
Phishing Tales: Honestly, the problem is ‘this big’

Phishing Tales: Honestly, the problem is ‘this big’. Peter Black, Queensland University of Technology p2.black@qut.edu.au http://freedomtodiffer.typepad.com/. Outline. Phishing explained Definition Case studies Why the ‘ph’? Growth of phishing Australian legislation US position


Presentation Transcript


  1. Phishing Tales: Honestly, the problem is ‘this big’ Peter Black, Queensland University of Technology p2.black@qut.edu.au http://freedomtodiffer.typepad.com/

  2. Outline
  • Phishing explained
  • Definition
  • Case studies
  • Why the ‘ph’?
  • Growth of phishing
  • Australian legislation
  • US position
  • Difficulties with a legislative response
  • Other methods of combating phishing

  3. 1. Phishing explained
  • Phishing is the creation and use of e-mails and websites in order to deceive internet users into disclosing their bank and financial account information or other personal data.
  • Once this information is obtained, it is then used to commit fraudulent acts.

  4. Case study: Westpac • Source: Anti-Phishing Working Group <http://www.antiphishing.org/phishing_archive/05-03-04_Westpac_(Westpac_Bank_users_warning).html>


  7. Other targets: Internet services • Source: Anti-Phishing Working Group <http://www.antiphishing.org/phishing_archive/25-10-04_MSN(Your_membership_will_be_cancelled)/25-10-04_MSN(Your_membership_will_be_cancelled).html>


  9. Other targets: Online commerce sites • Source: Anti-Phishing Working Group <http://www.antiphishing.org/phishing_archive/01-31-05_Amazon/01-31-05_Amazon.html>


  12. Other targets: Search engines • Source: millersmiles.co.uk: the web’s dedicated anti-phishing service <http://www.millersmiles.co.uk/report/878>

  13. Charities: United Way • Source: millersmiles.co.uk: the web’s dedicated anti-phishing service <http://www.millersmiles.co.uk/report/1201>

  14. Why phishing with a ‘ph’?
  • The word ‘phishing’ is derived from the analogy that internet scammers use email lures to ‘fish’ for passwords and financial information from the ‘sea’ of internet users.
  • The term was first used in 1996 by hackers attempting to steal America Online (AOL) accounts.

  15. 2. Growth of phishing • Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006 <http://www.antiphishing.org/reports/apwg_report_May2006.pdf>

  16. Phishing sites hosting countries • Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006 <http://www.antiphishing.org/reports/apwg_report_May2006.pdf>

  17. Economic impact of phishing
  • The dollar damage from phishing is substantial.
  • Estimates of the loss to consumers and online commerce range between:
  • $500 million a year (Ponemon Institute 2004); and
  • $2.4 billion in 2003 (Gartner 2004).
  • Phishing also exacts a significant toll on individual consumers.
  • See Jennifer Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’ (2005) 20 Berkeley Technology Law Journal 259 at 266-67.

  18. 3. Australian legislation
  • Phishing could be criminally prosecuted under state legislation that deals with identity theft and fraud:
  • Crimes Act 1958 (Vic): obtaining property by deception (s 81(1)), and obtaining financial advantage by deception (s 82);
  • Crimes Act 1900 (NSW): obtaining money by deception (s 178BA), obtaining money by false or misleading statements (s 178BB), obtaining credit by fraud (s 178C), false pretences (s 179), and fraudulent personation (s 184);
  • Criminal Code 1899 (Qld): misappropriation (s 408C);
  • Criminal Code (WA): fraud (s 409(1));

  19. Australian legislation continued …
  • Criminal Code Act 1924 (Tas): dishonestly acquiring a financial advantage (s 252A(1)), and inserting false information on data (s 257E);
  • Criminal Code 2002 (ACT): obtaining financial advantage by deception (s 332), and general dishonesty (s 333);
  • Criminal Code (NT): criminal deception (s 227);
  • Criminal Law Consolidation Act 1935 (SA): false identity (s 144B), and misuse of personal identification information (s 144C).

  20. Criminal Code Act 1995 (Cth)
  • Part 10.8 of the Criminal Code Act, s 480.4 provides: A person is guilty of an offence if the person:
  • dishonestly obtains, or deals in, personal financial information; and
  • obtains, or deals in, that information without the consent of the person to whom the information relates.
  Penalty: Imprisonment for 5 years.

  21. Other relevant Commonwealth legislation
  • Spam Act 2003 (Cth);
  • Trade Practices Act 1974 (Cth);
  • Privacy Act 1988 (Cth);
  • Trade Marks Act 1995 (Cth).

  22. 4. US Position
  • Federal offences:
  • Identity theft (18 U.S.C. 1028 (2000));
  • Wire fraud (18 U.S.C. 1343 (2000 & Supp. II 2002));
  • Access device fraud (18 U.S.C. 1029 (2002));
  • Bank fraud (18 U.S.C. 1344 (2000)).
  • Internet users are also protected by the:
  • Truth in Lending Act (15 U.S.C. 1643(a)(1) (2000)); and
  • Gramm-Leach-Bliley Act (15 U.S.C. 6821(b) (2000)).

  23. US Position
  • The Identity Theft Penalty Enhancement Act, enacted in 2004, established a new crime of ‘aggravated identity theft’: using a stolen identity to commit other crimes.
  • Most states have criminal and consumer protection laws that deal with identity theft.
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), enacted in 2003.

  24. Anti-Phishing Act of 2005
  • Anti-Phishing Act of 2005, a bill to create two new crimes that prohibit the creation or procurement of:
  • a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft;
  • an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.

  25. 5. Difficulties with a legislative response
  • Phishing is difficult to deter as the normal barriers to offline crime do not apply.
  • Phishers are able to appear and disappear remarkably quickly, making their identification and prosecution difficult.
  • Jurisdictional issues.
  • Phishers are often found to be judgment proof.

  26. 6. Other methods of combating phishing
  • Information security technology solutions:
  • Strong website authentication;
  • Mail server authentication;
  • Digital signatures and/or gateway verification.
  • Internet users should also use spam filters on email, anti-virus software and personal firewalls.

  27. 6. Other methods of combating phishing
  • Internet users should look for signs that the email they have received is a phishing email:
  • deceptive addresses;
  • emails addressed to a generic name rather than a username;
  • unexpected requests for personal information;
  • alarmist warnings;
  • mistakes.
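The five warning signs on this slide can be turned into a simple screening check. The following is an added example, not part of the presentation: it parses a raw e-mail and reports which signs are present. Both sample messages are constructed, the domains are example addresses, ‘deceptive addresses’ is taken here to mean a link whose host lies outside the sender’s domain (a raw IP address also fails that test), and the misspelling set is a stand-in for a real spell checker.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for illustration only; neither is a real e-mail.
PHISH = """From: "Westpac Online Banking" <security@westpac-verify.example>
Subject: URGENT: your account will be suspended

Dear Valued Customer,
We detected unusual activty on your account. You must verfiy your
password and account number within 24 hours or access will be suspended.
Click here: http://203.0.113.5/westpac/login
"""
LEGIT = """From: "Alice Smith" <alice@example.org>
Subject: Lunch on Friday

Hi Bob, are you free for lunch on Friday? Agenda: https://example.org/wiki
"""

GENERIC = re.compile(r"^\s*dear\s+(valued\s+)?(customer|user|member|client)\b", re.I | re.M)
PERSONAL = re.compile(r"\b(password|account number|pin|credit card|date of birth)\b", re.I)
ALARMIST = re.compile(r"\b(urgent|suspended|immediately|within \d+ hours)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")
# Stand-in for a real spell checker: a few constructed misspellings of common words.
MISSPELLINGS = {"activty", "verfiy", "recieve", "informations"}

def phishing_signs(raw):
    """Return the warning signs from slide 27 found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signs = []
    # Deceptive addresses: a link whose host is outside the sender's domain (raw IPs included).
    for url in URL.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            signs.append("deceptive address")
            break
    if GENERIC.search(body):                      # "Dear Valued Customer" instead of a name
        signs.append("generic greeting")
    if PERSONAL.search(body):                     # asks for credentials or account details
        signs.append("request for personal information")
    if ALARMIST.search(msg.get("Subject", "") + "\n" + body):   # urgency / threats
        signs.append("alarmist warning")
    if MISSPELLINGS & set(re.findall(r"[a-z]+", body.lower())):  # spelling mistakes
        signs.append("mistakes")
    return signs
```

Each sign is a heuristic, so a message is best treated as suspicious when several co-occur rather than on any single hit.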

  28. Conclusion
  • Issue: legislation vs technology
  • Professor Lawrence Lessig has argued that architecture or ‘code’ is better than traditional law in cyberspace because law regulates ‘through the threat of ex post sanction, while code, in constructing a social world, regulates immediately’.
  • Lawrence Lessig, ‘The Constitution of Code: Limitations on Choice-Based Critiques of Cyberspace Regulation’, 5 CommLaw Conspectus 181, 184 (1997).

  29. Conclusion
  • As we wait for technological improvements, companies and consumers need to be aware of the phishing threat and use existing technology and common sense to reduce the instances of successful phishing attacks.
  • If companies and consumers fail to respond, phishing will have caught us hook, line and sinker.

  30. Creative Commons License This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Australia License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/au/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
