The old saw has it that “there’s a sucker born every minute.” But the circus carnies in P.T. Barnum’s time fleeced them the old-fashioned way – one hick at a time. These days, a poisoned e-mail attack called ‘phishing’ allows criminals to reach millions of potential victims at once.
The typical phishing expedition is an attempt to steal money. But it is safe to assume criminals and terrorists will also use the technique to build and maintain false identities from the personal data it harvests.
In phishing, official-looking e-mail directs recipients to look-alike Web sites, where they are asked to type in passwords, PINs, account numbers and other data that the criminals then use as their own.
Many phishing attacks are as crude as the infamous “Nigerian letters,” with misspellings and return e-mail addresses made up of random letters, but others appear startlingly genuine. Even if just a few suckers step forward to spin the wheel of chance, the potential winnings far outweigh the expense and risk. And there are a lot of suckers. Estimates of the number of people who respond to phishing e-mails range as high as 20 per cent, a figure that would make any legitimate direct-mailer very happy.
Along with banks and credit card companies, genuine e-commerce sites like PayPal, Amazon or eBay are commonly used in phishing messages. But government agencies are beginning to show up as well. One attack in the United States last year invoked the authority of the Department of Homeland Security, telling recipients that their federal deposit insurance had been cut off pending an investigation of Patriot Act violations. The victims were advised to put things right immediately by going to an apparently genuine Web site and filling out an IDVerify form. The stakes are high, for governments as well as private financial institutions. Phishing is already a billion-dollar business, and one inevitable consequence is a loss of confidence in the Internet as a way of doing business.
If a government department’s business case looks to online interaction with citizens for its return on investment, that business case now needs a second look. In fact, the security company Symantec Inc. says phishing has caused more than one-third of people surveyed who bank online to change their behaviour.
At the beginning of this year, the Anti-Phishing Working Group, an alliance of major businesses, reported a month-to-month increase in new, unique attacks of 52 per cent. MessageLabs Inc., another security company, said it saw phishing attacks increase from fewer than 300 a month to more than 200,000 between September and March. Sooner or later, that kind of growth rate will cast a dark shadow over both e-commerce and e-government. Technology created phishing. Can technology fix it? Maybe.
Symantec is working with major ISPs and banks to stop fraudulent e-mails as they move across the Internet by setting up decoy e-mail addresses of its own – millions of them. Because those addresses never signed up for anything, whatever arrives at them is unsolicited by definition; Symantec analyses the phishing messages that reach the decoys and quickly sends out filters for those messages to e-mail gateways. For their part, banks can then put pressure on ISPs to stop the criminal traffic originating on their networks. Other vendors are rolling out their own solutions, many of which look like consumer-friendly versions of virtual private networks or public key infrastructures, with variants involving key tokens and smart cards.
At first glance, these responses are not only expensive, they mean much greater complexity for the citizen – when the whole idea is to make transactions easier, not harder. Adding more decisions, downloads and keystrokes to the process makes it that much more likely the user will abandon the effort.
So far, advice from governments has provided little comfort, falling somewhere between well intentioned and ineffectual. In the United States, the Treasury Department tells financial institutions to “personalize” their e-mails to customers, by making sure the customer's name is somewhere in the message (a mass mailing to harvested addresses usually cannot supply it), and to register domain names that look similar to their own, to prevent their use by criminals. Hardly a stirring call to action.
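Three of the mechanisms above can be shown in one small mail-gateway screener: a link whose visible text and real destination disagree, a filter that flags hosts imitating a protected brand (the sort of rule a decoy-fed service would push to gateways), and a generator for the similar-looking names the Treasury says a bank should register. This is an added example in Python, not code from the article, Symantec, the Treasury or any bank; the protected-brand list, the homoglyph and prefix/suffix rules, and the sample message bodies are assumptions made for illustration.

```python
"""Screen e-mail links for brand look-alike hosts and list names worth registering.
Added example, not code from the article, Symantec, the Treasury or any bank;
the brand list, spoofing rules and sample messages below are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brands the gateway protects, as registrable domains.
PROTECTED = ("paypal.com", "ebay.com", "amazon.com")
# Characters phishers swap for look-alikes (assumed), and the reverse mapping.
HOMOGLYPHS = {"l": "1", "o": "0", "m": "rn", "w": "vv"}
UNFOLD = [(fake, real) for real, fake in HOMOGLYPHS.items()]
# Words spliced onto a brand name to make a fake host look official (assumed).
PREFIXES = ("secure-", "login-", "my")
SUFFIXES = ("-verify", "-update", "-login")

def registrable(host):
    """Naive registrable domain: the last two labels of a host name."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent."""
    d = [list(range(len(b) + 1))] + [[i] + [0] * len(b) for i in range(1, len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent swap
    return d[-1][-1]

def imitated_brand(host):
    """Return the protected brand a host imitates, or None if genuine or unrelated."""
    reg = registrable(host)
    if reg in PROTECTED:
        return None                          # real brand domain, any subdomain
    core = reg.split(".")[0]
    for p in PREFIXES:
        core = core[len(p):] if core.startswith(p) else core
    for s in SUFFIXES:
        core = core[:-len(s)] if core.endswith(s) else core
    for fake, real in UNFOLD:
        core = core.replace(fake, real)      # undo homoglyph swaps
    for brand in PROTECTED:
        name = brand.split(".")[0]
        # brand name as a subdomain or under another TLD (paypal.com.evil.net, paypal.net)
        if name in host.lower().split(".") or edit_distance(core, name) <= 1:
            return brand
    return None

def register_candidates(brand):
    """Look-alike domains a brand owner might register or watch, as the Treasury advises."""
    name, tld = brand.split(".", 1)
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                           # omission
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])    # transposition
        if ch in HOMOGLYPHS:
            variants.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])      # homoglyph
    variants.update(p + name for p in PREFIXES)
    variants.update(name + s for s in SUFFIXES)
    variants.discard(name)
    return sorted(f"{v}.{tld}" for v in variants)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def screen(html_body):
    """Return (reason, href) findings for every suspicious link in an e-mail body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        brand = imitated_brand(host)
        if brand:
            findings.append((f"host imitates {brand}", href))
        shown = urlparse(text).hostname if "://" in text else None   # text that looks like a URL
        if shown and registrable(shown) != registrable(host):
            findings.append((f"text shows {shown} but link goes to {host}", href))
    return findings

# Constructed sample bodies, not real messages.
PHISH = ('<p>Dear customer, your account is suspended.</p>'
         '<a href="http://secure-paypa1.com/login">https://www.paypal.com/</a>')
GENUINE = '<p>Hello Jane,</p><a href="https://www.paypal.com/">Sign in to PayPal</a>'

if __name__ == "__main__":
    for body in (PHISH, GENUINE):
        print(screen(body) or "no findings")
    print(register_candidates("paypal.com"))
```

Run it and the constructed phishing body produces two findings (the host imitates paypal.com, and the visible URL disagrees with the real one) while the genuine message produces none. Two caveats a gateway operator would want: `registrable()` simply takes the last two labels, so a real deployment would consult the public suffix list before calling something like amazon.co.uk an imitation; and the distance threshold of one is deliberately aggressive, so short brand names need a tuned allow-list to keep false positives down.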
Here in Canada, the RCMP Web site says: “Beware of all e-mail messages pretending to be from your bank, PayPal or e-Bay accounts.” (The unwritten words there could well have been, “or from your municipal, provincial and federal governments.”) The Mounties’ recommendation: “If you receive any e-mail that requests personal information, for example from your bank, do not provide it on-line. Contact the institution by telephone using a phone number that you obtained via an independent source (i.e. not from the suspect e-mail!).”
So things aren’t always what they seem. For example, P.T. Barnum never said, “There’s a sucker born every minute.” His rival David Hannum did, after Barnum’s fake fossilized human drew a bigger audience than his.
Richard Bray is an Ottawa journalist who specializes in information technology issues.