Chairman, Anti-Phishing Working Group
Friday, November 19, 2004
Fraudulent phishing e-mail is forcing businesses to reconsider how they communicate with their customers online. Dave Jevans, senior vice president of Teros and chairman of the Anti-Phishing Working Group, discussed this growing form of online fraud with washingtonpost.com reporter Brian Krebs.
A transcript follows.
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Thank you for joining us today, Dave. A major theme of the many excellent questions we've received already is that consumers are baffled as to why these phishing schemes exist in the first place, and can't the banks, e-commerce companies, et al., do more to stop these scams. Maybe you could start us off by briefly describing the complexity involved in combating phishing scams?
Dave Jevans: Thanks Brian for having me on today. The problem with phishing is that banks and e-commerce companies cannot directly control it. Phishers are setting up fake sites and emails, and sending them out to thousands or millions of consumers. There is little that a bank or e-commerce site can do to prevent the setup of a phishing scam.
One problem is that the Internet standards for email do not provide a way to verify that email is from the sender that it purports to be. Phishers put a return address that says it's from the bank, even though it is not. We cannot really address this problem without new standards and software throughout the Internet.
To combat phishing will require collaboration between ISPs, anti-spam vendors, financial institutions, e-commerce sites and law enforcement.
Kingston, Jamaica :
It's a pretty sad comment on our e-mail system that our default attitude should be to mistrust everything we see. Is there any technology on the horizon (authentication, perhaps?) that will fix e-mail to the point that we can actually trust messages from our banks, lenders, etc.? It would be a real shame if we just had to abandon it as a tool for any communication more sensitive than a smiley face.
Dave Jevans: There have been several proposals for email authentication that have been debated this year in the Internet Engineering Task Force. It's been a bit of a heated debate, but the industry seems to be coming to general agreement that we will start by deploying a combination of SPF and Sender-ID, and then follow up with a stronger form of email signing based on Domain Keys. You can look all of these up in your favorite search engine to get more details.
Small Town, Florida:
In the recent articles I've read on people impacted by phishing, the victims have sworn off all internet commerce. Is shopping on web sites of brick and mortar stores still safe? My thought is that it's fine as long as I am initiating the contact, and I am only giving information I want to give and that should be needed for the transaction. Is that a safe assumption?
Dave Jevans: It is generally quite safe to do e-commerce business with well known brick and mortar companies on their websites. Doing business with websites that you've never heard of before can open you up to being scammed.
Always be sure to use anti-spyware and anti-virus software to ensure that no keyloggers are on your computer tracking your credit card numbers. These bits of malware can track your information, even if you are on a legitimate site.
Silver Spring, MD:
I got scammed yesterday with a phony eBay e-mail. The worst part is that I hemmed and hawed before sending my name, address, eBay info, passwords, SSN, and Amex credit card info. I changed my eBay ID and cancelled my Amex. Is there anything else I can do at this point to protect myself? I'M SUCH AN IDIOT! Thanks
Dave Jevans: Call the 3 major credit reporting bureaus and put a "fraud alert" on your details. This will block most new attempts by fraudsters to sign you up for new credit cards or loans. These usually last for 1 year. You can also sign up for credit watching services that will alert you whenever someone starts trying to use your information to set up new credit accounts.
Although phishing is initiated by dishonest thieves, it is something that was initiated by the companies that are now finding themselves as third party victims. The users have become accustomed to special offers, one time only deals, and generally lax security standards on what should be secure websites. As a web application developer and security consultant, I see phishing as something that can easily be overcome with some investment by the companies. Why are the companies not being held accountable in fighting this epidemic? Isn't it partially their responsibility to make non-tech savvy users safe since that makes up the majority of their target market? I don't think the jewelry store that leaves its front door unlocked at night would get much sympathy when their diamonds were stolen.
Dave Jevans: Companies that do business online should definitely take a look at how they do online marketing to their customers. Emails should always have the customer's name in the body of the email. Emails of special offers should never ask for confidential information. It's a little difficult, because the Internet is such a great inexpensive way to keep in touch with your customers.
