Computer Crime Research Center

staff/mohamed.jpg

Phishing in Cyberspace: Issues and Solutions

Date: August 19, 2006
Source: Computer Crime Research Center
By: Mohamed CHAWKI

... to be from a bank asked the users to dial a phone number regarding a technical problem with their bank account. [38] Once the phone number was dialed, prompts told users to enter their account numbers and PIN. The number was provided by a Voice over IP provider. [39]

Another effective tool that is being used nowadays by phishers is the Botnet. This is a jargon term for a collection of software robots, or bots, which run autonomously. [40] This can also refer to the network of computers using distributed computing software.

Botnets are used in several purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. [41] The botnet controllers features a constant and struggle over who has the most bots, the highest overall bandwidth, and the largest amount of “high-quality” infected machines.[42]

Accordingly a 63-year-old man in Suffolk, a 28-year-old man in Scotland, and a 19 year-old man in Finland were arrested on June 27, 2006 in connection with an international conspiracy to infect computers using botnets. [43] The Metropolitan Computer Crime Unit, the Finnish National Bureau of Investigation (NBI Finland) and the Finnish Pori Police Department collaborated to arrest the men, who are all suspected of being members of the M00P cybercriminal gang. [44]

3. Online phishing proposed solutions: Legislative approaches
From logical, and pragmatic perspectives, knowing the problem, risks associated therewith, and the ills resulting from online phishing is an important step towards a possible solution. Furthermore, such determination constitutes an integral part of devising effective vaccines and serums to eradicate and prevent this crime. Having described the problem and the diverse types of online phishing, we shall now address some of the potential solutions thereto. Thus, we shall first analyze the American approach, then the European one before we move to the technical solutions that aim to enhance privacy and provide a secure medium for data transfer in a manner that protects the confidentiality and integrity of personal information.

3.1 The American approach
Many federal laws are applicable to online phishing, some of which may be used for the prosecution of identity theft offences, and some of which were adopted specially to combat online phishing.

The main identity theft statute is 18 U.S.C. § 1028(a)(7). It was enacted on October 30, 1998, as part of the Identity Theft and Assumption Deterrence Act. [25] This act was needed because 18 U.S.C. § 1028 previously addressed only the fraudulent creation, use, or transfer of identification documents, and not the theft or criminal use of the underlying personal information. [46] This new act added Section §1028(a)(7) which penalizes fraud in connection with the unlawful theft and misuse of personal identifying information, regardless of whether the information appears or is used in documents.

Section 1028(a)(7) provides that it is unlawful for anyone who: “ Knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law...”

The Identity Theft Act amended the penalty provisions of §1028(b) by extending its coverage to offenses under the new §1028(a)(7) and applying more stringent penalties for identity thefts involving property of value. [47] Furthermore, the Identity Theft Act added §1028(f) which provides that attempts or conspiracies to violate §1028 are subject to the same penalties as those prescribed for substantive offences under §1028. [48]

Finally, the Identity Theft Act is intended to cover a variety of individual identification information that may be developed in the future and utilized to commit identity theft crimes. [49] The Identity Theft Act also directed the United States Sentencing Commission to review and amend the Sentencing Guidelines to provide appropriate penalties for each offence under Section §1028. [50] Other federal crimes that could be committed through involvement in a phishing scheme are wire fraud (18 U.S.C. § 1343), credit card fraud (18 U.S.C. § 1029), bank fraud (18 U.S.C. § 1344), and computer fraud 18 U.S.C. § 1030(a)(4). [51]

For example, the wire fraud act prohibits “Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice”. [52] The offender “shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both”.

When the criminal uses computer virus or worms to commit his crime, this may violate other provisions of the computer fraud and abuse statute relating to damage to computer systems and files {18 U.S.C. § 1028 (a)(5)}. [53]

On March 1, 2005, Democratic Senator Patrick Leahy introduced the Anti – Phishing Act of 2005. [54] According to this bill, criminals who create fake web sites and spam bogus emails in order to defraud consumers could receive a fine up to $ 250, 000 and receive jail terms of up to five years. [55]

Finally, phishing crimes may violate several State statutes. For example, California’s anti- phishing law makes it illegal for “any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business”. [56] The State of Connecticut “ prohibits using the Internet or an e-mail message to solicit or induce another to provide identifying information by pretending to be an on-line Internet business and provides civil and criminal penalties”. [57] Florida’s anti – phishing act “prohibits inducing, requesting, or soliciting identifying information with an intent to engage in conduct involving the fraudulent use or possession of another person's identifying information; authorizes civil actions for violations; provides for; provides for nonapplication to certain entities' good faith handling of identifying information”. [58] Moreover the act prohibits the “fraudulent use of a web page or Internet domain name to obtain personal identifying information from a resident of Florida; prohibits the fraudulent use of electronic mail to obtain personal identifying information from a resident of Florida; provides a civil action for injunction and damages”. [59]

On April 18, 2006 Louisiana passed a new Anti – Phishing Act which prohibits the “use of the Internet to obtain identifying information of another person for a fraudulent purpose and provides for civil relief”.[60] New Jersey’s Anti – Phishing Act “ makes it an unlawful practice for any person, through the use of the Internet, to take any action to induce another person to provide personal information by representing oneself, either directly or by implication, to be a business without the authority or approval of that business”. [61]

On May 17, 2006 New York State Senate gave the final legislative approval to the “ Anti – Phishing Act of 2006”. [62] The act prohibits “ the misuse of the internet to obtain identifying information by misrepresenting oneself as an online business; authorizes the Attorney General, internet service providers, and those owning a web page or trademark, who are adversely affected by such conduct to bring an action for injunctive relief and damages”. On April 17, 2006 the Governor of Oklahoma signed a new Anti – Phishing Act. [63] It prohibits persons from creating and using web pages with certain fraudulent intent; allows certain persons to bring civil actions for violations of the act; provides damages; makes unlawful acts under act violations of the Oklahoma Consumer Protection Act; and exempts certain actions by telecommunications providers or Internet service providers from the act. [64] Finally, the Governor of Tennesse signed on May 1, 2006 the “Anti – Phishing Act of 2006”. [65] It penalizes persons who, without authorization or permission of subject of identifying information, obtain, record, access or distribute identifying information of another person through use of Internet, e-mail or wireless communication; establishes that any violation shall be construed to be an unfair or deceptive act or practice affecting trade or commerce; and provides for civil relief. [66]

3. 2 European approach
The Council of European Union has adopted a Directive of the European Parliament and the Council on data retention, [67] amending Directive 2002/58/EC. [68] The Directive aims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications service or of public communications networks with respect to the retention of certain data which are generated or processed by them. [69] In any phishing case, the Directive...
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo