Interviewed by Philbert Shih, theWHIR.com
This article appeared in the April/May issue of Web Host Industry Review magazine.
May 5, 2005 — (WEB HOST INDUSTRY REVIEW) — Established in 2003, The Anti-Phishing Working Group (anti-phishing.org) is an industry association focused on the elimination of identity theft and fraud developing as a result of the growing phishing and email spoofing problems. The APWG provides a forum for the discussion of phishing issues and testing of potential solutions. Archives of phishing scams and other valuable information and resources are available through the organization's Web site.
Peter Cassidy is the secretary general of the APWG. He manages the organization's day-to-day operations and is involved with conference development and management, speaking, membership expansion, organizational growth, and development of the directional orientation of APWG's research and data collection services.
Web Host Industry Review: It seems like the APWG has been making some important strides in terms of membership. What does the involvement of banks and other groups targeted by phishing add to the APWG?
Peter Cassidy: A deep understanding of how the threat affects them in reality and how it affects them in terms of customer relations, and how it affects them in terms of the decision cascade that comes into play when you are talking about fixing a problem like this. We really do wonderfully inform the larger membership about the complexity of doing things like applying a new kind of authentication procedure. A lot of this stuff, on paper, looks lickety-split. But when you sit and talk with bankers, you realize that there is an enormous number of factors that come into play in terms of costs, consumer education, future-proofing, public perception and regulation, and in that way we are very lucky to have the trust and the fellowship of the financial institutions.
By comparison, what does the involvement of certificate authorities or software companies provide?
PC: They provide us with an insight into authentication technologies that can be deployed in a number of wonderful ways that can be considered in some part a defensive mechanism against phishing.
How much of the APWG's work involves educating the public in general about the threat?
PC: A lot. We spend a lot of time on the phone with journalists. We spend a lot of time giving documents out to credit unions, banks, financial institutions and community groups two or three times a week. We'll get anything from a local cop to a worker at a senior center to a credit union, will call up and say, hey, can we have some top ten tips to prevent phishing from happening to our customers or our constituents? And we mail all that stuff out and make sure they have enough material to cover their constituents. Often we'll send package presentations to law enforcement that they can use on their own. And they call us up and we'll go over the stuff as best we can so that they can give a presentation and educate the public sort of on our behalf.
And just how aware is the average Internet user of the threat posed by phishing?
PC: Good. I think pretty well. I think because it's been in the newspapers, most people are pretty savvy to the conventional forms of phishing. The minority of people is sort of aware of what can happen to them through technical subterfuge that requires no deception on their part. Viruses and worms that can load trojan horses onto their machines, they basically mine the data from their keystrokes or directly from the PC itself. I think people are less aware of that. But I think they are actually becoming more aware of it.
As the organization grows, will it become more involved in recommending specific means for combating fraud online?
PC: No. We really need to be agnostic. As soon as we start picking winners we stop researching reality, we stop interrogating what reality is and what needs to go there. But what we will always do is try to pull in the largest body of thinkers and vendors and push them out into the world because I think that it is going to be a multiplicity of solutions at a number of different frontiers that is going to put it down. Not one single bullet.
What is the long-term solution? What will it take for Internet users to be safe from phishing?
PC: It will take the return on investment to plunge below the level at which organized crime will want to be involved with phishing. So that means not one bullet is going to take care of it. It means life is going to be hard and expensive for them at the network level. Life is going to be hard and expensive for them at the client level. Life is going to be hard and expensive for them at the transaction level. So I think the moment it becomes too expensive for them to do this is the moment it all goes away, because they are rational businessmen like anyone else.
What can law enforcement agencies contribute to the APWG and vice versa?
PC: An understanding of how to deal with law enforcement, how to inform law enforcement, how to get information to them in the right formats and the right order. That's really important. It's very easy to get lost because law enforcement is big. And I think phishing has helped financial institutions and other victims sort of organize their thinking and organize the protocols on how to deal with these kinds of things. Because even if phishing is put away, electronic crime is not going to disappear.
What kind of relationship do you currently have with law enforcement?
PC: Great. The latest plenary session of the APWG was at the United States Secret Service headquarters in Washington, DC. We have a very large police presence at the APWG.
What are the organization's goals long-term? How will you measure failure or success?
PC: The moment we are put out of business. For us, the faster we put ourselves out of business, the more successful we are.











