From Crypto-Gram by Bruce Schneier
Phishing
Earlier this month, California became the first state to enact a law
specifically addressing phishing. Phishing, for those of you who have been away
from the Internet for the past few years, is when an attacker sends you an
e-mail falsely claiming to be from a legitimate business in order to trick you
into giving away your account information -- passwords, mostly. When the victim
is instead redirected to the fake site by subverting DNS, so that the genuine
address resolves to the attacker's server, it's called pharming.
Financial companies have until now avoided taking on phishers in a serious way,
because it's cheaper and simpler to pay the costs of fraud. That's unacceptable,
however, because consumers who fall prey to these scams pay a price that goes
beyond financial losses, in inconvenience, stress and, in some cases, blots on
their credit reports that are hard to eradicate. As a result, lawmakers need to
do more than create new punishments for wrongdoers -- they need to create tough
new incentives that will effectively force financial companies to change the
status quo and improve the way they protect their customers' assets.
Unfortunately, the California law does nothing to address this.
The new legislation was enacted because phishing is a new crime. But the law
won't help, because phishing is just a tactic. Criminals phish in order to get
your passwords, so they can make fraudulent transactions in your name. The real
crime is an ancient one: financial fraud.
These attacks prey on the gullibility of people. This distinguishes them from
worms and viruses, which exploit vulnerabilities in computer code. In the past,
I've called these attacks examples of "semantic attacks" because they exploit
human meaning rather than computer logic. The victims are people who get e-mails
and visit websites, and generally believe that these e-mails and websites are
legitimate.
These attacks take advantage of the inherent unverifiability of the Internet.
Phishing and pharming are easy because authenticating businesses on the Internet
is hard. While it might be possible for a criminal to build a fake
bricks-and-mortar bank in order to scam people out of their signatures and bank
details, it's much easier for the same criminal to build a fake website or send
a fake e-mail. And while it might be technically possible to build a security
infrastructure to verify both websites and e-mail, both the cost and user
unfriendliness means that it'd only be a solution for the geekiest of Internet
users.
These attacks also leverage the inherent scalability of computer systems.
Scamming someone in person takes work. With e-mail, you can try to scam millions
of people per hour. And a one-in-a-million success rate might be good enough for
a viable criminal enterprise. In general, two Internet trends affect all
forms of identity theft. The widespread availability of personal information has
made it easier for a thief to get his hands on it. At the same time, the rise of
electronic authentication and online transactions -- you don't have to walk into
a bank, or even use a bank card, in order to withdraw money now -- has made that
personal information much more valuable.
The problem of phishing cannot be solved solely by focusing on the first trend:
the availability of personal information. Criminals are clever people, and if
you defend against a particular tactic such as phishing, they'll find another.
In the space of just a few years, we've seen phishing attacks get more
sophisticated. The newest variant, called "spear phishing," involves
individually targeted and personalized e-mail messages that are even harder to
detect. And there are other sorts of electronic fraud that aren't technically
phishing.
The actual problem to be solved is that of fraudulent transactions.
Financial institutions make it too easy for a criminal to commit fraudulent
transactions, and too difficult for the victims to clear their names. The
institutions make a lot of money because it's easy to make a transaction, open
an account, get a credit card and so on. For years I've written about how
economic considerations affect security problems. Financial institutions could
put security countermeasures in place to prevent fraud, detect it quickly and
allow victims to clear themselves. But all of that's expensive. And it's not
worth it to them.
It's not that financial institutions suffer no losses. Because of something
called Regulation E, they already pay most of the direct costs of identity
theft. But the costs in time, stress, and hassle are entirely borne by the
victims. And in one in four cases, the victims have not been able to completely
restore their good name.
In economics, this is known as an externality: It's an effect of a business
decision that is not borne by the person or organization making the decision.
Financial institutions have no incentive to reduce those costs of identity theft
because they don't bear them.
Push the responsibility -- all of it -- for identity theft onto the financial
institutions, and phishing will go away. This fraud will go away not because
people will suddenly get smart and quit responding to phishing e-mails, because
California has new criminal penalties for phishing, or because ISPs will
recognize and delete the e-mails. It will go away because the information a
criminal can get from a phishing attack won't be enough for him to commit fraud
-- because the companies won't stand for all those losses.
If there's one general precept of security policy that is universally true, it
is that security works best when the entity that is in the best position to
mitigate the risk is responsible for that risk. Making financial institutions
responsible for losses due to phishing and identity theft is the only way to
deal with the problem. And not just the direct financial losses -- they need to
make it less painful to resolve identity theft issues, enabling people to truly
clear their names and credit histories. Money to reimburse losses is cheap
compared with the expense of redesigning their systems, but anything less won't
work.
California law:
<http://www.msnbc.msn.com/id/9547692/>
Definitions:
<http://en.wikipedia.org/wiki/Phishing>
<http://en.wikipedia.org/wiki/Pharming>
<http://www-03.ibm.com/industries/financialservices/doc/content/news/magazine/1348544103.html> or <http://tinyurl.com/b32dh>
<http://www-03.ibm.com/industries/financialservices/doc/content/news/pressrelease/1368585103.html> or <http://tinyurl.com/9rkas>
Who pays for identity theft:
<http://www.informationweek.com/showArticle.jhtml?articleID=166402700>
Me on semantic attacks:
<http://www.schneier.com/crypto-gram-0010.html#1>
Me on economics and security:
<http://www.schneier.com/book-sandl-intro2.html>
Me on identity theft:
<http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html>
Discussion of my essay:
<http://it.slashdot.org/article.pl?sid=05/10/06/199257&tid=172&tid=98>
This essay originally appeared in Wired:
<http://www.wired.com/news/politics/0,1283,69076,00.html>