Proposed Law Against 'Phishing' Would Be Difficult to Enforce

[R.A. Hettinga]

<http://online.wsj.com/article_print/0,,SB111081169939678648,00.html>

The Wall Street Journal


 March 16, 2005 6:59 p.m. EST

 E-COMMERCE/MEDIA



Proposed Law Against 'Phishing'
 Would Be Difficult to Enforce

By DAVID KESMODEL
THE WALL STREET JOURNAL ONLINE
March 16, 2005 6:59 p.m.


A proposed measure in Congress to crack down on "phishing" scams -- a type
of online identity theft -- probably would do little to curtail the
activity because it is nearly impossible to catch many of the perpetrators,
security experts say.

U.S. Sen. Patrick Leahy, a Vermont Democrat, introduced a bill last month
that would impose jail sentences of up to five years and fines of up to
$250,000 against people convicted of phishing. Several Democrats have filed
a companion bill in the House. Republicans have yet to take a position on
the legislation, called the Antiphishing Act of 2005, but there is growing
concern on Capitol Hill about identity theft.

In a phishing scheme, impostors use e-mails and Web sites to trick
consumers into releasing key personal information such as bank-account
numbers. In a common attack, consumers will get an e-mail that looks as if
it came from a bank or retailer. The e-mail points to a phony Web site,
where consumers are asked to enter vital information. Criminals have gotten
very good at mimicking legitimate e-mails and Web sites, making their
attacks more effective.

Unfortunately, criminals have also grown more savvy when it comes to
covering their tracks. The biggest challenge for the proposed legislation
is that many of the offenders reside overseas, and they use byzantine crime
networks to keep their own identities concealed. What's more, the average
phishing site exists for less than six days, estimates the Antiphishing
Working Group, an industry trade organization that supports Sen. Leahy's
bill. "It is difficult, if not impossible," to find the offenders and
prosecute them, said Gary Steele, chief executive of Proofpoint Inc., an
e-mail security provider. He said the main strength of Sen. Leahy's bill
would be to make the public more aware of phishing threats.

'Unusual Activity'

Prosecutors have thus far used traditional laws against wire fraud and
identity theft to fight phishing, but Sen. Leahy argues the legislation
would make it easier to prosecute a person suspected of engaging in such a
scheme. It would criminalize the act of setting up a phishing site,
enabling prosecutors to go after someone before any financial fraud occurs.
The law also would criminalize "pharming," a related type of fraud in which
hackers manipulate settings on users' computers so that they will go to a
counterfeit Web site when they try to visit a legitimate Web site for a
bank or other service.

Research firm Gartner Inc. estimates that 130 million U.S. Internet users
have been targets of a phishing scheme through e-mail. The Antiphishing
Working Group said it received reports of 2,560 active phishing Web sites
in January, up from 1,740 in December. The group, whose members include
banks, Internet service providers and security firms, says that in some
phishing ploys, up to 5% of the targets take the bait.

Major U.S banks, as well as online auction site eBay Inc. and its PayPal
online payment unit, have been among the frequent targets of phishing
attacks. Recently, Washington Mutual Inc.'s customers received
legitimate-looking e-mails that told them that the bank's account review
team had "identified some unusual activity in your account." It pointed
customers to a Web site and asked them to enter their name, account number
and other data, and to review account transactions to make sure the account
"has not been compromised." Last year, Wells Fargo & Co. said customers
were being asked to provide their name, social security number, account
number and ATM pin for the alleged purpose of updating them on changes in
bank policy.

These days, a prevalent phishing scam is to send consumers e-mails
declaring that the recipient has won a lottery. The messages ask for a bank
account number so winnings can be delivered, said Avivah Litan, a vice
president with Gartner. "The lottery trick is really the biggest thing
now," she said. It plays "on people's imaginations that they won a lottery
or are eligible for an award."

Jody Westby, a managing director for PricewaterhouseCoopers LLP
specializing in cybercrime, said far more cooperation among countries is
needed to combat phishing. In February, online-security firm VeriSign Inc.
said 58% of the phishing sites it examined in last year's fourth quarter
were located outside the U.S., in countries including China, Germany and
Taiwan. "I applaud [Sen. Leahy] for his efforts and certainly think it is a
step in the right direction, but I think it butts against technological and
jurisdictional realities," Ms. Westby said.

Skeptics of the proposed federal legislation point to the 2003 Can-Spam
Act, a federal law designed to stanch the deluge of spam in Americans'
inboxes. While there have been a handful of prosecutions using the new law,
most offshore offenders have remained out of reach. What's more, the law
appears to have done little to unclog mailboxes -- by some estimates, the
volume of spam being sent continues to rise.

Limited Prosecutions So Far

Prosecutors in the U.S. have succeeded in bringing some phishers to
justice. For example, a Texas man last year pleaded guilty to a scam that
defrauded 400 people out of about $75,000. He was sentenced to nearly four
years in prison.

"They tend to catch the people who are small-time criminals, not the ones
who do it day after day around the world in massive operations," said Alex
Shipp, senior antivirus technologist for MessageLabs Inc., an e-mail
security firm.

For his part, Sen. Leahy acknowledged in an interview that it might be hard
to catch the people behind phishing schemes. "I want to make sure there's
teeth there if you do," he said. It has "gotten to a point where you really
don't have an awful lot of choicesŠ If people start losing faith in the
ability of Internet commerce, then you have enormous problems."

The Federal Trade Commission says about 10 million Americans are victims of
some form of identity theft annually -- a figure that includes phishing and
other online scams, as well as traditional tactics such as stealing a
credit card. The FTC says the cost to businesses and consumers is about $50
billion a year.

Outlook for Passage Is Uncertain

The antiphishing bills have been referred to the Judiciary Committee in
both the Senate and the House, and no action has been taken yet. A
spokesman for the House Judiciary Committee said it was too early to rate
the legislation's chance of passage. Congressional leaders are under
pressure to help prevent identity theft following a recent string of
high-profile incidents. Lawmakers on Tuesday grilled ChoicePoint Inc. Chief
Executive Derek Smith about his company's sale of private data on 145,000
people to criminals posing as legitimate small-business customers.

States are also looking at the phishing problem. In Washington state, the
House on March 9 passed a bill to criminalize the practice. Similar
measures have been proposed in Arkansas and Minnesota.

Many in the online-security industry have advocated a system of
authenticating the identity of an e-mail sender as a way to thwart phishing
and other schemes. Such a system validates that the "from" address listed
in an e-mail is the actual origin of the message. Such tools could not only
help stop spam, but would help weed out phishers posing as legitimate
businesses. A number of companies and government organizations are using
authentication tools, including Nike Inc. and the U.S. Food and Drug
Administration. But the tools have not been widely adopted, in part because
no single authentication standard has been agreed upon, said Jeff Smith,
chief executive of Tumbleweed Communications Corp., a security firm that
has Nike and the FDA as clients.

Requiring all e-mail to be validated also is controversial, he said. "You
see these forces coming up against each other. One force wants to make the
Internet more of a trusted platform. The other force wants to keep the
Internet open and anonymous."


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com