Slashdot Mirror
20,000 Zombie PCs -- $3000
Saint Aardvark writes "From F-Secure blog comes these links to two USA Today articles on spamming. The first gives an example of how a grandmother ended up becoming a security expert after Comcast cut her connection for spamming. The second quotes spammers advertising networks of Zombie PCs for sale. The price? $3000 for 20,000 machines."
GTRacer
- Things to do
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
How many % are running Microsoft Windows ?
Zombie Macs and Zombie Linux boxes are about as common as snowcones in hell, it would seem.
I, for one, welcome our new security grandmother overlord. All bow to thee.
I wonder how the processing power would compare to WETA's supercomputer cluster and their pricing. It would be slower to coummunicate data among the computers and ensure data quality, but I wonder how it compares.
Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number. ...
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
Yes, it's her fault. She did something foolish.
What is the percentage of OS broken down. Is it consistant with the OS spread. Such as 90% Windows, 7% Linux, 3% Mac? Anybody know of a break down? What does everybody think it is?
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
So that's all it takes to be a security expert these days? No f'ing wonder there are so many security problems these days
Also, it lightens my heart and makes me feel all warm and fuzzy that it only took "as many as 70,000 pieces of mail" in a day to get Comcast to shut her down.
"When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."
Not without some kind of sauce or dressing. Plain 1's and 0's taste like cardboard.
Lets buy a whole bunch of these zombified pcs, and launch a DDoS attack against the isps of known spammers! It may force some action, and I think it would be worth the cost.
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
It is quite sad that a person who just updates their computer and runs a virus scanner is now considered a "security expert."
I didn't realize the zombies of voodoo legend were online.
Telenor takes down 'massive' botnet (From the story, they didn't really take down the botnet, just rendered it headless for a little while.)
One line blog. I hear that they're called Twitters now.
I have to say, I don't understand how people get into so much trouble.
Maybe I've been lucky, but I've ran a Windows XP system for about a year now (and a Windows 98SE system for about 2 years prior under the same conditions), doing the occasional patches from Windows Update, without a virus scanner or firewall. If I do something stupid that makes me suspect that I've contracted something, I'll drop over to http://housecall.antivirus.com/ and do a quick scan. This generally only happens when I'm trying to find a crack for something on a P2P network and the bastards have embedded a keystroke logger or some other little nasty in a trojan crack package.
Otherwise, I do an occasional glance-over at the list of processes running, and if my modem is lighting up like a Christmas tree I might fire up Sygate Personal Firewall or something just to see what's happening with the traffic, but I've never seen it give me real cause for concern. I still get some port traffic for the old Code Red worms and what not, but nothing that seems to have been really problematic.
As I said, maybe I'm just lucky. Then again, maybe I don't use Internet Explorer or Outlook Express, and maybe that helps a lot. Who knows.:-)
picpix image polls. create - share - vote. fun!
It's interesting that articles like this don't blame Microsoft. One wonders how Microsoft arranges that.
Very few people realise that deploying a cheap effective reverse firewall will save them from being unwitting spam zombies (kinda sounds like sex slaves don't it? It sure is as demeaning!).
Granny had the right ideas.
Home users, please note - a. You need a firewall
b. You need a reverse firewall
c. You need to dump IE and use Firefox
d. You need to try dumping windoze and move on - that puppy is probably crapping all over your machine.
--
See that long UID - that's what you get for lurking too long
Are these Scoobie Doo type zombies? They aren't all that bad it's just some guy with a mask. As long as it's not the new "Dawn of the Dead" uberzombies I think we'll all be ok, just walk around them.
Actually, according to my spammeter the amount of spam has been slightly declining over the past few months. I'm still at around 400/day level though...
...the ability to DoS SCO for the rest of the century...priceless.
There are some things money can't buy. For the rest, there's my Zombie Army of Evil.
adam b.
Why would a spammer want to deal with the increased complexity and labor involved in infecting and managing a heterogeneous zombie herd when it would increase its size by less than 10%? It's a waste of time and money.
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC
So which distro is she running, then?
We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
It's funny you should mention computer problems.
