Online Fraud: Hired Gun Hunts Phishers

By Edward Cone  |  Posted 09-11-2006

Hunting down phishers, pharmers and other online bad guys can be frustrating work for financial firms—so Commerce Bancorp Inc. decided to bring in some hired muscle. The $43 billion (assets) parent of Commerce Bank, based in Cherry Hill, N.J., is using services from RSA Security Inc. to target malefactors who attempt to fool banking customers into sharing personal data by means of phony look-alike Web sites, e-mail and similar trickery.

Commerce Bank has its own fraud protection systems in place, but the specialized services from RSA add to that protection by focusing on global scams like phishing and pharming, says Todd Bearman, the bank's vice president of IT security. RSA uses software and analysts at its round-the-clock security center to monitor traffic at Commerce Bank's popular Yesbank.com domain and the Internet as a whole, working to identify crooks, disrupt scams and terminate phony sites. "RSA really scours the Web," says Bearman. "They're looking at chat rooms, e-mails, Web crawlers, blogs and so on, for anyone who might be trying to emulate us and lure our customers."

Prior to inking the deal with RSA, Commerce Bank staffers handled phishing and pharming patrol themselves. But multiple time zones and language barriers (RSA lists India and Estonia as emerging hotspots for fraudulent operators) quickly became a problem. "A lot of these sites are hosted outside the U.S.," says Bearman. "To shut them down, you might have to deal with law enforcement in other countries. Same thing for the hosting services, which are often hard to contact. It becomes very resource-intensive for an organization like ours, but RSA has mastered it. They have standard processes in place."

RSA reports that regional banks and credit unions are the most frequent U.S.-based targets of the scamsters, and the number of brands subjected to phishing attacks reached new highs this summer. Bearman says the real value lies in allowing the bank to roll out ever-more sophisticated online services with confidence. "Say we want to offer account statements that we could e-mail or you could access with a link—we don't want our customers wondering if these are coming from us. There is a great opportunity to offer online services and save money, but it has to be trustworthy."

RSA fits into Commerce Bank's "layered defenses" against fraud, says Bearman. "We see the need for a three-dimensional response to threats," he says. In addition to its outsourced security from RSA, the bank maintains an information security staff, and uses software from Corillian Corp., as well as custom applications, to monitor for fraud, network intrusions and other risks. "We don't want to rely too much on one layer, or one service or product," says Bearman. "RSA can tell us if someone has copied our site, or linked to it for different periods of time to harvest information. But people act differently, there are different vectors of attack, so we try to respond in more than one way. We need to guard against phishing and pharming, but we also need the system to be able to guess that a log-on from China that tries to access four accounts in a row is probably not somebody checking their balances while on vacation, and lets us know to check who's knocking at the door."

Bearman hopes that pending security enhancements from vendors like Microsoft Corp. and from major Internet service providers, which promise to push intelligence out to end users' Web browsers and allow them to block suspect sites, will help automate anti-fraud work and make customers feel comfortable about using advanced online services. In the meantime, he's counting on his hired gun to take out some of the looming threats to customer security.