Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
United States CDA News

Phishers Face Jail Time Under New U.S. Bill 262

An anonymous reader writes "Democrat Patrick Leahy has introduced a new federal anti-phishing bill that would impose jail terms up to five years and fines up to $250,000 for criminals creating fake web site designed to con consumers in to giving them their personal information. 'Some phishers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only after someone has been defrauded - that leaves plenty of time to cover their tracks. Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing.' said Leahy in a statement regarding the Anti-Phishing Act of 2005."
This discussion has been archived. No new comments can be posted.

Phishers Face Jail Time Under New U.S. Bill

Comments Filter:
  • by LiquidCoooled ( 634315 ) on Friday March 04, 2005 @08:05AM (#11843219) Homepage Journal
    I hope I don't get arrested for phishing in the wardrobe after a night out.
  • I'm glad about this (Score:5, Interesting)

    by Deekin_Scalesinger ( 755062 ) * on Friday March 04, 2005 @08:06AM (#11843227)
    Assuming it works and is enforceable, of course. I think phishing is a pretty low way to live your life - preying on the gullible. Been done for thousands of years, true, but taking advantage of people is no way to live your life IMO.
    • by kaellinn18 ( 707759 ) on Friday March 04, 2005 @08:13AM (#11843262) Homepage Journal
      taking advantage of people is no way to live your life IMO

      Then I recommend you not pursue a career in the federal government.
    • by foobsr ( 693224 )
      Been done for thousands of years, true, but taking advantage of people is no way to live your life IMO.

      This in a strange way reminds me of THE DISPOSSESSED [motherbird.com] by Ursula K. LeGuin.

      CC.
  • Great..... (Score:4, Insightful)

    by Capt James McCarthy ( 860294 ) on Friday March 04, 2005 @08:10AM (#11843247) Journal
    Congress is all over it. Now the problem is sure to be solved. :-/ I'm afraid that this lip service will once again make the general public think this will solve the problem. Nope. It may slow down folks within the US borders, but we all know the true result of bills like this. It just won't work.
  • by aconn ( 709312 ) on Friday March 04, 2005 @08:10AM (#11843248)
    This one will join CANSPAM in the Legislative Hall of Fame under the necessary but useless category.
    • Necessary? How so? We already have laws against fraud that could easily be used rather than having to draft up entirely new legislation.
      • This is true, but those laws primarily go into effect after the fraud has been committed. What they are going after here is not the fraudulent act itself but the attempt. Sort of like assault and battery. Assault is the threat, battery is the action. Battery carries the heavier charge.

        Currently, other than possibly copyright violations, there is nothing truly illegal about setting up a phishing site. Yes, you have intent, but that is very difficult to prove. To make a case really worthwhile to go after, yo
  • NO! (Score:5, Funny)

    by StevenHenderson ( 806391 ) <stevehenderson@NOspam.gmail.com> on Friday March 04, 2005 @08:11AM (#11843252)
    Uh oh! Does this mean they are going to jail Prince Ombutu Nagala of Nigeria? He was going to split $28M with me!!!!!!!!1
    • Since Prince Ombutu lives in Nigeria, wouldn't you have to extradite him to the US to nail him with this law?

      • Re:NO! (Score:2, Funny)

        by Penguin ( 4919 )
        Since when has it been a showstopper for the US to enforce US law in other countries? :)
      • All depends on the treaty conditions signed with said country. Though, to speak of late, if they don't respect the terms of the treaty, we're likely just to go in an occupy their country, but I digress.

        It's the reason why we have extridition treaties, so that we can inforce our laws in other countries when the end result affects a US citizen. Is it right? In some cases, yes. Like anything else, there's always a broad range of exceptions.
    • You too!?

      He's such a nice guy!

    • The Nigerian 419 fraud isn't phishing. The idea is to promise you huge amounts of money and at a later stage in the "transaction" they ask for a processing fee or bribe in order to get the money to your account. Guess what - you never hear from the perps again once you've sent the fee (basically whatever they reckon you can afford, a particularly stupid cousin of my wife lost 50,000UKP).

