RE: Phishing for Solutions to Online Crime

by on August 17, 2004 · 10 comments

When phishing for solutions to online crime, lawmakers are bound to reel in two favorites: expanding statutory definitions of criminality, and broadening prosecutorial powers. Senator Leahy proposes the former (S. 2636), but amendments in committee would likely incorporate the latter, as well as a few Federal Trade Commission rulemakings, and maybe even a GAO study.

Those of us who are unenthused about the prospect of such government encroachment tend to offer promises of technological solutions without reflecting adequately on whether or not a market exists to support their development. Not only do less than 5 percent of targeted consumers fall victim to phishing, but the primary consumers of these would-be innovations (online businesses) can opt instead to acquire collective (state) resources from pliable lawmakers at a fraction of the cost.

This dynamic is even more pronounced in this situation because the costs of phishing are predictably concentrated among a small subset of businesses and their consumers. According to data from the Anti-Phishing Working Group, 77 percent of phishing attacks are targeted against the financial services industry, with over 44 percent of those attacks against customers of Citibank, the largest bank (in market cap) in the world. Although the phishing infrastructure (mass emails and temporary web sites) is low cost, there are economies of scale involved. And to the extent that those targeted are not only the largest, but also the most reputable online businesses, phishing is a greater threat to brand equity than the more mundane trademark infringements these businesses already spend tens of millions each year to suppress.

Public concerns that consumers will shun all internet transactions after falling victim to fraud are unlikely to be as consequential as management’s concern that consumers will avoid future internet transactions with the business whose trademark was expropriated to commit the fraud. Publicly traded corporations with shareholder equity in excess of $90 billion do not need public subsidies in the form of prosecutorial resources to assist them in maintaining brand equity. And given estimates that suggest only 27 percent of phishing web sites are hosted in the U.S., supranationals may already be better positioned to police against phishing anyway.

  • Henry Clay

    By treating this solely as a financial services industry problem, but brushing off the other 23% of victims, is there any potential that you end up increasing barriers to entry in those other industries that suffer phishing attacks? In other words, if no legislation is necessary because we’re willing to allow large entities to continue to defend their brands, what does that do to, say, an upstart competitor to eBay? Obviously that upstart won’t instantly be a target because the phishers won’t go after them until they have *some* brand ID, and perhaps that’s the answer to my question…..

    HC

  • Anonymous

    Since phishing attacks are correlated to firm size and brand id or equity, the law would actually disadvantage larger firms relative to new entrants since it would relieve them of some of the burden of defending their brand equity.

    The costs of phishing are distributed in a disparate fashion, which makes the case for a society-wide, collective response less compelling.

  • Scott Dier

    I’m sort of surprised that you think a market doesn’t exactly exist. Look at the IETF MARID group, which is quickly coming up with a standard to attempt to quash such attacks by making it hard to fake @yourbank.com. Microsoft, Yahoo, pobox.com, EarthLink, AOL, and others are all evaluating technologies that verify that the sender is correct and will stop phishing scams that misrepresent the sender’s email address. It is expected that as soon as a standard is easily configured on the majority of mailservers, the major players will require it to communicate messages with their users.

    There’s a market, and the technology is coming.

    In any case, most phishing attacks are a form of fraud because of the misrepresentation of identity — I’m fairly sure that is covered (gasp!) under the CAN-SPAM Act.
