Why Pharming Makes Phishing Seem Like Child's Play

One brash young man who knows an awful lot about computers, though he's never admitted to being a hacker, has suggested to me that phishing is designed to instill a false sense of security in Internet users.

"How come?" I asked.

"Because," the young man explained, "when they triumphantly delete this bad-English e-mail that urges them to 'click here,' they feel they have prevailed in the war against the 'bad guys.' Alas, if they have assets to steal, and online accounts to drain, they will eventually come to the attention of the serious hacker, who is way beyond phishing."

Though in its infancy, the post-phishing era has begun.

"I know!" the lady across the conference table said. "You must be talking about pharming!"

"In part," said the young technologist.

"Well, pharming is some special brand of phishing, isn't it?"

"No, not at all. In fact the term is misleading because it suggests what you assumed, while in fact pharming is a hack that (1) does not require you to obey a strange e-mail, and (2) does not change anything on your computer. Pharming is a fraudulent act that is effected on far-away Internet machinery.

"Recall the old switchboard: you picked up the phone and asked the operator to connect you with your bank. Now, what if instead of connecting you to your bank teller, the operator connected you to a local fraudster who talked to you as if he were your banker? Later on that fraudster calls your real bank, armed with what he learned from the conversation with you, and successfully masquerades as you. Bye-bye bank account...

"Pharming is the modern version of this trick. In both cases the fraud is committed on an external and trusted entity. In one case it is the switchboard operator, and in the other it is a server's lookup table.
Normally when you punch in your bank's name, the request goes to a special network computer that checks the name in a table that identifies the numeric Internet address for the bank. But if that table is hacked, when you key in your bank's name you are routed to a hacking site, and you would be hard pressed to realize it, because neither you nor your computer has done anything wrong.

"No mistake was made, no fault. Extra caution would not have prevented it. You believed you communicated with your bank, but because the switchboard was hacked you were actually delivered to a wily fraudster."

So how can you ever be sure? Pharming, unlike phishing, requires a professional hacker, and its practice is still limited. Also, a faulty Internet switchboard would affect everyone who tries to log on to the site, and hence it is discovered rather quickly. Still, the potential damage from a pharming scheme is much more profound than that from a phishing ploy.

Pharming lends itself to the mother of all hacking schemes: the man-in-the-middle attack. Suppose that Alice and Bob send e-mails to each other, discussing this and that. At some point during that friendly conversation, Eve the eavesdropper interjects herself between the two. Eve snatches Alice's e-mails on their way to Bob, reads them quickly, and without much delay sends them on to Bob. She does the same to Bob, snatching his e-mails, reading them, then sending them unaltered to Alice. Since Eve has not changed an iota in the e-mails, there is no way for either Alice or Bob to realize that Eve is playing this trick on them. Eve simply learns what she can from the conversation and keeps herself undetected indefinitely. However, at will, Eve could step up her intervention and subtly alter the e-mails, and all the while neither Bob nor Alice would suspect anything.

My advice? A good starting point is to adopt two-way authentication.
In my last column, I described a two-way authentication protocol that is based on the assumption that your entire dialogue with the bank is visible to a hacker. Yet, the hacker is none the wiser because the PIN that you and your bank share is never typed into the system, so a hacker cannot steal it.
Because this is two-way authentication, even a successful pharming scheme would be defeated. To remind you, in a two-way authentication the bank verifies your identity, and at the same time you verify that you are talking to the bank, and not to a fraudster. So even if you are a pharmer's victim, you prevail.
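To make the two-way idea concrete, here is an added toy example, not the column's own protocol (whose details are not given on this page): a mutual challenge-response exchange in which customer and bank each prove knowledge of a shared PIN with a keyed tag over fresh nonces, so the PIN itself never crosses the wire. The `Bank`, `Client`, `Impostor` and `run_session` names are invented for the illustration. The `Impostor` stands in for the server a poisoned lookup table might route you to: it can mimic the message flow, but without the PIN it cannot produce the bank's proof, so the customer's own check fails and the session is refused.

```python
import hashlib
import hmac
import secrets

# Added, illustrative example (not the column's protocol). All names are
# hypothetical. Both sides prove knowledge of a shared PIN via HMAC tags
# over fresh nonces; the PIN itself is never transmitted.


def tag(secret: str, role: bytes, bank_nonce: bytes, client_nonce: bytes) -> bytes:
    """Keyed MAC binding both nonces and the speaker's role ("client" or
    "bank"), so a tag from one side cannot be replayed as the other's."""
    return hmac.new(secret.encode(), role + bank_nonce + client_nonce,
                    hashlib.sha256).digest()


class Bank:
    """The genuine bank: holds each customer's PIN."""

    def __init__(self, pins):
        self.pins = pins            # user -> PIN (constructed sample data)
        self.pending = {}           # user -> nonce issued in challenge()

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify_client(self, user, client_nonce, client_tag):
        """Check the customer's proof; on success return the bank's own proof,
        otherwise None."""
        bank_nonce = self.pending.pop(user, None)
        if bank_nonce is None or user not in self.pins:
            return None
        pin = self.pins[user]
        expected = tag(pin, b"client", bank_nonce, client_nonce)
        if not hmac.compare_digest(expected, client_tag):
            return None
        return tag(pin, b"bank", bank_nonce, client_nonce)


class Impostor:
    """Where a hacked lookup table might deliver you: speaks the same message
    flow as the bank but has no PIN, so its 'proof' is a guess."""

    def challenge(self, user):
        return secrets.token_bytes(16)

    def verify_client(self, user, client_nonce, client_tag):
        return secrets.token_bytes(32)   # pretends to accept, returns noise


class Client:
    def __init__(self, user, pin):
        self.user, self.pin = user, pin
        self.bank_nonce = self.client_nonce = b""

    def respond(self, bank_nonce):
        self.bank_nonce = bank_nonce
        self.client_nonce = secrets.token_bytes(16)
        return self.client_nonce, tag(self.pin, b"client", bank_nonce, self.client_nonce)

    def verify_bank(self, bank_tag) -> bool:
        """The customer's half of two-way authentication."""
        if bank_tag is None:
            return False
        expected = tag(self.pin, b"bank", self.bank_nonce, self.client_nonce)
        return hmac.compare_digest(expected, bank_tag)


def run_session(client, server):
    """Drive one exchange. Returns (server_accepted_client,
    client_accepted_server, transcript); the transcript is every message that
    crossed the wire, i.e. exactly what an eavesdropper or relay would see."""
    transcript = []
    bank_nonce = server.challenge(client.user)
    transcript.append(bank_nonce)
    client_nonce, client_tag = client.respond(bank_nonce)
    transcript += [client_nonce, client_tag]
    bank_tag = server.verify_client(client.user, client_nonce, client_tag)
    transcript.append(bank_tag or b"")
    return bank_tag is not None, client.verify_bank(bank_tag), transcript


def pin_on_wire(transcript, pin: str) -> bool:
    """True if the raw PIN appears anywhere in the observed messages."""
    return any(pin.encode() in msg for msg in transcript)


if __name__ == "__main__":
    bank = Bank({"alice": "7391"})
    print("genuine bank:", run_session(Client("alice", "7391"), bank)[:2])
    print("impostor    :", run_session(Client("alice", "7391"), Impostor())[:2])
    print("wrong PIN   :", run_session(Client("alice", "0000"), bank)[:2])
```

Running it shows the genuine session accepted on both sides, the impostor rejected by the customer even though it "accepted" her, and a wrong PIN rejected by the bank. One caveat a practitioner would add: with a real four-digit PIN, an eavesdropper holding this transcript could try all ten thousand candidates offline against the tags, so a deployable version must use a high-entropy shared key or a password-authenticated key exchange; the toy keeps the PIN only to match the column's wording.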