Whenever I view this it.slashdot.org site, everything on my screen is all washed-out.
Is this a symptom of being a zombie PC?
________________________________________________
suwain_2
The first article states, Cyberintrusions traditionally have been the domain of socially inept males launching electronic attacks for fun and bragging rights...
Sorry maybe it's just me, but aren't nerds by definition socially inept. Let's be honest, it's the socially inept who keep the world running.
- a list of machines that need to be cleaned up
- a bank account or other information that can be used to track down the spammers/crackers
I guarantee $3k is cheaper than what it would actually cost tax payers if the authorities did their job with normal investigative work.Let's see...$3000 for 20,000 windows boxen works out to 15 cents per machine. Yeah boy, that's about what one is worth.
what a big ... mailbox you have.
Just start monitoring for bursts of spam from their clients, and simply *pick up the phone* and *call them.* "Sir, we've detected mass spam coming from your connection. Please clean up your computer. You have one week."
"People" using "unnecessary" quotes should be "shot".
- The perpetrator (a spammer) is almost universally hated.
- Spammers do real damage.
- They are doing this damage for a pure profit motive.
- They are operating out in the open, making for an easy arrest.
So why are these bozos still in business?===== Murphy's Law is recursive. =====
We get Linux boxes in labs we don't manage hacked all the time. They usually aren't used for SPAM, they are instead used for warez, eggdrops or shells, but they get hacked all the same. Reason is the same too: someone fails to patch their system, and it gets exploited.
Linux needs patching as well because OSS is not immune to security holes. SSH, BIND and even PNG are three off the top of my head that have had security problems in the past. If you run a Linux box that has an SSH server, and you don't patch it when an SSH venurability comes out, someone WILL hack it.
Yeah, it's nasty all right.
Wanna be more disgusted, though? Say we did get a good handle on one of them. Well, then the federal prosecutor has a hell of a job on his hands. All he has to do is make 12 people understand how spam works, how they found the guy, why their "searches" were legal, what he was doing, and why it's a crime. Which, if it were possible to make people understand, would have prevented the crime in the first place.
And, if he's really unlucky, the defendant waives jury trial and he instead has to convince one very conservative 70 year old man of all these things.
adam b.
""Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable.""
how is it my ISP's fault if i am too stupid to secure my own system? it is quotes like this that pass the buck from the end-user/consumer. hey, if you want to drive a car, you need a license. want an internet connection over 56k? make people pass some sort of security review or test.
(yes, save your breath, i know ISPs can do things to reduce the problems, but it's not their fault in the end that these machines are messed up.)
I'm sorry, but calling that woman a Security Expert is wrong. She discovered the hard way that not being aware of security was a mistake but all that makes her is a security-aware user. Of course, that implies most computer owners aren't.
10,000 Homo DJ's - $14.99
If spammers are scammers, can you really expect good value for your money?
I fully expect follow-up news stories on how someone who wanted to open a business online fell for a mass marketing scam, paying spammers thousands of dollars only to see the spammers vanish in thin air with their money.
I mean, it's like "I transfer you 3 grand and then you mail me a password to a controller server", or something like that ? I guess you have to be mighty sure of the delivery of the goods to enter in such deals.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
from the article:
Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.
Umm, riight. Anyone who downloads ad-aware and turns on their firewall is a security expert now? Shit, my networking prof must be a god damn diety then.
The "Insert Quote Here" line is almost as predictable as inserting an actual quote.
Stupid? Well, people look at their home computers like their TV or their toaster. Is there any other consumer product that requires so much awareness to run?
Probably only the the automobile. We make people take written and practical tests before they're allowed to drive unsupervised, and then in most places they are expected to get insurance to cover any damage their operation of the car may cause.
Is that where you want to go?
Using a computer on the Internet will never be as simple and relatively safe as using a TV, but it could be moved down the scale of complexity in that direction, by better engineering of Internet software and making ISP managed reverse firewalls part of the standard broadband service.
