Will the Anti-Phishing Act make a difference?
By Gearhead, NetworkWorld.com, 03/18/05
Under the proposed Anti-Phishing Act of 2005, introduced on February 28th, 2005, by Senator Patrick Leahy (D-Vermont), phishers and pharmers would face fines up to $250,000 along with up to five years in the slammer.
Leahy's introduction to the bill reads: "Today I am introducing a bill, the Anti-Phishing Act of 2005, which targets a serious threat to the security of the Internet." Strikes us as a curious way to put it -- the threat is to the privacy of consumers, not the security of the Internet -- but we doubt whether the good senator penned his own words, so we probably shouldn't be surprised.
The proposal reads: "The Anti-Phishing Act of 2005 would enter two new crimes into the U.S. Code. The first prohibits the creation or procurement of a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. The second prohibits the creation or procurement of an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft."
The question is: will this bill actually make a difference?
Well, you can divide the phishers into two groups: the amateurs and the professionals. The amateurs are, at best, moderately skilled and most likely not overly clever when it comes to covering their tracks. These low-level miscreants are the ones who should be deterred by the bill's penalties.
But the professionals are a different matter entirely. Professional phishers are, by all accounts, involved with international organized crime. The hosting and connectivity services they use operate outside of US jurisdiction and they have enough knowledge and skill to make finding them, let alone arresting them, extremely difficult if not impossible.
Here's an interesting thing: Let's say that the amateurs are responsible for a significant proportion of all phishing and pharming attempts (say more than 50%). Remove them from the equation and the press will trumpet "Leahy Act Reduces On-line Crime!" The result? The public will feel much safer when in fact they will be anything but.
The problem is that the professionals, whose phishing attempts are much more sophisticated and convincing, will be left. If this group is smart enough not to take up the slack created by the amateurs giving up (in other words, not to increase the number of phishing attempts significantly), then they stand a good chance of being even more successful because of the perception of reduced risk!
As with so many technology issues, the problems of phishing and pharming are not things you can solve by legislation. What's needed are better defensive technologies and better-informed consumers. The former are slowly developing but not fast enough. Achieving the latter depends on how the banks, retailers, and so on interact with their customers -- what we need are standards for how institutions will interact with their customers.
But there is a solution that will solve much of the problem: sender identification. If everyone were to start using messaging systems that validated the identity of the sender, not only would phishing become much less effective but spam would become a minor problem. Perhaps what we need is a bill that mandates that government departments can only receive e-mail that supports sender ID; then within a couple of years sender ID would be commonplace and phishing and spam would become historical footnotes.