ICANN Email List Archives

[gnso-acc-sgb]



RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Information on Phising and Online Fraud

  • To: <gnso-acc-sgb@xxxxxxxxx>
  • Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Information on Phising and Online Fraud
  • From: "Margie Milam" <Margie.Milam@xxxxxxxxxxxxxxx>
  • Date: Mon, 14 May 2007 10:59:20 -0600

I agree with Lane's statements below and can provide background from the
perspective of a service provider that provides reports and shut down
services to financial institutions and other companies that are targets
of online fraudulent activities.   

With respect to online fraud such as phishing, law enforcement generally
does not get involved in the day to day battle to shut down fraudulent
bank sites that are seeking to steal the personal financial information
of consumers.    They do not have the resources or the time to respond
to shut down sites quickly.   This work is done by banks, service
providers and some non-profit groups, using WHOIS information when the
phishing attack is domain name based.   A useful report prepared by the
APWG describing the current scope of the phishing problem can be found
at 
http://www.antiphishing.org/reports/apwg_report_february_2007.pdf 

Since September 2005, there have been 300,000 phish URLs discovered.
With 16,000 unique phish websites that were launched during Feb-07,
targeting 135 different brands, this problem is simply too large for law
enforcement to tackle on a timely basis.   The APWG report indicates
that the average time a phish site is up is 4 days.  Service Providers
and Banks that are actively monitoring and shutting down phishes can do
so in hours instead of days.   This type of timely response is simply
not feasible through law enforcement due to their limited budgets and
resource allocation.   Indeed, law enforcement often works with service
providers to obtain the types of specialized WHOIS based reports that
help identify the criminals behind phishing and other criminal attacks.


Please also note that phishing attacks do not just target financial
institutions, but that other industries are targeted, including ISPs,
retail/service, auction sites, and payment services.  

Consumers and the general public benefit when fraudulent sites are shut
down quickly. Our work on sgb needs to acknowledge and facilitate the
benefits of having non-law enforcement involvement in fighting online
fraud.

Margie


-----Original Message-----
From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
On Behalf Of mortenla@xxxxxxxxxxxxxx
Sent: Monday, May 14, 2007 10:26 AM
To: gnso-acc-sgb@xxxxxxxxx
Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

While I agree there is a clear distinction between law enforcement and a
bank's role in addressing the phishing and fraud activities, I feel
there is also a clear need for bank's anti-fraud (as well as other large
companies who are frequently spoofed by fraudsters) to have access to
registrant information in WHOIS. While law enforcement's objectives are
typically centered on investigating, apprehending and prosecuting the
fraudsters, those activities take months or even years. The anti-fraud
groups are primarily interested in getting fraudulent sites shut down
quickly.

There simply are not enough law enforcement agents around to quickly
work on shut-downs and many (at least here in America) won't take any
action unless  the banks/companies can show that a large loss has
already occurred.

Most responses by victims to a fraudulent web site happen within the
first day and so it is critical to get the fraudulent site shut as
quickly as possible to minimize the risk to the consumer. It would be
great if all of the ISP's and hosting companies out there would
seriously investigate and shut down a phishing site, when they are
notified but very frequently, they are not responsive. In those cases,
it's often much easier to contact the owner of the site (who often are
unknowingly displaying the phishing site because of a
misconfigured/compromised web server or application). Without access to
the whois information, it is very difficult to get the fraudulent sites
shut down.


Lane Mortensen
 

-----Original Message-----
From: owner-gnso-acc-sgb@xxxxxxxxx <owner-gnso-acc-sgb@xxxxxxxxx>
To: gnso-acc-sgb@xxxxxxxxx <gnso-acc-sgb@xxxxxxxxx>
CC: gnso-whois-wg@xxxxxxxxx <gnso-whois-wg@xxxxxxxxx>
Sent: Fri May 11 21:10:05 2007
Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure

Dan, Palmer and all,

  Palmer's comments and/or observations regarding Banks are not
accurate nor appropriate for Whois data.  Law enforcement cannot
rely on banks to do their "Leg Work" so to speak, and very few
do.  Law enforcement do use some bank data on customers for
financial investigative evidence with a warrant as required
by law in most US states and federal statute.

