On the hook of the criminal phishery

It has been a bad week for webmail service providers. First came the story that some 10,000 Microsoft Hotmail e-mail accounts had had their passwords compromised.

It has been a bad week for webmail service providers.

First came the story that some 10,000 Microsoft Hotmail e-mail accounts had had their passwords compromised.

Within hours, the number of accounts with leaked passwords had risen to close to 30,000, and the victimized service providers had grown to include Yahoo Mail, Gmail, AOL, Earthlink and Comcast.

Given the hundreds of millions of e-mail accounts managed by this collection of companies, 30,000 “leaked” accounts is statistically trivial; but it is also indicative of a growing danger to personal security about which too many internet users remain dangerously uninformed.

The accounts in question apparently had their password information captured through what is called a “phishing” scam, whereby naive users are duped into going to bogus but authentic-looking websites and entering their usernames, passwords, and sometimes other personal information.

This “phishing” (a word which is really just a joke spelling for “fishing,”) is in fact a common peril on the internet today.

What is unusual about the recent incident is not that the e-mail accounts had their security compromised (there are probably hundreds of thousands, if not millions, of such compromised accounts), but that the perpetrators in this instance, in an act of pure bravura, decided to make a public display of some of their purloined goods.

Given the commonness of the problem, and its very real danger, I was a little astonished, over the past week, at how many people I talked to who had no idea what “phishing” is, or why they should care about it.

By way of public service, then, I will here give those of you not in the know a brief summary of what the phishing scam involves, and why people do it.

I will also explain why I think the phishing scheme, though it represents a real danger at present, probably represents a diminishing threat in the internet future.

First, what phishing is.

In brief, phishing is just an online version of the age-old confidence trick, whereby somebody contacts you pretending to be acting on behalf of a company you trust (your bank, your insurance company) and bamboozles you into giving out personal information that person can use to rip you off, or to assume your identity while he or she rips off somebody else.

In the old days, this was called “human engineering,” and was carried out by telephone calls, or by people approaching you with fake business cards and the like.

These days, it is usually accomplished by e-mail, where someone purporting to represent your e-mail service provider, or your bank, sends you an e-mail asking you to change or update your account information.

That e-mail usually includes a link to what appears to be a genuine page on the World Wide Web, except that the official look is a forgery, and the internet address you are going to is a hacker’s site in disguise.

Once they have your information, they can do things run up your credit card, or pretend to be you while engaging in illegal activities on the internet.

Though there are some big operators out there, the phishing scam is so easy to run these days – you do not need much by way of expertise, and you can buy phishing tools for cheap on hacker sites – that it is becoming a favourite of petty thieves.

Given that crooks don’t file income tax returns, and given that a lot of the theft involved goes either unnoticed or unreported, estimates of how big the problem is, or how much money is involved, vary so widely as to be pretty much useless.

Nevertheless, virtually all estimates show that the phishing scam is burgeoning on the internet at present.

In the short term, that may be scary news; but, as some Microsoft researchers have pointed out, it may actually turn out to be a good thing, in the long run.

In a paper called A Profitless Endeavour: Phishing as a Tragedy of the Commons, Cormac Herley and Dinei Florencio make a study of the economics of phishing, comparing it to – what else? – the economics of commercial fishing.

(You can find their paper on a web search site by just typing in the title.)

As they point out, the classic ecological rule of “the tragedy of the commons” seems as likely to apply to criminal phishing as it proved to apply to the commercial fishery: If too many people are given free and unlimited access to a common resource with limited replenishment ability, the result is poverty for all concerned, and destruction of the resource.

It was this ecological rule (first described by the ecologist Garrett Hardin in 1969) that explains why peasants in the middle ages (the age of the village commons) were so poor, and why the global commercial fishery has produced mostly destitute fishing villages and extinct fish species.

The hopeful speculation the Microsoft researchers offer is that same rule probably applies to the criminal phishery today – too many people able to plunder the same limited resource, with the result that they all end up poor, and the resource dries up.

If they are right (and their arguments look reasonable), the phishing scam will probably run its course, become less and less profitable, and then cease to be very significant.

