Phishing Tales: Honestly, the problem is ‘this big’ Peter Black, Queensland University of Technology

Outline 1. Phishing explained Definition Case studies Why the ‘ph’? 2. Growth of phishing 3. Australian legislation 4. US position 5. Difficulties with a legislative response 6. Other methods of combating phishing

1. Phishing explained Phishing is the creation and use of s and websites in order to deceive internet users into disclosing their bank and financial account information or other personal data. Once this information is obtained, it then used to commit fraudulent acts.

Case study: Westpac Source: Anti-Phishing Working Group

Case study: Westpac Source: Anti-Phishing Working Group

Case study: Westpac Source: Anti-Phishing Working Group

Other targets: Internet services Source: Anti-Phishing Working Group

Other targets: Internet services Source: Anti-Phishing Working Group

Other targets: Online commerce sites Source: Anti-Phishing Working Group

Other targets: Online commerce sites Source: Anti-Phishing Working Group

Other targets: Online commerce sites Source: Anti-Phishing Working Group

Other targets: Search engines Source: millersmiles.co.uk: the web’s dedicated anti-phishing service

Charities: United Way Source: millersmiles.co.uk: the web’s dedicated anti-phishing service

Why phishing with a ‘ph’? The word ‘phishing’ is derived from the analogy that internet scammers use lures to ‘fish’ for passwords and financial information from the ‘sea’ of internet users. The term was first used in 1996 by hackers attempting to steal America On-line (AOL) accounts.

2. Growth of phishing Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006

Phishing sites hosting countries Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006

Economic impact of phishing The dollar damage from phishing is substantial. Estimates of the loss to the consumer and online commerce being between: $500 million a year (Ponemon Institute 2004); and $2.4 billion in 2003 (Gartner 2004). Phishing also exacts a significant toll on individual consumers. See Jennifer Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’(2005) 20 Berkeley Technology Law Journal 259 at

3. Australian legislation Phishing could be criminally prosecuted under state legislation that deals with identity theft and fraud: Crimes Act 1958 (Vic): obtaining property by deception (s 81(1)), and obtaining financial advantage by deception (s 82); Crimes Act 1900 (NSW): obtaining money by deception (s 178BA), obtaining money by false or misleading statements (s 178BB), obtaining credit by fraud (s 178C), false pretences (s 179), and fraudulent personation (s 184); Criminal Code 1899 (Qld): misappropriation (s 408C); Criminal Code (WA): fraud (s 409(1));

Australian legislation continued … Criminal Code Act 1924 (Tas): dishonestly acquiring a financial advantage (s 252A(1)), and inserting false information on data (s 257E); Criminal Code 2002 (ACT): obtaining financial advantage by deception (s 332), and general dishonesty (s 333); Criminal Code (NT): criminal deception (s 227); Criminal Law Consolidation Act 1935 (SA): false identity (s 144B), and misuse of personal identification information (s 144C).

Criminal Code Act 1995 (Cth) Part 10.8 of the Criminal Code Act, s provides: A person is guilty of an offence if the person: a) dishonestly obtains, or deals in, personal financial information; and b) obtains, or deals in, that information without the consent of the person to whom the information relates. Penalty:Imprisonment for 5 years.

Other relevant Commonwealth legislation 1. Spam Act 2003 (Cth); 2. Trade Practices Act 1974 (Cth); 3. Privacy Act 1988 (Cth); 4. Trade Marks Act 1995 (Cth).

4. US Position Federal offences: 1. Identity theft (18 U.S.C (2000)); 2. Wire fraud (18 U.S.C (2000 & Supp. II 2002)); 3. Access device fraud (18 U.S.C (2002)); 4. Bank fraud (18 U.S.C (2000)). Internet users are also protected by the: Truth in Lending Act (15 U.S.C. 1643(a)(1) (2000)); and Gramm-Leach-Bailey Act (15 U.S.C. 6821(b) (2000)).

US Position The Identity Theft Penalty Enchancement Act, enacted in 2004, established a new crime of ‘aggravated identity theft’ – using a stolen identity to commit other crimes. Most states have criminal and consumer protection laws that deal with identity theft. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), enacted in 2003.

Anti-Phishing Act of 2005 Anti-Phishing Act of 2005, a bill to create two new crimes that prohibit the creation or procurement of: 1. a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. 2. an that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.

5. Difficulties with a legislative response 1. Phishing is difficult to deter as the normal barriers to offline crime do not apply. 2. Phishers are able to appear and disappear remarkably quickly, making their identification and prosecution difficult. 3. Jurisdictional issues. 4. Phishers are often found to be judgment proof.

6. Other methods of combating phishing Information security technology solutions: 1. Strong website authentication; 2. Mail server authentication,; 3. Digital signatures and/or gateway verification. Internet users should also use spam filters on , anti-virus software and personal firewalls.

6. Other methods of combating phishing Internet users should look for signs that the they have received is a phishing deceptive addresses; s addressed to a generic name rather than a username; unsuspected requests for personal information; alarmist warnings; mistakes.

Conclusion Issue: legislation vs technology Professor Lawrence Lessig has argued that architecture or ‘code’ is better than traditional law in cyberspace because law regulates ‘through the threat of ex post sanction, while code, in constructing a social world, regulates immediately’. Lawrence Lessig, ‘The Constitution of Code: Limitations on Choice-Based Critiques of Cyberspace Regulation’, 5 CommLaw Conspectus 181, 184 (1997).

Conclusion As we wait for technological improvements, companies and consumers need to be aware of the phishing threat and use existing technology and common sense to reduce the instances of successful phishing attacks. If companies and consumers fail to respond, phishing will have caught us hook, line and sinker.

Creative Commons License This work is licensed under the Creative Commons Attribution-NonCommercial- ShareAlike 2.5 Australia License. To view a copy of this license, visit sa/2.5/au/ or send a letter to Creative Commons, 543 Howard Street, 5 th Floor, San Francisco, California, 94105, USA. sa/2.5/au/