By Bruce Schneier
Oct. 06, 2005
Last week California became the first state to enact a law
specifically addressing phishing. Phishing, for those of you who have
been away from the internet for the past few years, is when an
attacker sends you an e-mail falsely claiming to be a legitimate
business in order to trick you into giving away your account info --
passwords, mostly. When this is done by hacking DNS, it's called
Financial companies have until now avoided taking on phishers in a
serious way, because it's cheaper and simpler to pay the costs of
fraud. That's unacceptable, however, because consumers who fall prey
to these scams pay a price that goes beyond financial losses, in
inconvenience, stress and, in some cases, blots on their credit
reports that are hard to eradicate. As a result, lawmakers need to do
more than create new punishments for wrongdoers -- they need to create
tough new incentives that will effectively force financial companies
to change the status quo and improve the way they protect their
customers' assets. Unfortunately, the California law does nothing to
The new legislation was enacted because phishing is a new crime. But
the law won't help, because phishing is just a tactic. Criminals phish
in order to get your passwords, so they can make fraudulent
transactions in your name. The real crime is an ancient one: financial
These attacks prey on the gullibility of people. This distinguishes
them from worms and viruses, which exploit vulnerabilities in computer
code. In the past, I've called these attacks examples of "semantic
attacks" because they exploit human meaning rather than computer
logic. The victims are people who get e-mails and visit websites, and
generally believe that these e-mails and websites are legitimate.
These attacks take advantage of the inherent unverifiability of the
internet. Phishing and pharming are easy because authenticating
businesses on the internet is hard. While it might be possible for a
criminal to build a fake bricks-and-mortar bank in order to scam
people out of their signatures and bank details, it's much easier for
the same criminal to build a fake website or send a fake e-mail. And
while it might be technically possible to build a security
infrastructure to verify both websites and e-mail, both the cost and
user unfriendliness means that it'd only be a solution for the
geekiest of internet users.
These attacks also leverage the inherent scalability of computer
systems. Scamming someone in person takes work. With e-mail, you can
try to scam millions of people per hour. And a one-in-a-million
success rate might be good enough for a viable criminal enterprise.
In general, two internet trends affect all forms of identity theft.
The widespread availability of personal information has made it easier
for a thief to get his hands on it. At the same time, the rise of
electronic authentication and online transactions -- you don't have to
walk into a bank, or even use a bank card, in order to withdraw money
now -- has made that personal information much more valuable.
The problem of phishing cannot be solved solely by focusing on the
first trend: the availability of personal information. Criminals are
clever people, and if you defend against a particular tactic such as
phishing, they'll find another. In the space of just a few years,
we've seen phishing attacks get more sophisticated. The newest
variant, called "spear phishing," involves individually targeted and
personalized e-mail messages that are even harder to detect. And there
are other sorts of electronic fraud that aren't technically phishing.
The actual problem to be solved is that of fraudulent transactions.
Financial institutions make it too easy for a criminal to commit
fraudulent transactions, and too difficult for the victims to clear
their names. The institutions make a lot of money because it's easy to
make a transaction, open an account, get a credit card and so on. For
years I've written about how economic considerations affect security
problems. The institutions can put security countermeasures in place to prevent
fraud, detect it quickly and allow victims to clear themselves. But
all of that's expensive. And it's not worth it to them.
It's not that financial institutions suffer no losses. Because of
something called Regulation E, they already pay most of the direct
costs of identity theft. But the costs in time, stress and hassle are
entirely borne by the victims. And in one in four cases, the victims
have not been able to completely restore their good name.
In economics, this is known as an externality: It's an effect of a
business decision that is not borne by the person or organization
making the decision. Financial institutions have no incentive to
reduce those costs of identity theft because they don't bear them.
Push the responsibility -- all of it -- for identity theft onto the
financial institutions, and phishing will go away. This fraud will go
away not because people will suddenly get smart and quit responding to
phishing e-mails, because California has new criminal penalties for
phishing, or because ISPs will recognize and delete the e-mails. It
will go away because the information a criminal can get from a
phishing attack won't be enough for him to commit fraud -- because the
companies won't stand for all those losses.
If there's one general precept of security policy that is universally
true, it is that security works best when the entity that is in the
best position to mitigate the risk is responsible for that risk.
Making financial institutions responsible for losses due to phishing
and identity theft is the only way to deal with the problem. And not
just the direct financial losses -- they need to make it less painful
to resolve identity theft issues, enabling people to truly clear their
names and credit histories. Money to reimburse losses is cheap
compared with the expense of redesigning their systems, but anything
less won't work.