Phishers Face Jail Time Under New U.S. Bill
An anonymous reader writes "Democrat Patrick Leahy has introduced a new federal anti-phishing bill that would impose jail terms up to five years and fines up to $250,000 for criminals creating fake web sites designed to con consumers into giving them their personal information. 'Some phishers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only after someone has been defrauded - that leaves plenty of time to cover their tracks. Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing.' said Leahy in a statement regarding the Anti-Phishing Act of 2005."
I hope I don't get arrested for phishing in the wardrobe after a night out.
liqbase
Assuming it works and is enforceable, of course. I think phishing is a pretty low way to live your life - preying on the gullible. Been done for thousands of years, true, but taking advantage of people is no way to live your life IMO.
"As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
Parody sites do not usually require you to give up account numbers or other information.
Any that do should be rightfully concerned.
liqbase
Congress is all over it. Now the problem is sure to be solved. :-/
I'm afraid that this lip service will once again make the general public think this will solve the problem. Nope. It may slow down folks within the US borders, but we all know the true result of bills like this. It just won't work.
There are no loopholes. It's either legal or it's not.
This one will join CANSPAM in the Legislative Hall of Fame under the necessary but useless category.
Uh oh! Does this mean they are going to jail Prince Ombutu Nagala of Nigeria? He was going to split $28M with me!!!!!!!!1
I'm glad to see that phishing is being taken seriously! Just because it happens on the internet, doesn't mean it's not as serious as any other type of scam.
Not a bad thing, but I think actual fraud or clear intent should have to be proven. Opportunity and unproven intent should not be weighed beyond a reasonable doubt.
"Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing.' said Leahy in a statement regarding the Anti-Phishing Act of 2005."
Please explain why. New laws suck. 99% of the time the old existing laws are completely capable of handling the problem... just enforce the laws we have.
From existing conspiracy to commit fraud crimes?
Why do we need a new law when an existing one will do?
Senator Leahy is engaged in a legislative battle against online scammers, and he needs your support. If you would like to help, click on this link. To ensure that you are a registered voter, you will be asked to verify your name, address, and social security number. You may then make a donation online, right from your checking account!
Evil is the money of root.
The crime is tricking someone into giving up sensitive information such as bank account info so that their money can be stolen (as one example). Building the web site is a tool to accomplish the theft. I don't believe, however, that the legislation will outlaw websites in general.
http://www.busyweather.com/
I already start up an app to poison their databases every time I get one of those paypal, ebay or lately, the yahoo greeting card phishing scams.
point a particular java app at the url and let her fly filling in all the form fields over and over and over again with what looks like real but is generated from files crap.
if the asshats have to sift through 300 bad records to find something useable, at least I slowed them down a bit.
If more people in the know did this to them instead of the worthless action of reporting them it would make a bigger impact. the last one I reported to ebay was still up days later. My second alert to ebay was responded with "we can't deal with them all, go away" but in nicer words.
Do not look at laser with remaining good eye.
just so long as they leave my free ipod scam alone...
There is a major difference between a parody web site and a web site that was created with the intention of fooling people into giving away information that can lead to criminal usage. I've never seen a parody web site ask for a social security number, bank number, etc.
Additionally, all parody sites I've seen either are blatantly obvious parodies or state somewhere on the site that they're parodies. Phishing sites won't do that because they're trying to convince you that they're genuine.
Apples and oranges.
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
I've not read the bill (only this article), but I wonder if this could be used to prosecute other internet low-life that try to gather personal data for purposes not sanctioned by the submitter of the information. And taking over someone's computer without their knowledge would certainly seem to be a type of fraud under this bill.
Two wrongs don't make a right, but three lefts do.
As a new federal law called "The Anti-Phishing Act of 2005" is being pushed by the U.S. legislative, hackers everywhere celebrate their victory over the English language.
"0ur n3x7 74rg47z 4r3 "h4x0r", "l337" 4nd "pwn3d". 0ur l0bbj gr0up iz z7r0ng, 4nd w3 b3li3v3 d4j will 4lz0 b3 in7r0duc3d bj d4 3nd 0ph d4 j34r."
"W3 pl4n 2 in7r0duc3 z00n 0d4r l337 w0rdz in d4 c0n73mp0r4n v0c4bul4rj", said the appointed speaker for the "H4x0rz" community, who prefers to remain anonymous
Just
This is a first shot across the bow. The bill will probably undergo substantial debate and amendment as it moves through Congress, but I expect this has a chance to become law.
I've met Sen. Leahy. He's an old-school Vermont Democrat who's held pretty much every state-level elected office except governor and lieutenant governor. I've had a couple of e-mail exchanges with him on CAN-SPAM. When that law first passed, he was cautiously backing it as a reasonable first step. He's realized lately, however, that it's been largely ineffective. The anti-phishing bill is his first real leading charge at cyber-scamming and it reflects some of his earlier frustration with Congress's inability to deal effectively with Internet issues.
(Or much else, in many people's opinion.)
Leahy ruffled some feathers in the online community by supporting RIAA-sponsored legislation on copyrights. It's possible this is a canny political attempt to balance the books a bit. Then again, he's a decent guy with 80% support in a state that's 33% Republican. Even in the minority, he's got a lot of clout. On this issue he'll probably get bi-partisan support, so it's likely this bill will, in some form, eventually become law.
Besides, anyone high on Dick Cheney's hate list can't be all bad.
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
Are most if not nearly all perps of this non-US based? Last time I looked, the scammers were mostly from Nigeria right?
Of course, whether they will become involved or not is subject to debate.
Apparently Patrick Leahy is ignoring just how easy it is to move phishing operations off shore. This looks more like a means to keep Leahy in the news rather than an effective crime-fighting law. In the horse and buggy days people learned not to walk right behind a horse unless willing to get kicked. When automobiles came out everyone learned to look both ways before crossing the street. As any new technology appears, a new set of safety rules comes with it, and each individual needs to learn the new rules. Many institutions are busy educating their users and now law is needed to force them to do this as it is already in their best interest.
This bill stops Bad Guys® from stealing the inexperienced users' life savings before they actually steal anyone's money. It does not outlaw building any website, just those designed with the intent and purpose to steal your bank password.
How many of you have actually traced down an IP address to find its origin? I know I'm not the only one. The first thing you find out is that the IP address is registered in Latin America or some other part of the world where we have no jurisdiction. The second thing you find out is that there is no way to do anything about their perceived illegal activities. I say perceived, because it may be un-legislated activity where they come from.
I say all of this because I don't think there's a single thing we can do to prevent those outside our country from doing this over and over and over again.
Practically useless, if you ask me.
Now accepting PayPal donations!
Isn't there already a law that can be applied? Doesn't this basically amount to fraud or something? I think the biggest problem with Phishing is that it's a little hard to track down who is doing it. If you know who's doing it, you can easily arrest them. The problem is, is that mostly these phishers try to remain anonymous, and probably don't have their operations set up in the US.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
And also people who try to ensure interoperability of bank sites with "non-standard" browsers.
Don't laugh... it did actually happen!
Say no to software patents.
The sooner people accept responsibility for their own lives and their own personal information, the sooner people realise that with every Bill or Law that gets passed, the more they hand over the controls of their lives to the nanny state.
If the stupid people can't be bothered to protect their private information, if they can't simply delete emails they don't 100% trust the source of, if they can't invest in a paper shredder, if they believe all those glossy adverts about the security of their chosen operating system, then more fool them.
But please don't let us smart people also lose our personal liberties as a result of their stupidity.
No phishing scam has ever got me and they never will.
Gentoo Linux - another day, another USE flag.
This bill stops Bad Guys® from stealing the inexperienced users' life savings before they actually steal anyone's money.
Theft and fraud are already illegal. Who says that this law will do anything against phishers? The reason why phishing thrives is not because it is legal, but because it's hard to investigate and/or police just can't be bothered.
It does not outlaw building any website, just those designed with the intent and purpose to steal your bank password.
How do you prove intent? And what is the exact wording of the bill? If the intent is truly to steal and defraud, we've already got laws. We don't need any laws either forbidding to "carry weapons with intents of threatening peasants to give up their wallets". Mugging is already forbidden, and anything such a hypothetical law might achieve is inconvenience the butcher who brings a new knife to his shop...
A Luxembourgish Linux user got threats from a bank because he featured a look-alike login page on his Website. Purpose of that login page: strip an obnoxious browser check. But that's not how the bank tried to spin it.
Say no to software patents.
I don't get some of these phishing guys. Just got this in my inbox. Sure, there are some phishes that look believable but are the phishers really as stupid as the people that click on them? Would anyone who'd create a brain-dead phish like this one actually be afraid of jail time and/or a fine?
--
Subject: E-gold secutity patchHBhdGNo
Dear E-gold user, we receive many complaints concerning unsunctioned taking the money
off the balance of our users recently, thus we earnestly ask you to install the
following service-pack onto your Personal Computer.
- This innovation blocks all known Trojans which let take the money off your account
without your consent. We earnestly ask you to install this service-pack in order
to keep your money safe and sound.
- In case of the lost of your money, E-gold *DOES NOT* bear any responsibility if the
service-pack had not been installed on your computer before.
- The installation archivated file of the service-pack is attached to this letter.
Is it just me or is doing something illegal in the cyber-world more dangerous than the real world? How is it possible that I get more jail time for cracking into and defacing a web page than I'd get for shooting someone?
For our 'cyber-laws' we should be taking precedence from our existing laws. Instead of levying new fines for phishing, add this definition onto our current fraud and identity theft laws. Instead of creating crazy fines for spammers (although I want to see them pay just like everyone else) and model the punishments similarly to the do-not-call lists?
Law-makers don't see the internet as an extension of the physical world, and in terms of law it should be seen in this light. Extend Current laws, don't make them up in a flight of fancy.
"Engineers do the work of man, Physicists do the work of God"
Small thieves have laws against them. Big thieves have laws that regulate them. Really big thieves have laws for them.
I think, to be quite honest, it takes the cake to criticise a law you haven't read and have no reason to believe is overbroad for being overbroad or badly worded. Yeah, it might be. Likewise the law on murder might be so overbroad that you can be prosecuted under it for eating beef. But that's not the case, and there's no reason, at this stage, to believe the anti-phishing law is overbroad either. Criticise it when it's actually got something in it to criticise.
You are not alone. This is not normal. None of this is normal.
Presumably, therefore, credit card fraud in the future will not only require the obtaining of a credit card by fraudulent means but also some kind of hardware hack to use a cloned card.
Does that mean there could be a new crime of "phish and chipping"?
I'll get my coat...
Gentoo Linux - another day, another USE flag.
How is the US Government going to press charges when it's occurring out of its jurisdiction?
Just my 2c...
- Think for yourself, question authority.-
The Supreme Court overturns very few laws. Congress passes plenty of laws. You have no idea what you're talking about, and should stop wasting everyone's time by posting such stupid messages.
Don't blame me; I'm never given mod points.
Hehe...sounds like someone watched that crappy-ass movie "Hackers" (even though Angelina Jolie was hot as ever in it)...
Hacker 1: I need to get in the system and list this guy as deceased.
Hacker 2: Well, just click here on 'hack' and you're in.
Anti-phishing Act of 2005 (Introduced in Senate)
S 472 IS
109th CONGRESS
1st Session
S. 472
To criminalize Internet scams involving fraudulently obtaining personal information, commonly known as phishing
IN THE SENATE OF THE UNITED STATES
February 28, 2005
Mr. LEAHY introduced the following bill; which was read twice and referred to the Committee on the Judiciary
A BILL
To criminalize Internet scams involving fraudulently obtaining personal information, commonly known as phishing
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Anti-phishing Act of 2005'.
SEC. 2. FINDINGS.
Congress finds the following:
(1) American society is increasingly dependent on the Internet for communications, entertainment, commerce, and banking.
(2) For the Internet to reach its full potential in these and other respects, it must continue to be a trustworthy medium. This means, for example, that Internet users should be able to trust the stated origin of Internet communications and the stated destination of Internet hyperlinks.
(3) Internet users are increasingly subjected to scams based on misleading or false communications that trick the user into sending money, or trick the user into revealing enough information to enable various forms of identify theft that result in financial loss.
(4) One class of such scams, called `phishing' , uses false e-mail return addresses, stolen graphics, stylistic imitation, misleading or disguised hyperlinks, so-called `social engineering', and other artifices to trick users into revealing personally identifiable information. After obtaining this information, the `phisher' then uses the information to create unlawful identification documents and/or to unlawfully obtain money or property.
(5) These crimes victimize not only the individuals whose information is stolen, but the entire online community, including millions of people who rely on the integrity of the Internet's system of addresses and hyperlinks.
SEC. 3. CRIMINAL OFFENSE.
(a) In General- Chapter 63 of title 18, United States Code, is amended by adding at the end the following:
`Sec. 1351. Internet fraud
`(a) Website- Whoever knowingly, with the intent to carry on any activity which would be a Federal or State crime of fraud or identity theft--
`(1) creates or procures the creation of a website or domain name that represents itself as a legitimate online business, without the authority or approval of the registered owner of the actual website or domain name of the legitimate online business; and
`(2) uses that website or domain name to induce, request, ask, or solicit any person to transmit, submit, or provide any means of identification to another;
shall be fined under this title or imprisoned up to 5 years, or both.
`(b) Messenger- Whoever knowingly, with the intent to carry on any activity which would be a Federal or State crime of fraud or identity theft sends any electronic mail message that--
`(1) falsely represents itself as being sent by a legitimate online business;
`(2) includes an Internet information location tool that refers or links users to an online location on the World Wide Web that falsely purports to belong to or be associated with such legitimate online business; and
`(3) induces, requests, asks, or solicits a recipient of the electronic mail message directly or indirectly to provide, submit, or relate any means of identification to another;
shall be fined under this title or imprisoned up to 5 years, or both.
`(c) Definitions- In
Don't blame me; I'm never given mod points.
I ran across a phishing site on a client's system while cleaning it up. The HOSTS file had 6 entries in it, redirecting any requests for 5 British banks and one Brazilian banco, to an IP at EV1.net. I busted my ass in an effort to get EV1.net's support team and administrative suits to pull the IP, but all I got was canned replies: "Forward the information to the abuse department". So I did so.
Two weeks passed, and EV1.net did not take any action whatsoever. So, I sent the report to the big Brit banks, which included The Bank of England, Barclays, and the legendary Lloyds. I got immediate replies, personal ones, NOT canned, that they would immediately take legal action against the offending CSP.
I checked the IP shortly after receiving the replies and got a DNS error.
It seems to me that EV1.net, which is based in Houston, has merc tendencies when it comes to site hosting.
First rule of holes; When in one, stop digging.
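Added example, not part of the comment above: one way to audit a HOSTS file for the pattern that comment describes, where several unrelated banking hostnames are pinned to a single outside address. The sample file, the `.example` hostnames, the documentation-range IP, the watchlist and the function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from the post): reserved .example names and an
# RFC 5737 documentation address stand in for the real banks and hosting IP.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank-one.example bank-one.example
203.0.113.45    online.bank-two.example   # trailing comment
203.0.113.45    WWW.Bank-Three.example.
203.0.113.45    banco-quatro.example
10.0.0.12       fileserver.corp.example
0.0.0.0         ads.tracker.example
not-an-ip       broken.example
"""

# Targets treated as ordinary for a hosts file: RFC 1918 and IPv6 ULA ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_hosts(text):
    """Yield (ip, hostname) for each valid mapping, one per alias on a line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address field
        for name in fields[1:]:
            yield ip, name.rstrip(".").lower()  # names are case-insensitive

def is_external(ip):
    """True if the target is neither this host, a sinkhole, nor an internal range."""
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        return False
    return not any(ip.version == n.version and ip in n for n in INTERNAL_NETS)

def audit_hosts(text, watchlist=(), cluster_threshold=3):
    """Report external IPs that capture watched names or an unusual number of names."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if is_external(ip):
            by_ip[str(ip)].add(name)
    findings = []
    for ip, names in sorted(by_ip.items()):
        watched = sorted(n for n in names
                         if any(n == w or n.endswith("." + w) for w in watchlist))
        if watched or len(names) >= cluster_threshold:
            findings.append({"ip": ip, "hostnames": sorted(names), "watched": watched})
    return findings

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watchlist=("bank-one.example", "bank-two.example")):
        print(f["ip"], "captures", len(f["hostnames"]), "names; watched:", f["watched"])
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`.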
One thing to watch out for though is that this law might be abused by those claiming against parody sites. A parody site would have a similar look+feel (or heck, perhaps just a similar URL), but obviously a different focus/content. Now if there were a login option on the parody site, the primary site might be able to claim they were phishing for usernames/passwords...
Just this past week I received the same phishing email (fake Key Bank login) 5 days in a row. I was surprised the site was able to stay up for so long. Who does one report this type of thing to? the FBI? the Secret Service? the FCC?? There needs to be some sort of clear statement on this from the government.
"Maaaaan, this music sucks!"