Trolling For Anti-Phishing Laws

August 11, 2004
By Chris Nerney

The alarming growth of phishing has spawned a variety of responses, including technological, organizational and, lately, legislative.

President Bush just signed legislation to increase penalties against phishing and other identity theft-related cyber crimes. While the Identity Theft Penalty Enhancement Act, or ITPEA, doesn't win awards for having a compelling title (unless the word ''enhancement'' is a clever tip-of-the-hat to spammers), its goal is admirable: To make it harder for identity theft to pay.

Phishing is an insidious cyber scam perpetrated by identity thieves who use official-looking but bogus e-mail to lure recipients to a dummy Web site ready to steal visitors' personal and bank information (provided they hand it over). Nearly anyone online in the past year has been e-mailed repeatedly by ''eBay,'' ''MasterCard'' or their ''private bank,'' urging them to take urgent action to solve an urgent problem with their account ("Did we mention this is urgent?") by clicking on the provided Web site link.

Of course, like the e-mail, the Web site also looks ''official,'' but is instead a phishing hole, so to speak. And if you aren't careful, you could end up handing over credit card numbers, user names, passwords and other information for phishers to use or sell.

Lots of people haven't been careful -- the good scams are realistic-looking -- and the number of Americans who fall victim to identity fraud each year runs between seven million and 10 million, according to some estimates.

A scourge indeed. But for many people convicted of identity-theft crimes, punishment often comes in the form of probation, restitution, home confinement and perhaps a stern lecture from the judge -- a reliable recipe for recidivism.

ITPEA tries to toughen things up by establishing a new crime -- aggravated identity theft, which the federal government defines as using a stolen identity to commit other crimes. Convictions for aggravated identity theft would carry a mandatory two-year prison sentence.

Mandatory sentencing usually arises from several factors -- a climate of fear or urgency fueled by genuine frustration about a certain type of widespread crime, pressure on politicians to appear ''tough'' and the eternal desire for easy solutions.

The trouble with easy solutions is that they're not always ''just,'' and ''just'' should be the top priority of a ''justice'' system. The imposition of mandatory sentencing essentially replaces some bad judgment with no judgment, while providing a forum for public representatives to dispense some ''sheriff'' sound bites.

So while the president and the ITPEA's congressional sponsors undoubtedly feel good about their tough stand on identity theft, it's not likely that phishers, especially the many based in Asia and Eastern Europe, will be scared straight.

A better piece of anti-phishing legislation was introduced to the U.S. Senate on July 9 by Sen. Patrick Leahy, D-Vt. The Anti-Phishing Act of 2004 defines phishing as a federal crime. Specifically, the proposed law prohibits spoofing a Web site in order to ''induce, request, ask or solicit any person to transmit, submit or provide any means of identification to another.''

The bill tackles the ''lure'' part of the phishing equation by outlawing the transmission of e-mail disguised to look like it's from a legitimate business, but is intended to trick online users into providing personal and financial information with the intent to commit identity theft or fraud.

Convictions under the Anti-Phishing Act of 2004 could mean up to five years in prison -- a stiff sentence -- and a $250,000 fine. Plus the bill is proactive: Charges could be filed against phishers just for attempting an online scam, so law enforcement doesn't have to wait for a victim to be defrauded.

No legislation is perfect, but as long as criminal elements roam the Internet, clearly we'll need evolving laws to deal with them. In this case, I prefer the Leahy bill because it's tough but flexible and gives federal officials the ability to pre-empt scams.

Chris Nerney is executive editor of Jupitermedia's Earthweb and IT Management Channel.
