The Anti-Phishing Act of 2004: |
|
By ANITA RAMASASTRY |
|
Monday, Aug. 16, 2004 |
Phishing (pronounced "fishing") is a particularly pernicious type of Internet identity theft scam. So far, little has been done to stop it. But that will change if a promising new anti-phishing bill introduced by Senator Patrick Leahy.
In this column, I will explain the merits of Leahy's bill. I will also explain why legislation like this is still needed, even despite the fact that President Bush has just signed new federal identity theft legislation into law.
What Is "Phishing"? A Brief Primer
Here's how phishing works:
An Internet user receives an official-looking e-mail that purports to have been sent by a familiar business or organization - for example, an Internet service provider (ISP), bank, online payment service, or even a government agency. The user reads the message because it looks official.
The message says that the Internet user needs to "update" or "validate" his account information by clicking on a given link - or else some dire consequence, such as suspension of the user's account, may occur. The users clicks on the link.
The link takes the user to a copycat web site that looks very much like the site of the business or organization mentioned in the email. In fact, however, it is a phony site.
At the site, the user is asked to input personal and confidential information (credit card number, user name, password, and the like - for the supposed "update" or "validation" of his or her account information. But if the user does so, the user's information will actually be used for identity theft.
According to an industry consortium, the Anti-Phishing Working Group (APWG), the word "phishing" comes from an analogy: Internet fraudsters use email lures to "fish" for confidential passwords and financial data from a "sea" of Internet users.
Apparently, the term "phishing" was coined around 1996 by hackers who were stealing America On-Line Internet accounts by getting unsuspecting AOL users to divulge their passwords. The first Internet mention of phishing was reportedly on the alt.2600 hacker newsgroup in January 1996. However, the term may have been used even earlier in the printed edition of the hacker newsletter "2600".
APWG also notes "by 1996, hacked accounts were called "phish", and by 1997 phish were actually being traded between hackers as a form of currency. People would routinely trade 10 working AOL phish for a piece of hacking software that they needed."
Why the "ph"? Why not just call it "fishing" The answer is that hackers commonly replace the letter "f" with "ph" - for instance, the original form of hacking, done by phone, was known as "phreaking." Hackers used a special blue box that emitted tones to control the phone switches. Through phreaking, they could make long distance calls for free, or bill calls to someone else's phone number.
So Far, Phishing Has Grown, and Little Has Been Done to Stop It
Recently, phishing has been thriving. According to the APWG, there were 1,422 separate phishing scams in June. This was a 52 percent increase from May. (500 of these attacks targeted Citibank.) And according to Senator Leahy, during the last 12 months alone, the estimated losses have exceeded $2 billion, and the losses continue to mount.
Meanwhile, over the past few years, phishing attacks have not only grown in number, but also grown more sophisticated. Rather than stealing passwords to access the Internet for free, scam artists are now engaged in large scale identify theft. Early phishing attacks were by novices, but there is evidence now that some attacks are staged by organized criminal enterprises..
Phishing attacks now target users of online banking, payment services such as PayPal, and online e-commerce sites, such as eBay. Since August 2003, most major banks in the USA and the UK, for example, have been the targets of phishing attacks.
Educating Internet Users Is Not a Complete Solution to Phishing
Readers who are sophisticated about the Internet may assume that "phishing" may die of its own accord, as more and more Internet users get wise to the trick. And it's probably true that, as awareness of phishing grows among consumers, law enforcement and web hosting services, the incidence of phishing may shrink.
But getting rid of phishing through education alone may well be difficult to impossible. And new or technology-naÏve Internet users may always be easy pickings for phishers.
Even the savvy may sometimes be fooled. Phishers are getting better and better at mimicking genuine emails and websites. Where emails and websites were once suspicious-looking -- rife with misspellings or devoid of convincing corporate logos, and so on -- that is no longer always true. In fact, there is an Internet quiz designed to test a user's phishing IQ, which makes this point very well.
Indeed, sometimes there's no way - short of picking up the phone -- for users to verify whether a given e-mail came from their bank or not, beyond checking the return address (which can be forged). If a customer has no reason to think the e-mail is fraudulent in the first place, they aren't likely to spend the time tracking down someone at the bank or Internet retailer to check its authenticity. Many customers may not want to spend hours on hold or navigating a series of telephonic prompts when trying to get through to a specific company.
Even now, although phishing has existed since 1996, one in twenty Internet users may fall prey. According to a study by the APWG, by hijacking the trusted brands of well-known banks, online retailers, ISPs and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.
With the cost of sending bulk email very low, that's a high return rate for the phishers. After all, one successful phishing expedition can mean they strike gold: Consumers suffer credit card fraud, identity theft, and financial loss.
Why Phishers Often Are Not Caught
Why aren't phishers caught and punished under existing fraud and theft laws? The answer is, in essence, that the fraud can be perpetrated very quickly, and afterward, the perpetrator can "vanish" into cyberspace.
