Past performance many not be indicative of future security
People usualy rely on past experience. In the case of security this is often a mistake. Past bad experience is often reliable but past good experience is not.
If there is a security problem you can expect it to continue until effective measures are deployed to control it.
If there is no security problem today that may be either because the system is secure or because nobody believes it worth their while to attack.
The problem is that the second criteria can change very rapidly. Three months ago use of VOIP (Internet telephony) in phishing attacks was a rare event. Customers are now reporting that this problem is now routine.
As long as email phishing was providing the attackers with sufficient rewards there was little incentive for the phishing gangs to invest in developing a VOIP capability. Occasional attacks were observed but these were clearly of an experimental rather than a production basis.
Over the past two years the difficulty of making email phishing attacks has increased as the rewards have diminished. Consumers are much less likely to be tricked. Phishing capture sites remain active for much shorter lengths of time due to the intervention of takedown services. Use of phished credentials is much more difficult due to deployment of Fraud Detection Services.
In response to these challenges the criminals have developed a new generation of email phishing technologies and branched out into other phishing mediums such as VOIP. Even if email phishing was wiped out entirely tommorow the underground marketplaces used to exchange stolen card numbers would continue to exist. Even if VOIP phishing is defeated the credit card fraud rings would return to buying stolen credit card numbers from dishonest waiters carrying a skimming device.
The lesson is that we must be proactive in deploying strong security. Europe has already deployed chip and pin credit card protection. Eventually that technology will be deployed in the US. In the meantime we must continue to anticipate and react to attacks in advance of the attackers. If we fail to do that the criminals will win and that outcome is unacceptable.
