Phishers Face Jail Time Under New U.S. Bill

An anonymous reader writes "Democrat Patrick Leahy has introduced a new federal anti-phishing bill that would impose jail terms up to five years and fines up to $250,000 for criminals creating fake web site designed to con consumers in to giving them their personal information. 'Some phishers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only after someone has been defrauded - that leaves plenty of time to cover their tracks. Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing.' said Leahy in a statement regarding the Anti-Phishing Act of 2005."

Re:The crime is creating a website?

[LiquidCoooled]

Parody sites do not usually require you to give up account numbers of other information.

Any that do should be rightfully concerned.

Great.....

[Capt James McCarthy]

Congress is all over it. Now the problem is sure to be solved. :-/ I'm afraid that this lip service will once again make the general public think this will solve the problem. Nope. It may slow down folks within the US borders, but we all know the true result of bills like this. It just won't work.

Good!

[Kimos]

I'm glad to see that phishing is being taken seriously! Just because it happens on the internet, doesn't mean it's not as serious as any other type of scam.

Please explain why

[Anonymous Coward]

"Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing.' said Leahy in a statement regarding the Anti-Phishing Act of 2005."

Please explain why. New laws suck. 99% of the time the old existing laws are completely capable of handling the problem... just enforce the laws we have.

How is this different...

[91degrees]

From exisitng conspiracy to commit fraud crimes?

Why do we need a new law when an existing one will do?

Re:The crime is creating a website?

[erick99]

The crime is tricking someone into giving up sensitive information such as bank account info so that their money can be stolen (as one example). Building the web site is a tool to accomplish the theft. I don't believe, however, that the legislation will outlaw websites in general.

Re:The crime is creating a website?

[WidescreenFreak]

There is a major difference between a parody web site and a web site that was created with the intention of fooling people into giving away information that can lead to criminal usage. I've never seen a parody web site ask for a social security number, bank number, etc.

Additionally, all parody sites I've seen either are blatantly obvious parodies or state somewhere on the site that they're parodies. Phishing sites won't do that because they're trying to convince you that they're genuine.

Apples and oranges.

This may actually help

[wingspan]

Phishing exists because the phisher has a favorable risk/reward relationship. This legislation will help change that relationship by allowing law enforcement to get involved earlier. Today, LE has to wait for a fraud to occur and someone to complain. If my understanding is correct, under this legislation LE can get involved much earlier, when phishing or pharming is first detected. Earlier involvement means less time for the phish site to be operating (reducing return), and less time to destroy evidence (increasing risk).

Of course, whether they will become involved or not is subject to debate.

Hot air

[glyn.phillips]

Apparently Patrick Leahy is ignoring just how easy it is to move phishing opperations off shore. This looks more like a means to keep Leahy in the news rather than an effective crime-fighting law. In the horse and buggy days people learned not to walk right behind a horse unless willing to get kicked. When automobiles came out everyone learned to look both ways before crossing the street. As any new technology appears, a new set of safety rules comes with it, and each individual needs to learn the new rules. Many institutions are busy educating their users and now law is needed to force them to do this as it is already in their best interest.

Re:The crime is creating a website?

[josh3736]

Christ, take off your tinfoil! This is an entirely reasonable and proper use of legislative power.

This bill stops Bad Guys® from stealing the inexperienced users' life savings before they actually steal anyone's money. It does not outlaw building any website, just those designed with the intent and purpose to steal your bank password.

And all Phishing sites are US-based too. Whew!

[mattspammail]

How many of you have actually traced down an IP address to find its origin? I know I'm not the only one. The first thing you find out is that the IP address is registered in Latin America or some other part of the world where we have no jurisdiction. The second thing you find out is that there is no way to do anything about their perceived illegal activities. I say perceived, because it may be un-legislated activity where they come from.

I say all of this because I don't think there's a single thing we can do to prevent those outside our country from doing this over and over and over again.

Practically useless, if you ask me.

Re:Please explain why

[ednopantz]

Somebody should develop a tool to bombard their websites with junk data. They want acct #s and passwords? Give em 10,000 fake ones for every real one. Let them try and figure out which is which. It could even be a distributed app: FoilPhishers@Home.

But yeah, send 'em to Federal PMITA prison at first opportunity too.

Re:Please explain why

[glyn.phillips]

Don't forget Illegal Use of Trademark.

Re:Please explain why

[ThogScully]

I'll second that point of view... it seems to me that even if the old laws somehow don't just make scamming in general illegal, then perhaps those laws should be adjusted so that they do.

That way, we can have one law that says scamming people is illegal rather than one law that says scamming people over the phone is illegal and another for scamming people on the internet, and another for scamming people in person, etc...

It's all the same crime - there's no reason to distinguish at the legal level, only in the methods of prosecution and gathering proof.
-N

Re:The crime is creating a website?

