New Phishing Tactic Leads to Calls for Stronger Safeguards

Tougher measures urged as new online tactic emerges.

Less than a week after President Bush signed into law a measure to combat cyber-identity theft, Internet con artists last week unleashed a new form of phishing bait: a double whammy of instant messages and e-mail to fool America Online Inc. subscribers into handing over their credit card numbers.

The latest phishing tactic, which spread widely across the Net over several days, was the first phishing ploy to use a combination of IM and e-mail as a lure, according to the Anti-Phishing Working Group, of Redwood City, Calif. The fraudulent scheme warns that "AOL billing information is out of date" and links to a fake site that displays the legitimate AOL URL, hiding the fake site's URL.

The increasingly insidious methods of online fraud suggest to some in the policy arena and in industry that much stronger tools are needed than those provided by the Identity Theft Penalty Enhancement Act signed into law July 15. The new law creates tough punishments for stealing IDs in conjunction with committing another crime (such as stealing money), but it does not make the process of phishing itself a crime and does not establish new safeguards for online transactions.

Setting up camp for the next front in the war on phishing, the NetChoice Coalition is calling for more rigorous standards for digital certificates. A mechanism to ensure "iron-clad validity" of digital certificates is necessary for online authentication to work, the coalition told lawmakers last week. The group, based in Washington, is lobbying for a bill that would make it illegal to assign a certificate without validating the identity and legitimacy of a sender.

Sen. John Ensign, R-Nev., last week was drafting a bill that targets fraudulent use of digital certificates, with the hope of introducing it this year, said Ensign's legislative assistant, Jesse Wadhams, in Washington.

"For the end user of the Internet, the experience is diminished," Wadhams said. "This [bill] adds a level of definition to fraud. It just makes the prosecutor's job a little easier."

Meanwhile, frequent targets of phishing, including eBay, want Congress to make phishing illegal so that it can be prosecuted whether or not it leads to other crime. eBay, which was the second-most-attacked company this spring, supports a bill recently introduced by Sen. Patrick Leahy, D-Vt., which would criminalize the act of spoofing and linking to fraudulent Web sites. Under the bill, it is illegal to deliberately set up Web sites masquerading as legitimate businesses for the purpose of gathering data to commit a crime. Parody Web sites, which are not created with criminal intent, wouldn't be included.


With little time left before Congress adjourns for the fall election season, it is unlikely that Leahy's bill will be debated in committee this year, but the senator intends to push it next year, said David Carle, a staffer for the senator.

"There's little chance of action on the bill this session," Carle said. "Sen. Leahy was introducing it to build momentum this year for action in the next Congress."

Legislation that targets phishing itself may provide more relief than the new ID-theft law because it could pressure the online industry to be more vigilant in protecting personal information, said David Zumwalt, CEO of Privacy Inc., which develops consumer software that protects e-mail addresses.

"A lot of problems that have to do with identity theft really just have to do with the mismanagement of information," Zumwalt said. "Sharing of information is the way [online businesses] see their business and the way they transact business."

Privacy Inc., in Dallas, works with the banking and retail industries to help their customers safeguard e-mail addresses. Later this year, Privacy plans to roll out an enhanced service to protect virtual payments, enabling credit card transactions without divulging account information, Zumwalt said.

Michael Allen, a senior at the University of Texas, also in Dallas, who makes many financial transactions online, including banking and DVD shopping, uses Privacy's service to dodge spam. Allen said that he does not expect government action to stem the tide of unwanted Internet intrusions and that users must protect themselves.

"I don't think legislation can stop it. Phishing schemes are just going to move offshore," Allen said. "I like to buy movies from China, and I really don't want to give my e-mail address to [merchants in China] because they're known for piracy."
