<http://online.wsj.com/article_print/0,,SB111081169939678648,00.html>
The Wall Street Journal, March 16, 2005, 6:59 p.m. EST
E-COMMERCE/MEDIA

Proposed Law Against 'Phishing' Would Be Difficult to Enforce
By DAVID KESMODEL
THE WALL STREET JOURNAL ONLINE
March 16, 2005 6:59 p.m.

A proposed measure in Congress to crack down on "phishing" scams -- a type of online identity theft -- probably would do little to curtail the activity because it is nearly impossible to catch many of the perpetrators, security experts say.

U.S. Sen. Patrick Leahy, a Vermont Democrat, introduced a bill last month that would impose jail sentences of up to five years and fines of up to $250,000 against people convicted of phishing. Several Democrats have filed a companion bill in the House. Republicans have yet to take a position on the legislation, called the Antiphishing Act of 2005, but there is growing concern on Capitol Hill about identity theft.

In a phishing scheme, impostors use e-mails and Web sites to trick consumers into releasing key personal information such as bank-account numbers. In a common attack, consumers will get an e-mail that looks as if it came from a bank or retailer. The e-mail points to a phony Web site, where consumers are asked to enter vital information. Criminals have gotten very good at mimicking legitimate e-mails and Web sites, making their attacks more effective.

Unfortunately, criminals have also grown more savvy when it comes to covering their tracks. The biggest challenge for the proposed legislation is that many of the offenders reside overseas, and they use byzantine crime networks to keep their own identities concealed. What's more, the average phishing site exists for less than six days, estimates the Antiphishing Working Group, an industry trade organization that supports Sen. Leahy's bill.

"It is difficult, if not impossible," to find the offenders and prosecute them, said Gary Steele, chief executive of Proofpoint Inc., an e-mail security provider. He said the main strength of Sen. Leahy's bill would be to make the public more aware of phishing threats.

'Unusual Activity'

Prosecutors have thus far used traditional laws against wire fraud and identity theft to fight phishing, but Sen. Leahy argues the legislation would make it easier to prosecute a person suspected of engaging in such a scheme. It would criminalize the act of setting up a phishing site, enabling prosecutors to go after someone before any financial fraud occurs. The law also would criminalize "pharming," a related type of fraud in which hackers manipulate settings on users' computers so that the victims are sent to a counterfeit Web site when they try to visit the legitimate Web site of a bank or other service.

Research firm Gartner Inc. estimates that 130 million U.S. Internet users have been targets of a phishing scheme through e-mail. The Antiphishing Working Group said it received reports of 2,560 active phishing Web sites in January, up from 1,740 in December. The group, whose members include banks, Internet service providers and security firms, says that in some phishing ploys, up to 5% of the targets take the bait.

Major U.S. banks, as well as online auction site eBay Inc. and its PayPal online payment unit, have been among the frequent targets of phishing attacks. Recently, Washington Mutual Inc.'s customers received legitimate-looking e-mails that told them that the bank's account review team had "identified some unusual activity in your account." It pointed customers to a Web site and asked them to enter their name, account number and other data, and to review account transactions to make sure the account "has not been compromised." Last year, Wells Fargo & Co. said customers were being asked to provide their name, Social Security number, account number and ATM PIN for the alleged purpose of updating them on changes in bank policy.

These days, a prevalent phishing scam is to send consumers e-mails declaring that the recipient has won a lottery. The messages ask for a bank account number so winnings can be delivered, said Avivah Litan, a vice president with Gartner. "The lottery trick is really the biggest thing now," she said. It plays "on people's imaginations that they won a lottery or are eligible for an award."

Jody Westby, a managing director for PricewaterhouseCoopers LLP specializing in cybercrime, said far more cooperation among countries is needed to combat phishing. In February, online-security firm VeriSign Inc. said 58% of the phishing sites it examined in last year's fourth quarter were located outside the U.S., in countries including China, Germany and Taiwan. "I applaud [Sen. Leahy] for his efforts and certainly think it is a step in the right direction, but I think it butts against technological and jurisdictional realities," Ms. Westby said.

Skeptics of the proposed federal legislation point to the 2003 CAN-SPAM Act, a federal law designed to stanch the deluge of spam in Americans' inboxes. While there have been a handful of prosecutions using the new law, most offshore offenders have remained out of reach. What's more, the law appears to have done little to unclog mailboxes -- by some estimates, the volume of spam being sent continues to rise.

Limited Prosecutions So Far

Prosecutors in the U.S. have succeeded in bringing some phishers to justice. For example, a Texas man last year pleaded guilty to a scam that defrauded 400 people out of about $75,000. He was sentenced to nearly four years in prison. "They tend to catch the people who are small-time criminals, not the ones who do it day after day around the world in massive operations," said Alex Shipp, senior antivirus technologist for MessageLabs Inc., an e-mail security firm.

For his part, Sen. Leahy acknowledged in an interview that it might be hard to catch the people behind phishing schemes. "I want to make sure there's teeth there if you do," he said. It has "gotten to a point where you really don't have an awful lot of choices ... If people start losing faith in the ability of Internet commerce, then you have enormous problems."

The Federal Trade Commission says about 10 million Americans are victims of some form of identity theft annually -- a figure that includes phishing and other online scams, as well as traditional tactics such as stealing a credit card. The FTC says the cost to businesses and consumers is about $50 billion a year.

Outlook for Passage Is Uncertain

The antiphishing bills have been referred to the Judiciary Committee in both the Senate and the House, and no action has been taken yet. A spokesman for the House Judiciary Committee said it was too early to rate the legislation's chance of passage.

Congressional leaders are under pressure to help prevent identity theft following a recent string of high-profile incidents. Lawmakers on Tuesday grilled ChoicePoint Inc. Chief Executive Derek Smith about his company's sale of private data on 145,000 people to criminals posing as legitimate small-business customers.

States are also looking at the phishing problem. In Washington state, the House on March 9 passed a bill to criminalize the practice. Similar measures have been proposed in Arkansas and Minnesota.

Many in the online-security industry have advocated a system of authenticating the identity of an e-mail sender as a way to thwart phishing and other schemes. Such a system lets the receiving mail server check that the machine delivering a message is one the sender's domain has authorized to send its mail, so that a message carrying a forged "from" address can be rejected. Such tools could not only help stop spam, but would help weed out phishers posing as legitimate businesses. A number of companies and government organizations are using authentication tools, including Nike Inc. and the U.S. Food and Drug Administration.
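As a worked illustration of the sender-authentication check described above (an added example, not from the article and not code from any company it names): the most widely deployed form of this check is a sender policy published in DNS, SPF, which the article does not name, so the choice of SPF and the records below are assumptions. The checker below evaluates a simplified SPF record (ip4, ip6, include and all mechanisms) for the domain in the SMTP envelope sender against the connecting IP, using a constructed in-memory table in place of real DNS lookups. It also shows the caveat a practitioner would raise about the article's description: the check covers the domain in the envelope sender (MAIL FROM), not necessarily the From: header the user sees, so a phisher who sends from a domain it controls can pass the check while still displaying a bank's address. All domain names and IP addresses are reserved documentation values invented for the example.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access). The domains
# (.test) and addresses (RFC 5737 / RFC 3849 documentation ranges) are
# invented for this example.
FAKE_DNS_TXT = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.test -all",
    "mailer.test":       "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "phisher.test":      "v=spf1 ip4:203.0.113.5 -all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` against the connecting `client_ip`.

    Simplified evaluator: supports the ip4, ip6, include and all mechanisms
    only; a, mx, exists, redirect and macros are reported as permerror.
    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                   # no policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qual = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed network in the record
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include: matches only when the referenced domain's policy passes
            matched = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism not supported by this evaluator
        if matched:
            return QUALIFIERS[qual]     # first matching mechanism decides
    return "neutral"                    # no mechanism matched and no "all" term


def authenticate(mail_from, header_from, client_ip, dns=FAKE_DNS_TXT):
    """Run the SPF check the way a receiving server would, on the envelope
    sender, and report separately whether the visible From: header uses the
    same domain. SPF alone does not bind the header the user reads."""
    env_domain = mail_from.rpartition("@")[2].lower()
    hdr_domain = header_from.rpartition("@")[2].lower()
    return {"spf": check_spf(env_domain, client_ip, dns),
            "aligned": env_domain == hdr_domain}


if __name__ == "__main__":
    cases = [
        # (envelope MAIL FROM, header From:, connecting IP)
        ("alerts@example-bank.test", "alerts@example-bank.test", "192.0.2.25"),   # bank's own server
        ("alerts@example-bank.test", "alerts@example-bank.test", "2001:db8::1"),  # bank's outsourced mailer, via include
        ("alerts@example-bank.test", "alerts@example-bank.test", "203.0.113.5"),  # forged bank sender from a phisher's host
        ("bounce@phisher.test",      "alerts@example-bank.test", "203.0.113.5"),  # phisher's own domain in the envelope
    ]
    for mail_from, header_from, ip in cases:
        print(f"{ip:>14}  MAIL FROM <{mail_from}>  From: {header_from}"
              f"  ->  {authenticate(mail_from, header_from, ip)}")
```

The fourth case is the one to watch: the phisher's envelope domain publishes a valid policy, so the SPF result is "pass" even though the From: header shows the bank. Weeding out that message requires a policy that ties the authenticated domain to the visible header (the "aligned" flag here), which is exactly the kind of agreement on a standard the article says had not yet been reached.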
But the tools have not been widely adopted, in part because no single authentication standard has been agreed upon, said Jeff Smith, chief executive of Tumbleweed Communications Corp., a security firm that has Nike and the FDA as clients. Requiring all e-mail to be validated also is controversial, he said. "You see these forces coming up against each other. One force wants to make the Internet more of a trusted platform. The other force wants to keep the Internet open and anonymous."

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