The real problem here is that the technical standards of the Internet need upgrading to prevent spoofing of email addresses. This is in progress.
College Park, MD:
I don't have a CitizensBank account but I received a "Citizens Bank Phish" yesterday. I found out from CitizensBank's 800-number that I could forward the email to their fraud team, which I did.
Is there a universal email address that we can forward phish emails to? Wouldn't a well advertised email address, similar to the US Treasury's "419 Scam" address, help the good guys trace down & get the bad guys?
Dave Jevans: You can report phishing also to firstname.lastname@example.org. As an industry we are defining data format standards for sharing phishing attack data. Unfortunately the FBI and Secret Service simply do not have the resources to track down the thousands of attacks that are reported each day. Each attack requires a lot of investigation to find the origin, and in most cases, it's almost impossible to find the actual people who set up the scam.
Why is there no way to put a freeze on your credit reports before being the victim of fraud? I know putting a "fraud alert" on your reports will tell creditors to contact you before opening a new line, but my understanding is you must first be a victim of fraud. Is that true?
Dave Jevans: If you believe that your details have been compromised (i.e. by a possible phishing email) you can get a fraud alert on your account. If you want it, insist on it.
There is some debate about making the credit reporting industry more "secure". This is a difficult issue, as easy-to-access credit is something that is core to the success of the American economy, so there is a lot of pushback.
Follow up from Kingston:
I know that there are a lot of technologies in the works, but will any of them actually solve the problem? Will we see a day when e-mail is a trustworthy, reliable medium for trading financial information?
Dave Jevans: Yes. Some variant of digitally signed email, combined with reputation systems and possibly email postage will solve the problem. But it's difficult to agree on standards and to implement across hundreds of millions of computers and a million email servers.
A number of readers have written in requesting tips on how to avoid being hooked by these phishing scams. We have posted a set of tips on how to fend off phishing attacks HERE.
Upper Marlboro, MD:
I received a bill from a collection agency back in Sept. from Sprint. They were asking for the full payment of $351.80. I was stunned. I contacted the agency and told them I've never opened an account with their company. They suggested I file a complaint with the police, the FTC and the three major credit bureaus, which I did. The collection agency asked that I send them some of my personal info., current address & a copy of my SSN. A few days ago I received a letter from the collection agency stating I have been cleared of the charges. My question is, if the persons or person that opened the account have my name and SSN, is it possible that I could have further attacks on my credit? I do no on-line banking and very little, I mean very little, on-line shopping.
Thanks in advance,
Dave Jevans: If you think that your name, address, SSN and/or bank account details have fallen into the wrong hands, put a fraud alert on your name at all 3 credit bureaus.
Palo Alto, CA:
I too was phished once. I am wondering for scam emails, can the problem be solved by asking the e-commerce companies to send out electronically signed/authenticated emails? That way at least we are sure the email really comes from eBay for example. How hard is it to implement this?
Dave Jevans: It can be implemented today. There are existing technologies such as S/MIME signed email or signed PDF files. The problem is that these solutions only work for about 30% of the general Internet population. This is why we are working on common standards as an industry.
Lac a Braine, Quebec:
I often peruse price comparison sites to find products I want to buy. How can I be sure that the companies that use these to vie for my business are for real? Are they?
Dave Jevans: Well, you bring up an interesting problem. In the USA, and possibly Canada, you can check with the Better Business Bureau online to see if the company is listed.
You should also see if they have a legitimate SSL certificate for secure communications from an issuer like Verisign or Geotrust.
You might also want to search online to see if other consumers are speaking positively about the company. If you cannot find any mention of the company on Google, chances are it recently set up in business and might be fly-by-night.
Always pay with a major credit card. Never give out your social security number. Then, if things go wrong, you can get your money back from the credit card company, generally.
smart cookie in VA:
There's always a sucker born every minute. Why are people so stupid?
Dave Jevans: There's always someone who uses the Internet for the first time every minute. These people could be teenagers, elderly, or just computer-phobes. They are not necessarily "stupid", they just don't have any experience using the Internet.
