Phishing worries me. In fact, identity theft in general is one of my major concerns (and is the reason I refuse to do any more business with Halifax Bank of Scotland, one of the UK’s largest banks, who will not respond to letters or e-mails requesting that they remove my online access even though I have closed all of my accounts with them).

According to IT Week:

“The anti-phishing working group (APWG), which comprises security vendors, ISPs and financial institutions, has been serving as a clearing-house for information on attacks and trends for more than a year [and has] reported a 24% increase in phishing each month from August to December [2004]”.

Now a group of leading IT companies, including Microsoft and eBay (two companies which have themselves been affected by high-profile phishing attacks), along with electronic payment specialist Visa and security solution provider WholeSecurity have joined forces to create an early warning network for new attacks called the Phish Report Network.

Another Internet security and payment specialist, Verisign, has warned, in its fifth Internet security intelligence briefing, that phishing attacks are the biggest threat to online business, with just over 40% of phishing sites hosted in the US but further sites identified in a total of 37 countries. According to IT Week, Verisign added that effective action against phishing would require international co-operation between Internet service providers (ISPs) and law enforcement agencies.

The problem of identity theft is broader than phishing. Since my mother’s credit card details were used fraudulently a couple of years back (identified, to their credit, by the same bank that I criticised at the head of this post), all of my family have been very careful about how we dispose of sensitive information, but that doesn’t stop me from having my card copied in a restaurant (in the UK, cards are rarely swiped using a mobile card payment terminal, as they would be in many countries – instead, they are taken away and returned with a slip for a signature a few minutes later, although this is changing with the introduction of chip and PIN technology). In his recent article, hook, line and stinkers, which appeared in IT Week, David Neal notes that:

“Identity theft, enabled by a lackadaisical approach to filing and a loose relationship with paper-shredding machines, is big business these days. In fact incidents of stolen identities have rocketed from shoulder-shrugging insignificance in 1999 to a 10 on the ‘Holy Moly’ scale this year”.

UK consumer watchdog Which? recently reported that a quarter of UK adults have either had their identity stolen or knew someone who has been a victim of ID fraud.

One of the most common cases of identity theft is credit card fraud, which cost UK banks £160 million last year and someone has to pay for this (you guessed it – ultimately it is us, the consumers), and the UK is ranked second for the number of fraudulent transactions (whist online trade grew by 88% in Q4 2004, compared with the same quarter in 2003).

The Association for Payment Clearing Services (APACS) has launched Card Watch, a website providing advice to consumers, retailers, police and media about card fraud. Meanwhile, credit card issuer, Capital One has started offering fraud protection services (somewhat embarrassingly, and unfortunately for him, the star of Capital One TV adverts, impersonator Alistair McGowan, had his own rubbish searched by a tabloid journalist who obtained a significant number of items which could be used to steal his identity).

Whilst secure and accountable systems are a must, some gullible users will always fall foul of the type of fraud which most of us delete from our inbox without reading. The IT industry is taking action, with anti-phishing capabilities promised for a new Netscape browser and Microsoft promising anti-phishing tools in Internet Explorer 7. Meanwhile, legislation is also being considered, with the US Senate debating its proposed Anti-Phishing Act and the UK is considering its own legislation, with early draft regulations as possibility as early as the end of this year.

The financial services companies which I transact online with (First Direct and Egg) will not correspond with me by e-mail about anything which requires personal information (i.e. only marketing information) – instead they have a private messaging system embedded within their secure websites. It’s a pain in the backside as I like to keep copies of my correspondence within my e-mail client long after my relationship with a company (and hopefully its secure website – take note HBoS) ends. Now other companies such as eBay are following the same path, but as Ken Young pointed out recently in IT Week:

“The power of email, after all, is that it arrives in your lap. How many of us would trundle down to the Post Office on the off-chance [that there may be some mail waiting there for us]? And therein lies the big problem with private e-mail services – it is a far more restricted form of the real thing. It’s safer, but much less useful.”

Young also notes that such systems represent a challenge to fraudsters who are likely to send out e-mails to entice users to fake inbox sites (with the intention of harvesting personal information), or to use keystroke logging software to gain access to users inboxes.

Whatever happens, its clear that this issue will not disappear overnight. What is needed is consumer education, legal protection and increased use of multi-factor identification – for example extending chip and PIN to the home PC.

Links
Gone phishing (IT Week)
Card Watch
Phish Report Network