Slashdot Mirror


Gone Phishing?

Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."

14 of 218 comments

  1. Re:ING Direct's changing logon by realdpk · · Score: 4, Insightful

    Not to mention it just gives the attackers more information to ask the attackees. They just have to create sites that ask for SSNs and ZIPs and stuff, on top of everything else. With that additional information the attackers'll have an even easier time stealing! Way to go ING :)

  2. rewards for the non-gullible by EllynGeek · · Score: 3, Insightful

    Banks, Ebay, PayPal, and all the other popular phish targets should have rewards programs for customers who aren't gullible and don't fall for scams. And maybe a "congratulations on not being an ignorant gullible fool" reward would motivate more customers to actually care. Most folks don't, they assume the government will protect them. I think we should stop foiling natural selection and let it do its job.

    --

    we will end no whine before its time

  3. Misleading Statistic? by Anonymous Coward · · Score: 4, Insightful

    543 sites in September to 1,142 sites in October

    Hmmm ... the number of "sites" found doubled just when Google doubled its index size...

  4. Solution (for me) by xsupergr0verx · · Score: 4, Insightful

    My bank doesn't have my email address. Give them a throwaway email address when registering online, then delete the address. All the mail to that account would bounce, and the bank has other (non phishable) ways to contact me if needed.

    I can't click a false hyperlink in a printed letter.

    --

    Click here for a free picture of an iPod!

  5. An anti-phishing class? by laughingcoyote · · Score: 3, Insightful

    The problem seems to be people who don't know the difference. A phishing scam won't really fool anyone who is aware of them. Sure, everyone here knows about dummy e-mail accounts and is well aware what a phish looks like. The problem, as with many scams, is not those who are aware of them but those who are not.

    Given that, why don't banks and the like give a simple online tutorial before allowing a user to set up any type of Net account that implies moving real money? I would think a 5-minute (at most) presentation followed by a short quiz would be sufficient.

    If everyone involved in online financial transactions is thus educated about phishing, it would become quite a bit harder for the scammers to find unknowing victims.

    --
    To fight the war on terror, stop being afraid.

  6. Only works if what you see is still what you get by khrtt · · Score: 2, Insightful

    Wasn't there an IE exploit where you could make one URL show up like another URL in the address bar?

  7. Re:Combat it or deny responsibility you mean... by ManxStef · · Score: 4, Insightful

    It does seem to be yet another shift of burden of proof onto the consumer though, does it not?

    Have you noticed all the online banking EULAs with specific "you're liable for anything until you report your password as breached"? Much in the same way as "Chip and Pin" here in the UK, the shift in the responsibility of fraud onto the customer of these systems is designed for the benefit of the BANKS, any benefit to you is a secondary concern and it seems to be that it's actually to your detriment in many cases.

    Interestingly, who is it that oversees the fraud of these systems to determine whether they're secure or not? Why, it's the same banks that run them. Hardly independent or unbiased now, is it? That's like asking Adobe, "is your PDF encryption secure?" Hmm, what do you think... *cough* ROT-13 *cough*

    Let's use an example of something like Chip and Pin, where instead of a signature you type in a pin along with your credit card transaction. This is vulnerable to multiple attacks, e.g. shoulder-surfing: say someone watches your pin, then steals your card and goes on a shopping spree -- the transactions are all valid as they had the correct pin, so YOU are responsible for this loss. Compare this to the old signature method: they might fool the store cashier, but when you report it you get your money back -- the problem is, it's costly for the credit card companies to check and they (or the retailer) end up paying out. The cost and burden of proof is on THEM, and they don't like that. Other examples of abuse would include dummy card readers and pin input devices, corrupt shops who capture pins, etc. For an interesting discussion on this see here:
    http://toothycat.net/wiki/wiki.pl?ChipAndPin

    So, while I totally agree that users have to bear a certain amount of responsibility, much in the same way as Chip and Pin, until internet banking can be made more secure *by the banks themselves* to the extent that phishing scams and other fraudulent methods are overcome AND the burden of proof is *kept with the banks* then I, for one, will not use them. (Removes tin-foil hat!)