Also, sometimes a phishing email arrives randomly just after you set up a new bank account, or transfer some money. If the right scam hits your mailbox at the right time, you can fall for it. The chances might be 1 in 1 million. So the scammers will send out 50 million emails! :-)
San Francisco, CA:
Do consumers have access to any reliable software which helps detect and stop phishing security breaches on the user's home computer?
Dave Jevans: No system is perfect, unfortunately. There are some interesting tools that can help. First, have good anti-spam software or service on your email account. This can catch many phishing emails. Second, you might want to check out an anti-scam toolbar. Earthlink.com has one called ScamBlocker. GeoTrust.com has something similar. The eBay toolbar has the capability of notifying you of known fake eBay sites.
Are there state laws or federal law against this?
Dave Jevans: There has been a proposal at the federal level and in some states to make "phishing" itself illegal.
However, the act of phishing is prosecutable today under Section 18 of the criminal code. Phishing usually can be prosecuted under one or more of: wire fraud (sending money across state lines), access device fraud (having or using stolen credentials such as credit card numbers or bank account numbers), mail fraud, or aggravated identity theft.
I realize this is probably tasteless and cruel, but aren't phishing attacks roughly the equivalent of taking all the warning labels off of the internet and letting Darwin sort things out? E-commerce has changed from life as we knew it five or ten years ago, and it's important to be able to adapt rather than expect the entire web to be one big warm fuzzy. Yes, I'm a twentysomething and think I know everything, but I've been banking & purchasing online since '96 and have yet to be taken in... it really doesn't take dual degrees in psychology and computer science to figure out whether an e-mail or website is fraudulent.
Dave Jevans: Mailfrontier did a survey of over 200,000 consumers. 70% mischaracterized phishing emails. Draw your own conclusions.
New York, NY:
Is there any reason why phishers pick certain banks to use for phishing scams? It seems pretty random - CitiBank, SunTrust, US Bank, etc.
Dave Jevans: Phishers go where the big schools of phish are. :-)
They typically target the larger banks because they have millions of online customers, so their chances of catching some credentials are higher. As banks harden their sites or implement phishing takedown services, the phishers seem to move on to different targets. Smaller e-commerce sites and banks are starting to get phished.
How can consumers be expected to detect phishing when real companies violate all the good guidance given by places like the Post (e.g., a real offer won't ask for your personal details by email)? Last month E*Trade sent me an email telling me to click on a link and submit the username and password for my bank account. I automatically assumed that this was a phishing attempt - turned out E*Trade was SERIOUS! BTW, I didn't do it.
Dave Jevans: We have a long way to go in educating companies what is appropriate to send out and ask for in email.
The problem here is that the security and fraud departments of these companies might understand the issues, but their marketing departments do not. Guess who sends out the emails to customers???
I'm a former federal prosecutor who has worked on a number of phishing cases. While I agree that technical standards must be tightened, I also think we need to deter phishing through effective law enforcement. I think this means we need better international policing and better methods of following the money when phishers re-enter the market and use our stolen identities (e.g. in auction fraud and re-shipper schemes). What work is the APWG doing on the "back end" and on the international front?
Dave Jevans: You are quite right. The only effective way to capture these criminals is to "follow the money". This means tracking where and when compromised credentials are used.
Unfortunately you will understand that I cannot go into more detail about this topic here.
Thanks Dave, for pointing out Earthlink's handy ScamBlocker tool, which can help block phishing scams, even for non-earthlink customers. However, it's Earthlink.net, as one eagle-eyed reader pointed out. The direct link to the toolbar is HERE.
As I see it, no matter what the technique is, the basic flaw in security comes down to the fact that online security only implements one of the "what you know, what you have, what you are" ideas. What you know can easily be compromised using phishing or general social engineering (even dumpster diving or brute force); however, it is the most convenient (and economical) way of authentication. What plans do financial institutions have to implement an optional second form of authentication that would offer better protection for the security conscious? To verify your response to this question, please post your Social Security Number along with your first pet's name. Thank you.