[BlueUnderwear]

Anyone else find that a bit scary? People with parody sites should be probably be worried a little.

And also people who try to ensure interoperability of bank sites with "non-standard" browsers [knaff.lu].

Don't laugh... it did actually happen!

Re:Hot air

[Steve B]

Apparently Patrick Leahy is ignoring just how easy it is to move phishing opperations off shore.

The host computer can be moved offshore, but the phisher himself can still be nabbed as long as he stays in the US (or a country with an extradition treaty). As a few people pointed out on spammer thread [slashdot.org] the other day, not many of the crooks are willing to actually go live in Elbonia so they can hide from the law.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Please explain why

[RobotRunAmok]

Leahy is a lawmaker. Lawmakers make laws. There is no glamor for him in enforcing existing (i.e., someone else's) laws.

How many congresspeople do you know who run for re-election on a platform of, "Hey, y'know, we've pretty much got a law for every possible crime imaginable, I just spent my term minimizing bureacracy so Justice, the cops and the courts could do their thing" ?

It's all about the re-election. "Hey, lookit me! The hip Anti-Phish Candidate! A year ago it wasn't even a word, but last week I wrote a law against it!! Who's your Re-Electable Daddy?!"

It's the same headline-generating mentality that prompts these bozos to make cellphone-specific anti-driving-while-distracted laws.

Re:Evidence

[Anonymous Coward]

That shouldn't be difficult.

Creating a website that looks like that of an existing bank or commercial concern using graphics and layouts harvested from said bank or commercial concern's website and asking for account numbers and PINs, SSNs and other personal information should be ample proof of intent. Using browser address bar and security certificate spoofs/hacks should cement the proof of intent.

An individual or group who collects usernames and passwords like that doesn't do so for curiosity's sake.

Re:better solution.

[Speare]

I agree...the more we "police" the internet ourselves, the less the government will need to regulate it.

An' if we take 'em out o'the holdin' cell afore their trial, an' string 'em up inna tree, then the liberal activist judges cain't set 'em free! Who's wit' me? Grab yer hoods an' meet me by the libary at half past midnight. We're gonna do some justice.

Why can I murder someone for less jail time?

[IpsissimusMarr]

Is it just me or is doing something illegal in the cyber-world more dangerous than the real world? How is it possible that I get more jail time for cracking into and defacing a web page than I'd get for shooting someone?

For our 'cyber-laws' we should be taking precidence from our existing laws. Instead of levying new fines for phishing, add this definition onto our current fraud and identity theft laws. Instead of creating crazy fines for spammers (although I want to see them pay just like everyone else) and model the punishments similarly to the do-no-call lists?

Law-makers don't see the internet as an extension of the physical world, and in term of law it should be seen in this light. Extend Current laws, don't make them up in a flight of fancy.

Theives

[northcat]

Small theives have laws against them. Big theives have laws that regulate them. Really big theives have laws for them.

Re:Please explain why

[dasunt]

Please explain why. New laws suck. 99% of the time the old existing laws are completely capable of handling the problem... just enforce the laws we have.

Here's my theory what happens:

Imagine a congressman or congresswoman wants to appear to be doing something. Or perhaps they are just naive. Either way, they come up with a new law which more or less covers an existing law. We'll use a hypothetical "Violence against Women Act 2005", which makes kidnapping a woman across state lines a federal offense.

Now, its already illegal to kidnap someone across state lines, as we all should know. However, considering that there is a 2006 election just around the corner, the average member of congress will not vote against this act -- just imagine the attack ads if he did!

Look at the AARP -- they are being attacked by USA Next for supporting gay marriage. What really happened is that Ohio was passing a constitutional amendment to ban gay marriage. The bill was broad enough to apply to unmarried cohabiting heterosexual seniors. The AARP, acting in the best interests of its members opposed the bill, and now we see ads about how AARP is for gay marriage.

So, let me ask you one question: Why are you against punishing criminals? Your opponent will be asking you this question in 2006.

As always, there is a Simpson's quote [simpsoncrazy.com] for this. Episode 2F11, where Bart discovers a comet that happens to be directly headed towards Springfield:

KENT BROCKMAN

With our utter annihilation imminent, our federal government has snapped into action. We go live now via satellite to the floor of the United States congress.

SPEAKER
Then it is unanimous, we are going to approve the bill to evacuate the town of Springfield in the great state of--

CONGRESSMAN
Wait a second, I want to tack on a rider to that bill - $30 million of taxpayer money to support the perverted arts.

SPEAKER
All in favor of the amended Springfield-slash-pervert bill?

FLOOR
Boo!

SPEAKER
Bill defeated.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Please explain why

[GigsVT]

The new law doesn't change the old law anyway.

