Saturday, February 25, 2006

Phishing for Dollars

Origins of phishing attacks

When I worked in a hospital, I was once given a task that led me literally through every non-patient room on every floor. What I used instead of an identification card or uniform was a clipboard and an air of determination. I was unchallenged that entire week, even though an apparent sixteen-year-old kid was rummaging through drug supplies and furtively going into back rooms like Harrison Ford in The Fugitive. The nurses were too busy to care, the doctors were far too busy to care, and most importantly, I had a clipboard.

Phishing works in the same way. Computer programmers used to smile at the way that merely having something printed out by a computer made it true. Well, now the entire credulous world is starting to come online, and it's a fine, profitable time to be an online con-artist. From now until April, there will be an increase in the fake IRS phishing attacks. The Anti-Phishing Working Group put up a 15-page Trends in Phishing report (15 page, PDF) with a few of the details. The bottom line? The incidents have doubled since they started monitoring them a year ago.

This is a difficult issue that won't go away soon, because it's a profitable, low-risk crime. As an individual, I am at risk of identity theft, and phishing is the flip side of that issue for corporations. A company I trust, like Schwab, has all of its hard-won authority abused by strangers who will winkle money out of my wallet.

I've struggled with what to tell my non-technical friends and family about this issue. "Believe nothing you get online" is a good shorthand, but then I still get multiple emails with silly cell-phone rumors. It would be nice to be more detailed. However, one elderly relative mentioned in passing to me that she was going to shut down her account with eBay because she was tired of getting those emails asking for her credit card over and over. My mother-in-law called me to ask what was wrong with her computer because every night the network traffic went crazy and the hard drive light was flashing nonstop. These are not people I can instruct to verify SSL certificates.

I don't know what the answer is. Even the security experts are amazed by the skill of some of the recent attacks. I know some people are working very hard now on authentication issues, but for now, it takes effort just to decide who to trust.

(Photo from


Post a Comment

Links to this post:

Create a Link

<< Home

Blog Flux Directory