HARRISBURG, Pa. - As phishers and other fraudsters "movedownstream," Pennsylvania State Employees Credit Union will beready with its virtual net. The $2.3 billion CU has signed on withCyota Inc. to use FraudAction, the New York City-based firm'santi-phishing solution. Cyota boasts a client list that includeseight of the world's largest 12 banks, as well as America Online,and its president says his company's business has broadened itsfocus to smaller financial institutions, too, as phishers find thegoing tougher against big institutions more able to defendthemselves and their customers. "We have more than 10,000 financialinstitutions using our products, including many, many creditunions, and that number has been growing fast as the attacks movedownstream," says Naftali Bennett, CEO of Cyota (www.cyota.com).PSECU went live with its system in mid-March, following a coupleweeks of conference calls, testing of encrypted e-mails for alertsand training. "We haven't seen any attacks against us, but wewanted to be proactive in our defense," says Kevin Doyle,information security manager at PSECU (www.psecu.com). "We knowthese things are moving downstream. The NCUA was recently a targetitself, for instance." FraudAction is part of Cyota's suite ofonline security services, which includes a brand-new solution namedeSphinx, an authentication service that assesses the risk level ofeach transaction and other activities in real time, based onfactors derived from years of working with its wide range ofclients. Problems are met with responses that can escalate fromautomated challenges for additional information to blocking thetransaction and calling the account holder by telephone. Cyotabills FraudAction as the industry's first such solution, introducedin 2003 when phishing was hardly a household word. Bennett says thecompany now is finding that serving big banks and small creditunions are two different propositions. "The big organizations weserve typically have incident response teams as well as a lot ofother resources you wouldn't expect credit unions to have," theCyota CEO says. "They expect us to guide them a lot more, thelearning curve is larger, and basically the message is, `OK, Cyotaguys, do the whole thing and just let us sleep at night." That'sjust what the company tries to do, Bennett says, with itsAnti-Fraud Command Center, staffed 7/24 by a group of 30 analysts.Their specialty is thwarting phishing attacks and Bennett sayswithout hesitation, "When one is launched, we're the first in theworld to know. We've collaborated with AOL and several other majoranti-spam and ISP companies and developed our own network, andevery day we scan roughly a billion e-mails for phishing attack sinreal time." When a potential attack is noted, the institution isnotified, as is the ISP hosting the apparent phisher and thearduous process of shutting down a site begins, which ofteninvolves translators working through "a very long and frustratingspiel," Bennett says. "We've reduced the time span of a typicalphishing attack from six days to five hours," he adds. Cyota alsoturns the tables on the attackers, feeding their spoof sites phonyuser names, passwords, account numbers and more. Noting organizedcrime's alleged interest in the identity theft business, Bennettsays, "A fraudster may obtain 500 credentials not knowing thatmaybe only 15 are valid. That's a very low-grade reward and when hesells them to Tony Soprano, well, Tony gets angry." -

[email protected]