New Anti-Phishing Law Lacks Global Weight

Security experts agree the anti-phishing legislation introduced to the U.S. Senate last month is a good first step. But they also agree there are bigger "phish" to fry in the war against online fraud.

The Anti-Phishing Act of 2005, put forth by Sen. Patrick Leahy (D-Vt.), calls for the criminalization of two essential parts of phishing attacks: the creation and procurement of Web sites with the intent to gather information from victims to be used for fraud or identity theft; and the creation or procurement of e-mail that represents itself as a legitimate business with similar intent.

"The digital age has fostered new types of cyberscams like phishing, costing consumers and businesses billions of dollars a year and undermining confidence in the Internet," Leahy says. "When people cannot trust that Web sites are what they appear to be, they will not use the Internet for their secure transactions."

It's the threat of consumers turning away from online transactions that has the business and security communities worried. And while they applaud Leahy for his efforts to help law enforcement catch and prosecute phishers before they commit serious crimes, they warn that the act only covers attacks within the U.S.

"Phishing is an international crime. It [crosses] many jurisdictional frontiers," says Peter Cassidy, secretary general of the Anti-Phishing Working Group (APWG), a global association of law enforcement and companies focused on eliminating identity theft and fraud. "You can have someone in Romania using servers in Canada and South Korea to rob people in Hawaii. That makes this a difficult crime to stop."

Cassidy says conventional phishing is steadily rising in terms of the e-mails that go out and the servers that are enlisted in scam campaigns. According to a January report from the APWG, 80 percent of phishing attacks target the financial services sector. Cassidy says banks are getting much better and quicker at stopping the attacks, using monitoring and detection tools as well as browser-based heuristics.

However, he adds that phishers also are getting better at creating new tactics. "There's an escalating confrontation between phishing and counter-phishing movements."

In fact, security experts are seeing an influx of new phishing techniques that bypass e-mail altogether.

"We're seeing a migration of phishing toward malware," says John Ball, senior product manager at WholeSecurity, Inc., an Austin, Texas-based developer of anti-phishing tools. "Trojan horses are being downloaded to machines when you click on a URL." That malware is then used to collect keystrokes, gathering usernames, passwords and account numbers that the victim enters into legitimate Web sites.

Stopping these types of attacks, which are sometimes referred to as technical subterfuge, is difficult, Ball says. "People want to click on URLs. They're curious. And phishers rely on social engineering."

The real harm in all of this, in addition to the financial losses caused by identity theft, is the damage done to corporations' brands and valuations.

"Financial institutions have made infrastructure changes that they can't go back from," says Craig Spiezle, director of history and external relations at Microsoft in Redmond, Wash. Banks rely on online transactions, stock trades are confirmed electronically, 401(k) program statements are sent over the Internet, he notes.

"They've moved to the electronic age and phishing risks undermine this," he says. If consumers lose confidence in doing business online, companies have no means to reinstate their "live" infrastructure. "No one wants to wait for this to go out of control. That's why they're spending so many resources to work on the problem."

One such effort was announced in December. Digital PhishNet is a coalition of companies and federal agencies -- Microsoft, America Online, Inc., VeriSign, Inc., Earthlink, Inc., the FBI, the FTC and the U.S. Secret Service. The group's goal is to provide a single avenue for communication between industry and law enforcement to help catch phishers in a timely fashion.

Spiezle says the group already has seen success by stopping a fraudulent e-mail regarding the tsunami relief effort. With the help of Digital PhishNet, "we were able to catch the person within 28 hours," he says.

Industry analysts say coalitions and legislation tackle one part of the problem. But user education is a far greater challenge.

"We have to teach people to behave in ways that are defensive," says Mark Gibbs, president of Gibbs & Co., a California-based Internet consultancy.

Gibbs says companies doing business online, such as banks, should have a better strategy for authenticating their communications with customers. He argues that the industry should have a universal online agreement that users can be trained to understand "in much the same way children learn not to go with strangers." The strategy would have to include simple rules, such as letting users know that no legitimate e-mail would include a link for users to click on.

WholeSecurity's Ball agrees that consumer awareness is key.

"The government should be educating consumers on this type of threat," he says. "There will always be people who fall for phishing attacks, but you can reduce the impact."