How To Harpoon A Cyber Shark

New technology could thwart 'phish' e-mails that seek consumers' private data

The corporate battle against cybercrime is unending. And phishing -- bogus e-mails designed to trick consumers into coughing up personal info -- is among the most insidious of foes. Just ask Ambika Gadre, director of security and threat prevention at IronPort Systems Inc., an e-mail security firm. Gadre and her team, relying in part on a promising new authentication technology from Yahoo! Inc. (YHOO) called DomainKeys, spot an ever rising tide of bogus e-mails slinking across the Web. "Phishing is so damaging," says Gadre.

With the phish epidemic starting to sap confidence in online commerce, e-tailers and banks alike are scrambling to beef up defenses. Amazon.com Inc. (AMZN) is expected to begin testing an IronPort system soon that verifies if e-mail pitches sent to consumers under its name are real. Bank of America Corp. is rolling out technology that helps customers ensure they have reached the bank's real site -- rather than a fake one set up by the phishers to capture their user IDs and passwords. And the anti-phishing effort got a big boost June 1, when Yahoo! and Cisco Systems Inc. (CSCO) announced plans to merge competing technologies -- clearing the way for a DomainKeys technical standard.

It's a counterattack against phishing that may at last have teeth. "When evil folks with malicious intent send an e-mail that purports to be from, we'll know," says Andrew R. Spillane, an exec in the e-mail unit of Yahoo!, which rolled out the technology last year.

The key to countering phishing, say experts, is making sure consumers know which e-mails are real and which are not. Since last year, many banks, e-commerce sites, and others who send e-mail have relied on free software developed by Microsoft Corp. (MSFT) and others called Sender ID. The technology uses the coordinates of Web-connected PCs and servers, known as IP addresses, to trace the origins of e-mail. Some 750,000 company domain names around the world have been registered under Sender ID, according to Microsoft. Trouble is, say security analysts, the bad guys can route phish through many servers to disguise who originally sent them. "Sender ID is the first step," says Ryan Hamlin, Microsoft's general manager of technology care and safety. "But it's not the end game."


Enter DomainKeys -- a more robust authentication technology. Here's how it works: When a bank or e-commerce firm sends out e-mail, the mailing contains a signature that corresponds to a unique code allocated to the sender. When an e-mail firm or an ISP receives a message to transmit to its users, it can check to see if the signature on the e-mail matches that of the bank or e-commerce site it claims to be from. If it does, the person getting the e-mail will be told it's legit. If not, the ISP will warn the customer not to open it.
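The sign-then-check flow described above, as an added sketch that is not code from the article, Yahoo!, or IronPort. It assumes a constructed sender `bank.example`, a hypothetical selector `mail`, a dictionary standing in for the DNS record where a DomainKeys sender publishes its public key, and textbook RSA with a toy key in place of a production signature scheme.

```python
import hashlib

# Constructed toy RSA key for bank.example, built from two Mersenne primes.
# Far too small for real use; textbook RSA without padding, illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the sender

# Stand-in for DNS: receivers fetch the public key by selector and domain.
PUBLIC_KEYS = {"mail._domainkey.bank.example": (N, E)}


def digest(from_hdr, body, n):
    """Hash the parts of the message the signature covers, reduced mod n."""
    data = f"From: {from_hdr}\r\n\r\n{body}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(from_hdr, body, domain, selector="mail"):
    """Sender side: attach a DomainKey-Signature-style header to the message."""
    sig = pow(digest(from_hdr, body, N), D, N)
    return {"From": from_hdr, "Body": body,
            "DomainKey-Signature": f"d={domain}; s={selector}; b={sig:x}"}


def verify(msg):
    """Receiver side: 'pass', 'fail' (bad or mismatched) or 'none' (unsigned)."""
    header = msg.get("DomainKey-Signature")
    if header is None:
        return "none"
    try:
        tags = dict(t.strip().split("=", 1) for t in header.split(";"))
        domain, selector, sig = tags["d"].lower(), tags["s"], int(tags["b"], 16)
    except (KeyError, ValueError):
        return "fail"  # malformed signature header
    # The signing domain must be the domain the From address claims.
    if msg["From"].rsplit("@", 1)[-1].lower() != domain:
        return "fail"
    key = PUBLIC_KEYS.get(f"{selector}._domainkey.{domain}")
    if key is None:
        return "fail"  # no published key for that selector and domain
    n, e = key
    expected = digest(msg["From"], msg["Body"], n)
    return "pass" if pow(sig, e, n) == expected else "fail"
```

A receiver would map `pass` to the "legit" indication and `fail` to the warning the article describes; `none` covers senders that have not adopted signing.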

That's not the only way banks are beefing up Internet security. Some are putting in place technology that helps online customers ensure they are visiting the real Web site, as well as keep fraudsters out. Bank of America's (BAC) SiteKey system shows online customers a picture when they visit its site. If the image they've chosen doesn't pop up, they will know they've reached a bogus site. And if fraudsters try to access a customer's BofA account from an unrecognized PC, they will have to answer a predetermined question.

Still, such technologies face hurdles. With Yahoo! and Cisco just agreeing on common standards for DomainKeys, many companies may resist investing in the technology until the kinks are worked out. Price is another issue. Both Yahoo!'s and Cisco's products can be downloaded for free online. But an e-mail security system with DomainKeys for a mass e-mailer costs $500,000, on average, says IronPort. For a big company, that's not much to stymie forged e-mails that can damage reputations and clog up millions of e-mail accounts. But smaller businesses may hesitate to upgrade until the price drops. With consumers increasingly wary about buying and banking online, however, they may have little choice.

By Brian Grow in Atlanta, Mara Der Hovanesian in New York, and Jay Greene in Seattle
