
Page 1: Phishing Tales: Honestly, the problem is ‘this big’ Peter Black, Queensland University of Technology p2.black@qut.edu.au

Phishing Tales: Honestly, the problem is ‘this big’

Peter Black, Queensland University of Technology, p2.black@qut.edu.au

http://freedomtodiffer.typepad.com/

Page 2:

Outline

1. Phishing explained: definition, case studies, why the ‘ph’?
2. Growth of phishing
3. Australian legislation
4. US position
5. Difficulties with a legislative response
6. Other methods of combating phishing

Page 3:

1. Phishing explained

Phishing is the creation and use of e-mails and websites designed to deceive internet users into disclosing their bank and financial account information or other personal data.

Once this information is obtained, it is then used to commit fraudulent acts.

Page 4:

Case study: Westpac

Source: Anti-Phishing Working Group <http://www.antiphishing.org/phishing_archive/05-03-04_Westpac_(Westpac_Bank_users_warning).html>


Page 7:

Other targets: Internet services

Source: Anti-Phishing Working Group <http://www.antiphishing.org/phishing_archive/25-10-04_MSN(Your_membership_will_be_cancelled)/25-10-04_MSN(Your_membership_will_be_cancelled).html>


Page 9:

Other targets: Online commerce sites

Source: Anti-Phishing Working Group <http://www.antiphishing.org/phishing_archive/01-31-05_Amazon/01-31-05_Amazon.html>


Page 12:

Other targets: Search engines

Source: millersmiles.co.uk: the web’s dedicated anti-phishing service <http://www.millersmiles.co.uk/report/878>

Page 13:

Charities: United Way

Source: millersmiles.co.uk: the web’s dedicated anti-phishing service <http://www.millersmiles.co.uk/report/1201>

Page 14:

Why phishing with a ‘ph’?

The word ‘phishing’ is derived from the analogy that internet scammers use email lures to ‘fish’ for passwords and financial information from the ‘sea’ of internet users.

The term was first used in 1996 by hackers attempting to steal America Online (AOL) accounts.

Page 15:

2. Growth of phishing

Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006<http://www.antiphishing.org/reports/apwg_report_May2006.pdf>

Page 16:

Phishing sites hosting countries

Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006<http://www.antiphishing.org/reports/apwg_report_May2006.pdf>

Page 17:

Economic impact of phishing

The dollar damage from phishing is substantial. Estimates of the loss to consumers and online commerce range from $500 million a year (Ponemon Institute 2004) to $2.4 billion in 2003 (Gartner 2004).

Phishing also exacts a significant toll on individual consumers. See Jennifer Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’ (2005) 20 Berkeley Technology Law Journal 259 at 266-67.

Page 18:

3. Australian legislation

Phishing could be criminally prosecuted under state legislation that deals with identity theft and fraud:

Crimes Act 1958 (Vic): obtaining property by deception (s 81(1)), and obtaining financial advantage by deception (s 82);

Crimes Act 1900 (NSW): obtaining money by deception (s 178BA), obtaining money by false or misleading statements (s 178BB), obtaining credit by fraud (s 178C), false pretences (s 179), and fraudulent personation (s 184);

Criminal Code 1899 (Qld): misappropriation (s 408C);

Criminal Code (WA): fraud (s 409(1));

Page 19:

Australian legislation continued …

Criminal Code Act 1924 (Tas): dishonestly acquiring a financial advantage (s 252A(1)), and inserting false information on data (s 257E);

Criminal Code 2002 (ACT): obtaining financial advantage by deception (s 332), and general dishonesty (s 333);

Criminal Code (NT): criminal deception (s 227);

Criminal Law Consolidation Act 1935 (SA): false identity (s 144B), and misuse of personal identification information (s 144C).

Page 20:

Criminal Code Act 1995 (Cth)

Part 10.8 of the Criminal Code Act, s 480.4 provides:

A person is guilty of an offence if the person:
a) dishonestly obtains, or deals in, personal financial information; and
b) obtains, or deals in, that information without the consent of the person to whom the information relates.

Penalty: Imprisonment for 5 years.

Page 21:

Other relevant Commonwealth legislation

1. Spam Act 2003 (Cth);

2. Trade Practices Act 1974 (Cth);

3. Privacy Act 1988 (Cth);

4. Trade Marks Act 1995 (Cth).

Page 22:

4. US position

Federal offences:

1. Identity theft (18 U.S.C. 1028 (2000));
2. Wire fraud (18 U.S.C. 1343 (2000 & Supp. II 2002));
3. Access device fraud (18 U.S.C. 1029 (2002));
4. Bank fraud (18 U.S.C. 1344 (2000)).

Internet users are also protected by the: Truth in Lending Act (15 U.S.C. 1643(a)(1) (2000)); and Gramm-Leach-Bliley Act (15 U.S.C. 6821(b) (2000)).

Page 23:

US position

The Identity Theft Penalty Enhancement Act, enacted in 2004, established a new crime of ‘aggravated identity theft’, the use of a stolen identity to commit other crimes.

Most states have criminal and consumer protection laws that deal with identity theft.

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), enacted in 2003, is also relevant.

Page 24:

Anti-Phishing Act of 2005

The Anti-Phishing Act of 2005 is a bill to create two new crimes that prohibit the creation or procurement of:

1. a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft;

2. an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.

Page 25:

5. Difficulties with a legislative response

1. Phishing is difficult to deter as the normal barriers to offline crime do not apply.

2. Phishers are able to appear and disappear remarkably quickly, making their identification and prosecution difficult.

3. Jurisdictional issues.

4. Phishers are often found to be judgment proof.

Page 26:

6. Other methods of combating phishing

Information security technology solutions:
1. Strong website authentication;
2. Mail server authentication;
3. Digital signatures and/or gateway verification.

Internet users should also use spam filters on email, anti-virus software and personal firewalls.

Page 27:

6. Other methods of combating phishing

Internet users should look for signs that the email they have received is a phishing email: deceptive addresses; emails addressed to a generic name rather than a username; unexpected requests for personal information; alarmist warnings; mistakes.
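The two slides above name mail server authentication as a technical control and list the signs a reader should look for in a suspect email. As an added example that is not part of the original deck, the Python script below runs those checks over two constructed messages: it reads the receiving gateway's Authentication-Results header for SPF/DKIM results (my reading of ‘mail server authentication’; the slide names no mechanism), compares the From and Reply-To domains, compares each link's visible text with its real destination, and scans the body for a generic greeting, alarmist wording and requests for credentials. Every address, domain, header value and message body is made up, and the three-indicator threshold is an assumption.

```python
"""Heuristic phishing triage over a raw RFC 5322 message.

Added example for this page, not the author's code. Every domain, address,
header value and message body below is constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear member", "dear user", "dear valued customer")
URGENCY_PHRASES = ("suspend", "cancel", "immediately", "within 24 hours", "verify your account", "urgent")
CREDENTIAL_RE = re.compile(r"\b(password|pin|account number|credit card|login details)\b")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _Links(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def same_org(host_a, host_b):
    """True when one host equals or is a subdomain of the other.
    Assumption: no public-suffix list, so the comparison is deliberately simple."""
    a, b = host_a.lower(), host_b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def phishing_indicators(raw):
    """Return the warning signs present in one raw message, in check order."""
    msg = message_from_string(raw)
    found = []

    # Mail server authentication: trust only what the receiving gateway recorded.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        found.append("sender-not-authenticated")

    # Deceptive addresses: Reply-To points at a different organisation than From.
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in from_addr and "@" in reply_addr and not same_org(from_addr.split("@")[1], reply_addr.split("@")[1]):
        found.append("reply-to-domain-mismatch")

    html = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    text = re.sub(r"<[^>]+>", " ", html).lower()

    # Deceptive links: visible text names one host but the href goes elsewhere, or to a bare IP.
    parser = _Links()
    parser.feed(html)
    for shown_text, href in parser.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(shown_text if "://" in shown_text else "http://" + shown_text).hostname or ""
        if "." in shown and target and not same_org(shown, target):
            found.append("link-text-domain-mismatch")
        if IPV4_RE.fullmatch(target):
            found.append("link-to-ip-address")

    # The remaining signs from the slide: generic greeting, alarmist wording, credential requests.
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic-greeting")
    if any(u in text for u in URGENCY_PHRASES):
        found.append("alarmist-warning")
    if CREDENTIAL_RE.search(text):
        found.append("requests-personal-information")
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def is_suspicious(raw, threshold=3):
    """Flag a message once several independent signs line up (threshold is an assumption)."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed lure in the style of the bank case studies on the slides.
PHISH = """\
From: "Example Bank Online" <alerts@examplebank-secure-login.example>
Reply-To: examplebank.support@freemail.example
To: customer@example.net
Subject: Your account will be suspended
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=examplebank-secure-login.example; dkim=none
Content-Type: text/html; charset=us-ascii

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. Your account will be suspended within 24 hours
unless you verify your account details, including your password and PIN, at
<a href="http://203.0.113.5/examplebank/login.php">www.examplebank.example/login</a>.</p>
</body></html>
"""

# Constructed legitimate notice from the same (fictional) bank.
LEGIT = """\
From: "Example Bank" <noreply@examplebank.example>
To: jane.doe@example.net
Subject: Your March statement is available
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example
Content-Type: text/html; charset=us-ascii

<html><body><p>Dear Jane,</p>
<p>Your March statement is now available in online banking:
<a href="https://www.examplebank.example/statements">www.examplebank.example/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, is_suspicious(raw), phishing_indicators(raw))
```

Each check is weak on its own (a real bank may well address customers generically, and a forwarded mail loses its authentication results), which is why the script reports the individual signs and only flags a message once several of them coincide; the gateway's own Authentication-Results header is used rather than any claim inside the message, because the sender controls everything else.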

Page 28:

Conclusion

Issue: legislation vs technology

Professor Lawrence Lessig has argued that architecture or ‘code’ is better than traditional law in cyberspace because law regulates ‘through the threat of ex post sanction, while code, in constructing a social world, regulates immediately’. Lawrence Lessig, ‘The Constitution of Code: Limitations on Choice-Based Critiques of Cyberspace Regulation’, 5 CommLaw Conspectus 181, 184 (1997).

Page 29:

Conclusion

As we wait for technological improvements, companies and consumers need to be aware of the phishing threat and use existing technology and common sense to reduce the instances of successful phishing attacks.

If companies and consumers fail to respond, phishing will have caught us hook, line and sinker.

Page 30:

Creative Commons License

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Australia License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/au/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.