"Whoever knowingly, with the intent to carry on any activity which would be a Federal or State crime of fraud or identity theft--"

For this law to even apply, the prosecution has to show intent to commit fraud as it is already defined. This is the same as just charging someone with attempted fraud, as far as I can tell.

Re:More nannying by the state.

[Anonymous Coward]

Muggers use mugging because there are weak people to steal money from. No weak people, no profit from mugging, no reason to mug in the first place.

[blather deleted]

But please don't let us strong people also lose our personal liberties as a result of their weakness.

I've never been mugged and I never will be.

Re:New *Introduced* Bill

[geoffspear]

Not only are you cynical, you're completely delusional, too.

The Supreme Court overturns very few laws. Congress passes plenty of laws. You have no idea what you're talking about, and should stop wasting everyone's time by posting such stupid messages.

Re:Please explain why

[plague3106]

I don't see why thats a problem really. Would you want to be dragged into court (and prision) because the state said you hurt someone, but could not produce said person? The need to have someone hurt is there because the accused has the right to face their accuser in open court.

Re:I'm glad about this

[foobsr]

Been done for thousands of years, true, but taking advantage of people is no way to live your life IMO.

This in a strange way reminds me of THE DISPOSSESSED [motherbird.com] by Ursula K. LeGuin.

CC.

Danger. Potential abuse

[phorm]

One thing to watch out for though is that this law might be abused by those claiming against parody sites. A parody site would have a similar look+feel (or heck, perhaps just a similar URL), but obviously a different focus/content. Now if there were a login option on the parody site, the primary site might be able to claim they were phishing for usernames/passwords...

Re:Please explain why

[BackInIraq]

I'll second that point of view... it seems to me that even if the old laws somehow don't just make scamming in general illegal, then perhaps those laws should be adjusted so that they do.

First, there are many different ways to "scam," and the law, much like coding, is very syntax sensitive. So often times things need to be more specifically defined. In addition, you don't want any particular law to be so darn complex that trying it becomes that much more difficult, so often they break them up so they can just charge you with the part *you* broke. At least, thats how it has always seemed to me.

That way, we can have one law that says scamming people is illegal rather than one law that says scamming people over the phone is illegal and another for scamming people on the internet, and another for scamming people in person, etc...

One major difference between internet scamming (such as phishing) and, say, phone or in-person scamming is that the latter are very labor intensive, whereas the former can run more on auto-pilot. Kinda like foot soldiers vs. simply planting land-mines. Which leads into...

It's all the same crime - there's no reason to distinguish at the legal level, only in the methods of prosecution and gathering proof.

My guess is that they want to differentiate between phishing online and offline scamming because of the speed with which one can gather information illicitly on the internet. Otherwise generally it is better to wait until you have a victim (assuming we're talking non-violent crime, of course), because it makes it vastly easier to prosecute. Online, they can't afford to wait that long, both because you end up with far too many victims, and the perps can disappear (and reappear) much more quickly.

Re:Please explain why

[plague3106]

Yet there are plenty of laws where there is no "victim"

'Well I've already killed 10 people, so killing another one wouldn't be wrong.' Nice logic.

Laws against activities which are deemed to be against the good of the public

Often without really proving they ARE against the public good.

soliciting a prostitute

How does that harm 'the public'? It wasn't until fairly recently that people didn't acknowlege that having prostitution legal WAS a benefit.

drunk driving

I have no problem adding to a sentence if the driver is drunk. But if they haven't harmed anyone or damaged any property, I find it hard to justify a punishment.

selling drugs

Yes, thats why amsterdamn is falling apart, and Europeans are alcoholics because their drinking ages are lower. And lets ignore prescription drugs too, which can be problem causers too. I forgot, is it ok to sell drugs or not?

insider trading

If said insider trading hamrs another party, I don't see a problem with a law regarding it.

usually have no tangible victim associated with them

And I think they should be rewritten so they are unenforcable until harm is done to someone.

The accuser in those cases is usually the government (or rather "the people") and that is whom the accused faces in the courtroom.

Well I don't like dogs, so I'm going to work to have owning dogs made illegal. Then every dog owner can face 'the people' as their accuser. Why? Because the dog COULD bite someone.

Re:Legislative Hall of Fame

[Ryosen]

This is true, but those laws primarily go into effect after the fraud has been committed. What they are going after here is not the fraudulent act itself but the attempt. Sort of like assault and battery. Assault is the threat, battery is the action. Battery carries the heavier charge.

Currently, other than possibly copyright violations, there is nothing truly illegal about setting up a phishing site. Yes, you have intent, but that is very difficult to prove. To make a case really worthwhile to go after, you have to have the theft.

This bill (which I admittedly have not read yet) would seek to make the attempt illegal and easier to prosecute. Like CAN-SPAN, it will be very difficult to enforce, but the good effort is there at least.