Dave Jevans: Stronger authentication is certainly something that is needed.
In Europe, many banks didn't roll out online banking until they had strong authentication systems available. Consumers have a token or a small device like a calculator, and it generates one-time passwords that are used to log into the online bank sites, and to authenticate any funds transfers.
In North America, we took a much more "free market" approach. There was no regulation about how to authenticate users, and the real push was to increase convenience and reduce costs by getting as many consumers online as possible.
In the credit card world, both Visa and Mastercard have systems that ask for a second password whenever a merchant processes a transaction. This is somewhat more immune to phishing, but not entirely. The system can be enhanced to require digital certificates, which is much stronger. However, most merchants do not use these systems yet.
For online banking, financial institutions are looking into cost-effective ways to more strongly authenticate users. In fact, most corporate banking systems do already require strong authentication in the form of a token or SecurID card.
The challenge is how to find a solution that can be rolled out to tens of millions of users, does not have big technical issues with device drivers and ports etc., and is not overly inconvenient.
Phase 2 of the Financial Services Technology Consortium project on counter-phishing (www.fstc.org) will be looking deeper into this issue.
Banks are also working on the Electronic Authentication Partnership, which is a federated identity scheme for authentication to financial services and e-government services. Check it out.
Banks need to get on the stick. I am a Bank of America customer, but I never open a single e-mail that claims to be from that company because I have no way of knowing it's authentic.
What are banks doing?
Dave Jevans: Banks are working at multiple levels. They are quite involved in tactical technical and operational solutions that can identify phishing sites and scams and get them taken down quickly.
As for authenticating communications from banks to customers, many banks are actively engaged in projects to evaluate the possible ways to do this. The Financial Services Technology Consortium (www.fstc.org) has a Counter-Phishing project that brings banks and technology vendors together to work through the requirements and options for email authentication. They will be publishing the results of their Stage 1 project in a few weeks.
I saw some survey that indicated people under 30 are actually some of the most victimized, despite being more tech-savvy. They seem to take phishing as a part of the wired life, not to mention they don't have any money to steal. But this is the rising generation -- could it mean people will just see phishing as a nuisance that we tolerate, like dubiously needy panhandlers?
Dave Jevans: Phishing harms the brand equity of companies and the trust that consumers have in e-commerce. It will not be tolerated.
Also, phishers are becoming more tech-savvy and are moving into keylogging and DNS takeovers. These are extremely dangerous. It's got to be stopped.
Pt. Richmond, CA:
I can understand why an individual can be badly affected by these scams. I can also understand why law enforcement agencies wouldn't help a single person who lost, say, $100 to $1000. But can you explain why there isn't more organized government involvement in catching these criminals when many, many people are scammed by them? This pattern of criminality affects so much more than one person.
Dave Jevans: Great question. I can assure you that the FBI and Secret Service take these things very seriously. The Electronic Crimes Taskforce of the Secret Service is deeply involved in anti-phishing activities.
The problem here is that there are thousands of reports per day. Most do not include anywhere near enough information to be able to track down the server that originated the emails, or sometimes even the server where the data is being collected.
The next problem is that in the USA you must subpoena an ISP or company to surrender the data. This can take 30-60 days. By then, the trail is cold.
There have been some good arrests of phishing and carder gangs recently. In fact, take a look at www.shadowcrew.com. This is a well known site for exchanging stolen credentials. You will see that the Secret Service took it down a few weeks ago and has made many arrests.
What is the economic part of this equation for banks, ISPs and others fighting phishing? It's a rule of the marketplace that companies don't usually deal with a problem until it starts to cost more than the solution.
So what is the cost? Are these companies losing customers? Are people getting less trustful of online business, meaning they are doing less of those things that bring these companies a few pennies per click? Are they trying to head off future liability problems, or government interference?
Dave Jevans: Gartner Group estimates $1.2B in losses from phishing. Ponemon Institute estimated $500M. These do not take into account the business costs of customer support, call centers, etc.