  Dan's remarks have merit from where I sit as to ICANN
acting as a law enforcement or investigative agent for same.
ICANN is not suited for such a function in regards to Whois
data, nor should it be.  Incidentally the Whois was never
intended as a law enforcement tool, and should not be used
as such other than incidentally.  However law enforcement
in the course of an investigation should be able to obtain
"Any" Whois data via jurisdictional due process.  Ergo
a search and seizure warrant or an equivalent dependent on
nation of origin, reciprocity, etc.

Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
Registered Email addr with the USPS Contact Number: 214-244-4827






-----Original Message-----
>From: Dan Krimm <dan@xxxxxxxxxxxxxxxx>
>Sent: May 11, 2007 7:32 PM
>To: gnso-acc-sgb@xxxxxxxxx
>Cc: gnso-whois-wg@xxxxxxxxx
>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>
>I'll let Eric speak for himself with regard to the email he receives, but
>the phishing scams I get are easily recognized and discarded.  (The first
>one I ever got -- before it had become prevalent, and before there was a
>word coined for it -- I was temporarily confused, but I was alert enough to
>check out the domain before supplying any info.  I have been personally
>immune ever since.)
>
>While I opt-out of all uses of my info by financial institutions that I can
>(and in California I can opt out of more than in other states or countries,
>because of consumer-friendly state regulation), I am still troubled by
>information collected by credit reporting agencies and other sources that I
>do not know about.  I refuse to allow DoubleClick to place cookies on my
>browsers.  And still I know this is not enough to be secure in the
>knowledge that data about me is not being used against my interests,
>usually by private entities out to make a buck.
>
>Banks already get a lot of personal information from their immediate
>customers.  There is no reason to give them unsupervised blanket access to
>all information in the Whois database about millions upon millions of
>people who are not their direct customers.
>
>Information used for legitimate anti-fraud efforts needs to be
>well-targeted as much as possible, and checks and balances need to be in
>place to assure appropriateness of access as a rule, since recourse is not
>always available in the case of abuse (and thus deterrence may be
>ineffective).
>
>If ICANN is not in position to become a fully-functional public law
>enforcement entity in and of itself, with all of the due process and
>accountability that such a role calls for (and it seems pretty clear that
>it is not), then that dynamic needs to be in the system somewhere, somehow,
>and it needs to be designed with some serious effectiveness, not just as a
>cosmetic ruse.
>
>Dan
>
>
>
>At 5:54 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
>>Those 20 or so spam emails are likely phishing emails or scams. Banks do
>>not send spam emails. These emails you are referring to are not legitimate
>>emails, and this is exactly what banks are trying to prevent in order to
>>protect consumers from identity theft and fraud.  Your email highlights
>>how significant and prevalent this problem is.
>>
>>
>> ----- Original Message -----
>>  From: Hugh Dierker [hdierker2204@xxxxxxxxx]
>>  Sent: 05/11/2007 03:26 PM MST
>>  To: gnso-acc-sgb@xxxxxxxxx
>>  Cc: gnso-whois-wg@xxxxxxxxx
>>  Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>>
>>
>>This really assumes a lot.  Hypothetical "who done its".  Does not justify
>>giving out confidential information to banks.  I get 20 or so spams a day
>>from Banks. Junk mail another 5 a day- credit cards galore.
>>I do not buy that "banks" want my info for purely secure reasons.
>>
>>Eric
>>
>>Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
>>
>>
>>Dan,
>>
>>The problem is a practical one. Law enforcement has limited resources.
>>We might wish that were not the case, but it is, and, realistically, it
>>will always be the case. Law enforcement, as I set out in my earlier
>>emails to Milton, expects banks to do the legwork before it will act.
>>Maybe it should be otherwise, but this is not the case nor will it ever
>>be the case. In various roles, both in government and working on the
>>side of government, I have spent years working on the side of law
>>enforcement. I think it is fair to say that law enforcement's approach
>>is virtually an immutable law of nature. And frankly from law
>>enforcement's standpoint, it must set priorities given its limited
>>resources.
>>
>>If banks do not have access to the necessary information, internet users
>>and consumers will be put at much greater risk. It would be nice to
>>think that banks and consumers could simply lodge a complaint and that
>>the complaint would be immediately acted upon. But this will never
>>happen. Law enforcement has too much on its plate. My banks can give
>>you page after page of examples to corroborate this. And remember for
