Features

net.wars: Shooting phish in a barrel

Two recent incidents have reminded me of the column from some months back when I wrote about the need for two-way authentication between us individual consumers and the banks, Web retailers, credit card companies, governments, and other institutions we deal with.

At the moment, all these big folks seem to assume that they're the ones who need to be protected against fraud, not us.

Most mainstream media seem to have bought into this, too: we're always seeing TV segments and print articles advising us how to protect ourselves from identity theft. It's our fault, of course.

One of these incidents is the quiet  mention yesterday in the blog of British network manager Howard Durdle of a new! improved! phishing technique that bounces the scam off the company's real server and redirects the clicking user to a site of the scammer's choice. Of course, it's not hard to look for "Redirect" in the string that makes up the URL you're being asked to click on, but first it has to occur to you to do so. Like viruses - the last couple of weeks have seen, finally, the long-predicted first mobile phone virus infections - phishing scams keep becoming more sophisticated.

If you think you're really good at spotting these scams, you might want to try  this test and see how you do. For the purposes of the test you will, of course, have to pretend you have accounts with all those folks.

You'd think that by now the banks (and eBay, Amazon, Paypal, et al) would have worked out that they must come up with a solution to this situation. I routinely ignore every emailed communication I get from anyone, whether or not I do business with them, that requests an account update or attempts to notify me of a problem with my account. As businesses more and more expect to save on customer service by making everything electronic, the inability to communicate with their customers by email is going to be anything from inconvenient to expensive. Though I imagine that, as usual, it will be the customers' fault.

Which leads me to the other incident, the indirectly related mess at Choicepoint. This is a US-based data broker that last week admitted it had sold personal information including medical and financial about more than 140,000 people to identity thieves. The buyers were folks who used previously stolen business identities to buy data, ostensibly for "legitimate" purposes. Like marketing, which is certainly annoying enough but, let's face it, isn't in and of itself dangerous to your health or wealth.

Europe's more comprehensive data protection laws do offer some help. But they are not by themselves enough, especially now that ultra-cheap telecommunications have persuaded American companies that telemarketing to European customers is a great idea.

On the face of it, the Choicepoint situation is, again, a question of customers authenticating themselves to the business they're buying from. Choicepoint and other companies like it should, it seems obvious, be subject to regulation with respect to the data they handle just as banks and credit agencies are, and if the company is going to sell.

But the similarity is that again the assumption is that the businesses are all right, and the scams are getting smarter. There is never a point where the buyer, seller, or processor of our data is required to authenticate itself to us, the people whose data they hold, or state its policies. We have no right to prohibit the sale of our data to them, at least in the US. It was only a matter of time before someone worked out how to infiltrate these companies' standard business processes - that's the "smarter" part. Why go to all the trouble of hiring a hacker to break in and copy the data when you can just buy it through legitimate channels?

It's extraordinary, really. Identity theft has been the fastest growing crime for a couple of years now, and yet we seem to have advanced hardly at all in terms of preventing it from happening. The only two preventive strategies we hear about are issuing everyone with ID cards (an idea the  Scottish Parliament has voted against) and educating the consumer.

As the eBay scam detailed above shows, educating people about a moving target is damn difficult. And issuing ID cards… well, if you want to make identity theft possible on a grand scale, bring in a form of ID that everyone is taught to trust and issue it to everybody.

To a great extent these problems exist because ever-larger companies treat employees as interchangeable by policy - doing so means it's cheaper to replace anyone who leaves or becomes too expensive to pay. Buy from small, local businesses whose staff you know personally, and the problem goes away.

Unfortunately, there is no such thing (any more) as a small bank or eBay. It's going to take a commitment to consumer protection and better technology to solve. But until the costs of identity theft start hitting those companies' bottom line, they don't have to care. There oughtta be a law...