When using the Internet, unless you are very inquisitive, skilled and have a lot of time, you know nothing about the site you visit other than the information displayed by the site. Scammers work very hard to mask themselves with Web sites that appear legitimate. Their intention is to tempt you to disclose your personal information. In fact, sites set up to steal personal information have become significant and widespread enough to warrant labels like "phishing" and "pharming."
Phishing usually employs e-mail messages or Web advertisements enticing you to go to a phony site. The incentives range from unbelievably tempting deals, like a $500 bonus card if you submit your personal details, to messages like "There has been an unusually large purchase on your VISA card -- please visit our site to validate." Some phishing messages, called “spear phishing”, are personalized; an unsuspecting person receiving them cannot imagine that they are coming from scammers. For example, after you bid at an auction and do not win, you might receive a message telling you that you have been given a second chance to win at the price you offered. The scammers, pretending to belong to the auction site, take your money and you get nothing.
Pharming is an even more shifty approach. It uses DNS spoofing. This is a set of technical tricks, available on the Internet, which actually changes the destination of the URL that you see on your browser and directs you to an "undercover" site. In other words, you type www.mybank.com, you are sure you are accessing your bank, but you're actually entering a scam site.
There is a myth that the solution for phishing and pharming is tokens. These are small devices usually provided by banks or institutions that want their customers to connect to their web site. Some tokens can protect users from phishing, but most use a one-time password (OTP). In order to log into a site, the token is activated and the user is given a displayed password. The user must then type the password and log in quickly because the password is valid for only a short time.
A phishing technique known as "man-in-the-middle" succeeds in accessing accounts of users protected by OTP tokens. The phishing site fools the user into thinking that it is the real site he or she has accessed before. During the login process, this phishing site works as a proxy: it is connected to the real site and transparently transfers the data between the real site and the user until the login process is complete. At that point, the phishing site disconnects the user, and the operator of the phishing site has full access to the account of the unsuspecting user. If it is a bank account, financial transactions can be executed. If it is a corporate or government site, confidential information can be extracted. Several man-in-the-middle attacks were detected in 2005, causing banks to take down their online banking sites until the scam site was shut down.
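Why a one-time password does not tell the real site where it was typed can be seen in the verification logic itself. The following is an added example, not code from CallingID or from any token vendor: it implements the standard RFC 6238 time-based OTP and contrasts it with an assumed, illustrative origin-bound response. The function names, the nonce and the look-alike host are constructed for the illustration.

```python
import hashlib
import hmac
import struct

def totp(key, now, step=30, digits=6):
    """RFC 6238 one-time password (HMAC-SHA1), as an OTP token displays it."""
    mac = hmac.new(key, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_otp(key, code, now):
    # Inputs are the shared key and the clock only. Nothing identifies the site
    # the user typed the code into, so a forwarded code verifies like a direct one.
    return hmac.compare_digest(code, totp(key, now))

def bound_response(key, challenge, origin):
    # Assumed contrast scheme: the client's answer covers the origin it is
    # connected to, so an answer produced on another host fails at the real site.
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def server_accepts_bound(key, challenge, response, own_origin):
    return hmac.compare_digest(response, bound_response(key, challenge, own_origin))

KEY = b"12345678901234567890"              # RFC 6238 test key, not a real secret
REAL = "https://www.mybank.com"            # the article's example host
LOOKALIKE = "https://www.mybank.example"   # constructed look-alike host

def login_results(origin_user_saw, displayed_at=35, received_at=59):
    """What the real site decides when the user was looking at origin_user_saw."""
    code = totp(KEY, displayed_at)                        # user reads the token
    nonce = b"constructed-nonce-0001"                     # issued by the real site
    answer = bound_response(KEY, nonce, origin_user_saw)  # computed by the client
    return {
        "otp": server_accepts_otp(KEY, code, received_at),
        "origin_bound": server_accepts_bound(KEY, nonce, answer, REAL),
    }

if __name__ == "__main__":
    print("real site :", login_results(REAL))
    print("look-alike:", login_results(LOOKALIKE))
    print("expired   :", login_results(REAL, received_at=95))
```

The short validity window only limits how long a code is usable; it does not bind the code to the site that receives it.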
Most users are aware of the risks caused by phishing. They receive frequent e-mails from banks where they have no account and recognize the problem. Subsequently, most users are afraid of becoming victims. They get numerous frightening warnings about the grave consequences of providing personal information to scammers. As a result, most users refrain from executing transactions through online banking. Instead, they only view their accounts online. Banks try to encourage users to execute transactions, but users rightfully demand protection against Internet fraud.
Although most users are aware of the risks in online banking, many of them are easy targets for unbelievable deals on the Internet. If they search for a new PC and find a half price offer from a company that has a name that looks familiar, they may choose to buy from that vendor and submit personal details, unaware of the fact that the site is bogus. Because of fear and uncertainty many e-commerce sites face a problem. Users that have bought goods and services on unfamiliar e-commerce sites have become more suspicious. Instead of looking for the best deal, they limit their search to large, well-known sites. Medium and small sites are the victims of this trend, and they are unable to influence users' behavior.
Many sites, especially large e-commerce and online banking sites, ask users to log in in order to execute a transaction. The simple login process, utilizing user name and password, makes it an ideal target for scammers.
The phishing and pharming scams discussed above tempt users to disclose their login parameters. But even if the user is well protected against phishing and pharming, spyware (malicious software that may sneak into the user’s machine) can detect the keystroke sequence or the sequence of mouse clicks and the associated screenshots used to log in to a site, and send this sequence to an external source while the user remains unaware of the problem.
CallingID, a software company based in New Haven, Connecticut, provides solutions to encourage use of the Internet for business and to avoid all the potential problems of Internet fraud. CallingID for the Internet is a solution for individual users. CallingID Safety Seal is a website solution that provides strong authentication and anti-fraud protection. This solution focuses on online banking, eCommerce and corporate sites.
CallingID for the Internet
CallingID for the Internet is a simple browser add-on. When users install CallingID they experience the Internet from a new angle. For the first time they see who owns the sites they visit and where the owner is located, and they receive an immediate indication of the risk level of sending data to these sites. When visiting msn.com they see that the site is owned by Microsoft and it is OK to send personal information to this site, but when they visit kazza.com they see that the owner of this site is hiding his identity and consequently, sending data to such a site is considered high risk (information sent to someone who deliberately hides his identity may be used by scammers). CallingID verifies for the user when it is OK to send data, particularly personal information which requires an encrypted session, and when there is a risk involved.
CallingID's unique use of 52 different verification tests to evaluate web sites provides the highest level of protection. When any of these tests fail, the users are urged to rethink their intention to submit personal information, username, password and credit card number, or to place an order from that site. It summarizes the results of the tests in a simple indication to help the user decide whether to proceed.
Indicates that exposing private or confidential information to this site is very risky and that the information may be misused by the site owner. Such risk is a result of a pattern usually utilized by scammers. It may be, for example, masking the site owner's identity, using a pirate server in a legitimate site, or using a known phishing site.
Reveals that the site has a problem. The user should be aware of the problem and decide whether to take the risk of sending data to such a site. Low risk sites are sites whose owner was not identified as an organization conducting business, sites that were not registered correctly, etc.
Signals that it is safe to submit information and make purchases at these sites. The site was identified as an organization conducting business located at a real address and passed all 52 verification tests.
CallingID provides you with added value beyond the protection - whenever you visit a site you automatically see who owns it, and where its owner is located. This information is particularly useful when visiting new sites and deciding if they are real businesses and whether to trust the information provided by them.
Samples of a phishing site and the real PayPal site with CallingID indications:
CallingID for the Internet uniqueness:
1. CallingID is a comprehensive solution. It uses databases that contain information about more than 200,000,000 companies.
2. CallingID has a unique technology to automatically find the actual owners of web sites and their addresses. The technology validates that the owner is a real organization conducting business at the address it claims to be at. The process is usually completed in 30 seconds when a positive verification is achieved and within 60 seconds when the automatic verification fails. In such a case a manual process is executed where a group of analysts try to manually detect whether the site belongs to a real organization at a specific address.
3. CallingID detects sites that hide the owner identity. These sites are defined as High-Risk unless their owners contact CallingID and provide sufficient information to verify their real name and location.
4. CallingID looks inside the web page to detect cases where data you type will be sent to a site other than the site you visit.
5. CallingID uses its black lists of fraud sites to protect users automatically. More than 100 new phishing sites are detected daily and added to that list.
6. CallingID displays its data in a short toolbar that automatically expands when the mouse is dragged over it. We received many positive comments because users appreciate that it does not take much of their valuable space.
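The check described in item 4, detecting that data typed into a page will be sent to a site other than the one being visited, can be approximated by resolving every form destination against the page URL. The following is an added example, not CallingID's code: the class and function names, the sample markup and the collector.example host are constructed, and hosts are compared exactly rather than by registered domain.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Records, for each <form>, every URL its fields can be submitted to."""
    def __init__(self):
        super().__init__()
        self.base_href, self.forms, self.open = None, [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base_href is None and a.get("href"):
            self.base_href = a["href"]  # relative actions resolve against this
        elif tag == "form":
            self.open = True
            self.forms.append({"targets": [a.get("action") or ""], "password": False})
        elif tag in ("input", "button") and self.open:
            if (a.get("type") or "").lower() == "password":
                self.forms[-1]["password"] = True
            if a.get("formaction"):  # a button can override the form's action
                self.forms[-1]["targets"].append(a["formaction"])
    def handle_endtag(self, tag):
        self.open = self.open and tag != "form"

def check_form_targets(page_url, html):
    """List (target, has_password_field, reasons) for risky form destinations."""
    parser = FormCollector()
    parser.feed(html)
    base = urljoin(page_url, parser.base_href or "")
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in parser.forms:
        for raw in form["targets"]:
            # An empty action submits to the page's own URL, not to <base>.
            target = urlsplit(urljoin(base, raw) if raw else page_url)
            if target.scheme not in ("http", "https"):
                continue
            reasons = []
            if target.hostname != page_host:
                reasons.append("other-host")
            if target.scheme == "http":
                reasons.append("unencrypted")
            if reasons:
                findings.append((target.geturl(), form["password"], reasons))
    return findings

PAGE_URL = "https://www.mybank.com/account/login.html"  # article's example host
# Constructed sample markup: a normal login, a cross-host form, a plain-HTTP button.
SAMPLE = """<form action="/login"><input name="user"><input type="password" name="pw"></form>
<form action="https://collector.example/submit"><input type="password" name="pin"></form>
<form action="/search"><button formaction="http://www.mybank.com/old">Go</button></form>"""
```

Calling `check_form_targets(PAGE_URL, SAMPLE)` reports the second and third forms. A static check like this sees only the markup as delivered, not destinations set later by script.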
CallingID Safety Seal
CallingID Safety Seal is an ideal solution for eCommerce, corporate sites and banks. When users of these sites try to login to their account at the site, they are well protected against attempts to use their login parameters and credentials. The solution is composed of three levels of protection to shield users when they log into a web site.
- Site Authentication for the user. The users are shown a unique shared secret they have disclosed to the site. They know that the site is authentic before they log in.
- Automatic detection of phishing sites. An extra level of protection is added, enabling automatic detection of login attempts to suspected sites. All known phishing techniques, including man-in-the-middle, frame injection and pharming (DNS spoofing), are automatically detected. CallingID stops the user before login data is submitted and the user is alerted to abort.
- Neutralization of spyware. Even if the user's computer is infected by hostile software such as spyware, a Trojan, a screen-capture tool or a key-logger, the user's login parameters cannot be identified by that software. When a user logs into an online account on a machine where such hostile software exists, the hostile software is led to detect a false password while the real password is safely delivered to the site using strong encryption. CallingID uses special technology that thwarts all hostile software.
Safety Seal is available for any Internet web site and requires registration of the site with CallingID. Two different versions are available:
Safety Seal Basic - Provides all web users basic protection against Internet fraud, without installing any software on the client PC, whenever they log into a website registered with Safety Seal.
Safety Seal Pro - Provides the functionality of Safety Seal Basic as well as strong encryption of the password typed by the user, preventing Trojans and spyware from detecting the real password.
Institutions offering CallingID Safety Seal to their clients now have a way to considerably reduce the risk and concern that their clients have of being scammed, thus addressing their reluctance to conduct business over the Internet. The clients feel that the institution has taken the necessary steps to secure them, and since no complex procedure is added, they can significantly increase their business activities with the institution. We see this solution widely adopted by banks since Safety Seal helps banks comply with the latest FFIEC guidelines of October 2005 and two FDIC recommendations: one of June 2005 for a reliable form of authentication for customers when accessing their account online, and one of July 2005 for the protection of their customers against spyware.
The recommendations can be found at
The institutions will also be considered by their customers as proactive at protecting their interests and removing the barriers for executing online transactions.
Internet fraud has become a real threat for e-commerce and online banking. CallingID provides a comprehensive set of solutions that individuals can count on when using the Internet. The solutions are simple to use and are powerful enough so consumers can feel free to shop online. They know with whom they are dealing and when a problem is detected, they will be made aware of it immediately.
When users log in to a web site protected by Safety Seal, the simple process of providing username and password is protected, keeping users’ login parameters out of reach of phishing sites and spyware.
CallingID was established in 2004 with the goal of encouraging computer users to utilize the Internet safely for business while avoiding Internet fraud: phishing, pharming, spyware and Trojans. CallingID products enable safer browsing and promote healthy consumer practice. CallingID is headquartered in New Haven, Connecticut. Its team is composed of veteran executives and highly acclaimed software security professionals. The R&D center is located in Haifa, Israel.