Congress, Vendors Put Phishing Under the Gun

VeriSign's new service aims to help protect against "phishing" expeditions.

Faced with an explosion in identity theft and phishing, lawmakers and vendors are taking action to increase penalties for the crimes and offer technological solutions to help stop the scams at their sources.

VeriSign Inc. this week will unveil a service that officials said will help protect enterprises from phishing attacks and, in the bargain, help law enforcement agencies track down the perpetrators. The service allows VeriSign to monitor the Internet for signs of new phishing schemes, such as phony-looking e-mail messages and new malicious Web sites that play off a customer's brand. VeriSign will then work with ISPs to have those sites removed, and it can help with the forensic investigations.

"Because we have long relationships with ISPs, they aren't afraid to let us on their servers to help them," said Mark Griffiths, vice president of security services at VeriSign, in Mountain View, Calif.

Data about phishing attacks can be vital for law enforcement looking to track down perpetrators of online fraud, most of whom attempt to hide their tracks. The goal of phishing scams is to steal personal information, including bank account and credit card information.

VeriSign's plans mesh with efforts by the House of Representatives, which last week passed the Identity Theft Penalty Enhancement Act, authored by Rep. John Carter, R-Texas. The bill increases the sentences for ID theft and creates a new crime of aggravated ID theft, defined as using a stolen ID to commit certain crimes.

"When you steal somebody's identity, you usually do it for purposes of doing something illegal," Carter, a former district judge in Texas, told eWEEK upon passage of the bill in the House. Carter said the measure will serve as an increased deterrent against the growing problem.

Although prosecutions for phishing have been rare so far, under Carter's new legislation, conviction for aggravated ID theft would come with a mandatory sentence enhancement of two years, and aggravated ID theft committed for the purpose of terrorism would come with an additional mandatory five-year penalty.

As a large percentage of ID thefts are committed by insiders—notably at health care and financial institutions—the bill also directs the U.S. Sentencing Commission to revise guidelines for punishing individuals who abuse their positions to commit ID theft.

The Senate counterpart to the bill, which was approved in March 2003, does not include an insider theft provision, but Carter said he does not anticipate significant opposition to it.

The bill does not address the responsibility of organizations to protect the personal data that they collect and store—something that many security specialists consider vital to data privacy and integrity. Initiatives to legislate security practices in the private sector have found little support.

"I would be willing to look at that," said Carter, about increasing institutions' responsibility to protect personal data. "Let's see what this [legislation] does first."

While praising lawmakers for addressing the problem of ID theft, some experts on the topic say that Congress is taking the wrong approach.

"The legislation they're proposing is strictly reactive. We need [harsher penalties], but there's nothing in there that would help prevent identity theft," said Judith Collins, associate professor in the School of Criminal Justice at Michigan State University, in East Lansing. Collins has done extensive research on the causes and consequences of ID theft.

"Legislators do not understand this problem," Collins said. "They don't understand the crime and don't know the perpetrators."
