While the U.S. House of Representatives has initially focused on anti-spyware measures in the early days of the 109th Congress, Sen. Patrick Leahy (D-Vt.) this week targeted phishing in one of the first technology bills introduced in the upper chamber.
Phishing is a form of identity theft launched by cyberspace con artists. It usually begins with spoofed e-mail appearing to be from a trusted financial institution or business. The e-mail directs the reader to a fraudulent site that attempts to collect personal information such as credit card and account numbers.
"Some phishers and pharmers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only after someone has been defrauded," Leahy said in a floor speech introducing the legislation. "For most of these criminals, that leaves plenty of time to cover their tracks."
Leahy's Anti-Phishing Act of 2005 targets both the e-mail bait and the Web site switch by entering two new crimes into the U.S. Code. The bill prohibits the creation or procurement of an e-mail that represents itself as being from a legitimate business but is, in fact, sent with the intent to commit a fraud or identity theft.
The second part of the bill prohibits the creation or procurement of a Web site that appears to be legitimate but attempts to induce the victim to divulge personal information with the intent to commit a crime of fraud or identity theft.
The bill also targets the practice of pharming, which entails hijacking Web browsers and the Internet's addressing system. The effect is that even individuals who correctly type a desired Internet destination into their Web browser may be redirected to a phony Web site.
The bill calls for fines of up to $250,000 and prison terms topping out at five years for convicted phishers and pharmers.
"It has been reported that the average phishing Web site is active on the Internet for less than six days. Moreover, the mere threat of these attacks undermines everyone's confidence in the Internet," Leahy said. "When people cannot trust that Web sites are what they appear to be, they will not use the Internet for their secure transactions. Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing and pharming."
According to the Anti-Phishing Working Group (APWG), phishing attacks jumped 42 percent from December to January. The APWG reported 12,845 new, unique phishing e-mails, and the number of phishing Web sites supporting these messages reached 2,560, which is up 47 percent from 1,740.
The types of attacks are also expanding, with cyber criminals looking beyond "Port 80" HTTP-based attacks. Port 80 is the default port for the HTTP Web protocol. In January, nearly 10 percent of phishing sites were hosted on non-Port 80 HTTP servers in an apparent attempt to evade detection.
The APWG believes the trend away from targeting Port 80 indicates that the number of user PCs that have been compromised for phishing attacks is growing. The report also said that financial service firms continue to be a leading target. Eight of nine newly hijacked brands in January belonged to financial institutions.
"To many Americans, phishing and pharming are new words. They are certainly a new form of an old crime. They are also very serious, and we need to act aggressively to keep them from eroding the public's trust in online commerce and communication," Leahy said.
Leahy said his bill protects free speech, even if it is deceptive, such as the innocent parodying of commercial Web sites for political commentary. The legislation also requires that anyone charged under the proposed new laws must have the specific criminal purpose of committing a crime of fraud or identity theft.
"There are, of course, important First Amendment concerns to be protected. The Anti-Phishing Act protects parodies and political speech from being prosecuted as phishing," Leahy said. "We have worked closely with various public interest organizations to ensure that the Anti-Phishing Act does not impinge on the important democratic role that the Internet plays."