November 17, 2004 4:00 AM PST

Caught in a phishing trap

(continued from previous page)

of different organizations, including credit-trackers Experian, software giant Microsoft and credit card stalwart Visa.

Earlier this month, the group gave its endorsement to a global e-mail authentication strategy. It believes the project can help create technologies for Internet-protocol (IP) validation and digital signatures that will thwart spam and phishing attacks.

Phishing haul

Three successes in law enforcement's fight against online fraud.

ANDREW SCHWARMKOFF
Charged with: Using phishing scam to funnel money to Russian mob
Busted by: Massachusetts state authorities and U.S. Marshals
Charged: Nov. 9, 2004
Status: Held on $100,000 bail, awaiting trial

ZACHARY KEITH HILL
Charged with: Sending phishing e-mails that targeted customers of AOL and eBay
Busted by: Federal Trade Commission and the Department of Justice
Indicted: March 2004
Status: Pleaded guilty to multiple counts of fraud and was sentenced to almost four years in prison

ALEC PAPIERNIAK
Charged with: Sending phishing e-mails targeting customers of PayPal
Busted by: Minnesota state authorities
Charged: February 2004
Status: Pleaded guilty to multiple counts of fraud

Peter Cassidy, secretary general of APWG, said the group is trying to balance the interests of consumers and businesses in finding a way to protect both. He believes lessons learned from earlier fraud efforts are key to discouraging phishing.

"The rate that we're seeing phishing attempts increase by is currently 50 percent per month, and it's moving to new platforms such as peer-to-peer computing, which is pretty spooky to think about," Cassidy said. "We have to take the same approach that credit companies took in the 1970s when fraud was crippling the catalogue business."

One of the main thrusts of the general antiphishing effort is consumer education. The MailFrontier phishing test completed by Krabill does make its point--in many cases, the phishing e-mails generated by online criminals are very hard to discern from the real thing.

"Consumers simply have to become savvier about phishing and other forms of fraud," said Mike Cunningham, senior vice president of fraud management at Chase Card Services, the credit card services division of JPMorgan Chase. Financial services companies "can do everything in our power to quickly identify these attacks and shut down the Web sites. But getting the customer to know what to expect from a credit card issuer, and what to expect from these criminals, is what's truly going to make a difference."

At online auction site eBay, customer awareness is starting to take root, company spokesman Hani Durzy said. On eBay's message boards for registered customers, people frequently post details of emerging phishing campaigns before the company has heard about them, he said. In addition, more and more members are reporting fraud activity and are talking among themselves about it.

"Our community has been very vigilant about passing around information, and asking for each others' advice and opinions whether things are legitimate or spoofs," Durzy said. "Over the last two years, phishing has really exploded, but people are becoming more aware of the threat."

On the technology side, eBay employs a complex system of software applications designed to flag any activity on its site that indicates one of its users' accounts has been hijacked. Much like the fraud prevention systems used by credit card companies, the tools look for irregularities such as a dramatic change in location or in the size of bids.

In addition, eBay and its PayPal billing unit share a fraud investigation team, whose full-time job is to track down illegitimate operations using the PayPal and eBay names.

Industry efforts such as these and cooperation with law enforcement agencies have resulted in high-profile arrests and the prosecution of fraudsters such as Zachary Hill, who was sent to prison for almost four years in connection with an eBay scam.

Despite these successes and the push to improve technology, experts agree that the best way to foil phishing campaigns is to encourage more cautious consumers. JPMorgan's Cunningham emphasizes that people need to delete suspicious messages and to resist the urge to ever transmit personal data.

"Just don't do it, don't reply," he said. "It's really that simple."


8 comments

People are the problem
Even the best of us can make a mistake, and these days you only need to make one to lose control of your identity. How many log into an account, but forget to log out when we leave the room? Would you open the email from a trusted friend, even though the email was infected? Can you even trust your bank?
What we need are computers that are taught not to trust people. Not anybody. A truly paranoid system can't be caught off guard, and will adapt faster to new tricks than humans.
If anyone can figure out how to do this, tell me how.
Posted by Marcus Westrup (481 comments )
Let the phishers continue
Like AOL users, people who trick out their civics, and business majors, this is yet another opportunity to weed out people from the gene pool.

Like the situations mentioned above, people who allow themselves to be scammed online should get the word stupid tattooed on their foreheads, sterilize them, and sterilize any children they have blundered into so far.
Posted by (243 comments )
AOL users
http://www.analogstereo.com/jeep_cherokee_owners_manual.htm
Posted by Ubber geek (325 comments )
GET BACK
What would happen if we all replied to the phishers with erroneous information: wrong account number, wrong credit card number, wrong name, wrong tax ID number, wrong PIN? Eventually doing what spammers do to us, overload them. They won't be able to determine what's good and what's bad. They would be caught easier with them trying to use erroneous numbers. Right now they get some to answer with valid information and others don't answer. Flood them with more than they can handle and make them figure out what's good and what's bad, rather than us!
Posted by (2 comments )