      There is an occasional phishing-like variation where the boys from Lagos want your bank details to try and clean out the

  • Good! (Score:2, Insightful)

    by Kimos ( 859729 )
    I'm glad to see that phishing is being taken seriously! Just because it happens on the internet, doesn't mean it's not as serious as any other type of scam.
  • Evidence (Score:3, Interesting)

    by retards ( 320893 ) on Friday March 04, 2005 @08:14AM (#11843268) Journal
    Not a bad thing, but I think actual fraud or clear intent should have to be proven. Opportunity and unproven intent should not be weigh beyond a reasonable doubt.
    • Re:Evidence (Score:3, Insightful)

      by Anonymous Coward
      That shouldn't be difficult.

      Creating a website that looks like that of an existing bank or commercial concern using graphics and layouts harvested from said bank or commercial concern's website and asking for account numbers and PINs, SSNs and other personal information should be ample proof of intent. Using browser address bar and security certificate spoofs/hacks should cement the proof of intent.

      An individual or group who collects usernames and passwords like that doesn't do so for curiosity's sake.
    • Not a bad thing, but I think actual fraud or clear intent should have to be proven. Opportunity and unproven intent should not be weigh beyond a reasonable doubt.
      • In general I'd agree with you but this is Phishing. They've set up a fake website designed to look exactly like a banks. They've also sent out fake messages designed to look like they're from said bank saying that the customer needs to login to their account for some contrived reason and providing a link to the spoofed site for the login link
  • Please explain why (Score:5, Insightful)

    by Anonymous Coward on Friday March 04, 2005 @08:15AM (#11843274)
    "Traditional wire fraud and identity theft statutes are not sufficient to respond to phishing.' said Leahy in a statement regarding the Anti-Phishing Act of 2005."

    Please explain why. New laws suck. 99% of the time the old existing laws are completely capable of handling the problem... just enforce the laws we have.
    • Somebody should develop a tool to bombard their websites with junk data. They want acct #s and passwords? Give em 10,000 fake ones for every real one. Let them try and figure out which is which. It could even be a distributed app: FoilPhishers@Home.

      But yeah, send 'em to Federal PMITA prison at first opportunity too.
    • by glyn.phillips ( 826462 ) on Friday March 04, 2005 @08:28AM (#11843347)
      Don't forget Illegal Use of Trademark.
    • I'll second that point of view... it seems to me that even if the old laws somehow don't just make scamming in general illegal, then perhaps those laws should be adjusted so that they do.

      That way, we can have one law that says scamming people is illegal rather than one law that says scamming people over the phone is illegal and another for scamming people on the internet, and another for scamming people in person, etc...

      It's all the same crime - there's no reason to distinguish at the legal level, only in
    • by RobotRunAmok ( 595286 ) * on Friday March 04, 2005 @08:39AM (#11843411)
      Leahy is a lawmaker. Lawmakers make laws. There is no glamor for him in enforcing existing (i.e., someone else's) laws.

      How many congresspeople do you know who run for re-election on a platform of, "Hey, y'know, we've pretty much got a law for every possible crime imaginable, I just spent my term minimizing bureacracy so Justice, the cops and the courts could do their thing" ?

      It's all about the re-election. "Hey, lookit me! The hip Anti-Phish Candidate! A year ago it wasn't even a word, but last week I wrote a law against it!! Who's your Re-Electable Daddy?!"

      It's the same headline-generating mentality that prompts these bozos to make cellphone-specific anti-driving-while-distracted laws.
      • How many congresspeople do you know who run for re-election on a platform of, "Hey, y'know, we've pretty much got a law for every possible crime imaginable, I just spent my term minimizing bureacracy so Justice, the cops and the courts could do their thing" ?

        Its rather unfortunate they don't run on that platform. I would probably vote for that candidate. Hell, I can't do any worse. I live in a conservative area, and, not being a conservative, every last person I voted for in the 2004 election lost (save
        • You're not a conservative, but you favor keeping all of the laws exactly how they are so Justice can be served?

          Umm, ok.

          • No, no, no!

            I am not for adding layer upon layer of useless laws when old laws will do just fine. This reminds me of the guy who likened the federal code to trying to maintain the same source for over 200 years.

            Its high time for a complete rewrite.
      • I don't think that being the "Anti-Phish Candidate" would win too many votes in Vermont.

        Besides, Trey Anastasio is way cooler than Pat Leahy anyday.

