"Let men be wise by instinct if they can, but when this fails be wise by good advice." -Sophocles

Friday, April 13, 2007

"Phishy" Feud Blocks Net Fraud Protection

We have all received them: emails allegedly from Bank of America, Citibank, or any of a host of financial institutions warning you to update your account information at their web site or risk losing access to your accounts. These emails, of course, contain instructions for “updating” your account information: simply click the link in the email and your account login screen will appear. Hopefully by now most people are aware that these emails are an insidious and all too common fraud scheme known as “Phishing,” and what the cyber criminals are “phishing” for are the user IDs and passwords to your accounts.

The link in the email takes you to a site that looks identical to your bank's, credit union's or credit card issuer's login screen but is in reality a sophisticated imitation whose sole purpose is to capture your user ID and password as you enter them. The cyber criminals receive your information in real time, and weeks later, when you review your credit card or bank statements, you will be shocked to discover unauthorized charges and that your bank accounts have been methodically siphoned of your hard-earned money.

The technology exists to make these fake web sites far harder to pass off as the real thing, and it would be relatively easy to deploy, saving victims of this crime the stress, time, and often money involved in restoring their accounts and eventually their identities. What is holding up the deployment of Phishing prevention on the Internet? According to a UPI report by Shaun Watterman, international distrust of the U.S. Government and global envy of its strong position to control much of the Internet’s infrastructure are the culprits, and online consumers are paying the price, literally, for the petty political spat.

The www Web addresses we are all familiar with are domain names. When you type one, your computer asks the Domain Name System (DNS) for the Internet Protocol (IP) address that name maps to, and your traffic is then sent to that address. Faking or “spoofing” these Web addresses and IP numbers is fairly simple. I learned how to do it in minutes in a government training course years ago. The security problem that makes these fraudulent web sites possible is that a DNS answer carries no digital signature, so your computer has no way to tell whether the address it was handed for your bank’s name is the one your bank actually published.

When you type your bank’s Web address yourself rather than following a link, you are at least asking for the right name, although even then a forged DNS answer can quietly send you somewhere else. And there is currently nothing that prevents Phishers from writing the bank’s real address as the visible text of a link in their emails while the link itself leads to an imitation web page. As reported by UPI, the U.S. Government has funded a program, known as DNSSEC, to authenticate all web domain names (www Web addresses) by establishing “keys” that sign the address records of each domain, so that your computer can tell whether the answer it received for the bank’s name is genuine.

Unfortunately, the question of who will hold the keys to the authentication system is hampering the progress of this important consumer protection measure. Some concern has been raised by international Internet organizations and some governments that whoever holds the root key would be the one entity in the world able to sign a false delegation for any top-level domain, and so able to produce forged addresses that every computer trusting that key would accept, without explaining why they are worried about the U.S. government doing so. This is where the anti-American sentiment comes into play, as the U.S. already controls the “Root Zone,” the top of the naming hierarchy that delegates .com, .org, and every other top-level domain. The U.S. proposal for global authentication does not assert that the U.S. should hold sole control of the authentication keys, and even leaves the door open for a trusted contractor to manage the Root Zone. Foreign governments, though, distrust the U.S. enough to block this important development, apparently being more concerned with obtaining a piece of the pie than with consumer protection.
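To make the dispute over the keys concrete, here is an added example, not from the UPI report and not code from the program it describes, of how a signed naming hierarchy of this kind works and what holding the top key lets you do. It is a toy model of DNSSEC in Go: one ed25519 key per zone, each parent signing a digest of its child’s key, and a resolver that trusts only the root key it was configured with. The zone names, the addresses (documentation ranges) and the bank-login.com look-alike are all constructed for the example. It shows four things: the bank’s genuine answer validates; an answer with the address swapped is rejected; whoever holds the root private key can mint a complete, valid-looking chain for any name; and a phisher’s own properly registered look-alike domain validates just as well, because signed DNS proves you reached the name you asked for, not that the name belongs to your bank.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Zone is a cut-down DNSSEC-signed zone: one ed25519 key (no KSK/ZSK split),
// signing a simple canonical string instead of RRSIGs over DNS wire format.
type Zone struct {
	Name string // with trailing dot, e.g. "com."
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// Record is a signed answer: type "A" maps a name to an address; type "DS" is a
// parent's signed digest of a child zone's key, with Key carrying that key.
type Record struct {
	Name, Type, Value string
	Sig               []byte
	Key               ed25519.PublicKey // set on DS records: the child's DNSKEY
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, priv: priv, Pub: pub}
}

func canon(r Record) []byte { // the bytes that get signed; names are case-insensitive
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + r.Value)
}

func digest(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

func (z *Zone) Sign(name, rtype, value string) Record {
	r := Record{Name: name, Type: rtype, Value: value}
	r.Sig = ed25519.Sign(z.priv, canon(r))
	return r
}

func (z *Zone) Delegate(child *Zone) Record { // parent signs a DS for the child's key
	ds := z.Sign(child.Name, "DS", digest(child.Pub))
	ds.Key = child.Pub
	return ds
}

// Validate is the resolver side: from the configured root key (trust anchor), check
// each delegation on the path to the name, then the answer. Any break fails.
func Validate(anchor ed25519.PublicKey, chain []Record, name string, answer Record) error {
	if answer.Type != "A" || !strings.EqualFold(answer.Name, name) {
		return fmt.Errorf("answer is not an A record for %s", name)
	}
	key, q := anchor, "."+strings.ToLower(name) // leading dot: match whole labels only
	for _, ds := range chain {
		if ds.Type != "DS" || !strings.HasSuffix(q, "."+strings.ToLower(ds.Name)) {
			return fmt.Errorf("%s is not a delegation on the path to %s", ds.Name, name)
		}
		if len(ds.Key) != ed25519.PublicKeySize || !ed25519.Verify(key, canon(ds), ds.Sig) || ds.Value != digest(ds.Key) {
			return fmt.Errorf("delegation to %s is not validly signed by its parent", ds.Name)
		}
		key = ds.Key // the child's key is now trusted for names under ds.Name
	}
	if !ed25519.Verify(key, canon(answer), answer.Sig) {
		return fmt.Errorf("signature on the %s answer does not verify: spoofed", name)
	}
	return nil
}

// Honest hierarchy root -> com. -> bank.com. Names are constructed for the
// example; 203.0.113.x and 198.51.100.x are documentation addresses.
var root, com, bank = NewZone("."), NewZone("com."), NewZone("bank.com.")
var chain = []Record{root.Delegate(com), com.Delegate(bank)}

// Scenarios returns what a resolver anchored on root.Pub decides in each case;
// nil means the answer validated.
func Scenarios() map[string]error {
	const n = "www.bank.com."
	tampered := bank.Sign(n, "A", "203.0.113.10")
	tampered.Value = "198.51.100.66" // attacker swaps the address on the wire
	// Rogue root-key holder: delegates com. to keys of their own, then signs anything.
	rogueCom, rogueBank := NewZone("com."), NewZone("bank.com.")
	rogueChain := []Record{root.Delegate(rogueCom), rogueCom.Delegate(rogueBank)}
	// Look-alike: a phisher's own bank-login.com., registered and signed normally.
	look, ln := NewZone("bank-login.com."), "www.bank-login.com."
	lookChain := []Record{chain[0], com.Delegate(look)}
	return map[string]error{
		"genuine":   Validate(root.Pub, chain, n, bank.Sign(n, "A", "203.0.113.10")),
		"tampered":  Validate(root.Pub, chain, n, tampered),
		"rogue":     Validate(root.Pub, rogueChain, n, rogueBank.Sign(n, "A", "198.51.100.66")),
		"lookalike": Validate(root.Pub, lookChain, ln, look.Sign(ln, "A", "198.51.100.66")),
	}
}

func main() { fmt.Println(Scenarios()) }
```

Running it prints a nil result for "genuine", "rogue" and "lookalike" and an error only for "tampered". The "rogue" case is the whole governance argument in one line: nothing in the chain tells a resolver that the root key was used dishonestly, which is why who holds that key matters so much. The "lookalike" case is the caveat a practitioner should keep in mind: signed DNS stops address forgery for the name you asked for, but it does nothing about a phisher who simply registers a different name.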

It is unclear whether the international Internet organizations will ever come to an agreement over who will ultimately control the authentication keys, which places the implementation of such a system in jeopardy. Fortunately, the U.S. government is prepared to act unilaterally and sign the domains under its control: .gov, .com, .org, and .us. One thing is certain: under no circumstances will the Root Zone key be given to any Nigerian, Russian, or former Soviet state government agency or contractor, as the vast majority of Phishing and similar identity theft scams currently emanate from those areas.

Thankfully, as a consumer you can greatly reduce your exposure by typing the Web address of the sites you visit yourself, or by following only links and bookmarks created by you or someone you trust. Keep in mind that no financial institution ever calls you by phone or sends you email requesting information it already has, such as your name, Social Security Number, account number or PIN. If you receive such a phone call, note the caller ID if possible, refuse to provide any information, and report the incident to your financial institution and to the Internet Fraud Complaint Center (IFCC). If you receive such an email, flag it as spam to your ISP so that future emails go straight to your “junk” or “bulk” folder, and report the incident to the IFCC as well. Many products on the market, such as Norton Internet Security 2007 and Earthlink Protection Center, and most newer web browsers, offer built-in scam blocking or Phishing detection features that are quite effective.
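The checks below are an added example, not from this post and not the code of any of the products it names, of the kind of test a browser or mail filter can apply to the links in a message to catch the trick described earlier: a link whose visible text is the bank’s real address while the link itself goes somewhere else. It is written in Go using only the standard library. The sample message, the brand domain bank.example and the addresses (documentation ranges) are constructed for the example, and treating the last two labels of a host as its registrable domain is a stated simplification.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one anchor in a message whose destination does not match what the
// reader is shown, or that uses a trick to hide where it really goes.
type Finding struct {
	Href, Text, Reason string
}

var (
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
	tagRe    = regexp.MustCompile(`(?s)<[^>]+>`)
)

// hostOf returns the lower-cased host named by link text that looks like a URL or
// a bare host name, or "" when the text is ordinary words ("Update your account").
func hostOf(text string) string {
	s := strings.TrimSpace(text)
	if !strings.Contains(s, "://") {
		s = "http://" + s
	}
	u, err := url.Parse(s)
	if err != nil || !strings.Contains(u.Hostname(), ".") || strings.ContainsAny(u.Hostname(), " \t") {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// registrable approximates the registrable domain as the last two labels.
// Assumption: good enough for .com-style suffixes, wrong for co.uk and the like.
func registrable(host string) string {
	l := strings.Split(host, ".")
	if len(l) < 2 {
		return host
	}
	return strings.Join(l[len(l)-2:], ".")
}

// CheckLinks inspects every anchor in an HTML message. brand is the domain the
// message claims to come from (e.g. "bank.example").
func CheckLinks(html, brand string) []Finding {
	var out []Finding
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href := strings.TrimSpace(m[1])
		text := strings.TrimSpace(tagRe.ReplaceAllString(m[2], "")) // what the reader sees
		u, err := url.Parse(href)
		if err != nil || u.Hostname() == "" {
			continue // relative or unparsable links are out of scope here
		}
		host := strings.ToLower(u.Hostname())
		flag := func(reason string) { out = append(out, Finding{href, text, reason}) }
		switch {
		case u.User != nil: // http://www.bank.example@evil.example/ really goes to evil.example
			flag("user info before @ hides the real host")
		case net.ParseIP(host) != nil:
			flag("destination is a bare IP address")
		case strings.Contains(host, brand) && registrable(host) != registrable(brand):
			flag("brand name embedded in an unrelated domain")
		case hostOf(text) != "" && registrable(hostOf(text)) != registrable(host):
			flag("visible link text names a different site than the destination")
		}
	}
	return out
}

// sampleMail is a constructed phishing-style message, not a real sample.
const sampleMail = `<p>Dear customer, your account will be suspended unless you act now.</p>
<a href="https://www.bank.example/help">https://www.bank.example/help</a>
<a href="http://198.51.100.7/login">Update your account now</a>
<a href="http://www.bank.example.account-verify.example/login">www.bank.example</a>
<a href="http://www.bank.example@203.0.113.9/">https://www.bank.example/login</a>
<a href="https://login.evil.example/bank"><b>https://www.bank.example/login</b></a>`

func main() {
	for _, f := range CheckLinks(sampleMail, "bank.example") {
		fmt.Printf("%-55s shown as %-32q  %s\n", f.Href, f.Text, f.Reason)
	}
}
```

The first link in the sample is genuine and is not reported; the other four are each caught by a different check. The userinfo and bare-IP cases are worth noting because they defeat the advice to "read the address in the link": the real host is the part after the @, and an IP address tells the reader nothing about whose site it is. The brand-as-sub-label check is the one that catches the case the post warns about, where the bank’s real name appears inside an address that is actually registered by someone else.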

When it comes to Phishing and online fraud, private sector companies such as Symantec are light years ahead of governments in providing immediate prevention tools to consumers. While Internet-wide site authentication would be a tremendous boon to Internet security and commerce, it may be years in coming due to international wrangling over the “keys.” Teenage siblings arguing over car keys seem only slightly less juvenile.