Granny should be able to just turn on her computer to order to sell her crocheting on ebay or get email with pictures of her grandkids without having to research computer administration. And, when she's done, I think she should be able to flick a massive off switch (like on the old PC/XTs) and watch the CRT raster turn into a little dot, without having to worry that somebody is using her computer when she thinks it is idle. I for one would think that was cool.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
How many who drive cars know how to fix it? I certainly don't, nor do I have any desire to learn to fix my car.
It's not the end users' fault the majority of home computers are by default magnets for virii, trojans, worms and spyware.
Certain OS manufacturer is at fault here, as well as the Dells and Gateways of the world, who insist on selling zombie networks when solutions to prevent them from occurring have been in place for quite a while.
In Soviet Russia, I ruled you
Why ask for what people will give you for free?
It would be a bit alarming to see if your own computer is in the list. Should be enough of an epiphany for some to actually do something about their personal computer security.
w3 0wn y00r pc & w1ll r3nt 1t b@ck t0 y00
A feeling of having made the same mistake before: Deja Foobar
From the USA Today article: Are hackers using your PC to spew spam and steal?
"Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."
Huh? Where does this guy live that he gets consumable water out of his tap? Mine tastes like a dirty swimming pool.
I don't drink the water out of my tap; it goes through a filter before it goes in my body. I also don't open the gas line and hold a match to it; it goes through a burner in a carefully crafted device. And I don't have bare wires lying around carrying electricity; they are all installed in receptacles to keep me from electrocuting me and my guests.
I certainly can't sue the gas company if my faulty furnace causes my house to burn down (well, who knows these days, I probably could but it'd be wrong). And blaming the electric company for pushing too many electrons through my heart when I tried to pry some bread out of my toaster with a butter knife isn't right either. If you're daring enough to consume the water out of the tap you are probably ignorant of its contents: heavy metals, pesticides, chlorine variants, sometimes fluoride, and who knows what else.
So why should I blame my ISP for giving me data from the Internet? That's what I'm paying for and it is exactly what I want. As long as the signal levels are right for my modem and the information is IPv4 they are doing no wrong by me.
The burden of protection lies within the devices and software connected to the net. The consumer shouldn't have to give this any more thought than what they give their car about changing its oil. So who does the average consumer have to blame? You guessed it! I'm not even going to say it.
Does anyone else wonder where MessageLabs gets their statistics? I can't help but wonder at their methodology (though I suspect rectal extraction). I get daily reports on SpamAssassin and my configured DNS block lists for the servers I manage. Their spam traffic doesn't start to approach 95% of inbound messages. After eliminating all internal email from the statistics, SpamAssassin flags about 20% of incoming email as suspicious and SpamHaus blocks another 10% or so. These are not confidential, hard-to-find addresses. These are university servers where staff and faculty are required to have valid email addresses posted on the department web pages. Any spider worth a damn should have harvested them long ago. I find it very hard to believe that this environment is getting 60% less spam than systems that don't provide a directory of valid addresses.
Spam is a problem, but it's time journalists (online and otherwise) start taking stats with a grain of salt. Too many organizations are willing to publish questionable numbers in an attempt to sound like they have thoroughly researched the issue.
Or in the MessageLabs case, to sell a product that will 'solve' the problem.
Using simple tools, I have watched the inbound connection attempts made to my personal computer. Many of these attempt simple http style requests on unregistered ports. The requests are in the form: ttp://www.helllllabs.com/cgi-bin/found_one.cgi or something like that.
Going to the website, I find its one that sells proxies of some form. Gee.
Now this seems like they are signing their own name to their evil deeds. Could this mean anything other than this company is scanning for proxies and registering them using their own website?
The security of my bank account is not based on secret codes or passwords or account numbers or any other blamed thing.
Every check you writing contains the account number and the routing number and everything else needed to withdraw money from that account. If somebody creates a fake check using that info, and withdraws money from my account, then that is is no way my fault and I'm entitled to reimbursement of those funds.
Likewise, somebody doing the same thing electronically is not my fault either. There is nothing essentially different in the transaction. Fraud is fraud.
Bank accounts have never been based on secrets. It might not be smart for me to give out my account number to everybody, but it's something I do every time I write a check or use a debit card or use one of several forms of payment. I *must* give my account number to somebody I want to pay from my bank account.