    • by dasunt ( 249686 ) on Friday March 04, 2005 @08:56AM (#11843526)
      Please explain why. New laws suck. 99% of the time the old existing laws are completely capable of handling the problem... just enforce the laws we have.

      Here's my theory what happens:

      Imagine a congressman or congresswoman wants to appear to be doing something. Or perhaps they are just naive. Either way, they come up with a new law which more or less covers an existing law. We'll use a hypothetical "Violence against Women Act 2005", which makes kidnapping a woman across state lines a federal offense.

      Now, its already illegal to kidnap someone across state lines, as we all should know. However, considering that there is a 2006 election just around the corner, the average member of congress will not vote against this act -- just imagine the attack ads if he did!

      Look at the AARP -- they are being attacked by USA Next for supporting gay marriage. What really happened is that Ohio was passing a constitutional amendment to ban gay marriage. The bill was broad enough to apply to unmarried cohabiting heterosexual seniors. The AARP, acting in the best interests of its members opposed the bill, and now we see ads about how AARP is for gay marriage.

      So, let me ask you one question: Why are you against punishing criminals? Your opponent will be asking you this question in 2006.

      As always, there is a Simpson's quote [simpsoncrazy.com] for this. Episode 2F11, where Bart discovers a comet that happens to be directly headed towards Springfield:

      KENT BROCKMAN

      With our utter annihilation imminent, our federal government has snapped into action. We go live now via satellite to the floor of the United States congress.

      SPEAKER
      Then it is unanimous, we are going to approve the bill to evacuate the town of Springfield in the great state of--

      CONGRESSMAN
      Wait a second, I want to tack on a rider to that bill - $30 million of taxpayer money to support the perverted arts.

      SPEAKER
      All in favor of the amended Springfield-slash-pervert bill?

      FLOOR
      Boo!

      SPEAKER
      Bill defeated.
    • by MindStalker ( 22827 ) <mindstalker AT gmail DOT com> on Friday March 04, 2005 @09:06AM (#11843606) Journal
      Current law requires there to be victims. So if you are unsuccesful or they simply can't find your victims, they could not arrest you under current law. Of course there are laws like trademark infringment but that would require the cooperation of the people you are copying.
      • I don't see why thats a problem really. Would you want to be dragged into court (and prision) because the state said you hurt someone, but could not produce said person? The need to have someone hurt is there because the accused has the right to face their accuser in open court.
      • IANAL, but I have a question: What about "conspiracy to commit X" and "attempted X." Can't they still charge you with that even if you don't manage to pull off "X"?
    • by GigsVT ( 208848 )
      The new law doesn't change the old law anyway.

      "Whoever knowingly, with the intent to carry on any activity which would be a Federal or State crime of fraud or identity theft--"

      For this law to even apply, the prosecution has to show intent to commit fraud as it is already defined. This is the same as just charging someone with attempted fraud, as far as I can tell.
  • by 91degrees ( 207121 ) on Friday March 04, 2005 @08:15AM (#11843276) Journal
    From exisitng conspiracy to commit fraud crimes?

    Why do we need a new law when an existing one will do?
  • by Scratch-O-Matic ( 245992 ) on Friday March 04, 2005 @08:15AM (#11843278)
    Senator Leahy is engaged in a legislative battle against online scammers, and he needs your support. If you would like to help, click on this link [senate.gov]. To ensure that you are a registered voter, you will be asked to verify your name, address, and social security number. You may then make a donation online, right from your checking account!
  • better solution. (Score:5, Interesting)

    by Lumpy ( 12016 ) on Friday March 04, 2005 @08:17AM (#11843284) Homepage
    I already start up an app to poison their databases every time I get one ofthose paypal,ebay or lately, the yahoo greeting card phishing scams.

    point a particular java app at the url and let her fly filling in all the form fields over and over and over again with what looks like real but is generated from files crap.

    if the asshats have to sift through 300 bad records to find something useable, at least I slowed them down a bit.

    If more people in the know did this to them instead of the worthless action of reporting them it would make a bigger impact. the last one I reported to ebay was still up days later. My second alert to ebay was responded with "we cant deal with them all, go away" but in nicer words.
    • I bet all they do is log them to a file and then they use a computer-aided approach just like yours to attempt to transfer a random amount of money from each account.

