I, Cringely - The Survival of the Nerdiest with Robert X. Cringely

The Pulpit


Weekly Column

Phish or Phisher?: It Is Time to Put Phishing Scams Out of Business

By Robert X. Cringely

We all get them, messages from our bank or mortgage company, from eBay or PayPal, telling us there is a glitch in their system, our account data has been lost, and if we don't immediately update our customer information, some dire consequences will happen. It is a scam, of course. The message isn't coming from eBay or PayPal, but from a crook trying to get you to go to their look-alike web site and hand over enough personal information to loot your bank account or impersonate you in fraudulent credit card transactions. There are tens of millions of such messages crossing the Net every day, which says to me that at least a few people are being fooled, that these so-called "phishing" scams are profitable for the people who perpetrate them.
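The look-alike site in that scenario has to be reached through a link in the message, and the link usually betrays it: the visible text claims one site while the href points at another, the brand name is buried in a hostname that belongs to someone else, or the target is a bare IP address. Below is an added example (mine, not the column's, and not code from eBay, PayPal or any vendor named here) that pulls every link out of a constructed sample message and reports those three tells. The PROTECTED set and the two-label "registered domain" rule are assumptions kept simple for the example; real code would use the public suffix list.

```python
"""Flag look-alike links in a phishing e-mail body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the check protects; this set is an assumption for the example.
PROTECTED = ("paypal.com", "ebay.com")

# Constructed sample message, not a real phishing mail.
SAMPLE_HTML = """
<p>Dear customer, your account data has been lost. Update it now.</p>
<p><a href="http://www.paypal.com.account-verify.example.net/login">
https://www.paypal.com/cgi-bin/webscr</a></p>
<p><a href="https://www.paypal.com/help">PayPal Help Center</a></p>
<p><a href="http://203.0.113.10/ebay/update.php">Update your eBay account</a></p>
"""


def registered_domain(host):
    """Naive registered domain: the last two labels of the hostname.
    Adequate for the .com/.net hosts in the sample; not a general rule."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text):
    """Return the reasons a link looks like a phish; an empty list means clean."""
    reasons = []
    host = urlparse(href).hostname or ""
    reg = registered_domain(host)

    # 1. The visible text is itself a URL, but its host differs from the real target.
    if text.startswith(("http://", "https://")):
        shown = urlparse(text).hostname or ""
        if registered_domain(shown) != reg:
            reasons.append(f"text shows {shown} but href goes to {host}")

    # 2. A protected brand name appears in the hostname, but the registered
    #    domain is not the brand's (paypal.com.account-verify.example.net).
    for brand in PROTECTED:
        name = brand.split(".")[0]
        if name in host.lower() and reg != brand:
            reasons.append(f"brand {name!r} in hostname of unrelated domain {reg}")

    # 3. A bare IPv4 address as the link target; brands do not link to raw IPs.
    if host and host.replace(".", "").isdigit():
        reasons.append(f"link target is a bare IP address {host}")
    return reasons


def scan(html):
    """Return {href: reasons} for every suspicious link in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = classify_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan(SAMPLE_HTML).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

On the sample, the first and third links are flagged (the first for both the text/href mismatch and the embedded brand name, the third for the bare IP) and the genuine PayPal help link passes. The check is deliberately about the link, not the sender: the From: header is trivially forged, whereas the crook cannot avoid pointing you at a host they control.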

But have you ever read a news story or heard about anybody being sent to jail for this crime, which Gartner says cost U.S. businesses $1.2 billion in 2003?

I haven't.

In one sense, phishing ought to be the easiest of online crimes to punish, because the criminal needs you to visit their house in order to rob you. Tracing ownership of the bogus web site used to steal personal data ought to lead straight back to the crooks themselves. Only it generally doesn't, either because that web site has been hijacked or because it is in some country beyond the reach of law enforcement.

Figuring out exactly who is bilking your hard-earned plastic money out of you is actually quite tough. Add to that the inter-jurisdictional insanity of trying to decide whether it's the FBI or the USPIS that gets to go to Kazakhstan and try to arrest the perps, assuming Kazakhstan is even the right address.

Another problem is that a large group of phishing victims -- banks and credit card companies -- don't want to publicize their losses, which might lead to a loss of business as customers start to worry about being victimized. But it goes even further, because the financial institutions are only on the hook for reported thefts. So by not making a big deal of it, maybe you won't notice that extra $30 charge and won't demand that your credit card company cover the loss. Being upfront about phishing could easily double these companies' losses from it, by forcing them to actually assume the risk they say they'll assume.

So nobody talks about it, and the costs of phishing are generally hidden in the average eight percent that credit card companies figure they'll lose through theft, bankruptcies, etc. In a business with interest charges often going above 20 percent, phishing is tolerable.

Companies don't WANT to lose money. But when you forward your phishing messages on to or any comparable site, and they write back confirming that the message is bogus, that they have reported it to authorities and they are pursuing the bad guys, what really happens? Generally nothing.

That may be changing, though. The Anti-Phishing Working Group has been trying to put together some tools to help fight phishing. Working with the APWG, an Austin, Texas, company called InternetPerils has recently introduced something called PerilScope, which purports to track down phishing web sites automatically.

Netcraft, the British company famous for its web server surveys, has introduced a security toolbar for the Internet Explorer and Firefox browsers that gives a security rating for every web site you visit, ostensibly warning you away from phishing sites IF YOU ARE PAYING ATTENTION.

BayTSP, the California company that monitors illegal file sharing for record companies and movie studios, will later this summer introduce its own anti-phishing service that they'll sell to victimized companies. Like the PerilScope, the BayTSP service will use continuous monitoring to identify phishing scams as they are sent out, and trace them back to their sources. Going further, BayTSP president Mark Ishikawa says his service, which gets its data from a global network of phishing honeypot servers, will send the information directly to the appropriate law enforcement agency.

Ishikawa points out that phishing is in many ways like picking pockets in that there are generally two bad guys involved -- one who sends the message and another who receives the information -- and stopping just one crook isn't usually enough.

Finally, this week the U.S. Federal Trade Commission announced that it would be working with similar agencies in 16 other countries to force ISPs to monitor excessive mail production by what are most likely zombie servers, and shut them down.

This last initiative, which on the face of it really ought to be the most effective, is the one that causes me great concern. Is the government now going to be telling me I'm sending too much e-mail? How much mail is too much? And what are they doing monitoring my e-mail, anyway? Will they next be clamping down on my unhealthy propensity for forwarding Jenna Bush jokes?
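"How much mail is too much?" is exactly the question an ISP implementing that initiative has to answer with a number. The added example below (mine, not the column's, and not anything the FTC or any ISP has published) shows what such a rule looks like in practice: over a constructed connection log it counts outbound SMTP connections per source address in a sliding 60-second window and flags a source that either exceeds a volume threshold or fans out to an unusual number of distinct mail servers, the pattern of a zombie spraying spam rather than a user talking to one relay. The log format, addresses and thresholds are all assumptions for the example.

```python
"""Rate-based detection of hosts emitting abnormal outbound mail (added example)."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 60            # seconds of history kept per source address
MAX_PER_WINDOW = 20    # outbound SMTP connections from one source in the window
MAX_DISTINCT_DST = 10  # distinct mail servers contacted by one source in the window

# Constructed flow log, not real traffic. Fields: timestamp src dst dport.
# 192.0.2.7 is an ordinary user talking to one relay; 192.0.2.8 is browsing;
# 192.0.2.50 opens 25 SMTP connections to 25 different servers in under a minute.
SAMPLE_LOG = [
    "2004-06-01T12:00:01 src=192.0.2.7 dst=198.51.100.5 dport=25",
    "2004-06-01T12:00:20 src=192.0.2.7 dst=198.51.100.5 dport=25",
    "2004-06-01T12:00:45 src=192.0.2.8 dst=198.51.100.9 dport=80",
] + [
    f"2004-06-01T12:00:{s:02d} src=192.0.2.50 dst=203.0.113.{s} dport=25"
    for s in range(5, 55, 2)
]


def parse(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])


def detect(lines, window=WINDOW, max_conns=MAX_PER_WINDOW, max_dst=MAX_DISTINCT_DST):
    """Return {src: sorted rule names} for every source that trips a rule.

    'volume'  : more than max_conns SMTP connections inside any window.
    'fanout'  : more than max_dst distinct destination servers inside any window.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
    alerts = defaultdict(set)
    # ISO timestamps of equal length sort correctly as strings, so sorting the
    # raw lines puts the log in time order even if it arrived interleaved.
    for line in sorted(lines):
        ts, src, dst, dport = parse(line)
        if dport != 25:
            continue                       # only outbound SMTP counts
        history = recent[src]
        history.append((ts, dst))
        while (ts - history[0][0]).total_seconds() > window:
            history.popleft()              # drop entries older than the window
        if len(history) > max_conns:
            alerts[src].add("volume")
        if len({d for _, d in history}) > max_dst:
            alerts[src].add("fanout")
    return {src: sorted(rules) for src, rules in alerts.items()}


if __name__ == "__main__":
    for src, rules in detect(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(rules)}")
```

Only 192.0.2.50 is reported, on both rules; the two-message user and the web client are never counted. The fan-out rule is the one that separates a compromised desktop from a busy but legitimate sender: a mail client hands everything to one relay, while a zombie delivers directly to hundreds of recipient domains. In production an ISP would also exempt its own relays and known mail servers from the count, which is where the column's worry about who decides what "too much" means becomes a policy question rather than a technical one.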

Thinking there must be a better solution I contacted Max Levchin, who used to chase phishers for a living as co-founder and CTO of PayPal, a company he left a few months after it was bought by eBay back in 2002.

"The way to nail phishing," says Max, "is for the companies being impersonated to offer cash bounties -- to the first person to report the incident, the first person to call the free host and take down the site, the first person who figures out the identity of the perp. This would mean admitting that the matter is much more serious than most people realize, but that's going to have to happen, sooner than later, if columns like yours continue to give coverage to the matter. On the other hand, it's peanuts, financially, for the companies involved. There is the adverse selection problem -- why not set up phishing sites, report them, and collect the bounties? -- but it's easy to mitigate this by making the pay-outs contingent on all kinds of personal information from the good samaritan, and making the bounties really significant financially only when criminal charges are brought against the perpetrators. In fact, about a year ago, I was thinking of starting a site that would be an independent agency, holding the bounty money in escrow, ensuring the actual payments, and providing the war-room-style up-to-the-second information about what the latest phishing scams were. In the end, I decided this was a project not too different from my PayPal work, and I could do more fun things with my personal time, but still think the idea is sound."

So do I. Let's face this problem for what it is and solve it ourselves before some solution is forced upon us that is worse than the problem.