The phony websites typically migrate from one server to another very rapidly -- in an effort to stay a step ahead of ISPs and law enforcement. For instance, in one scam documented by the APWG, the perpetrators operated a spoofed web page on seven different servers over a period of just 12 days. And the servers were all over the globe -- including four in Korea, two at American ISPs, and one in Uruguay.
The average phishing web site is online for only about 54 hours, according to June data from the APWG. (Some sites, however, have been able to remain online for more than two weeks before being shut down or abandoned.)
Existing Law Applies, But There Have Been Few Prosecutions
Existing federal laws do criminalize phishing - but mainly after the damage is done, when a consumer has already been defrauded as a result of the phishing. (Such laws include the laws against wire fraud, identity theft, credit card fraud, computer fraud, and a number of trade laws - and may even encompass the new federal CAN SPAM Act, which I wrote about for this site earlier.)
However, enforcement actions have been relatively few. In 2003, the Federal Trade Commission brought a civil enforcement action against a person who engaged in phishing - sending emails pretending to be from AOL that directed users to an "AOL" billing page." He used the information users entered to charge online purchases and open accounts with PayPal. Perhaps in part because of his age, the defendant in that case got off lightly. He was barred from sending spam in the future and was ordered to relinquish $3,500 of his "ill-gotten gains."
The agency charged the defendant's practices were deceptive and unfair, in violation of the FTC Act. In addition, the FTC alleged that the defendant's practices violated provisions of the Gramm-Leach-Bliley Act, which designed to protect the privacy of consumers' sensitive financial information.
More recently, the FTC and the DOJ took actions to shut down a phishing operation run by Zachary Keith Hill of Houston, Texas. The operation hijacked logos from AOL and PayPal in order to con hundreds of consumers into providing credit card and bank account numbers. DOJ obtained a criminal conviction, and Hill is awaiting sentencing.
In addition, President Bush recently signed legislation to increase penalties for identity theft-related crimes. The Identity Theft Penalty Enhancement Act, (ITPEA) establishes a new crime of "aggravated identity theft" This is defined as using a stolen identity to commit other crimes - and phishing would certainly qualify. Convictions for aggravated identity theft - including phishing -- would carry a mandatory two-year prison sentence.
With No Free Speech Question, There's No Need to Wait for Phishers to Strike
But ramping up enforcement, and increasing penalties, are not enough by themselves. The problem with the government's current approach goes deeper: It generally closing the barn door when the cows are already gone, waiting for a person to be victimized before bringing a prosecution or other enforcement action against the phisher.
So even if the savvy reader who opens a phishing email forwards it to the FTC or DOJ, enforcement won't happen until a later, naÏve reader opens the email and falls victim to the scam. Also, the savvy and naÏve reader alike may suffer a harm from phishing: a diminished trust in the Internet's system of addressing and linking. Senator Leahy has noted that trust in this system is crucial to the Internet fulfilling its potential as a medium for all manner of secure communications. Yet current law fails to protect against this harm.
Shouldn't the phisherman be punished before he lures his victim in, if possible? After all, the only purpose of his email is to commit fraud - there's no real free speech interest implicated here
That's where Senator Leahy's Anti-Phishing Act of 2004, introduced last week, comes in. It targets the entire scam, all the way from sending the e-mail to creating fraudulent sites. And it averts free speech issues by exempting parodies and political speech (via email or on websites) from its reach - and by stipulating that the perpetrator must have the specific criminal purpose of committing a crime of fraud or identity theft.
The Act is smart because it criminalizes the bait - not just successful phishing. It makes it illegal to knowingly send out spoofed email that links to sham websites, with the intention of committing a crime. And it criminalizes the operation of the sham websites that are the locus of the wrongdoing .
If the bill were to become law, then each and every element of the scam would become a felony subject to five years in prison and/or a fine up to $250,000.
Will the Proposed Anti-Phishing Act, If Enacted, Really Work?
. The Anti-Phishing Act should be enacted into law. But even if it is, it won't clear the Internet "sea" of all phishermen. So while it's valuable, it won't be the last word on this issue.
Many phishers appear to send their emails from overseas, and it may be difficult to prosecute persons who reside offshore. And finding quickly-vanishing websites and phishers - who may take advantage of Internet anonymity - may be time-consuming, costly, and in some cases futile.
What other anti-phishing measures might be invented. The computer industry is hard at work on new technological solutions to the problem According to one approach, anti-virus and anti-spam companies are trying to add additional filters to their programs to target these e-mails - but the challenge is to filter out only the fakes, not legitimate communications consumers have signed up to receive.
Meanwhile, security experts predict that we may be months--or years--away from implementing more extensive e-mail authentication measures. So for now, the Internet's waters still aren't entirely safe to swim in.