      That's what I'd do anyway. Still, your approach is much better than nothing.

      When playing a game, always put yourself in the mind of the opponent and work out what they would least like you to do. So, fellow slashdotters, what would really annoy these people?

      Justin.
    • give us a link to it then... fancy just mentioning this app and then leaving us all dangling... ;)
    • Reporting to ebay does little good, obvious because they can't deal with that many site and they don't have control of the sites. Personally I've found that I can generally track down the ISP with a litte bit of work, reporting to them gets the site taken down in matter of hours. Of course this is a lot tougher when the site in question is foreign I've found.
    • Why wouldn't they just check the IP address the requests came from and chunk your 300 requests in one go?
  • by Anonymous Coward
    just so long as they leave my free ipod scam alone...
  • by G4from128k ( 686170 ) on Friday March 04, 2005 @08:20AM (#11843301)
    I've not read the bill (only this article [internetnews.com]), but I wonder if this could be used to prosecute other internet low-life that try to gather personal data for purposes not sanctioned by the submitter of the information. And taking over someone's computer without their knowledge would certainly seem to be a type of fraud under this bill.
  • by Laurentiu ( 830504 ) on Friday March 04, 2005 @08:21AM (#11843311)
    As a new federal law called "The Anti-Phishing Act of 2005" is being pushed by the U.S. legislative, hackers everywhere celebrate their victory over the English language.

    "W3 pl4n 2 in7r0duc3 z00n 0d4r l337 w0rdz in d4 c0n73mp0r4n v0c4bul4rj", said the appointed speaker for the "H4x0rz" community, who prefers to remain anonymous ."0ur n3x7 74rg47z 4r3 "h4x0r", "l337" 4nd "pwn3d". 0ur l0bbj gr0up iz z7r0ng, 4nd w3 b3li3v3 d4j will 4lz0 b3 in7r0duc3d bj d4 3nd 0ph d4 j34r."
  • Phishing Bill Issues (Score:5, Informative)

    by Gallenod ( 84385 ) on Friday March 04, 2005 @08:21AM (#11843312)
    This is a first shot across the bow. The bill will probably undgergo substantial debate and amendment as it moves through Congress, but I expect this has a chance to become law.

    I've met Sen. Leahy. He's an old-school Vermont Democrat who's held pretty much every state-level elected office except governor and lieutenant governor. I've had a couple of e-mail exchanges with him on CAN-SPAM. When that law first passed, he was cautiously backing it as a reasonable first step. He's realized lately, however, that it's been largely ineffective. The anti-phishing bill is his first real leading charge at cyber-scamming and it reflects some of his earlier frustration with Congress's inability to deal effectively with Internet issues.

    (Or much else, in many people's opinion.)

    Leahy ruffled some feathers in the online community by supporting RIAA-sponsored legislation on copyrights. It's possible this is a canny political attempt to balance the books a bit. Then again, he's a decent guy with 80% support in a state that's 33% Republican. Even in the minority, he's got a lot of clout. On this issue he'll probably get bi-partisan support, so it's likely this bill will, in some form, eventualy become law.

    Besides, anyone high on Dick Cheney's hate list can't be all bad.
  • Are most if not nearly all perps of this this non US based? Last time I looked, the scammers were mostly from Nigeria right?
  • by wingspan ( 113604 ) on Friday March 04, 2005 @08:22AM (#11843318) Homepage
    Phishing exists because the phisher has a favorable risk/reward relationship. This legislation will help change that relationship by allowing law enforcement to get involved earlier. Today, LE has to wait for a fraud to occur and someone to complain. If my understanding is correct, under this legislation LE can get involved much earlier, when phishing or pharming is first detected. Earlier involvement means less time for the phish site to be operating (reducing return), and less time to destroy evidence (increasing risk).

    Of course, whether they will become involved or not is subject to debate.

