I, Cringely - The Survival of the Nerdiest with Robert X. Cringely
The Pulpit


Weekly Column

Man Bites Phish: The Best Way to Stop These Scams Is by Drowning the Phish

By Robert X. Cringely
bob@cringely.com

I was interviewed for a few seconds this week on CNN as part of their 25th birthday celebration for the network. My qualification for being interviewed appears to be the fact that I was alive in 1980 and remember fleeting patches of it. A camera crew came to our house to shoot the interview, and my son Channing, who was minus 22 in 1980, was very impressed -- so impressed that he proposed that he, rather than me, be interviewed. He had something to say to America.

"Help me!" he told the camera.

Channing isn't the only one who needs help. I wondered last week why we never hear of criminals being convicted of phishing -- inducing us to go to bogus web sites and give over enough financial details to loot our bank accounts or steal our identities. Well, I was wrong, it turns out: A phisher was convicted last year in Texas and another was convicted in 2003 in Virginia.

Feel safer now?

Here is a crime that touches every person who reads this column, yet we can find only TWO convictions? That qualifies phishing as a growth industry.

Phishing is something I don't think can be left to the professionals. PayPal, eBay, your bank and mine don't really have the ability to stop this crime, so that leaves it up to the victims to do something to stop it. That's us, baby.

Talking with some professional phish-hunters, it looks like the general trend toward solving this problem will be the simple expedient of eliminating e-mail entirely from our relationships with these organizations. Of course, this has the equal effect of drawing us tighter into our commercial relationships. If I'm comfortable with eBay, for example, because eBay moves all its communications off e-mail, well then I'll be less likely to do business with another auction site. Clever, eh? Here's how it was described to me by a cyber law enforcement person:

"What does eBay do, exactly? The company does what any corporation does: passes on all the information to relevant legal authorities. What more can eBay do? They rely on the law to take action, just as you do if you are ever a victim of a crime, which I hope never happens to you."

"The trouble is, people expect eBay Customer Support to slap on a badge, go to the guy's house in the US, and arrest the bad guy. People are very poorly educated about spoof messages, on average, and much less educated on proxy servers, IP masking, hijacked websites and how it is that the guy they thought was in Chicago is actually in Russia, Romania, Italy, the UK, Indonesia, Nigeria, whatever."

"The solution is not what (Max Levchin) mentioned, the solution for corporations is to move messaging off email and onto an internal system. eBay has My Messages to do this. By moving messages off of email, it becomes much harder for scammers to do what is otherwise an easy task because email is inherently insecure: send spoof messages."

"The second part of the solution is mass education by corporations, and word-of-mouth, once those internal messaging systems are in place. People sign into their accounts and get their priority messages. The only email they need to receive, then, is a plain-text email with no links that instructs them to sign onto any given account and check their messages on that company's trusted website."

"This solution is much more effective than relying on members/users to report spoof websites. It is not enough for companies to rely on customers to report spoofing activity; companies have to introduce a new paradigm that is spoof-resistant."

Well, maybe.

I'm not so impressed by professional law enforcement. While they may do a fair job of deterring and minimizing endemic physical crimes, there are severe problems with this law enforcement model when applied to the Internet. There is the simple matter of numbers: The bad guys outnumber the cybercops by probably 1,000-to-1. Law enforcement also is, by definition, reactive, and that reaction can be a LONG time in coming. The cops' loyalty is toward society rather than the individual, so retrieving MY lost stuff or identity is less important than discouraging criminals from doing further damage to others. And, finally, law enforcement relies on crime and criminals for its very existence, which sure looks like a symbiotic relationship to me. No wonder they don't enlist our help in any truly constructive way.

Of course, there has to be a better answer to this problem, and five readers in the past week have suggested it. Forget Max Levchin's idea of using bounties. But let's embrace what was at the essence of Max's idea, which is enlisting millions of Internet users in the cause.

If the bad guys outnumber the cops by 1,000-to-1, Internet users must outnumber the bad guys by 100,000-to-1 or more.

Fear of punishment won't deter phishing, yet that's all traditional law enforcement has to offer. It's fear of UNPROFITABILITY that will finally work.

The simple way to kill phishing is by making it harder for the phisher to make money from it. Right now, a phisher sends out a million e-mails and gets back 100 replies that yield positive data. There is almost no effort involved in sending out the e-mails after the first one, and the quality of the return data is very high. No wonder this is such a popular business!

Let's change that. If you get phishing e-mail, go to the web sites and enter false data. Make up everything -- name, sign-on name, password, credit card numbers, everything. Instead of one million messages yielding 100 good replies, now the phisher will have one million messages yielding 100,000 replies of which 100 are good, but WHICH 100?

This technique kills phishing two ways. It certainly increases the phishing labor requirement by about 10,000X. But even more importantly, if banks and e-commerce sites limit the number of failed sign-on attempts from a single IP address to, say, 10 per day, theft as an outcome of phishing becomes close to impossible.

No bounties are required, no cops, no parallel webmail systems that force us to log in to e-commerce sites when they tell us to. Phishing just becomes a very unprofitable business, which it should be.
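To put numbers on the argument above, here is an added example (not code from the column or from any bank or e-commerce site): a per-IP daily failed-sign-on limiter of the kind proposed, set to the column's "say, 10 per day", together with a deterministic model of how many days one source IP needs to sift a harvest of 100,000 replies in which only 100 are good. The IP addresses and the harvest are constructed sample values.

```python
from collections import defaultdict

DAILY_FAILED_LIMIT = 10  # the column's suggested cap on failed sign-ons per IP per day


class FailedSignOnLimiter:
    """Tracks failed sign-on attempts per (source IP, day); successes are not counted."""

    def __init__(self, limit: int = DAILY_FAILED_LIMIT) -> None:
        self.limit = limit
        self.failures: dict[tuple[str, int], int] = defaultdict(int)

    def allowed(self, ip: str, day: int) -> bool:
        return self.failures[(ip, day)] < self.limit

    def attempt(self, ip: str, day: int, is_valid: bool) -> tuple[bool, bool]:
        """Return (processed, succeeded). Once the cap is hit the credential is
        not checked at all, so a blocked attempt reveals nothing about validity."""
        if not self.allowed(ip, day):
            return False, False
        if not is_valid:
            self.failures[(ip, day)] += 1
        return True, is_valid


def constructed_harvest(total: int, good: int) -> list[bool]:
    """Constructed sample: `good` valid replies spread evenly through `total` replies."""
    step = total // good
    return [i % step == 0 for i in range(total)]


def days_to_sift(harvest: list[bool], limit: int = DAILY_FAILED_LIMIT) -> tuple[int, int]:
    """Model the harvest being tested from a single IP against a site using the limiter.
    Returns (days needed to test every reply, valid credentials confirmed)."""
    limiter = FailedSignOnLimiter(limit)
    ip = "203.0.113.7"  # constructed documentation-range address
    day, found = 1, 0
    for is_valid in harvest:
        processed, ok = limiter.attempt(ip, day, is_valid)
        if not processed:  # daily cap reached: the rest of the list waits for tomorrow
            day += 1
            processed, ok = limiter.attempt(ip, day, is_valid)
        found += ok
    return day, found


if __name__ == "__main__":
    harvest = constructed_harvest(100_000, 100)  # the column's 100 good among 100,000
    print("with 10/day cap:", days_to_sift(harvest))  # (9990, 100)
    print("without cap:", days_to_sift(harvest, limit=10**9))  # (1, 100)
```

With the cap in place the same 100 good credentials take 9,990 days to confirm instead of one, which is the unprofitability the column is after.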

Are you in?