In my view, much of the cost of phishing is passed through to the online merchants in the form of chargebacks when consumers find unauthorized transactions on their credit cards. This is a very difficult number to quantify.
The nature of phishing and keylogging is that they are distributed crimes - meaning it's not criminals breaking into a bank. It's criminals stealing identities one at a time and using them at thousands of different online sites. It's a tough problem.
One of our readers from New York just wrote in with an interesting, yet ill-advised, tip: Phish Tip: "If you're really, really not sure about a site, log in with a wrong name and password. If you get in, you're getting phished."
As our Brief History of Phishing timeline shows, several scams have emerged that submit stolen username and password information to a real site to verify its authenticity. If the phished data fails to generate a successful login, the victim is prompted to enter a valid user name and password.
Phishers also have used information available to legitimate merchants to check whether stolen credit card numbers are valid for customers of the targeted bank or credit card company.
Is it worthwhile to forward fake emails to the company, i.e. eBay and PayPal? I get several each week and send them but have no idea if it is worth my effort or if I should just delete them. Fritz
Dave Jevans: It's worthwhile forwarding them. You must forward the entire headers of the email. eBay and PayPal take fraud very seriously. eBay in particular adds new phishing sites to their toolbar anti-fraud screen, so that consumers can be aware if they visit a known eBay spoof site.
Unfortunately these companies get millions of spoof emails a month, so they cannot personally respond to your submissions.
Both phishing and identity theft are possible because the security of our financial systems is based on the false premise that our personal information can be kept secret. Since thieves have multiple ways to get at this information, do you believe that banks and other financial institutions should be forced to adopt stronger measures to authenticate people's identities, such as one-time password tokens, or even scratch-cards similar to lottery tickets that provide a different password each time? Do you think better personal authentication would be more effective than customer education and authenticated emails in preventing fraud?
Dave Jevans: Certainly better authentication of consumers to their banks, banks and e-commerce sites to their consumers, and email authentication will dramatically improve the situation.
One interesting experiment that is happening now is that America Online (AOL) is offering consumers the option of purchasing RSA SecurID tokens for stronger authentication. This is a great test of whether consumers are willing to pay for more security.
You know, something that would have as much or maybe more positive impact is if consumers kept their PCs free of viruses and trojans. A lot of phishing emails, and spam for that matter, is sent from zombies running on consumer PCs that are connected to DSL lines. Consumers don't even realize that their computers are being used to send spam and phishing in the background and at night, without their knowledge.
Falls Church, VA:
I probably receive 2-3 phishing e-mail messages a month with most coming from Suntrust (my bank, ironically). I have noticed, however, that when I forward these messages to Suntrust (or the appropriate fraud department for review) with a copy to myself, most of the information appears to be missing. This includes links and the message headers. Does it really do any good to send these messages for review, or is it best to simply delete them?
For what it's worth, one of the few times that I was happy that my wife did not know her ATM card PIN was when she was responding to an e-mail from the 'FDIC' which asked for DOB, bank account #, CVV code, etc. not realizing that this was enough information to rob just about every dollar we had.
Dave Jevans: You really do need to forward the entire headers. You cannot just "forward" the email for it to effectively include all the required information.
Our report phishing page has a brief description of how best to forward an email.
My friend is a recent victim -- his mother thought she was registering him online to vote (without his permission, but that's another story), but found out later from the state attorney general that the website was a known identity theft scam. The mother gave them everything -- her son's SSN, her maiden name, credit card numbers, etc. My friend has done everything he can think of to protect himself. He's notified all his credit cards, the three credit bureaus, and he's closed out all his bank accounts and plans to use his fiancée's. My question is, because these thieves have his SSN and mother's maiden name, is my friend ever safe? Can he ever be sure that he is protected, or will the thieves be able to open accounts using his SSN for the rest of his life?
Dave Jevans: Your friend needs to enable a fraud alert at all 3 credit reporting bureaus. Sometimes stolen credentials are used 1 or 2 years later to open false lines of credit, car loans or even second mortgages.
Sorry for the bad news.
