevant authorities.

PricewaterhouseCoopers' executive director Ong Ai Lin said educating consumers not to be susceptible to requests for their personal information via the Net should be one of the key actions taken by financial institutions.

"Consumers not only suffer from financial losses but also reputation losses when they fall victims to phishing scams," Ong said.

Meanwhile, the Malaysian Communications and Multimedia Commission (MCMC) suggested that financial institutions conduct a comprehensive risk assessment in all relevant areas of the business, design suitable safeguards to control the risk and monitor their effectiveness. Risk assessments should be conducted on a regular basis and the necessary adjustments made to reduce risks, it said.