Federal and state governments have earnestly begun to initiate legislation to formally address phishing. Several government privacy watchdog committees, such as CDT and NASCIO, have become very active in providing current technology updates that emphasize the protection of personal data, citizen trust and confidence in government, identity management, and theft concerns. The new Identity Theft Penalty Enhancement Act (HR-1731) addresses the core tactic of Internet scammers; it prohibits the creation of e-mail that represents itself as a legitimate message to trick the recipient into divulging personal information with the intent to steal the recipient’s identity.
Everyone, especially law enforcement, hopes that this new legislation will enable a quicker turnaround time for arrests and, more important, the ability of the courts to convict. Although HR-1731 still requires enforcement to wait for a person to be victimized before action can be taken against the phisher, conviction carries a mandatory two-year sentence. This means that reporting phishing activity to law enforcement could simply fill up their incoming mailbox, unless an individual reported the crime after they had naively fallen for the scam.
Other pending new legislation that specifically targets phishing:
■ Anti-Phishing Act of 2004, S2636
■ The SpyBlock Act, S2145
■ Safeguard Against Privacy Invasion Act (or SpyAct), HR-2929
■ Social Security Number Privacy and Identity Theft Prevention Act of 2003, HR-2971
Senator Patrick Leahy (D-Vermont) recently proposed the Anti-Phishing Act of 2004 (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_bills&docid=f:s2636is.txt.pdf), which states that the act of phishing would be considered a federal crime. This bill would ban the act of spoofing a Web site for the purpose of acquiring another person’s identity. Although this bill will enable law enforcement to react to specific phishing attacks in a more timely fashion, will it actually aid in tracking the phishers more efficiently and ultimately lead to arrests? This is a question with both technical and legal ramifications.
Technical Ramifications
The reason that phishers are often not being prosecuted today involves many factors. Simply put, from a technical perspective, phishing is a very fast-paced criminal activity. The act of phishing can be performed instantaneously; as fast as phishers strike, they vanish back into cyberspace. There is no getaway car to chase, no literal fingerprints to lift, and no face for a witness to identify. By the time traditional forensics teams become involved, far too much damage has occurred and the trail is long cold.
The phony Web sites are now very rapidly migrating from one server to another in their effort to stay one step ahead of Internet service providers (ISPs) and law enforcement. Secure Science has observed new phishing sites becoming active within as little as six hours and as long as 10 days. Proactive detection and tracking of victim-zero, that is, the point at which the phishers perform their first target test, is the key to being able to stop phishing attacks, regardless of their intended payload (malware/spam).
Legal Ramifications
Simply enacting new legislation with hefty penalties and ramping up law enforcement alone are not enough to stop phishing. The current approach requires a person to become victimized before law enforcement and prosecution can take action against the phisher. Even when a technically savvy Internet user forwards suspected e-mail fraud to the DOJ or FTC, no enforcement can take place until a victimized individual can be identified.
Since a phisher’s entire intent is to commit fraud, why shouldn’t a phisher be punishable before someone is victimized? The majority of current spyware legislation may be too broad to actually do much more than create a mountain of litigation between legitimate e-commerce business owners and the state(s). Antivirus and antispam vendors are included in this litigation, since their traditional collecting of data over the Internet to analyze and prevent virus attacks by providing online updates is construed as illegal under Utah’s SB-323 spyware law.
The Anti-Phishing Act of 2004 (S2636) is the first legislation of its kind that truly addresses the entire scam. This includes creation of fraudulent Web sites and sending fraudulent e-mail. Freedom of speech issues are averted by simply stipulating that the perpetrator has the specific criminal purpose of committing a crime of fraud or identity theft. This bill makes it illegal to knowingly send a spoofed e-mail that is linked to a fraudulent Web site, with the intention of committing a crime, and it criminalizes the operation of a fraudulent Web site. If the bill were to become law, each identifiable element of a phishing scam would become a felony, subject to five years in prison and/or a fine up to $250,000.
But even if the Anti-Phishing Act were to become law, there is still much work to be done on an international basis. Most phishing scams operate outside North America, and it is exceedingly difficult and time consuming to attempt to prosecute an individual residing in a foreign country. Even if law enforcement successfully tracks a phishing site outside the United States, not only do the cost and time associated with making an arrest on a quickly vanishing perpetrator become prohibitive, but effective collaboration between international law enforcement agencies also needs much work.
Overall trust in the Internet for secure communications, for not only e-commerce but all forms of electronic interchange, is simply not addressed by current legislation. Antivirus and antispam companies that offer Internet mail filtering will face an increasing level of sophistication from phishers that could ultimately inhibit vendors’ ability to filter legitimate communications from the fraudulent ones.
Collaboration among the general public Internet user, ISPs, third parties, and law enforcement will be the key to successfully stopping phishers in the near future.