If the email appears to be from a source that you know, contains your name, but asks you to click on a link where you will be asked to provide sensitive information, should you assume it is a phishing expedition?
What if the link takes you to what appears to be a trusted site and asks you for your regular user ID and password for that site? Is it safe to proceed?
Dave Jevans: Fortunately, emails like you describe are usually safe. However, I open a new window in my Web browser and type in the address directly.
There are "spear phishers" out there who get your name and email address and create targeted emails to defraud people. Classically this can happen if a scammer steals eBay credentials and gets a list of all the people that a merchant has done business with. Or, a hacker may obtain a list of names and email addresses from hacking an ecommerce merchant. This allows them to create convincing emails like you describe.
Not a question but a thank-you for alerting WP readers - including the millions of us, all over the world, who read it online - to this serious problem.
And this suggestion, which I wish Brian Krebs had included in his otherwise excellent article yesterday. When in doubt about the authenticity of any request, whether by e-mail, phone or letter, to "update" personal info, ask the requester to send you the info he/she already has on file. The phisher, of course, won't reply.
Brian Krebs: Thank you, and thanks for the advice. However, I'd like to reiterate: It's best not to communicate with these scumbags at all. DO NOT reply to these e-mails, and DO NOT click on links in emails that are even remotely suspicious. It's just not worth it.
When consumers get hurt due to unsafe products or drugs, they can usually sue to recover damages. Large numbers of lawyers are now figuring out how to sue for Vioxx damages. Why doesn't the same apply to phishing/identity theft? That is, why aren't lawyers suing the banks on behalf of consumers or merchants who lose money due to these scams? Can't banks be forced to provide better authentication, etc, for their customers in this way?
Dave Jevans: Yikes!!!
Generally banks will make their customers whole for losses that are shown to be from fraud. In my view, consumers don't need to sue anyone.
I always respond to phish e-mail. I either fill out the form with obscene information (if I'm feeling childish) or reasonable looking information (to keep them trying different combinations, assuming I made a typo somewhere).
What measures do you suggest?
This reader asks a decent question, and we have provided links in this chat to other resources that people can use to avoid phishing scams, if not fight them directly. For what it's worth, I'm told several banks and vigilant security folk actually do this sort of thing, it's called "stuffing."
But if I could add my two cents here, I'd like to offer the following advice again to ALL of our readers - don't click on any e-mail links if you have even the slightest doubt about its origin or authenticity. Many computer viruses are now spread via nothing more than a link in an email, and people should use EXTREME caution in clicking on links in e-mail. Besides, you don't want to give these crooks any more information about you than they may already have.
Dave Jevans: It's a nice thing to poison phishing sites with fake data. But I agree with Brian on this one. *Do NOT* click on the links. There are all kinds of nasty malware out in the last few months that can install with just one click, and sometimes even if you simply view an image on a website.
These pieces of malware, written by phishers and other scammers, install keyloggers that monitor everything you type and send your passwords and credit card details to scammers. The latest nasty malware reprograms certain DNS entries on a PC so that you think you are going directly to a bank, but you are going to a fake bank site. These are extremely difficult to detect.
Be careful out there!
Cherry Hill, NJ:
Happy to hear that the banks are active. What are they telling their customers, meanwhile? Where's the big ad campaign? Where are the TV and radio spots? People like me don't know what you're doing behind closed doors. What is the PR strategy?
Dave Jevans: Citibank and Fidelity are doing a great job of educating consumers, as are other companies. But I agree that a co-ordinated campaign of public awareness is needed.
To that end, the Anti-Phishing Working Group (www.antiphishing.org) has teamed up with Truste (www.truste.org) and Wired Safety (www.wiredsafety.org) to organize a co-ordinated public awareness campaign with the financial institutions. Look for it coming soon.
Also, the American Bankers Association and the Federal Trade Commission are doing some public outreach.
That's all the time we have for today. Thank you, Dave, for your time and for your excellent responses. To our readers, a big thanks for all of your thoughtful questions. I'm just sorry we couldn't get to more of them.
© 2004 Washingtonpost.Newsweek Interactive