Is this a flaw in the system itself? Yes, absolutely. But until everybody moves towards public/private key authentication and so forth, it's just the way things are.
The public-private key method is the only solution to this sort of thing that I'm aware of. To "write a check" or make a payment of any sort, I form a message that essentially says 'Pay so much to this person, using this transaction number, on this date' and encrypt it using my private key. Then I give it to that person. They give it to their bank. Their bank gets my public key from my bank (it's a public key, they can give it to anybody who asks for it), verifies the message is valid (since it's signed by my private key, my public key can decrypt it and it validates itself that way), and does the transaction. My bank also verifies the same message before releasing the cash from my account. Unforgeable money transfer accomplished.
Sounds great? It's a long ways off.What's needed is:
-Every account holder to have a public/private keypair.
-Banks have the public key, people have the private key on some sort of device.
-Device allows transfers of cash from one person to another, probably by simply plugging in a key or wirelessly or whatever. You can think of a thousand ways to do this.
-Banks need a protocol to transfer public keys around, and all have to agree to some form of standard.
-Etc, etc, ad infinitum. It gets more complex the more you think about it. If you assume that the electronic cash transfer happens in real time (eliminating "float"), then it's actually slightly easier. If not, then you get the concept of people transferring funds that was just transferred to them before telling the bank about it, and it gets hella complicated. But it's all doable with the crypto, it's just complex.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
That is a leading question that seems typical of a smug linux zealot. A better question would be, 'What is the ratio of zombied linux boxes in proportion to it's total installed user base.' Since most people use Windows, it follows that most of the zombie boxes should be windows boxes.
Even that isn't totally informing, as how many of those people who run Windows would be less vunerable if they ran linux? Most of the problem isn't the OS, but the lack of understanding on how a computer works. If you aren't a skilled admin, you are going to get haxxored regardless of the OS.
I think Linux is a superior idea and platform, but win the argument with sound logic, not snyde comments.
HA! I just wasted some of your bandwidth with a frivolous sig!
"Consumers should demand what they do of other utilities," says Kip McClanahan, CEO of security firm Tipping Point. "When I pay my water bill, I expect my water to be drinkable out of the tap. Today, when you pay your Internet bill, the data you get is not consumable."
I only partially agree with this. What should happen is they should sell me access, and I should be able to waive their protections under the promise that I provide my own. I want to run my low-traffic web and email servers from my connection. Most people don't need to. I will take the extra work of securing them in return for being allowed to use them.
A blanket stop of much of this is all but impossible, though.
My blog. Good stuff (when I remember to update it). Read it.
Even closer to the mark, if I use my ATM card to pay for a product and that product later turns out to not work as advertised, that's a crime (at least in the state of California, where I live). We have "lemon laws" that say that products we buy should perform as advertised. I deserve my money back. But even though the company that sold me the product deducted the money directly from my account, it defrauded me -- not the bank. Why should the bank be held liable? Because I failed to investigate the seller and/or the product beforehand? Because I failed to file a civil suit against the party that defrauded me?
"Give people an inch and they'll take a mile" is the phrase that comes to mind here. Bank of America did the right thing by ol' grandma in this case. They didn't have to, so let's applaud them for it.
Breakfast served all day!
Basically the Undead could have rights too, I suppose.
"Forgive us our trespasses, as we forgive those who trespass against us." -Jesus Christ The Lord's Prayer
A bank that loses money to a criminal act that refuses to reimburse its customers might well lose its status as a bank.
It didn't "lose" her money. It followed the proper security procedures involving the use of a login name, password, and bank account number.
They took from her, without her permission, money from her bank account.
That's the key: "They took from her." They didn't steal from the bank. There wasn't negligence on the part of the bank. The bank didn't leak her account number, login name, or password. She did. She fell for a scam through no apparent fault of the bank. And now we all pay for it in the form of higher fees, lower savings account interest, etc.
