Modernizing Authentication — What It Takes to Transform Secure Access
President Bush just signed legislation to increase penalties against phishing and other identity theft-related cyber crimes. While the Identity Theft Penalty Enhancement Act, or ITPEA, doesn't win awards for having a compelling title (unless the word ''enhancement'' is a clever tip-of-the-hat to spammers), its goal is admirable: To make it harder for identity theft to pay.
Phishing is an insidious cyber scam perpetrated by identity thieves who use official-looking but bogus e-mail to lure recipients to a dummy Web site ready to steal visitors' personal and bank information (provided they hand it over). Nearly anyone online in the past year has been e-mailed repeatedly by ''eBay,'' ''MasterCard'' or their ''private bank,'' urging them to take urgent action to solve an urgent problem with their account ("Did we mention this is urgent?") by clicking on the provided Web site link.
Of course, like the e-mail, the Web site also looks ''official,'' but is instead a phishing hole, so to speak. And if you aren't careful, you could end up handing over credit card numbers, user names, passwords and other information for phishers to use or sell.
A scourge indeed. But for many people convicted of identity-theft crimes, punishment often comes in the form of probation, restitution, home confinement and perhaps a stern lecture from the judge -- a reliable recipe for recidivism.
ITPEA tries to toughen things up by establishing a new crime -- aggravated identity theft, which the federal government defines as using a stolen identity to commit other crimes. Convictions for aggravated identity theft would carry a mandatory two-year prison sentence.
Mandatory sentencing usually arises from several factors -- a climate of fear or urgency fueled by genuine frustration about a certain type of widespread crime, pressure on politicians to appear ''tough'' and the eternal desire for easy solutions.
The trouble with easy solutions is that they're not always ''just,'' and ''just'' should be the top priority of a ''justice'' system. The imposition of mandatory sentencing essentially replaces some bad judgment with no judgment, while providing a forum for public representatives to dispense some ''sheriff'' sound bites.
So while the president and the ITPEA's congressional sponsors undoubtedly feel good about their tough stand on identity theft, it's not likely that phishers, especially the many based in Asia and Eastern Europe, will be scared straight.
A better piece of anti-phishing legislation was introduced to the U.S. Senate on July 9 by Sen. Patrick Leahy, D-Vt. The Anti-Phishing Act of 2004 defines phishing as a federal crime. Specifically, the proposed law prohibits spoofing a Web site in order to ''induce, request, ask or solicit any person to transmit, submit or provide any means of identification to another.''
The bill tackles the ''lure'' part of the phishing equation by outlawing the transmission of e-mail disguised to look like it's from a legitimate business, but is intended to trick online users into providing personal and financial information with the intent to commit identity theft or fraud.
Convictions under the Anti-Phishing Act of 2004 could mean up to five years in prison -- a stiff sentence -- and a $250,000 fine. Plus the bill is proactive: Charges could be filed against phishers just for attempting an online scam, so law enforcement doesn't have to wait for a victim to be defrauded.
No legislation is perfect, but as long as criminal elements roam the Internet, clearly we'll need evolving laws to deal with them. In this case, I prefer the Leahy bill because it's tough but flexible and gives federal officials the ability to pre-empt scams.
Chris Nerney is executive editor of Jupitermedia's Earthweb and IT Management Channel