Computer Crime Research Center


Plugging the "phishing" hole: legislation versus technology

Date: March 17, 2005
Source: Duke's Law and Technology Review
By: Robert Louis B. Stevenson

... address without detection.[73] However, it would still be possible for a phisher to obtain a valid digital certificate for a domain that is deceptively similar to that of a target company (e.g. the phisher could use "ebay.custservices.com," which is an entirely different domain from "ebay.com").[74] Concerning the use of the recipients’ email client to verify the validity of the digital certificates, the main drawback is that not all email clients currently support the secure email standard that would be employed.[75]

33. The fourth recommendation, digitally signed email with gateway verification, is almost identical to the third recommendation; however, "[i]nstead of relying on the end user’s email client to verify the signature on the email, a gateway server at the mail relay level would verify the signatures before they were even received by the receiver’s email server."[76] While this approach solves the problem of some recipients’ use of email clients that do not support the digital certificate standard, it does not address the problem noted above regarding a phisher’s possible use of a deceptively similar domain name.[77]
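The weakness noted above, that a valid certificate for "ebay.custservices.com" proves nothing about "ebay.com", is what a verifying gateway has to handle explicitly. The following is an added illustration, not code from the article or from the APWG proposals; the trust list, the `classify_signer` helper and the simplified two-label suffix rule are assumptions for the example (a real gateway would consult the Public Suffix List).

```python
# Added example: how a signature-verifying gateway should compare the signer's
# domain with the domain it expects, rather than trusting any valid certificate.
# The suffix handling is deliberately simplified (assumes a one-label public suffix).

from dataclasses import dataclass

# Constructed trust list: brand keyword -> the one domain whose signatures count.
TRUSTED_DOMAINS = {"ebay": "ebay.com", "paypal": "paypal.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels, e.g. 'ebay.custservices.com' -> 'custservices.com'.

    Assumes a single-label public suffix; real code would use the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified host name: {host!r}")
    return ".".join(labels[-2:])


@dataclass
class Verdict:
    decision: str  # "accept", "lookalike" or "untrusted"
    reason: str


def classify_signer(signer_host: str) -> Verdict:
    """Classify the domain named in a validly signed message's certificate."""
    reg = registrable_domain(signer_host)
    # Only an exact match on the registrable domain establishes identity; a valid
    # certificate for any other domain says nothing about the brand being claimed.
    for trusted in TRUSTED_DOMAINS.values():
        if reg == trusted:
            return Verdict("accept", f"signer is {trusted}")
    # Lookalike: the brand name appears inside some label of the host name while
    # the registrable domain is different (the 'ebay.custservices.com' case).
    labels = signer_host.lower().split(".")
    for brand, trusted in TRUSTED_DOMAINS.items():
        if any(brand in label for label in labels):
            return Verdict(
                "lookalike",
                f"{signer_host} embeds '{brand}' but registers as {reg}, not {trusted}",
            )
    return Verdict("untrusted", f"{reg} is not a trusted domain")
```

A "lookalike" verdict is a signal for quarantine or user warning; the signature itself was valid, so the decision rests on the domain comparison, not on cryptographic failure.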

34. After providing a detailed and critical discussion of each recommendation, the APWG concludes its analysis with the opinion that "a combination of signed email with desktop verification, and either gateway verification or mail server IP verification would solve all aspects of the phishing problem for both consumers and business users."[78] Whether or not that prediction would eventually prove accurate, technological changes of the type recommended by the APWG are generally agreed to be a much-needed step in the right direction to address the rising phishing problem.[79]

Conclusion

35. Something must be done to stop the increasing flow of phishing scams on the Internet and technological changes must be at the forefront of any action taken. While the Anti-Phishing Act of 2005 will likely provide some additional assistance in the fight against phishing scams--and should, therefore, be passed into law--its usefulness is limited due to the global nature of the Internet and the ease with which phishers can hide and avoid judgments. Technological changes such as those proposed by the APWG therefore offer the most hope of providing a comprehensive and lasting solution to the phishing epidemic.

Footnotes

1. Robert Stevenson is a third year student at Duke University School of Law. He received a B.A. in Economics from Brigham Young University and is the founder of an Internet services company.

2. See e.g., House of Representatives Government Reform Committee, Technology, Information Policy, Intergovernmental Relations and the Census Committee Hearing, 108th Cong. 35-36 (2004), [hereinafter House Committee Hearing] (Testimony of Bill Conner, Chairman, President and CEO of Entrust, Inc. stating that "[j]ust as the Internet has supercharged commercial transactions, it has also supercharged cybercrime.") available at 2004 WL 2137978.

3. United States Dept. of Justice, Special Report on "Phishing," p. 3 (2004) [hereinafter DOJ Report], available at http://www.usdoj.gov/criminal/fraud/Phishing.pdf (last visited Oct. 19, 2004). For other definitions of "phishing," see also The Anti-Phishing Working Group, Proposed Solutions to Address the Threat of Email Spoofing Scams, Dec. 12, 2003 [hereinafter APWG Whitepaper] ("Phishing is the creation of email messages and web pages that are replicas of existing sites to fool users into submitting personal, financial, or password data.") available at http://www.antiphishing.org/Proposed%20Solutions%20to%20Address%20the%20Threat%20of%20Email%20Spoofing%20Scams%20White%20Paper.pdf (last visited Oct. 19, 2004); and Financial Services Technology Consortium, Project Proposal: FSTC Counter-Phishing Initiative, 2004, p. 2 [hereinafter FSTC Proposal] ("’phishing’ refers to the activities of criminals who imitate legitimate companies’ e-mails, web sites, and phone calls or other communications to entice account holders to share highly sensitive personal data such as SSNs, usernames and passwords, and/or account numbers. Once acquired, perpetrators leverage the stolen authenticators to commit a myriad of subsequent crimes.") available at http://fstc.org/projects/FSTC_Phishing_Prospectus_Final.pdf (last visited Oct. 19, 2004).

4. "The Anti Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing...There are currently over 706 organizations participating in the APWG." Anti-Phishing Working Group, Phishing Activity Trends Report, January, 2005, [hereinafter APWG Report] available at http://antiphishing.org/APWG_Phishing_Activity_Report-January2005.pdf (last visited March 6, 2005). The website for the APWG is http://www.antiphishing.org/.

5. APWG Report, supra note 4.

6. Id.

7. Id.

8. Laura Sullivan, California; Internet ‘Phishing’ Scams on the Rise, L.A. Times, Mar. 22, 2004, p. C2.

9. Good news: 'Phishing' scams net only $500 million, CNET News.com, Sept. 29, 2004 (article summarizes studies from Truste, Inc. and Gartner, Inc.) available at http://news.com.com/Good+news+Phishing+scams+net+ionlyi+500+million/2100-1029_3-5388757.html (last visited Oct. 19, 2004).

10. Harry A. Valetk, Mastering the Dark Arts of Cyberspace: A Quest for Sound Internet Safety Policies, 2004 Stan. Tech. L. Rev. 2, 12 (2004).

11. Thomas Fedorek, Computers + Connectivity = New Opportunities for Criminals and Dilemmas for Investigators, 76-FEB N.Y. St. B.J. 10, 16 (2004).

12. S. 472, 109th Cong. (2005).

13. S. 2636, 108th Cong. (2004).

14. S. 472 at §1351(b).

15. Id. at §1351(a).

16. 150 Cong. Rec. S7897-02 (daily ed. July 9, 2004) (statement of Sen. Leahy). This statement was in support of the 2004 version of the Act. Because the 2005 Act is virtually identical to the 2004 version, statements supporting, analyzing, or criticizing one version are assumed to apply to the other version, as well.

17. Internet Spyware (I-SPY) Prevention Act of 2005, H.R. 744, 109th Cong. (1st Sess. 2005). This act is virtually identical to one that was submitted in the previous Congressional session but did not reach a vote. That act was the Internet Spyware (I-SPY) Prevention Act of 2004, H.R. 4661, 108th Cong. (2d Sess. 2004).

18. "Spyware" is "software that ‘aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer’s consent, or asserts control over a computer without the consumer’s knowledge.’" H.R. Rep No. 108-698, at 3, (2004) (Report quotes from the Federal Trade Commission’s definition of spyware available at http://www.ftc.gov/bcp/workshops/spyware/).

19. H.R. 744, Sec. 3, 109th Cong. (1st Sess. 2005).

20. There is some indication from the Report accompanying H.R. 4661 that its sponsors did not feel that any additional law specifically addressed to phishing is necessary since they write that "the [phishing] schemes themselves, and the uses of the information by the criminals who obtain it are not unique to the Internet, and almost all are illegal under existing Federal criminal laws dealing with wire fraud." H.R. Rep No. 108-698, at 4 (2004).

21. 150 Cong. Rec. S7897-02 at S7898 (daily ed. July 9, 2004) (statement of Sen. Leahy).

22. Id. at S7897.

23. Winter Casey, Lawmakers File Tech Bills To Spur Economic Growth, Technology Daily PM, July 9, 2004, available at 2004 WL 74915988.

24. David McGuire, Senate Bill Targets ‘Phishers’, Newsbytes News Network, Jul. 12, 2004, available at 2004 WL 55866572.

25. APWG Report, supra note 4.

26. This is, of course, assuming that an actual person can be traced even if a particular phishing website remains "live." For a more in-depth discussion of the difficulties of tracking down Internet scammers and holding them legally accountable for their actions, see Michael Rustad, Punitive Damages in Cyberspace: Where in the World is the Consumer?, 7 Chap. L. Rev. 39 (Spring 2004).

27. See e.g. Kathy M. Kristof, Avoid Letting Yourself Get Hooked by an Internet ‘Phishing’ Expedition, Los Angeles Times, Feb. 1, 2004, C3, available at 2004 WL 55890852 (referring to phishing as a "two-tiered scam").

28. See e.g. Karen Greenstein, Defending Your Brand from Email Spoofs--Powerpoint Slides, 784 PLI/Pat 271, at 279-80 (Apr. 2004) (listing the harms to a business caused by a phishing attack as (i) harm to reputation, (ii) impairment of legitimate communication, (iii) strain on the customer service department, and (iv) strain on the servers).

29. Paul Courant, Provost’s Statement on Fraudulent ("Spoofed") E-Mail, Oct. 3, 2002 [hereinafter Second Courant Message], available at http://www.umich.edu/courant2.html (last visited Oct. 21, 2004).

30. Id.

31. Id.

32. Paul Courant, Interim Provost Paul Courant’s Message to Campus Regarding Violation of E-Mail Policy, Sep. 26, 2002 [hereinafter First Courant Message], available at http://www.umich.edu/courant.html (last visited Oct. 21, 2004).

33. Id.

34. Id.

35. Second Courant Message, supra note 29.
36. Id.

37. Id.

38. Email from John F. Burness, Senior Vice President for Public...
