Paul Murphy over at CIO Today put together an interesting piece on the ubiquity of authentication, the jurisdictional and timing issues involved with nabbing phishers, and some of the underlying reasons why the powers that be don’t just stop the problem in its tracks. But hope is on the horizon, from an unlikely source.

Authentication of email sources is off-the-shelf technology, the problem is nobody uses it. If identification was made of an email’s source at the point it entered the network, it would be easy to shut that source down. Murphy contends, if the process becomes unprofitable, it will simply stop. Unfortunately, that means billions less in sales to companies like Cisco, Microsft, and Symantec, all of which have much to gain from ongoing problems.

As for catching the crooks, well that story has pounded so hard at Spamroll that my fingers are blue. Mr. Murphy says “the thieves are long gone before the authorities can jump through the hoops needed to get enforceable cooperation by those concerned.” Best wishes to the 100,000 names on that missing Berkelely laptop (see Data Stolen from Berkeley, again).

What unlikely candidate could put the kabosh on the problem, and reap the rewards in between? One time heavy-hitters Lucent and Avaya, that’s who. Lucent and its child build much of the equipment used to carry VOIP traffic. And caller ID, now taken for granted on traditional communications lines, is easy to spoof on VOIP networks. But if folks like Lucent light up authentication on their equipment by default, others carrying internet bandwidth will be forced to do the same (or get a lot of fingers pointed at them in blame).

Again, this is all Paul’s thoughts. One thing that is for certain - his theory on spamming the spammers is sure to garner some attention (and misinterpretation). Don’t think so, well then catch the latest on IBM’s FairUCE, or catch Spamroll’s view of it here: IBM hopping on the spam vigilante bandwagon? I don’t think so.

It will be interesting to see how authentication shapes up, along with legislation designed around catching crooks more swiftly. Meanwhile, catch Paul’s entire article on the matter over at NewsFactor Network: Phishing, VoIP and the Market Response.

Just as VOIP is beginning to take off, fraudsters are embracing the medium as a tool for money conversion. Using caller ID spoofing, scammers are blasting VOIP voicemails and foiling verfication of wire tranfer instructions. But that is not all.

This article has an anti-VOIP ring to it (pun intended), but it outlines some the issue (suspect or not) - Scam artists dial for dollars on Internet phones.

The new game in town seems to be spitting. SPIT, short for Spam over Internet Telephony, is a process where VOIP dialers tune their systems to dial large numbers of voicemail systems to leave messages. This is news to me, and something I don’t think needs worrying about if you are debating the switch from traditional service to VOIP. Reason: what is easily hacked is usually easily patched, and I suspect the bright folks at places like Vonage and Lingo are on it.

We have known for a while that services such as Western Union are a haven for scammers. There are “do not use” warnings on a lot of major ecommerce sites. So it doesn’t surprise me that they have been trounced by fraud once again.

I also was not surprised to hear that collection agencies are using spoofing tactics to get people to pick up the phone. The only comment I have there is..”Isn’t that illegal?” If a collection agent ever called me from a spoofed number (they don’t, as I pay my bills), I would report them to the FCC, and you should too.

But the idea that thieves are using caller ID spoofing for identity theft seems a little far fetched to me, kind of like the rumor that camera phones were being used to snap picture of people’s PINs at ATMs (an article from the Orlando Sentinel some time ago outlined this, but I can’t link to it because I couldn’t find it again - the folks in Florida likely found the idea so stupid after they published it, that they removed it from their archive). Some amount of social engineering would likely have to take place in advance, such as noting that the phone number target banks at a certain institution. There is some other hole here that is enabling scammers in the first place. And, the whole process still preys on the gullibility of the person at the receiving end of that call, something that no telephony security measure is ever going to prevent.

The conclusion reached from this latest news is that it is a poorly researched piece, loaded with FUD, but could be a precursor to issues that lie ahead. The lesson to be learned is an old one - don’t give out your personal account information to anyone, period. Your financial institutions already have that information - they don’t need you to tell it to them. And don’t use Western Union.

Wow, that was tough.