  • Hot air (Score:3, Insightful)

    by glyn.phillips ( 826462 ) on Friday March 04, 2005 @08:22AM (#11843322)
    Apparently Patrick Leahy is ignoring just how easy it is to move phishing opperations off shore. This looks more like a means to keep Leahy in the news rather than an effective crime-fighting law. In the horse and buggy days people learned not to walk right behind a horse unless willing to get kicked. When automobiles came out everyone learned to look both ways before crossing the street. As any new technology appears, a new set of safety rules comes with it, and each individual needs to learn the new rules. Many institutions are busy educating their users and now law is needed to force them to do this as it is already in their best interest.
    • Re:Hot air (Score:4, Insightful)

      by Steve B ( 42864 ) on Friday March 04, 2005 @08:38AM (#11843397)
      Apparently Patrick Leahy is ignoring just how easy it is to move phishing opperations off shore.

      The host computer can be moved offshore, but the phisher himself can still be nabbed as long as he stays in the US (or a country with an extradition treaty). As a few people pointed out on spammer thread [slashdot.org] the other day, not many of the crooks are willing to actually go live in Elbonia so they can hide from the law.

  • by mattspammail ( 828219 ) on Friday March 04, 2005 @08:26AM (#11843337)

    How many of you have actually traced down an IP address to find its origin? I know I'm not the only one. The first thing you find out is that the IP address is registered in Latin America or some other part of the world where we have no jurisdiction. The second thing you find out is that there is no way to do anything about their perceived illegal activities. I say perceived, because it may be un-legislated activity where they come from.

    I say all of this because I don't think there's a single thing we can do to prevent those outside our country from doing this over and over and over again.

    Practically useless, if you ask me.

  • by CastrTroy ( 595695 ) on Friday March 04, 2005 @08:32AM (#11843369)
    Isn't there already a law that can be applied? Doesn't this basically amount to fraud or something? I think the biggest problem with Phishing is that it's a little hard to track down who is doing it. If you know who's doing it, you can easily arrest them. The problem is, is that mostly these phishers try to remain anonymous, and probably don't have their operations set up in the US.
    • Current fraud laws [probably] require someone arleady defrauded to come forward and press charges. This would allow for the cops to go after them just for the fraud scheme itself without any victims having come forward yet.
    • Doesn't this basically amount to fraud or something?
      i had thought the same thing...IANAL but if my understanding is correct it is indeed fraud, but the problem is that fraud cannot be prosecuted until someone complains, and so the actual fraud might not occur until after the phisher closes down their website and covers their tracks. what this law is trying to do is allow law enforcement to go after them before they get any complaints about fraud or identity theft and hopefully before all the evidence is d
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Friday March 04, 2005 @08:39AM (#11843404)
    Comment removed based on user account deletion
    • Yeah! And the damn nanny state needs to get rid of the stupid anti-burglary laws too!

      If people are stupid enough to live in homes that aren't as secure as a military installation, they deserve to have their stuff stolen. How dare the state infringe the civil liberties of smart people like me by making it illegal to break into your house and steal stuff, if you're dumb enough to have glass windows that I can just shatter with a brick?

  • I don't get some of these phishing guys. Just got this in my inbox. Sure, there are some phishes that look believable but are the phishers really as stupid as the people that click on them? Would anyone who'd create a brain-dead phish like this one actually be afraid of jail time and/or a fine?

    --
    Subject: E-gold secutity patchHBhdGNo

    Dear E-gold user, we receive many complaints concerning unsunctioned taking the money
    off the balance of our users recently, thus we earnestly ask you to install the
    following
  • by IpsissimusMarr ( 672940 ) * on Friday March 04, 2005 @08:49AM (#11843457) Journal
    Is it just me or is doing something illegal in the cyber-world more dangerous than the real world? How is it possible that I get more jail time for cracking into and defacing a web page than I'd get for shooting someone?

    For our 'cyber-laws' we should be taking precidence from our existing laws. Instead of levying new fines for phishing, add this definition onto our current fraud and identity theft laws. Instead of creating crazy fines for spammers (although I want to see them pay just like everyone else) and model the punishments similarly to the do-no-call lists?

    Law-makers don't see the internet as an extension of the physical world, and in term of law it should be seen in this light. Extend Current laws, don't make them up in a flight of fancy.
    • How is it possible that I get more jail time for cracking into and defacing a web page than I'd get for shooting someone?

      For this proposed law, the maximum jail time is 5 years. I'm pretty sure the maximum penalty for murder is a bit longer than that.

