BKPHSHNG.RVW   20061014

"Phishing: Cutting the Identity Theft Line", Rachael Lininger/Russell Dean Vines, 2005, 0-7645-8498-7, U$29.99/C$38.99/UK#18.99
%A   Rachael Lininger
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2005
%G   0-7645-8498-7
%I   John Wiley & Sons, Inc.
%O   U$29.99/C$38.99/UK#18.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0764584987/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0764584987/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764584987/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   309 p.
%T   "Phishing: Cutting the Identity Theft Line"

The introduction to the book provides a good, and very realistic, prologue to the topic of phishing. The audience for the work is said to consist of executives and incident response teams for banks and large corporations, information security professionals, and general Internet users.

Chapter one furnishes the reader with a solid overview of the subject, although it would seem to be aimed primarily at individual Web and email users. "Phishing Emails," in chapter two, explains various spam-hiding and URL obfuscation technologies. The list is not exhaustive, but is sufficient to illustrate the basic concepts clearly. (The writing, in this chapter by Rachael Lininger, is delightful. Wit and humour are used extensively, and to good effect.) Chapter three presents information on false or obfuscated URLs, as well as useful detail on pop-ups: the content is much superior to other sources on the same topic. (There is also an oddly placed section on public key encryption.) Spyware is reviewed in chapter four. You cannot stop phishing completely, notes chapter five, examining the various players in the fight against identity theft and the limitations of the action they can take.
Chapter six is supposed to be about helping the organization to avoid phishing, and sets forth some policies in regard to email and Websites that are very practical in preventing abuse. (The section on authentication schemes is less so, and eventually the chapter devolves into random topics.) A generic and sometimes terse outline of incident response and network forensics makes chapter seven poor in relation to other parts of the book. In terms of consumer education, chapter eight has a number of recommendations for safer computing, with lots of "avoid Microsoft" advice, but also configuration settings, a bit of email analysis material, and an admonition to check your home finance statements carefully. Chapter nine deals with actions to take if you, personally, are the victim of identity theft. (Most of the agencies mentioned are based in the United States, but the resource list does have some additional contacts for the UK and Germany.)

Identity theft (and, by extension, phishing) is a major problem, and not enough is being done to address the issue. This book lays out the risks and threats clearly, and proposes practical solutions for a variety of actors in the drama. The text is readable and the concepts are clear. I can recommend this work to almost anyone involved in a security role, particularly those in the financial or online industries, law enforcement, or working in the field of security awareness.

copyright Robert M. Slade, 2006