Computer Crime Research Center


Plugging the "phishing" hole: legislation versus technology

Date: March 17, 2005
Source: Duke's Law and Technology Review
By: Robert Louis B. Stevenson

... an "open relay" in order to help hide their identity. Despite the best efforts of the investigating team, it is possible we may not be able to determine who really sent the messages.[37]

14. Two years after this event, an almost identical incident occurred at Duke University shortly before Duke hosted a PSM conference.[38] As of yet, investigators at Duke attempting to track down the source of the unauthorized e-mail were again only able to "determine that it originated in California."[39]

15. These incidents highlight one of the biggest roadblocks that any legislation in this area faces--finding the perpetrators. In order to punish phishers for their fraudulent actions, one must first locate them. Yet, the current state of Internet technology makes this extremely difficult. In a recent report to Congress by the Federal Trade Commission concerning the spam problem--the findings of which could apply equally as well to phishing--the situation was explained in this way:

The single greatest challenge for anti-spam law enforcement is to identify and locate the source of a particular spam campaign. Finding the wrongdoer is an important aspect of all law enforcement efforts, but in spam cases it is a particularly daunting task. Because the present email system lacks any mechanism requiring that a sender’s identity be authenticated, spammers can and do conceal their identities with ease.[40]

16. Put another way,

[the] Internet allows anonymous communications that are virtually impossible to trace through Internet nodes. Cyber-tortfeasors frequently use false e-mail headers and anonymous remailers to make it difficult to retrace the steps of wrongdoing. Computer records are easy to alter and it is likely that spoliation of electronic evidence is widespread.[41]

17. No threats of legal action can ever hope to effectively reduce the growing phishing problem until there is some way of finding the phishers.

18. The second hurdle, obtaining jurisdiction over the phisher, stems from the fact that "[c]ybercrime has always been a cross-border enterprise."[42] Even if the perpetrator can be located, it is very possible that the person is located in a foreign country outside of the legislation’s jurisdictional reach. Indeed, "[c]ountries where cybercrime flourishes tend to have weak laws dealing with computer crime, law enforcement agencies that lack computer forensic capabilities and an underdeveloped apparatus for collaborating with law enforcement agencies in other countries."[43]

19. In fact, the APWG found that as of January 2005, only 32% of phishing web sites were located in the United States.[44] The three countries hosting the next largest percentage of phishing sites were China, South Korea and Japan.[45] Clearly, jurisdictional issues are a major hurdle in applying U.S.-based legislation to foreign phishing scheme perpetrators.

20. The third problem is that even if the first two hurdles are overcome the perpetrator will very often be found to be "judgment proof."[46] This phenomenon is explained as follows:

Even when a prevailing plaintiff wins a large punitive damages award, collecting it is a different matter. Collecting a punitive damages award is difficult because a number of wily Internet mice either fail to make an appearance, file bankruptcy, or simply disappear after the plaintiff obtains a judgment. Default judgments outnumbered cases decided by juries in the larger cybertort dataset. . . . The large number of default judgments in cyberlaw reflects the reality that it is easy for web sites to disappear or assets to be transferred.[47]

21. The Federal Trade Commission’s own experience in attempting to enforce judgments against Internet scammers illustrates the problem:

Indeed, the most egregious spammers, like other fraud operators, are likely to transfer assets offshore to place them beyond the reach of U.S. courts. . . . In the FTC’s experience, attempting to reach the defendants’ offshore funds necessitates a foreign action to enforce a U.S. court judgment. This is time-consuming, expensive, and, in many cases, futile, as many countries do not enforce U.S. court judgments obtained by government agencies.[48]

22. The House of Representatives itself has echoed these sentiments by acknowledging that "the vast majority of phishing would likely be unaffected by government regulation or civil enforcement."[49]

23. With these three formidable hurdles--finding the perpetrator, obtaining jurisdiction, and collecting the judgment--what options do we have to combat the ever increasing phishing problem?

II. Another option - Focus on Technology

A. If not legislation, then what?

24. Phishing is a problem that exploits a weakness in the current state of technology and, in a manner of speaking, "uses it against us." It makes sense, then, that an effective solution to this problem should focus on repairing this weakness.[50] One commentator described the technological weakness in this way:

When the Internet was used mainly to communicate and access information, the lack of security didn't much matter. Now that it's used for online transactions and critical information, the absence of security is truly a big problem. It's as if consumers and businesses that rely on the Internet have wandered into a dangerous neighborhood of cheats, pickpockets and thieves, and don't even know it.[51]

25. Now that consumers and businesses are becoming increasingly aware of the Internet’s "dangerous neighborhood," what can be done about it? The House of Representatives has offered this useful suggestion: "[t]here is no silver bullet to end spyware or phishing but greater consumer awareness and use of available technological countermeasures clearly hold the greatest promise for curbing these abusive practices."[52]

26. Congress’s first recommendation is to increase "consumer awareness." To be sure, "common sense and a healthy level of suspicion go a long way toward not becoming a victim of phishing."[53] Nevertheless, consumer awareness alone is not sufficient to solve the phishing problem. While it might be convenient to assume that only the gullible or Internet novices fall victim to phishing scams, the current state of technology and the phishers’ ability to exploit it is such that even the most jaded and "web savvy" consumers can fall victim to a phishing scam.[54] Consumer awareness must be coupled with technological improvements.

B. The Recommendations

27. A number of Internet-industry groups and technology companies have come out with specific recommendations for changes and improvements in the current Internet technology that they feel would reduce or even eliminate the phishing problem. These groups include the APWG,[55] the Financial Services Technology Consortium,[56] Next Generation Security Software Ltd.,[57] Yahoo! Inc.[58] and Microsoft Corporation.[59]

28. Judging from the number of different sources that are making them, there seems to be no shortage of recommendations for how to make the Internet and email more secure. The real questions seem to be (1) which recommendations should be implemented, (2) how should they be done, and (3) when? It is the lack of a consensus on these details that has prevented us from already having the recommended upgrades.[60] Despite the current disagreement, the rising tide of phishing scams is prodding the various groups to work together to implement changes to alleviate the problem.[61]

29. Leading the charge in calling for technology changes to combat phishing has been the APWG. In December 2003, the group proposed four possible technological solutions aimed at preventing phishing scams.[62] These recommendations are:

1. Strong Website Authentication.[63]
2. Mail Server Authentication.[64]
3. Digitally Signed Email With Desktop Verification.[65]
4. Digitally Signed Email With Gateway Verification.[66]

30. The first recommendation, strong website authentication, "would require all users of legitimate e-commerce and e-banking sites to strongly authenticate themselves to the site using a physical token such as a smart card."[67] In essence, this means that anyone wanting to bank or make purchases online from such websites would first need to swipe a card in a device connected to their computer before being allowed to do so. The APWG notes that this approach is feasible only "for e-commerce and e-banking applications that do not have a large number of users, and where the risk of a phisher gaining access to a user’s account are high."[68]

31. The second recommendation, mail server authentication, would require all email to pass through a gateway server for source verification.[69] The APWG notes that the benefits of this approach include the ease with which it can be configured and the increased ability for legitimate business email to be identified.[70] Potential drawbacks, however, include the facts that both sender and recipient gateways are required and that it does not accommodate e-mail forwarding.[71]
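To make the gateway source-verification idea concrete, here is an added illustration (not code from the article, the APWG or any vendor) of the check a recipient gateway would perform: it asks whether the server that delivered a message is one the sender's domain has published as authorized. The published list is a constructed in-memory table rather than a DNS lookup, and the domains and addresses are assumptions drawn from the reserved documentation ranges. The forwarding case shows the drawback the text mentions: a legitimate message relayed through an intermediate mailbox arrives from an address the origin domain never published, so the check fails.

```python
import ipaddress

# Constructed policy table: each sending domain's published list of the
# networks its outbound mail servers use. Real deployments publish this
# in DNS; an inline dictionary keeps the example runnable offline.
AUTHORIZED_SENDERS = {
    "bank.example": ["192.0.2.0/24", "198.51.100.10/32"],
    "shop.example": ["203.0.113.0/26"],
}


def sender_domain(mail_from: str) -> str:
    """Return the domain part of an envelope sender address."""
    if "@" not in mail_from:
        raise ValueError(f"not an e-mail address: {mail_from!r}")
    return mail_from.rsplit("@", 1)[1].lower()


def source_verified(mail_from: str, connecting_ip: str) -> str:
    """Recipient-gateway check.

    Returns 'pass' if the connecting server is inside one of the networks
    the sender's domain published, 'fail' if the domain published a list
    but this server is not on it, and 'none' if no policy exists.
    """
    networks = AUTHORIZED_SENDERS.get(sender_domain(mail_from))
    if networks is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for net in networks:
        if ip in ipaddress.ip_network(net, strict=True):
            return "pass"
    return "fail"


def forwarding_case() -> dict:
    """A message that bank.example really sent, then forwarded by a third
    party mailbox (constructed address 203.0.113.200) to the final recipient.
    The origin leg passes; the forwarded leg fails despite being legitimate,
    which is the drawback of a purely source-based scheme."""
    return {
        "direct": source_verified("alerts@bank.example", "192.0.2.25"),
        "forwarded": source_verified("alerts@bank.example", "203.0.113.200"),
    }


if __name__ == "__main__":
    print("legitimate:", source_verified("alerts@bank.example", "192.0.2.25"))
    print("unlisted server:", source_verified("alerts@bank.example", "198.51.100.11"))
    print("no policy:", source_verified("someone@unknown.example", "192.0.2.25"))
    print("forwarding:", forwarding_case())
```

The `strict=True` on `ip_network` rejects malformed policy entries such as `192.0.2.5/24` (host bits set) instead of silently widening them, which is the safer failure mode for an allow-list.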

32. The third recommendation, digitally signed email with desktop verification, would have companies that feel they are vulnerable to phishing attacks attach a digital signature to all their outbound email. The digital signature would then be verified for authenticity by the email client used by the recipient.[72] In evaluating the pros and cons of using digital signatures, the APWG notes that this approach would make it impossible to forge the "From:" address without detection.[73] However, it would still be...
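As an added example of the third recommendation (not code from the article, the APWG or any vendor), the block below has a sending company sign the From: header, Subject: and body of each outbound message, and has the recipient's mail client verify that signature before trusting the From: address. The signature scheme is textbook RSA over a SHA-256 digest, using two fixed Mersenne primes so the example runs with only the Python standard library; this is a toy key for illustration, not a key size or padding scheme anyone should deploy. The sender address, the public-key table the client consults, and the message texts are all constructed assumptions.

```python
import hashlib

# Toy RSA key built from two fixed Mersenne primes (2^61-1 and 2^89-1) so the
# example needs no key generation. A real deployment uses generated keys of
# proper size with a padding scheme; these constants are for illustration only.
_P = 2**61 - 1
_Q = 2**89 - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python 3.8+)

# The recipient's client must obtain the sender's public key from a trusted
# source (a certificate or directory). Here both tables are constructed in memory.
PUBLIC_KEYS = {"alerts@bank.example": (N, E)}
PRIVATE_KEYS = {"alerts@bank.example": (N, _D)}


def canonical(from_addr: str, subject: str, body: str) -> bytes:
    """Bind From:, Subject: and body into one byte string, so that altering
    any of them (including the From: address) changes what was signed."""
    return "\n".join([f"From: {from_addr}", f"Subject: {subject}", "", body]).encode("utf-8")


def _digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the canonical message, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_message(from_addr: str, subject: str, body: str) -> int:
    """Sender side: sign with the private key belonging to the From: address."""
    n, d = PRIVATE_KEYS[from_addr]
    return pow(_digest_int(canonical(from_addr, subject, body), n), d, n)


def verify_message(from_addr: str, subject: str, body: str, signature: int) -> bool:
    """Desktop-verification side: the client looks up the public key for the
    claimed From: address and checks the signature against the message it
    actually received. An unknown sender cannot be verified and is rejected."""
    key = PUBLIC_KEYS.get(from_addr)
    if key is None:
        return False
    n, e = key
    return pow(signature, e, n) == _digest_int(canonical(from_addr, subject, body), n)


def scenarios() -> dict:
    """Three receptions of a constructed message: the genuine one, the same
    signature pasted onto an altered body, and a message claiming the bank's
    From: address with a signature the claimant made up."""
    sender, subject = "alerts@bank.example", "Your statement is ready"
    body = "Your monthly statement is available in online banking."
    sig = sign_message(sender, subject, body)
    altered = "Confirm your details at http://203.0.113.9/login"  # constructed
    return {
        "genuine": verify_message(sender, subject, body, sig),
        "altered_body": verify_message(sender, subject, altered, sig),
        "forged_from": verify_message(sender, subject, altered, 12345),
    }


if __name__ == "__main__":
    print(scenarios())
```

The point the text makes, that a forged From: cannot pass undetected, shows up in the last two cases: without the private key the forger can neither produce a signature for a new body nor reuse a real one, because the From: line is inside the signed bytes. Whether the client has a trustworthy copy of the public key is the part this toy assumes away, and it is where the "desktop verification" variant carries its deployment cost.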

2005-09-02 06:29:19 - Very nice Mira
2005-04-11 07:51:00 - I am really amazed at the international... Prof. D. R. Kiran
Copyright © 2001-2013 Computer Crime Research Center