Suppose she was duped into giving her house key to some burglar posing as someone from a carpet cleaning service. Should the mortgage company have to pay when the burglar steals her stuff? Should the home builder? Should the maker of her door lock? Of course not. So why do we treat physical keys so differently than virtual keys (login credentials)? You'd never suggest that anyone but the homeowner was responsible for the loss if they gave their house key to some con artist. So why is the bank responsible when the customer gives away the "keys" to their bank account?
Fix a car no.. but maintence on a car.. yes. If you don't know how to check your oil, windshield washer fluid, heck how to fill the gas tank, your not going to get far. I agree that we don't need the world being able to repair failed hardware or troubleshoot irq settings (Bad example I know) but being able to keep their computer "clean" and in decent working order should be achievable. Not saying it's the end users fault completely, software and hardware still has a ways to go before it's as easy as it probably should be for the average Joe (or Jane) but people do need to take more interest in these "new fangled computer thingies" if they're gonna use em. My 2 (CAN funds) cents
Grandma does not have to become a computer security expert. All she needs is a Macintosh.
Friends don't let elderly friends drive Windows on the Internet.
That is so true... thought I had security pretty tight on my Cobalt Qube running Linux... then my ISP called me up telling me I'd already used 30G upload and download for the month after two weeks... I normally have like 400MB for a month on my little family server. The spammers were using the Squid vulnerability to make my box a zombie remailer. Had to slap on greatly increased security onto my firewall! They never logged in to my box at all - simply routed their filthy spam through my open port. From all the hits I got googling my issue, I'd say this is way to common... this is one case where Linux is easier to abuse than windows!
One indication of the going rate for zombie PCs comes from a June 11 posting on SpecialHam.com, an electronic forum for spammers.
And you guys didn't put that link in the main Slashdot article?!?!?! Oh come on! If there's a site that deserves to be slashdotted, that one must be it.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
No. It didn't follow the proper security procedures. It followed its choice of security procedures. The success of this kind of phishing scam is evidence that those security procedures are not proper; they're inadequate because they're so easily defeated with a bit of social engineering. The bank needs to design a better security system- one that uses a time-dependent smart card, for instance- so that phishing doesn't work.
There's no point in questioning authority if you aren't going to listen to the answers.
From the article:
----------
Heather Hall can trace the start of her online banking nightmare to the day she received what she thought was a legitimate e-mail request from Bank of America asking her to click a link to a bank Web page. The 27-year-old health services worker typed in her login, password and account number.
[deletia]
Bank of America agreed to reimburse the money stolen from Hall's account, but only after she badgered them. "They wanted me to believe it was my fault," says Hall.
----------
Gee, I hate to break it to you, sweetheart, but it WAS your fault. YOU were the gullible one who clicked on the wrong link and gave thieves your username, password and account number!
As long as her attitude is prevalent among the majority, the problem of malware will never go away. Not only are these people completely oblivious to the dangers waiting to snare people using Windows PCs, even when something bad befalls them they just flat out refuse to believe it was their fault.
~Philly
If you all want this stuff stopped, contact your local Attorney General and demand they start prosecuting these cases. The Feds can't do anything if the AGs won't prosecute. Call your AG and tell him you'll make sure he isn't re-elected if he doesn't start prosecuting people for computer tampering.
Seems to me this is off the mark, and it typifies what is wrong with our telecom-oriented providers, as they too believe this all too often.
The provider provides a connection. He does not provide content. ISDN was a gigantic failure because telco's thought they had to provide content, rather than just a reliable connection.
If I want content, I will buy an AOL subscription. Otherwise, what I expect is not clean water but a reliable liquid movement mechanism. You don't call it a pipe for nothing. The liquid that comes out will be determined by me, not by the provider of pipes!
MW
---
BDOS ERR ON A:>
However it is your responsibility to make sure your car does not fall apart on the road, so you hire people to take care of it. Same thing should be done with home pc's.
Oh if I had mod points, my friend, you would be more karma-ful than you are right now. I couldn't agree more. At least she did something about it, instead of sitting ignoring it, hoping it gets better, unlike the other 20,000 plus people mentioned.
What he can't kill, he has sex on. Trent.
