MasterCard Targets Phishing, ID Theft

MasterCard International said it would launch an aggressive campaign against identity theft schemes that use phony Web sites to collect personal information from Internet users. The credit card company said it tapped NameProtect, a digital fraud-detection company, to scour the Web for so-called “phishing” schemes that attempt to dupe consumers into revealing personal information, such as credit card data, to sites that appear to be legitimate.

MasterCard billed the move as a “fundamental shift” and a “more aggressive approach” to the problem of online identity theft. The partnership calls for NameProtect to detect online scams “in real-time,” the companies said in a release, and to cooperate with law enforcement to “dismantle the online tools and venues that are used by identity thieves before they can be used to steal personal information.”

“We are confronting identity theft head-on,” said Sergio Pinon, senior vice president, MasterCard Global Security & Risk Services. “By identifying these illegal card number-swapping rings and working to close down these online credit card black markets, we can squash illegal activity before people’s accounts are compromised.”

Growing Problem

Identity theft has been among the most common complaints lodged by Internet users since the early days of e-commerce and regularly ranks high on the Federal Trade Commission’s list of complaints about the Web. The FTC said 9.9 million Americans were victims of ID theft last year, costing businesses $48 billion.

More recent reports have warned that online ID theft is accelerating and that a surprisingly large number of consumers are still falling victim to the ploys. A Gartner report last month found that nearly 20 percent of those who receive phishing e-mails clicked on the link embedded in the message and nearly 2 million people turned over some personal information to the phony Web site.

Meanwhile, the Anti-Phishing Working Group said this week that it confirmed 1,197 new and different phishing schemes during the month of May and that incidents have grown by 4,000 percent since November of 2003.

“There are still a lot of consumers who are unaware that this is happening,” Gartner analyst Avivah Litan told the E-Commerce Times.

Litan and others say law enforcement efforts have not dented phishing because it’s often well after the fact — when they receive a credit card bill with fraudulent charges, for instance — that consumers realize they’ve been duped. By then, the Web sites and spoofed e-mail addresses used in the phishing exploit are often already taken down.

“It’s only a matter of time before these attacks start to erode confidence in online transactions,” Litan added.

Getting Proactive

NameProtect said it will seek to sniff out phishing attacks and credit-card fraud rings as they’re being plotted and carried out by continuously monitoring domain names, Web pages, e-mail lists and online forums. The San Diego, California-based company will also guard MasterCard’s brand identity by seeking out any fraudulent uses of its name or logo.

MasterCard said it will then turn over the reports it receives from NameProtect to the FBI, the U.S. Postal Service or other appropriate law enforcement agencies and immediately notify the 25,000 banks that issue its credit cards of any potential fraud through an existing alert network.

“The MasterCard initiative is compelling in its scope and reach,” said NameProtect CEO Mark McLane. “This partnership creates a platform to attack the source of Internet-based fraud.”

The Anti-Phishing Working Group said several new attacks have been spotted already this week, the majority targeting banks and other financial institutions.

Forrester research analyst Jonathan Penn said wider adoption of more rigorous authentication measures that go beyond simple passwords are needed to stamp out phishing attacks. But he said emerging standards that will validate the address of e-mail senders will help as well, because phishing messages often are sent from spoofed addressed.

“It won’t eliminate spam, spoofing or phishing, but it will make it easier to combat,” Penn told the E-Commerce Times.