On the hook of the criminal phishery

It has been a bad week for webmail service providers. First came the story that some 10,000 Microsoft Hotmail e-mail accounts had had their passwords compromised.

It has been a bad week for webmail service providers.

First came the story that some 10,000 Microsoft Hotmail e-mail accounts had had their passwords compromised.

Within hours, the number of accounts with leaked passwords had risen to close to 30,000, and the victimized service providers had grown to include Yahoo Mail, Gmail, AOL, Earthlink and Comcast.

Given the hundreds of millions of e-mail accounts managed by this collection of companies, 30,000 “leaked” accounts is statistically trivial; but it is also indicative of a growing danger to personal security about which too many internet users remain dangerously uninformed.

The accounts in question apparently had their password information captured through what is called a “phishing” scam, whereby naive users are duped into going to bogus but authentic-looking websites and entering their usernames, passwords, and sometimes other personal information.

This “phishing” (a word which is really just a joke spelling for “fishing,”) is in fact a common peril on the internet today.

What is unusual about the recent incident is not that the e-mail accounts had their security compromised (there are probably hundreds of thousands, if not millions, of such compromised accounts), but that the perpetrators in this instance, in an act of pure bravura, decided to make a public display of some of their purloined goods.

Given the commonness of the problem, and its very real danger, I was a little astonished, over the past week, at how many people I talked to who had no idea what “phishing” is, or why they should care about it.

By way of public service, then, I will here give those of you not in the know a brief summary of what the phishing scam involves, and why people do it.

I will also explain why I think the phishing scheme, though it represents a real danger at present, probably represents a diminishing threat in the internet future.

First, what phishing is.

In brief, phishing is just an online version of the age-old confidence trick, whereby somebody contacts you pretending to be acting on behalf of a company you trust (your bank, your insurance company) and bamboozles you into giving out personal information that person can use to rip you off, or to assume your identity while he or she rips off somebody else.

In the old days, this was called “human engineering,” and was carried out by telephone calls, or by people approaching you with fake business cards and the like.

These days, it is usually accomplished by e-mail, where someone purporting to represent your e-mail service provider, or your bank, sends you an e-mail asking you to change or update your account information.

That e-mail usually includes a link to what appears to be a genuine page on the World Wide Web, except that the official look is a forgery, and the internet address you are going to is a hacker’s site in disguise.

Once they have your information, they can do things run up your credit card, or pretend to be you while engaging in illegal activities on the internet.

Though there are some big operators out there, the phishing scam is so easy to run these days – you do not need much by way of expertise, and you can buy phishing tools for cheap on hacker sites – that it is becoming a favourite of petty thieves.

Given that crooks don’t file income tax returns, and given that a lot of the theft involved goes either unnoticed or unreported, estimates of how big the problem is, or how much money is involved, vary so widely as to be pretty much useless.

Nevertheless, virtually all estimates show that the phishing scam is burgeoning on the internet at present.

In the short term, that may be scary news; but, as some Microsoft researchers have pointed out, it may actually turn out to be a good thing, in the long run.

In a paper called A Profitless Endeavour: Phishing as a Tragedy of the Commons, Cormac Herley and Dinei Florencio make a study of the economics of phishing, comparing it to – what else? – the economics of commercial fishing.

(You can find their paper on a web search site by just typing in the title.)

As they point out, the classic ecological rule of “the tragedy of the commons” seems as likely to apply to criminal phishing as it proved to apply to the commercial fishery: If too many people are given free and unlimited access to a common resource with limited replenishment ability, the result is poverty for all concerned, and destruction of the resource.

It was this ecological rule (first described by the ecologist Garrett Hardin in 1969) that explains why peasants in the middle ages (the age of the village commons) were so poor, and why the global commercial fishery has produced mostly destitute fishing villages and extinct fish species.

The hopeful speculation the Microsoft researchers offer is that same rule probably applies to the criminal phishery today – too many people able to plunder the same limited resource, with the result that they all end up poor, and the resource dries up.

If they are right (and their arguments look reasonable), the phishing scam will probably run its course, become less and less profitable, and then cease to be very significant.

On the other hand, the immediate damage they are doing – not just to individuals but to the internet system itself – is very real.

As their activities expand, and as they gain more attention in the news, as they did this week, more and more internet users will get spooked about electronic commerce, and even about using e-mail and the web itself.

Their worries may not be entirely rational, but they are very real, and likely to become more pronounced as acts of larcenous showmanship like the one staged this week become more common.

The long range solution, of course, lies in helping users be more informed and cautious, without degenerating into paranoia; in the short term, about all you can do is change your e-mail password when in doubt, and keep a cool head about you.

Rick Steele is a technology junkie

who lives in Whitehorse.