Anyone who has an e-mail address gets spam. It's an ugly fact of life in the modern age. Figure that, out of a pool of - say - 100 potentials, at least 10 of them have kids. Spammers are notorious about not checking the ages of the people who own the addresses that they spam - and they work very hard on ways to get around filters.
Leaving the parents aside for the moment, everyone in the hypothetical jury pool gets flooded with this crap, because everyone with an e-mail account does. Period. Plus, I've observed that the less tech-savvy a person is, the angrier they get about spam, because they don't know how to stem the tide. Now, imagine a spammer going up against even 12 of the most sane, rational, mentally well-balanced of his vict^H^H^H^Hpeers. True, a lot of people don't quite understand the tech stuff; but break it down into dollars and sense ("misspelling" intended), and you'll see lightbulbs going off overhead all through the jury box.
And that goes triple for the conservative old man. A guilty plea would be much safer, all around.
Doing my level best to piss off the religious right wing...
i've been getting these for months. kinda makes me wonder how many people have been fooled by them.
the funniest by far is the one from the so-called mail administrator from my domain with the same basic message. the funny thing is, i own the domain
and i run the server that's running the MTA...
"in labs we don't manage"? The ones we do manage, Solaris, Linux, Windows, etc don't get hacked. We have a firewall, and then firewalls on the systems themselves, auto updating, etc. However, we do not manage all the labs, and those we don't get hacked frequently (Windows and Linux).
I know Zombified Humans tend to call out "Brains! Brains!"
Now does that mean that Zombified PC's call out "CPU Cycles! Need CPU Cycles!"?
or perhaps "Bandwidth! Need Bandwidth!"?
DEAD DEAD DEAD DELETE ME
If it hadn't already been published that the list was available (Like it's still for sale now that it's public knowledge), this would be a perfect opportunity for Comcast etc to reclaim some bandwidth. They could team with the FBI/Scottland Yard/Interpol (who would be very interested in such fraud) then buy the list with something tracable.
.sig?
If the deal is a scam, follow the money and bust the crook. If it's real, follow the money and bust the crook then clean up the zombies on your network.
Basically it's a no lose opportunity.
Psst... Hey buddy, can you spare a
I'm going to wait til I can get one second hand. It's bound to come down in price to something more like $1000.
meh
Broadband companies could do more to protect their users and the internet in general - here are a few suggestions:
1. Block outbound port 25 from residential users that OBVIOUSLY have compromised machines sending out hundreds or thousands of emails a day.
2. Provide cable/DSL modems with some NAT/Firewalling capability turned on by default. Tech savvy users will figure out how to forward ports or disable NAT if necessary.
3. Provide free trial anti-virus software with their configuration software.
4. During installation of supplied software, ask the user if they would like to turn on "automatic software updates".
These steps would go a long way to securing 90% of non-tech savvy people. Geeks could ignore all this and go about their business.
-ted
That's the key: "They took from her." They didn't steal from the bank. There wasn't negligence on the part of the bank. The bank didn't leak her account number, login name, or password. She did. She fell for a scam through no apparent fault of the bank. And now we all pay for it in the form of higher fees, lower savings account interest, etc.
Banks are legally responsible for securing the funds in your account, and for only giving those funds to authorized people. To do this, banks have a wide number of security choices available to them.
Banks have deliberately chosen a pretty flimsy set of security procedures, even though they are held financially liable. This is because the amount they lose due to fraud with existing systems (more often, due to insurance premiums to make someone else pay for fraud) is less than it would cost them to beef up security more (both in direct cost, and in lost customers who want an "easy" bank).
When a particular kind of fraud increases, the banks try to pick the cheapest and easiest way to curtail that specific kind of fraud. And then they stop, because they have no financial incentive to secure things any more than they already are.
Suppose she was duped into giving her house key to some burglar posing as someone from a carpet cleaning service. Should the mortgage company have to pay when the burglar steals her stuff? Should the home builder? Should the maker of her door lock?
No, because none of these people have contracted to secure her home. The closest is the maker of her door lock, and all they are contracted to do is make a door lock that can be used to assist in securing her home.
When you put money in a bank, you have a contract for them to secure your money, that's the difference.
----
Open mind, insert foot.