>>every hour that passes, millions can be lost, including life savings.
>>
>>Please take another look at the example in my email to Milton involving
>>the local police in a foreign jurisdiction that finally agreed to act,
>>but only after the bank had exhausted all avenues and done all the
>>legwork. Realistically, absent bank access to the local address, it is
>>unknown how many innocent consumers would have suffered losses before
>>this fraudulent website was ever closed down.
>>
>>You are right that this is a question of balance. And I would argue
>>that consumer protection needs to be prominently considered, not
>>dismissed as unfortunate collateral damage.
>>
>>Banks are closely regulated and monitored entities with public
>>responsibilities. Those responsibilities are examined regularly by bank
>>examiners. As a result, I would submit, consumer protection ought to
>>prevail in light of the protections from a privacy standpoint in the
>>existing regulatory structure.
>>
>>Palmer
>>
>>-----Original Message-----
>>From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
>>On Behalf Of Dan Krimm
>>Sent: Friday, May 11, 2007 3:43 PM
>>To: gnso-acc-sgb@xxxxxxxxx
>>Cc: gnso-whois-wg@xxxxxxxxx
>>Subject: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>>
>>Palmer,
>>
>>If I may step in here (and shift this discussion over to the Subgroup B
>>list where it properly belongs):
>>
>>At 1:44 PM -0500 5/11/07, Palmer Hamilton wrote:
>>
>>>Just having the IP address and registrar is not sufficient. For
>>>example, one of my banks had a case in which it had to use local police
>>>in a foreign country to visit the physical address of the website owner
>>>to get the site taken down. The bank had tried to get the registrar to
>>>shut it down without success. The bank had also tried to stop the site
>>>with the administrative contact, the technical contact, the abuse
>>>contact, and the website owner, all with no success. The registrar was
>>>also not interested in working with the local police, but the local
>>>police agreed to assist AFTER the bank provided the police the full
>>>WHOIS information plus a synopsis of its takedown efforts.
>>
>>So the question here is, when the bank is involved in valid efforts that
>>require access to Whois data that is designated as private there
>>certainly should be a process for that data to be engaged in the
>>process, so what should that process be? No one is suggesting that the
>>bank never get any such information whatsoever. But some of us are
>>suggesting that private entities should not get direct access to the
>>Whois data, but rather get information from formally accountable LEAs
>>who have direct access.
>>
>>It doesn't mean that private agents cannot contribute to the
>>investigation process, but that private agents need only be given what
>>they need in a particular context rather than being given the full range
>>of powers granted to publicly-accountable law enforcement. And, that
>>LEAs be responsible for providing appropriate information to private
>>agents that are participating in investigation processes. Once such a
>>policy is well-defined, it is possible to build technological systems
>>that adhere to those policies and operate efficiently without
>>unnecessary human intervention.
>>
>>And if ICANN jurisdiction is insufficient to resolve all structure
>>issues, that still may not be ICANN's responsibility to solve.
>>
>>At some point public law enforcement must step up to the plate to do
>>what needs to be done. ICANN cannot solve all the world's public
>>problems on its own, or even those problems that may relate tangentially
>>to the technical operation of the Internet. ICANN is not a proper venue
>>to determine and conduct public governance activities, or to authorize
>>private execution of public governance.
>>
>>
>>
>>>Having said this, the Dutch model could ultimately help fill a void on
>>>the international level by leveraging international pressure on
>>>recalcitrant governments. But again, this is not really an alternative
>>>to what we are doing in Subgroup B, as I understand it.
>>
>>What exactly are we doing in subgroup B as you understand it?
>>
>>As I understand it, we are trying to reach some consensus on what GNSO
>>should recommend to the ICANN Board with regard to determining to whom
>>and how direct access to private Whois data under the OPoC paradigm
>>should be granted (by registries and/or registrars). This does not
>>speak to indirect access through authorized/certified LEAs.
>>
>>I have no expectation (or illusion) that what we come up with here will
>>create a perfect world. It will certainly continue to be systematically
>>imperfect from a privacy protection standpoint. If you are hoping to
>>find perfection, then that is undoubtedly beyond the scope of this WG or
>>Subgroup B.
>>
>>We are not in a position to dictate a comprehensive and airtight
>>resolution to the full complexity of issues here. So at least *that* is
>>*not* what we are doing here.
>>
>>Dan