Anti-Phishing Enforcement and Prevention
Phishing is one of the biggest problems facing users on the internet today. It has been gaining momentum since the internet was opened to commercial use more than fifteen years ago, and because the internet is open and largely uncontrolled it is difficult to slow the progression of phishing, let alone stop it completely. Even with substantial efforts from the U.S. Government, private organizations and well-known online companies, the problem continues to worsen. Because the internet is filled with ways for phishers to steal personal information, legislation, education and better software all need to be pursued vigorously.
The efforts to stop phishing include plans for international anti-phishing legislation, phishing education programs and continued advances in anti-phishing and anti-malware (malicious software) tools. These efforts are discussed below, after a look at the history of phishing and the current environment.
Background and current environment
Phishing is "the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack" (Dictionary, 2007). Phishing began in the mid-1990s on America Online (AOL), then the largest consumer online service, which is where the term itself was coined.
In the early years, attackers stole AOL account credentials in order to use the service for free. Those early attacks were nowhere near as malicious as the attacks of today, which include, but are not limited to, stealing bank credentials and other login information for financial gain. Since then the attacks have continued to increase in number and frequency, and the techniques have become steadily more complex.
A typical real-world example of a phishing email is given in Appendix A. The email was sent to Citibank customers asking them to "verify" their email address by entering their ATM/debit card number and PIN. The link the message asks readers to follow looks legitimate, but it leads to a fraudulent site built to look identical to the real Citibank website. This is how phishers get people to willingly give up their information: the victim types the secret into a form that belongs to the attacker.
The current environment is volatile with regard to phishing. Although users are being educated about the threat, the tricks are becoming more complex and harder to spot. The prospect of being caught off guard is worrying given that phishing of financial services constitutes over 91% of all recorded phishing cases (APWG, 2008). Even where legislation against phishing exists, it has little effect on the internet as a whole because it has not been adopted world wide and so cannot be enforced everywhere. Legislation has nevertheless had a profound effect on the way people view phishing, and its passage helps the cause whether or not it is adopted world wide.
Besides legislation, software updates have been arriving regularly and are considered the front line of defense. Companies such as Mozilla, the creators of the Firefox web browser, have been at the forefront of building anti-phishing and anti-malware protection into the browser itself. Mozilla is only one of many companies writing software to protect users from malware and phishing. Symantec Corporation, the company behind Norton Antivirus, has built one of the most comprehensive anti-phishing and anti-malware suites; it encrypts stored information to make it less accessible to malware and verifies a website's authenticity in order to warn users away from fraudulent sites.
Political and Legal Issues
Laws regarding phishing have lately been criticized for their lack of enforceability and international reach. The Anti-Phishing Act of 2005, introduced by Senator Patrick Leahy, would make it a criminal act to create or procure a website or email with the intent to gather information from victims for use in fraud or identity theft (Gittlen, 2005). This small piece of legislation in the U.S. is a good first step. However, anti-phishing legislation has not been adopted world wide, so phishing is not enforceable across all international borders. This poses a problem because many phishing attacks are launched from overseas against U.S. users and servers. Since the phisher is often in another country, it is very difficult to find the perpetrator, let alone enforce the law.
The Anti-Phishing Working Group (APWG), however, is working to make global laws on phishing possible. The APWG is a global association of law enforcement agencies and companies focused on eliminating identity theft and fraud (Gittlen, 2005). It is building a security framework using input and capabilities from internet companies such as GeoTrust, McAfee, Microsoft and Experian. These companies not only provide services to small independent websites but are also helping to develop security measures aimed at eliminating identity theft online. With their research and sponsor cooperation, the APWG is able to work with law enforcement and legislatures to advance both the introduction of a law and a system to enforce it.
With all of this cooperation, international legislation looks like a feasible option. It will inevitably fail to stop 100 percent of online crime, in the same way that laws in the U.S. do not stop crime completely. Even so, it is a giant step toward making the internet a safer place.
As a result of the slow advance of international legislation, there has been a bigger push for new security software to protect online users rather than acts or laws. Some of the new protections have come from the web browsers themselves, which guard users on every website they visit and have made it harder to be fooled by a phishing attack. For example, the Mozilla Firefox 3 browser includes phishing protection that checks each site a user visits against a regularly updated list of reported phishing sites and warns the user before the page is shown. Firefox also warns users when they enter a site known to install spyware, Trojans or other malware (malicious software) (Haskins, 2008). This prevention software is the result of years of development by many different software manufacturers.
Web browser security is just the beginning of the updated phishing protection; many other web services have begun to update their security in an attempt to protect users. Besides web browsers, e-mail servers are another important line of defense, because e-mail is the most heavily used vehicle for phishing attempts. Removing spam from e-mail is effective and also protects users from various attacks besides phishing. Accordingly, many web-based e-mail services are upgrading their spam filtering in an attempt to remove phishing messages from inboxes before the user has a chance to open them. A filter can do this by checking the sender's domain, the domains of the links in the message and the wording of the request, though the method has met with varying success as phishing schemes have grown more complex.
Furthermore, the inability to correct all of these problems has prompted another layer of defense. A high percentage of phishing attacks target financial institutions, and financial institutions that offer online banking have begun using a form of site authentication that lets the customer confirm the site is genuine before typing a password. With this proactive approach companies are able to provide a safer environment for clients, proving that the website being visited is the real one and not a fraud. This is especially important for financial institutions because of the sensitivity of the information in their databases and the possibility of identity theft. One example of simple site authentication is the SiteKey system used by Bank of America. SiteKey lets the client pick a distinct picture that is associated with their login. Each time the client logs in, they can verify by sight that they have reached the authentic website and not a look-alike. This form of authentication still has weak links: a phishing site that relays the victim's username to the real bank can fetch and display the same picture, and a customer who does not notice that the picture is missing gains nothing from it. Still, it is a step in the right direction for protecting online banking users.
While independent software changes are welcome, the Anti-Phishing Working Group (APWG), discussed earlier in connection with legal action, is also a collection of sponsor sites and companies that offers a comprehensive security solution directory. This directory lists companies that provide security solutions to websites that lack the funds or manpower to build their own, giving smaller sites a more cost-effective way to stay secure with services such as detection and analysis of phishing attacks and software-based authentication. While a site such as Bank of America has the funds to build its own security, smaller websites that sell homemade products or provide online services do not have those resources. This is where the APWG helps, by compiling a list of sponsor sites whose services a website of any size can afford. In turn, even the smallest sites can protect their members from the effects of phishing.
The final important topic is phishing prevention education. Educating web users on what to watch out for when surfing the internet is one of the most proactive ideas. However, the actual implementation of such programs could prove difficult. One complication, according to Carnegie Mellon University, is that it is hard to find a method that works because of the diversity of people who use the Web (Montalbano, 2007). Since everyone learns differently, educating the masses is difficult; if only one method is chosen, some people will not absorb the information as well as others, leaving them vulnerable to attack. Another complication is that phishers themselves may study the education programs to find weaknesses in the teachings. For example, if educators emphasize that users should install security software and stay current with the latest patches, phishers may send out an e-mail saying "Here is the latest patch," prompting nervous users to click the link simply to make sure their security is up to date, and thereby making themselves vulnerable (Montalbano, 2007).
Even with these possible problems, education is still essential to keeping users aware of the ever-changing techniques and dangers of phishing. Educators at Carnegie Mellon University created a game that helps users learn to recognize fraudulent websites through experience and practice while playing something fun and engaging. The Carnegie Mellon representative says the game is a great way of teaching because everyone likes games and everyone likes to win (Montalbano, 2007). This is an innovative way to teach people of all ages, and its developers report it to be effective.
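To make the mail-server filtering described above concrete, and to show what a filter would see in the Citibank message reproduced in Appendix A, the following is an added example written for this page; it is not code from any mail provider or from the essay's sources. It parses one message, compares the sender's domain and every linked host with the brand's real registered domain, flags raw-IP and lookalike hosts, and counts phrases that ask for a PIN or card number. The brand table, both sample messages (the sender address and link in the phishing sample are invented and use the reserved example.net domain), the weights and the quarantine threshold are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed table of protected brands: brand keyword -> the brand's real registered domain.
BRAND_DOMAINS = {"citibank": "citibank.com"}

# Wording that asks for secrets or pushes the reader to click; word-boundary regexes.
SENSITIVE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bPIN\b", r"\bcard number\b", r"\bpassword\b",
    r"\bverify your\b", r"\bclick(?:ing)? on the link\b")]

URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname, lowercased ("www.citibank.com" -> "citibank.com").
    Good enough for .com-style names; a production filter would use the public suffix list
    so that, e.g., "bank.co.uk" is not reduced to "co.uk"."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str, brand: str, brand_domain: str) -> bool:
    """True for a host that mentions the brand but is not registered under the brand's domain,
    e.g. citibank.com.verify-account.example.net or citibank-verify.com."""
    return brand in host.lower() and registered_domain(host) != brand_domain


def analyse(raw_message: str) -> dict:
    """Score one plain-text RFC 2822 message; returns the score, the reasons and a verdict."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()            # assumption: single-part text mail, so this is a str
    text = msg.get("Subject", "") + "\n" + body
    findings = []                       # (weight, reason)

    # Which brand does the mail claim to be from? First protected brand named in subject or body.
    brand = next((b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text, re.I)), None)
    brand_domain = BRAND_DOMAINS.get(brand)

    # 1. The sender's domain should be the brand's own domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rpartition("@")[2])
    if brand_domain and sender_domain != brand_domain:
        findings.append((2, f"sender {sender!r} is not under {brand_domain}"))

    # 2. Every link should point at the brand's real domain, never a raw IP or a lookalike host.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if IPV4_RE.match(host):
            findings.append((2, f"link to raw IP address {host}"))
        elif brand_domain and registered_domain(host) != brand_domain:
            kind = "lookalike" if is_lookalike(host, brand, brand_domain) else "unrelated"
            findings.append((2, f"{kind} link host {host} (registered domain {registered_domain(host)})"))

    # 3. Legitimate mail does not ask for a PIN or card number; each such phrase adds weight.
    for pat in SENSITIVE_PATTERNS:
        if pat.search(text):
            findings.append((1, f"message matches {pat.pattern!r}"))

    score = sum(w for w, _ in findings)
    return {"score": score,
            "reasons": [r for _, r in findings],
            "verdict": "quarantine" if score >= 3 else "deliver"}   # constructed threshold


# Constructed sample modelled on the Appendix A message; the sender address and link are invented.
PHISHING_SAMPLE = """\
From: Citibank Security <security@citibank-alerts.example.net>
Subject: Verify your E-mail with Citibank

This email was sent by the Citibank server to verify your E-mail address.
You must complete this process by clicking on the link below and entering
your Citibank ATM/Debit Card number and PIN that you use on ATM.
http://citibank.com.verify-account.example.net/login/
"""

# Constructed benign counterpart: real sender domain, link on the real domain, no request for secrets.
LEGIT_SAMPLE = """\
From: Citibank <statements@citibank.com>
Subject: Your Citibank statement is ready

Your monthly statement is available. Sign in at https://www.citibank.com/ as usual.
We will never ask for your card details by e-mail.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGIT_SAMPLE):
        print(analyse(sample))
```

The decisive check is the link host: the phishing sample's `citibank.com.verify-account.example.net` begins with the brand's name, which is what fools a reader, but its registered domain is `example.net`, which is what the filter compares. A real deployment would replace the two-label heuristic with the public suffix list and add the usual spam signals on top.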
Speculation on the future
The advance of anti-phishing laws, protection software and education is pushing phishers to become more imaginative and to create more complex schemes and malicious software. The phishers of today make the security solutions of years past look like child's play, and they take advantage of those who have not upgraded their security. With every new generation of phishing attacks there will need to be a new generation of anti-phishing software, and of education, to combat the more sophisticated methods of information theft.
The internet of tomorrow will be a very unsafe place if proper measures are not taken to keep up with the evolution of phishing. There have, however, been advances overseas that we in the United States and Canada have not yet seen. The latest protection for online banking has turned to cell phones. Users accessing their accounts are given a one-time password at each login through a simple text message. Once the user passes a 'challenge' (where were you born, your first pet's name, etc.), a password is sent directly to their cell phone, giving them access to their account for that session or day. A fresh password is sent at each subsequent login, so a password stolen by a phisher is of little use once it has been used or has expired.
Sadly, this process also has weak links that will likely need to be fixed in the future. The biggest problem is that text messages are sent to the phone without encryption, so if an attacker could intercept the message they could log in to the account during the password's lifetime; a phishing site that forwards the victim's details to the real bank in real time could likewise relay the one-time password before it expires. While this may seem far-fetched now, it may not be so hard for attackers ten to fifteen years from now. Keeping the lifetime of each password short, allowing it to be used only once and limiting the number of guesses all reduce the damage an intercepted message can do.
While software is being updated, hopefully international law will be as well. With security becoming more important, software advances need to be backed by some type of enforcement. The enforcement needed is an international law with the reach to find and arrest these attackers across borders. Under the law in place now, anyone outside U.S. borders is very hard to touch because they have not committed the crime on U.S. soil.
Software and laws are great, but without education they may never work to their full potential. Simple education techniques that do not depend on third-party software are the way of the future. The game created by Carnegie Mellon University fits well because it teaches the user what to look out for and when to suspect a problem. This type of education does not rely on up-to-date patches and virus scanners; it simply teaches users to be aware of what they click and where they roam on the net.
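The one-time password scheme described above, as an added example for this page (not the code of any bank or of the essay's sources): a small server-side service that issues a random six-digit code, stores only a keyed hash of it bound to the user, and accepts it once, within a short lifetime and within a limited number of guesses. The text-message delivery itself is outside the example; issue() simply returns the code that would be sent. The server key, the five-minute lifetime, the three-guess limit, the controllable clock and the user names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a 5-minute lifetime rather than a whole day, to shrink the replay window
MAX_ATTEMPTS = 3        # a 6-digit code falls to brute force if guesses are unlimited


@dataclass
class PendingOtp:
    digest: bytes       # keyed hash of the code; the code itself is never stored server-side
    expires_at: float
    attempts: int = 0


class FakeClock:
    """Controllable clock so the expiry path can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class OtpService:
    """Issues and checks one-time login passwords (constructed example, not any bank's code)."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # assumption: a secret loaded from the server's protected config
        self._clock = clock
        self._pending = {}              # username -> PendingOtp (one outstanding code per user)

    def _digest(self, username: str, code: str) -> bytes:
        # Bind the code to the user so a code issued to one customer cannot verify for another.
        return hmac.new(self._key, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        """Create a fresh code and return it for delivery (the SMS step is outside this example).
        Re-issuing replaces any outstanding code, so only the most recent one is valid."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = PendingOtp(self._digest(username, code),
                                             self._clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, username: str, code: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:                            # nothing issued, or already consumed
            return False
        if self._clock() > entry.expires_at:         # expired: discard; the user must request a new one
            del self._pending[username]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:            # too many guesses: discard the code entirely
            del self._pending[username]
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(username, code))  # constant-time compare
        if ok:
            del self._pending[username]              # single use: a replayed code is rejected
        return ok


def demo() -> dict:
    """Walk through the normal login and each failure mode; returns every outcome by name."""
    clock = FakeClock()
    svc = OtpService(secrets.token_bytes(32), clock)
    out = {}

    code = svc.issue("alice")
    out["correct_code"] = svc.verify("alice", code)        # True
    out["replay"] = svc.verify("alice", code)              # False: consumed on first use

    alice_code = svc.issue("alice")
    bob_code = svc.issue("bob")
    while bob_code == alice_code:                          # avoid an (unlikely) accidental collision
        bob_code = svc.issue("bob")
    out["cross_user"] = svc.verify("bob", alice_code)      # False: code is bound to alice

    code = svc.issue("alice")
    clock.advance(OTP_TTL_SECONDS + 1)
    out["expired"] = svc.verify("alice", code)             # False: lifetime exceeded

    code = svc.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)
    out["after_lockout"] = svc.verify("alice", code)       # False: guess budget exhausted
    return out


if __name__ == "__main__":
    print(demo())
```

The lifetime and the single-use rule are what limit the damage of an intercepted text message: a code read off the air is worthless once the legitimate user has consumed it or the five minutes have passed, and the attempt limit keeps a six-digit code from being guessed. None of this helps against a phishing site that relays the code to the real bank within its lifetime; that requires binding the code to the transaction or the session rather than only to the user.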
Summary and Conclusions
References
- APWG. (n.d.). Anti-Phishing Working Group. Retrieved March 3, 2008, from http://www.antiphishing.org/
- Gittlen, S. (2005, March 29). New anti-phishing law lacks global weight. Retrieved March 8, 2008, from http://itmanagement.earthweb.com/secu/article.php/3493596
- Haskins, W. (2008, February 16). Inside Firefox 3's latest beta update, part 1. LinuxInsider. Retrieved March 6, 2008, from http://www.linuxinsider.com/story
- Montalbano, E. (2007, October 11). Researchers: Current education inadequate to fight phishing. The Washington Post. Retrieved March 11, 2008, from http://www.washingtonpost.com/wp-dyn/content/article/2007/10/11/AR2007101100028.html
- Phishing. (n.d.). Webster's New Millennium Dictionary of English, Preview Edition (v 0.9.7). Retrieved March 1, 2008, from http://dictionary.reference.com/browse/phishing
- Tuliani, D. (2004, March 5). The future of phishing. Retrieved March 13, 2008, from http://www.net-security.org/article.php?id=672&p=1
Appendix A: Sample phishing email
Subject: Verify your E-mail with Citibank
This email was sent by the Citibank server to verify your E-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM.
This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it.
To verify your E-mail address and access your bank account, click on the link below: