Security experts agree the anti-phishing legislation introduced in the
U.S. Senate last month is a good first step. But they also agree there
are bigger “phish” to fry in the war against online fraud.
The Anti-Phishing Act of 2005, put forth by Sen. Patrick Leahy (D-Vt.),
calls for the criminalization of two essential parts of phishing attacks:
The creation and procurement of Web sites with the intent to gather
information from victims to be used for fraud or identity theft; and the
creation or procurement of e-mail that represents itself as a legitimate
business with similar intent.
“The digital age has fostered new types of cyberscams like phishing,
costing consumers and businesses billions of dollars a year and
undermining confidence in the Internet,” Leahy says. “When people
cannot trust that Web sites are what they appear to be, they will not use
the Internet for their secure transactions.”
It’s the threat of consumers turning away from online transactions that
has the business and security communities worried. And while they applaud
Leahy for his efforts to help law enforcement catch and prosecute
phishers before they commit serious crimes, they warn that the act only
covers attacks within the U.S.
“Phishing is an international crime. It [crosses] many jurisdictional
frontiers,” says Peter Cassidy, secretary general of the Anti-Phishing
Working Group (APWG), a global association of law enforcement agencies and
companies focused on eliminating identity theft and fraud. “You can have
someone in Romania using servers in Canada and South Korea to rob people
in Hawaii. That makes this a difficult crime to stop.”
Cassidy says conventional phishing is steadily rising, both in the number
of e-mails sent and in the number of servers enlisted in scam campaigns.
According to a January report from the APWG, 80 percent of phishing
attacks targeted the financial services sector. Cassidy says
banks are getting much better and quicker at stopping the attacks,
using monitoring and detection tools as well as browser-based heuristics.
However, he adds that phishers also are getting better at devising new
tactics. “There’s an escalating confrontation between phishing and
counter-phishing movements.”
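To make the “browser-based heuristics” mentioned above concrete, here is an added example written for this page (not code from the APWG, WholeSecurity, Microsoft, or any bank) of the kind of URL checks an anti-phishing toolbar of that era applied before any blocklist lookup. The brand table, the owner domains, and the sample URLs are all constructed for the example; a real toolbar would draw its brand and domain data from a maintained feed and would use a proper public-suffix list instead of the two-label shortcut used here.

```python
"""Toy URL heuristics of the kind a browser anti-phishing toolbar applies.

Example code written for this page; not a tool from the APWG, any bank or
any vendor named in the article.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed (hypothetical) brand-to-owner table for the example; a real
# checker would load a maintained list of brand-owned registrable domains.
BRAND_OWNERS = {
    "examplebank": {"examplebank.com"},
    "examplepay": {"examplepay.com"},
}

# Path words that suggest a credential-harvesting page.
CREDENTIAL_WORDS = ("login", "signin", "verify", "account", "update")


def registrable_domain(host):
    """Toy stand-in for a public-suffix lookup: the last two labels of a host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_flags(url):
    """Return the list of heuristic flags a URL triggers (empty means clean).

    Each check mirrors a classic toolbar rule: userinfo hiding the real host,
    a raw IP address as host, a deep subdomain chain, a punycode (IDN) label,
    a known brand name appearing outside the brand's own domain, and a
    credential-looking page served over plain http.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []

    # http://www.examplebank.com@203.0.113.5/ -- the "bank" is only a username.
    if parts.username is not None:
        flags.append("userinfo_before_host")

    try:
        ipaddress.ip_address(host)
        flags.append("ip_literal_host")
    except ValueError:
        pass  # not an IP literal; the common case

    if host.count(".") >= 4:
        flags.append("many_subdomains")

    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode_label")

    # A brand name anywhere the user can see it, while the registrable
    # domain is not one the brand owns.
    visible = " ".join((parts.username or "", host, parts.path)).lower()
    owner = registrable_domain(host)
    for brand, domains in BRAND_OWNERS.items():
        if brand in visible and owner not in domains:
            flags.append("brand_outside_owner_domain")
            break

    if parts.scheme == "http" and any(w in parts.path.lower() for w in CREDENTIAL_WORDS):
        flags.append("credential_page_over_http")

    return flags


def is_suspicious(url, threshold=1):
    """The decision a toolbar makes: warn once enough heuristics fire."""
    return len(phishing_flags(url)) >= threshold


# Constructed sample URLs: one legitimate, three of the shapes phishers used.
SAMPLES = [
    "https://www.examplebank.com/login",
    "http://www.examplebank.com@203.0.113.5/login",
    "http://examplebank.com.secure-verify.example.net/signin",
    "https://www.xn--examplebnk-8za.com/account",  # hypothetical IDN lookalike
]

if __name__ == "__main__":
    for u in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(u) else "ok"
        print(f"{verdict:10} {u} {phishing_flags(u)}")
```

Note the trade-off the article's “escalating confrontation” implies: every one of these rules also fires on some legitimate traffic (deep subdomain chains on large hosting platforms, genuine internationalized domain names, intranet sites addressed by IP), so a deployed filter raises `threshold`, weights the flags, and combines them with reported-URL blocklists rather than blocking on a single rule.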
In fact, security experts are seeing an influx of new phishing techniques
that bypass e-mail altogether.
“We’re seeing a migration of phishing toward malware,” says John Ball,
senior product manager at WholeSecurity, Inc., an Austin, Texas-based
developer of anti-phishing tools. “Trojan horses are being downloaded to
machines when you click on a URL.” That malware is then used to collect
keystrokes, gathering usernames, passwords and account numbers that the
victim enters into legitimate Web sites.
Stopping these types of attacks, which are sometimes referred to as
technical subterfuge, is difficult, Ball says. “People want to click on
URLs. They’re curious. And phishers rely on social engineering.”
The real harm in all of this, in addition to the financial losses caused
by identity theft, is the damage done to corporations’ brand and
valuation.
“Financial institutions have made infrastructure changes that they can’t
go back from,” says Craig Spiezle, director of history and external
relations at Microsoft in Redmond, Wash. Banks rely on online transactions,
stock trades are confirmed electronically, and 401k program statements are
sent over the Internet, he notes.
“They’ve moved to the electronic age and phishing risks undermine
this,” he says. If consumers lose confidence in doing business online,
companies have no way to reinstate the “live” infrastructure they have
already moved away from. “No one wants to wait for this to go out of
control. That’s why they’re spending so many resources to work on the
problem.”
One such effort was announced in December. Digital PhishNet is a
coalition of companies and federal agencies — Microsoft, America
Online, Inc., VeriSign, Inc., Earthlink, Inc., the FBI, the FTC and the
U.S. Secret Service. The group’s goal is to provide a single channel of
communication between industry and law enforcement so that phishers can
be caught in a timely fashion.
Spiezle says the group already has seen success in stopping a fraudulent
e-mail regarding the tsunami relief effort. With the help of Digital
PhishNet, “we were able to catch the person within 28 hours,” he says.
Industry analysts say coalitions and legislation tackle one part of the
problem. But user education is a far greater challenge.
“We have to teach people to behave in ways that are defensive,” says
Mark Gibbs, president of Gibbs & Co., a California-based Internet
consultancy.
Gibbs says companies doing business online, such as banks, should have a
better strategy for authenticating their communications with customers.
He argues that the industry should adopt a universal online agreement that
users can be trained to understand, “in much the same way children learn
not to go with strangers.” The strategy would have to include simple
rules, such as telling users that no legitimate e-mail will ever include
a link for them to click on.
WholeSecurity’s Ball agrees that consumer awareness is key.
“The government should be educating consumers on this type of threat,”
he says. “There will always be people who fall for phishing attacks, but
you can reduce the impact.”