Despite the recent emergence of anti-phishing legislation, IT managers and consumers would be foolish not to continue implementing their own stringent technology measures against this persistent strain of online fraud.
On the heels of similar legislation in New Mexico, Arizona and Texas, and with federal legislation pending, Californias Anti-Phishing Act of 2005 criminalizes phishing, with a threat of steep fines.
More important, the law allows a business or consumer to file a complaint against a phisher without specifically showing damages, unless the claimed damage is more than $500,000 to a business or $5,000 to an individual. This provision takes such actions off the slow and laborious track of fraud complaints.
Whats missing from this law, as the Computer Crime Research Center notes on its Web site, is any real response to the phishers three means of evasion.
First, phishers crimes readily cross geographic borders, which makes finding phishers difficult.
Second, that same mobility impedes the establishment of jurisdiction to prosecute.
Third, phishers can readily make themselves judgment-proof by such means as declaring bankruptcy or simply failing to make appearances or payments. Phishers are ephemeral entities, not brick-and-mortar business establishments whose doors can be locked and assets seized.
To deter phishing, federal, and even international, laws are needed. Although not common, international cooperation is not unprecedented; air transportation and radio spectrum usage have both given rise to international agreements.
Nonetheless, IT managers should note how long its taken just to get a few, limited anti-phishing state laws passed, and they should continue to rely on technology measures to stay ahead of phishers.
Banks, stores and other companies that support online services must step up to the challenge of adopting and implementing tougher authentication technologies to make it harder for phishers to imitate their sites and their customers.
Multifactor authentication techniques, biometrics or ID cards, and password policies that force users to create stronger passwords and change them regularly should be used by all e-commerce sites. These measures will reduce the ease with which a phisher can adopt a legitimate customers identity based on theft of merely a user ID and password, and they will reduce the life span and therefore the value of stolen identity information.
Single sign-on is another effective step. It makes it easier for users to keep track of accounts because there is no need to manage all accounts separately, with different user names and passwords at every site. Also, if users sense that something phishy is going on, they can go back to a trusted site to immediately reset their global passwords and minimize exposure risks.
Inconvenience and cost are often deterrents for implementing enhanced site security, but considering the feeble state of anti- phishing laws and the millions or even billions of dollars that could be lost to phishing scams in future years, a proactive approach to eliminating phishing is worth the pain.