      Instead of creating crazy fines for spammers (although I want to see them pay just like everyone else) and model the punishments similarly to the do-no-call lists?

      The fine for violating the do-not-call registry is $11,000 per call. Spamming a million emails

  • Surely we will be safe with all these new laws to protect us.

    (sarcasm)

  • Theives (Score:2, Insightful)

    by northcat ( 827059 )
    Small theives have laws against them. Big theives have laws that regulate them. Really big theives have laws for them.
  • Nuclear disaster fine: $60,000
    Phishing fine: $250,000

    It's cheaper to poison people with radiation and then take their credit card #'s then it is to trick them into giving you their credit card #'s.
  • Does this mean phishing is perfectly legal in the U.S. until specific legislation is passed against it?

  • I think it's fasctinating how "hacker" terminology has entered the mainstream, making it all the way up to the highest levels of government. Granted, the bill in question is dealing with a highly technical topic, but still I'm amazed that the acronym junkies in the Capitol basement didn't come up with a more governmentesque term for phishing.

    So far, we've got Spam, Phishing, anybody recall other techno-terms that have made it into the government lexicon?
  • by account_deleted ( 4530225 ) on Friday March 04, 2005 @09:26AM (#11843782)
    Comment removed based on user account deletion
  • by RaZ0r ( 145723 )
    because a large percentage of this fraud is originating outside of the USA.

    How is the US Goverment going to press charges when its occuring out of its jurisdiction?

    Just my 2c...

  • I'm not sure if the bigger trial has finished for those other news people who are refusing to give up their sources names.. if not then it's up to that higher court to decide.
  • great now do something about those 419 scammers and maybe you'll put a small dent in online fraud. support 419eaters.com [419eaters.com] if you haven't already stopped by. These guys are doing a great job reversing the scam on these nigerian fraudsters. Some funny stories in the forum as well
  • Big Fat Whoop (Score:3, Interesting)

    by TheHawke ( 237817 ) <rchapin@NOSPam.stx.rr.com> on Friday March 04, 2005 @10:30AM (#11844284)
    I ran across a phishing site on a client's system while cleaning it up. The HOSTS file had 6 entries in it, redirecting any requests for 5 British banks and one Brazilan banco, to a IP at EV1.net. I busted my ass in a effort to get EV1.net's support team and administrative suits to pull the IP, but all I got was canned replies: "Forward the information to the abuse department". So I did so.

    Two weeks passed, and EV1.net did not take any action whatsoever. So, I sent the report to the big Brit banks, which included The Bank of England, Barclays, and the legendary Lloyds. I got immediate replies, personal ones, NOT canned, that they would immediately take legal action agianst the offending CSP.

    I checked the IP shortly after receiving the replies and got a DNS error.

    It seems to me that EV1.net, which is based in Houston, has merc tendencies when it comes to site hosting.
  • Funding training for law enforcement so that they know how to pursue and prosecute these people under the laws they're already breaking instead? Or possibly establishing a single federal agency that would serve as a single point of contact for all Internet crime?
  • It has been held that investigators can misrepresent themselves in order to obtain information from citizens. I believe there was one case where a stalker used an investigator to track down a person who he later killed. The mother attempted to have the investigator held liable in that he called her and got information from her because she thought he was some official or whatnot. He was held not liable.

    Similarly, law enforcement get confessions sometimes on the basis of misrepresenting what they know or

  • by phorm ( 591458 ) on Friday March 04, 2005 @10:52AM (#11844476) Journal
    One thing to watch out for though is that this law might be abused by those claiming against parody sites. A parody site would have a similar look+feel (or heck, perhaps just a similar URL), but obviously a different focus/content. Now if there were a login option on the parody site, the primary site might be able to claim they were phishing for usernames/passwords...
  • Just this past week I received the same phishing email (fake Key Bank login) 5 days in a row. I was surprised the site was able to stay up for so long. Who does one report this type of thing to? the FBI? the Secret Service? the FCC?? There needs to be some sort of clear statement on this from the government.
  • by TheLittleJetson ( 669035 ) on Friday March 04, 2005 @02:45PM (#11846851)
    "Maaaaan, this music sucks!"

You know you've landed gear-up when it takes full power to taxi.

Working...