On the other hand, the immediate damage they are doing – not just to individuals but to the internet system itself – is very real.

As their activities expand, and as they gain more attention in the news, as they did this week, more and more internet users will get spooked about electronic commerce, and even about using e-mail and the web itself.

Their worries may not be entirely rational, but they are very real, and likely to become more pronounced as acts of larcenous showmanship like the one staged this week become more common.

The long range solution, of course, lies in helping users be more informed and cautious, without degenerating into paranoia; in the short term, about all you can do is change your e-mail password when in doubt, and keep a cool head about you.

Rick Steele is a technology junkie

who lives in Whitehorse.

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

In a Feb. 17 statement, the City of Whitehorse announced it had adopted the what3words location technology used for emergency response. (Haley Ritchie/Yukon News)
Three words could make all the difference in an emergency

City of Whitehorse announced it had adopted the what3words location technology

Jesse Whelen, Blood Ties Four Directions harm reduction councillor, demonstrates how the organization tests for fentanyl in drugs in Whitehorse on May 12, 2020. The Yukon Coroner’s Service has confirmed three drug overdose deaths and one probable overdose death since mid-January. (Crystal Schick/Yukon News file)
Three overdose deaths caused by “varying levels of cocaine and fentanyl,” coroner says

Heather Jones says overdoses continue to take lives at an “alarming rate”

Wyatt's World for Feb. 24, 2021.

Wyatt’s World for Feb. 24, 2021.

Approximately 30 Yukoners protest for justice outside the Whitehorse courthouse on Feb. 22, while a preliminary assault hearing takes place inside. The Whitehorse rally took place after the Liard Aboriginal Women’s Society, based in Watson Lake, put out a call to action over the weekend. (Crystal Schick/Yukon News)
Courthouse rally denounces violence against Indigenous women

The Whitehorse rally took place after the Liard Aboriginal Women’s Society put out a call to action

Then Old Crow MLA Darius Elias speak’s in the community centre in Old Crow in 2016. Elias died in Whitehorse on Feb. 17. (Maura Forrest/Yukon News file)
Condolences shared for former Vuntut Gwitchin MLA Darius Elias

Elias is remembered as a proud parent, hockey fan and politican

Susie Rogan is a veteran musher with 14 years of racing experience and Yukon Journey organizer. (Yukon Journey Facebook)
Yukon Journey mushers begin 255-mile race

Eleven mushers are participating in the race from Pelly Crossing to Whitehorse

Yukon Energy in Whitehorse on Aug. 4, 2020. A site on Robert Service Way near the Alaska Highway has been selected as the future home of Yukon Energy’s energy storage project. (Crystal Schick/Yukon News file)
Site selected for Yukon Energy battery project

Planned to be in service by the end of 2022

The Yukon government and the Yukon First Nations Chamber of Commerce have signed a letter of understanding under the territory’s new procurement policy. (Crystal Schick/Yukon News file)
First Nation business registry planned under new procurement system

Letter of understanding signals plans to develop registry, boost procurement opportunities

US Consul General Brent Hardt during a wreath-laying ceremony at Peace Arch State Park in September 2020. Hardt said the two federal governments have been working closely on the issue of appropriate border measures during the pandemic. (John Kageorge photo)
New U.S. consul general says countries working closely on COVID-19 border

“I mean, the goal, obviously, is for both countries to get ahead of this pandemic.”

Legislative assembly on the last day of the fall sitting in Whitehorse on Nov. 22, 2018. (Crystal Schick/Yukon News file)
Start of spring sitting announced

The Yukon legislature is set to resume for the spring sitting on… Continue reading

Whitehorse City Hall. (Joel Krahn/Yukon News file)
City hall, briefly

A look at decisions made by Whitehorse City Council this week

History Hunter: Kwanlin Dün — a book of history, hardship and hope

Dǎ Kwǎndur Ghày Ghàkwadîndur: Our Story in Our Words is published by… Continue reading

(File photo)
RCMP arrest Saskatchewan murder suspect

Yukon RCMP have arrested a man suspected of attempted murder from outside… Continue reading

Most Read