Hooking phishers of men and women

Nov 25, 2013

Phishing is a fraudulent attempt seeking to acquire money, confidential information or other gain such as usernames, passwords or credit card details from people by masquerading as a trustworthy entity such as a bank, service provider, social network, email systems or institutions. In order to improve security and reduce the risk that any of us is caught out by a phishing attack there is a need to carry out research so that countermeasures can be designed. Unfortunately, in carrying out such research it is possible for the scientists taking part to come unstuck by laws that are in place to protect users from the very attacks they wish to study.

Writing in the International Journal of Intellectual Property Management, UK researchers explain how the legal framework and ethical considerations involved in mobile and computer security research must be updated to allow such research to take place without legal impediment. Rasha Salah El-Din of the Department of Computer Science at the University of York working with Lisa Sugiura of the University of Southampton, explain how they were studying mobile users' susceptibility to phishing attacks, through the use of deception in research and discovered that they were subject to regulations concerning its use. The regulations were implemented despite the fact that their covert work was for the benefit of users and did not represent a fraudulent phishing attack in itself.

As a result of this, the team suggests that the research community needs to start a dialogue on self-regulation and boundaries of legal and ethical conduct. "We are currently in the process of organising an international conference to discuss the legal and ethical challenges that face phishing researchers," the team says. "The conference will source multi-discipline expertise including: phishing researchers, board members of ethics committees, law professionals and industries affected by phishing such as and banks."

They point out that while deception is a well-established research methodology in psychology research projects, there is no clear law on whether or not deception is allowable in security or phishing research.

Explore further: Vatican's manuscripts digital archive now available online

More information: "To deceive or not to deceive! Legal implications of phishing covert research" in Int. J. Intellectual Property Management, 2013, 6, 285-293

add to favorites email to friend print save as pdf

Related Stories

'Phishing' scams explode worldwide, researchers shows

Jun 21, 2013

Those insidious email scams known as phishing, in which a hacker uses a disguised address to get an Internet user to install malware, rose 87 percent worldwide in the past year, a security firm said Friday.

Google finds hack attempts on eve of Iran election

Jun 13, 2013

(AP)—Google says it has discovered and stopped a series of attempts to hack the accounts of tens of thousands of Iranian users in an effort the company believes is an attempt to influence the country's upcoming election.

Recommended for you

Kickstarter suspends privacy router campaign

Oct 20, 2014

Kickstarter has suspended an anonymizing router from its crowdfunding site. By Sunday, the page for "anonabox: A Tor hardware router" carried an extra word "(Suspended)" in parentheses with a banner below ...

User comments : 0