In this article we’ve decided to readdress security and fraud prevention issues. In particular, we are going to focus on a fraud technique commonly referred to as a phishing attack. In a payment processing context, phishing attacks are used to capture a user’s logon information, which is needed to access the payment gateway or payment system the user is working with.
You may have heard the term phishing already, but in this post we describe the issue from the perspective of payment gateway and payment system access.
There are several reasons for phishing attacks.
- Personal data theft. The phishing attack might be undertaken just to steal your personal data, or the personal data of your clients.
- Payment data theft. The attack might be undertaken to steal your payment information (credit card numbers), or payment information of those customers processed through your accounts.
Even if the payment information is hidden, a user’s individual logon to a virtual terminal of a payment gateway might still be used by fraudsters for so-called credit card milking (verification of stolen card numbers through this user’s merchant account).
How phishing attacks occur
Phishers usually replicate (make an exact copy of) the logon page of the system they are trying to attack and send you an email with a link that you are asked to follow. The email tells you that there is some urgent issue with the system which requires you to follow the link and log in. The visible text of the link usually corresponds to the actual login page of the service. However, once you click on it, you are redirected to a completely different page that looks exactly like the expected logon page. If you do not pay attention to the URL, you will not notice that you are not on the real logon page, and you may inadvertently enter your logon information, which is then stolen.
How to prevent phishing attacks
There are several preventive techniques which can be used by payment system operators to protect their respective payment gateways against phishing. The two most common ones are two-factor authentication and the use of a security image. Both approaches add a further authentication factor to the username and password.
Two-factor authentication is based on the use of an additional value during logon. The value is generated by a software product, a hardware device (usually referred to as a token) or a smartphone. Generally, only the user has access to the software/hardware/smartphone, so even if the username and password are stolen by phishers, they still cannot complete the logon. You can find more detailed information on two-factor authentication in our respective article on Google Authenticator.
The simpler approach is based on the use of a so-called security image. During the first logon, the user is asked to choose an image, which will be used as his personal security image. The logon webpage has to be modified accordingly, so that initially the user is required to input only the username, without the password. Once the username is input, the system checks whether it is present in the database. If it is, an image is displayed. If the image matches the user’s security image, the user can proceed with the logon and input the password. Otherwise the user simply does not input the password, which makes the logon impossible and prevents the potential phishing attack (as phishers do not know which security image should be displayed).
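The two-step security image logon described above, as an added example that is not code from the original post or from any real payment gateway. It uses a constructed in-memory user store; the `SecurityImageLogin`, `FakeLoginPage` and `client_logon` names are this example's own, and the decoy image returned for unknown usernames goes beyond the post (the post displays nothing in that case) so that the username step does not reveal which accounts exist.

```python
import hashlib
import hmac
import secrets


class SecurityImageLogin:
    """Server side of the two-step logon: username first, then image, then password."""

    def __init__(self, image_catalogue, server_secret):
        self.images = list(image_catalogue)
        self.secret = server_secret  # assumed server-side key, used only for decoy selection
        self.users = {}              # constructed in-memory store: username -> record

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, chosen_image):
        """First logon: the user picks the security image shown on all later logons."""
        if chosen_image not in self.images:
            raise ValueError("image is not in the catalogue")
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "image": chosen_image,
                                "pw": self._hash_password(password, salt)}

    def step1_username(self, username):
        """Return the image to display after the username has been entered."""
        record = self.users.get(username)
        if record is not None:
            return record["image"]
        # Extension beyond the post: a stable decoy for unknown usernames, derived by
        # HMAC so the same unknown name always maps to the same image.
        digest = hmac.new(self.secret, username.encode(), "sha256").digest()
        return self.images[int.from_bytes(digest[:4], "big") % len(self.images)]

    def step2_password(self, username, password):
        """Second step: verify the password with a constant-time comparison."""
        record = self.users.get(username)
        if record is None:
            return False
        return hmac.compare_digest(self._hash_password(password, record["salt"]), record["pw"])


class FakeLoginPage:
    """Constructed stand-in for a look-alike page: it does not know any user's image."""

    def __init__(self, image_catalogue):
        self.images = list(image_catalogue)
        self.captured = []  # what the copy would have received

    def step1_username(self, username):
        return self.images[0]  # it can only guess

    def step2_password(self, username, password):
        self.captured.append((username, password))
        return True


def client_logon(site, username, password, my_security_image):
    """Client discipline from the post: send the password only if the right image is shown."""
    if site.step1_username(username) != my_security_image:
        return "abort: unexpected security image, password not sent"
    return "ok" if site.step2_password(username, password) else "bad password"
```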
If personal data and payment information of your clients are major concerns for you, you should implement some phishing attack prevention technique in your logon mechanism.