B.1.5.9 Strong Authorization for Financial Transactions
Measures that can be employed to bind strong authorizations with financial transactions (e.g., digital signatures) in ways that make it difficult for impostors to initiate fraudulent financial transactions.
B.1.5.10 Secure eMail Services
Any techniques that can be used to increase confidence in email correspondence, such as source authentication, authorizations, or confidentiality.
B.1.5.11 eMail Proof-of-Delivery/Receipt Services
Additional services that can be used to independently assure email correspondents that a specific message was delivered by the indicated sender or was received by the designated recipient. Included are services that depend on neutral third parties that can witness the delivery and receipt of email correspondence (e.g., postmarks, registered email services).
B.1.5.12 Authenticating FIs to End Users
Any facilities that can be used by end users to authenticate that they are truly communicating with their financial institution (and not an impostor), especially authentication schemes that are easily understood and recognizable by average consumers.
B.2 Financial Industry Technical Counter-Phishing Measures
These categories of solutions are either specific to Financial Institutions, or are available as options that can be employed by an individual organization. In this regard, most of these solution options tend to be tactical in nature.
B.2.1 Category VI: Counter Measures Associated with Financial Services
Some countermeasures may be unique to the financial industry, or at least leverage the role of financial institutions in conducting financial transactions. After all, fraud and abuse are familiar problems to the financial industry, and have been addressed using an array of industry measures. The financial industry also has its own infrastructure and data resources that can be leveraged to create new opportunities for combating phishing on several fronts.
B.2.1.1 Improved Ability to Share Relevant Data within Financial Industry
New facilities or services that would allow the financial industry to better share information that can be used to counter phishing threats. Included might be facilities for broadcasting information about new phishing attacks, or ways for the industry to leverage existing credit or fraud databases to reduce losses and impact on customers.
B.2.1.2 Improved Ability to Share Relevant Data across Industry Boundaries
New facilities or services that can leverage information accumulated by other industries, such as the communications or retail industries, or that may allow information from financial institutions to be made available outside of the financial industry for purposes of combating phishing. Regulatory compliance will be an important feature of any solution that shares information across industry boundaries.
B.2.1.3 Improved Ability to Share Relevant Data with Law Enforcement
New facilities or services that allow law enforcement agencies to work more effectively with financial institutions through improved sharing of information, including forensics, fraud data, and complaints filed by citizens/customers.
B.2.1.4 Data Mining for Phishing-Related Information/Evidence
Tools or techniques that can pull useful evidence of, and information about, phishing activities from the mountain of data available from a broad array of sources.
B.2.1.5 Shutdown/Disabling of Phishing-Related Sites
Services that can effectively shut down or disable any site found to be involved in phishing activities. Such services may be defensive or preventative depending on which stage of the phishing life cycle they address.
B.2.1.6 Hardening of Credit-Reporting Infrastructure
Measures that reduce exposures through the credit-reporting infrastructure, including abuses that allow unauthorized access to credit data or that facilitate misrepresentations of “identity” in applications for credit.
B.2.1.7 Hardening of Payments Infrastructure & Transactions
New measures that can be used to harden the payments infrastructure against fraud based on use of account credentials stolen through phishing attacks. Examples include multifactor authentication, stronger authorization, one-time credit/debit card numbers, and blinding of account numbers in transactions.
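The "stronger authorization" named here and the transaction-bound digital signatures of B.1.5.9 share one idea: the customer's authorization must cover the exact payee, amount and a fresh transaction identifier, so that an impostor can neither alter a captured authorization nor replay it. The following Go program is an added illustration written for this page, not code from the report or any institution; the Transaction layout, the canonical encoding, and the use of Ed25519 are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Transaction carries every field the customer's authorization must cover (assumed layout, constructed for this example).
type Transaction struct {
	TxID     string // unique per transaction, so a captured authorization cannot be replayed
	Payee    string
	Amount   int64 // minor units (cents); avoids floating-point ambiguity
	Currency string
}

// canonical renders the transaction in one fixed byte form (fields assumed newline-free).
func canonical(t Transaction) []byte {
	return []byte(strings.Join([]string{t.TxID, t.Payee, fmt.Sprint(t.Amount), t.Currency}, "\n"))
}

// Authorize is the customer's side: the signature is bound to this exact transaction.
func Authorize(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, canonical(t))
}

// Verifier is the institution's side; Seen records TxIDs already accepted.
type Verifier struct {
	Pub  ed25519.PublicKey
	Seen map[string]bool
}

// Accept succeeds only if the signature matches the transaction as submitted
// and its TxID is fresh, so both tampering and replay are rejected.
func (v *Verifier) Accept(t Transaction, sig []byte) bool {
	if v.Seen[t.TxID] || !ed25519.Verify(v.Pub, canonical(t), sig) {
		return false
	}
	v.Seen[t.TxID] = true
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{Pub: pub, Seen: map[string]bool{}}
	tx := Transaction{TxID: "tx-0001", Payee: "ACME Utilities", Amount: 12050, Currency: "USD"}
	sig := Authorize(priv, tx)
	fmt.Println(v.Accept(tx, sig), v.Accept(tx, sig)) // true false: the second call is a replay
}
```

A one-time card number or blinded account number plays the same role as TxID here: a value that is valid for exactly one transaction, so that stealing it yields nothing reusable.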
B.2.1.8 Refinements to Risk Management Approaches
Enhancements to risk analysis and management approaches that allow financial institutions to more rapidly and effectively recognize new sources of risk from phishing attacks, and take steps to mitigate increases in risk.
B.2.2 Category VII: Monitoring and Surveillance Measures
It is important to note that phishing is, by its very nature, an observable act, even if the victims are not themselves aware that they are being phished. It also leaves a lot of tracks and generates its own trail of events that can be traced. Consequently, improved techniques for monitoring the sorts of activities that indicate potential phishing, coupled with effective surveillance and collection of evidentiary information, can represent useful measures for addressing the phishing threat.