July 14th, 2008

Anti-Phishing in Hong Kong


Planning a short trip to Hong Kong tomorrow reminded me of Jonathan Shea, something I have wanted to blog about but was waiting for the hype around the new generic TLDs to cool down. Jonathan Shea is an old friend who is in charge of “.hk”. I had the pleasure of catching up with him at the Paris ICANN meeting.

Before Jonathan, let me talk about something related that happened in Paris. At the Cross Constituency Meeting, there was a presentation by the Anti-Phishing Working Group (APWG). In summary, they proposed working with registries to take down domain names suspected of being involved in phishing.

Now, I am as anti-phishing as any other reasonable person: we should do our best to combat scamming on the Internet. But what they proposed scared the hell out of me: take down domain names merely on suspicion of phishing?

What happened to the legal maxim “innocent until proven guilty”?

Now, I can hear some objections: these phishers are sneaky bastards who adopt “hit-and-run” tactics. An entire phishing attack can be over within 24 hours or less, so we need to react before they claim more innocent victims.

That’s true, but it is not an excuse to override the basic principle of legal enforcement. Just because a thief could commit their crime in less than 5 minutes does not mean we stop treating the suspect as innocent until proven guilty. Nor do we lock down the house or the store while we investigate, which is, in a way, what was proposed.

After Wendy Seltzer raised some concerns, I stood up and asked two questions:

(1) How does APWG determine that a domain is a phishing domain eligible for take down?

All I got was a hand-waving answer that it is complicated and there was no time to go into details. I am not sure whether they differentiate between intentional phishing and a site/domain that was hacked or hijacked. I am not even sure how they determine that a site is indeed phishing. If I put up a spoof making fun of a bank’s bad service, would I be the target of a take down?

(2) How effective is a domain name take down when phishers could easily use IP addresses instead of domain names?

Once again, he dodged the question without giving any data, but at least his answer was more plausible: one should make use of every mechanism available to fight the problem. Nevertheless, I remain unconvinced that taking down domain names would deter phishers, as they could easily use IP addresses instead. Do we then go to the RIRs and ISPs to blackhole the routing for an attack that might last merely hours?

I might be more open if the takedown were temporary, an emergency one-off measure for cases where the attack significantly threatens the general public or the normal operation of the Internet, and where we can prove that the best way to stop that specific attack is in the DNS.

However, I am not convinced that ICANN and the registries are the best way to deal with the problem on a long-term, continuous basis. I think this is a classic case of “if all we have is a hammer (i.e. ICANN), everything looks like a nail”.

This is not to say that registries don’t play a part in anti-phishing. This is where I come back to Jonathan and HKIRC (.hk).

McAfee published a report, Mapping the Mal Web Revisited, in May. The report said “Hong Kong (.HK) soared in 2008 to become the most risky country TLD”.

Obviously, this report upset quite a few people, including Hong Kong Internet veterans like Charles Mok and Pindar Wong (see IT360). Jonathan contested that the report is unfair because its data points are based on 2007, whereas the problem had been substantially improved by early 2008.

What HKIRC has done is a model of what I think registries should adopt.

1. In March 2007, HKIRC worked with HKCERT and the HK Police Force on a procedure to verify whether a .hk domain name has been used for phishing. They also work with OFTA, the local regulatory body, which will provide a definite list of .hk domain names involved in spamvertising in July 2008.

2. In July 2007, HKIRC tightened their online payment system (HKIRC is also the registrar) so that stolen and lost credit cards cannot be used. In early 2008, they also developed an internal auditing system that flags suspicious registrations, which are then processed manually with additional documentary proof requested from the registrant.

An example of what triggers the flagging: when a domain name is known to be a phishing site from OFTA’s definite list, the other domain names registered by the same registrant are considered suspicious.
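As an added illustration of the flagging rule just described (this is not HKIRC’s own code; the registrant identifiers, domain names and the “confirmed” list are constructed samples), the following Python sketch groups registrations by registrant and marks the sibling domains of any confirmed phishing domain for manual documentary review, not for takedown:

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Registration(NamedTuple):
    domain: str
    registrant_id: str  # the registry's own identifier for the registrant


# Constructed sample registrations; these are not real .hk records.
SAMPLE_REGISTRATIONS = [
    Registration("bank-login-example.hk", "R-1001"),
    Registration("secure-update-example.hk", "R-1001"),
    Registration("florist-example.hk", "R-1002"),
    Registration("account-verify-example.hk", "R-1003"),
    Registration("noodles-example.hk", "R-1003"),
]

# Constructed stand-in for the regulator's definite list of confirmed
# phishing domains (in the post, the list OFTA provides to HKIRC).
SAMPLE_CONFIRMED: Set[str] = {"bank-login-example.hk"}


def flag_suspicious(
    registrations: Iterable[Registration], confirmed: Set[str]
) -> Dict[str, List[str]]:
    """Return {flagged_domain: [confirmed sibling domains that caused it]}.

    A domain is flagged only when the same registrant also holds a domain
    on the confirmed list. Confirmed domains themselves are not returned:
    they are already handled by the verification procedure with HKCERT and
    the police. Flagging means 'ask for documentary proof', not takedown.
    """
    registrations = list(registrations)
    by_registrant: Dict[str, Set[str]] = defaultdict(set)
    for reg in registrations:
        by_registrant[reg.registrant_id].add(reg.domain)

    # Registrants who own at least one confirmed phishing domain.
    tainted = {r.registrant_id for r in registrations if r.domain in confirmed}

    flagged: Dict[str, List[str]] = {}
    for rid in sorted(tainted):
        evidence = sorted(by_registrant[rid] & confirmed)
        for domain in sorted(by_registrant[rid] - confirmed):
            flagged[domain] = evidence
    return flagged
```

Domains with phishing-looking names but no link to a confirmed domain (here `account-verify-example.hk`) are deliberately not flagged, which is the point of a list-driven rule rather than a name-based guess.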

What HKIRC did is neither intrusive nor disruptive to registrants. Nor do they presume guilt before innocence and take down domain names on suspicion alone. They work with regulators and the police to make sure they have the right person, and they let judges do their job of determining guilt or innocence.

Most importantly, these measures have been effective in curbing the problem.