  8. Re:ING Direct's changing logon by Yartrebo · · Score: 2, Insightful

    I agree. I hate having to map alpha passwords into numeric passwords while at the same time losing security (lowercase + uppercase + specials gives you an easy 80 symbols, while decimal only gives you 10). I can't remember weird numbers if my life depended on it, but I can remember alpha passwords easily so long as it's a phonetically valid nonsense word in some language I know the phonetics of (English, French, Hawai`ian, Vietnamese, Japanese, Spanish). Hawai`ian is particularly good since the phoneme set is limited (13 letters, including the `) and it contains the ` character, which anything but a brute force attack won't use. Having only 13 sounds (+ 4 diphthongs) means that even a fairly long word is easy to remember.

  9. Re:An interesting exchange by sjames · · Score: 2, Insightful

    Just think. If they called you, because they thought the transaction was fishy (and you had NOT placed an order) wouldn't you be thankful they called you?

    Of course, they wouldn't need his card info for that, just a yes or no would do. In the example you mention, did you quiz the guy for his card info or just ask to verify that he ordered the service?

    I certainly wouldn't give my card info out to anyone who called me, especially since caller ID isn't exactly infallible. I would, however, be willing to confirm or deny a charge.

  10. Re:Combat it or deny responsibility you mean... by fireman+sam · · Score: 3, Insightful

    OT: You also forgot the charge for talking to the ATM, or talking to someone on the phone, or a machine on the phone. Or the charge to get a statement, letter, bank cheque. Soon banks will have turnstiles at their front door where you have to insert a $2 coin.

    I'd love to own a bank, any and all expenses are simply passed onto the customer, you can charge them anything you want for whatever you want, and with the way society is set up nowadays it is impossible to go without a bank. Ever tried to buy a new car with cash? It is much easier with a bank cheque.

    I hate banks, but I'd love to own one.

    --
    it is only after a long journey that you know the strength of the horse.

  11. Re:one problem... by ArcaneLord · · Score: 2, Insightful

    I get these types of emails all of the time; very frustrating to not know if it is something I really need to do something about or a scam. It seems that there is a simple solution: if banks started digitally signing emails they sent to customers, then we would know that it actually came from them. No more worries about redirects, phishing, etc.

    Does anyone know of a bank that digitally signs all of its email to its customers? It seems that it would be worthwhile to switch to a bank that does this.

    Probably true for all business related emails as well.

  12. Re:10.2 Billion is a stunning number. by loraksus · · Score: 4, Insightful

    Come now, these are the same motherfuckers who send seniors $5 checks which, when cashed, enroll them into some credit protection program / yellow pages listing service that costs $10 a month.
    Of course the "terms and conditions" were written on the inside of the envelope (i.e. on the envelope itself) and the AG has to step in to put a stop to it.

    I had a credit card company who used to try to pull this sort of shit all the time - the due dates were set to sundays or holidays (changed every couple of months), the payment address changed every couple of months and, for some strange reason, it took about 13-15 days for them to "receive" payments (and usually another 2 days to "process"). The checks weren't being sent to fucking Rwanda, but from Oregon to Utah / California / Nevada. Blind mail is faster. Mysterious fees would be added and re-added, apparently with my consent. Membership points / air miles would vanish.
    Their collections people would be happy to call you repeatedly even though your bank told you they cashed your check 4-5 days ago.
    And it went on and on and on.
    Sure, it was fun to abuse the agents for a while, but it got old pretty fucking quick.

    The damnedest thing was the company was decent for a while, and all of a sudden they changed.
    I suppose one or two screwups on their part could be attributed to incompetence or a one time screwup, but there are limits.

    I could walk away, and I did - but I'm sure many people couldn't. I know a home loan isn't the same as a credit card, but you presume that they aren't going to act like Guidos.

    I think this is also less about the person's greed - It is assumed that you're going to have to borrow a significant amount of money (not many people buy a house outright), but I don't think it is reasonable to assume that a credit card company is going to be a bunch of vicious greedy assholes when you sign up. It's one of those unwritten rules.
    Rules that are eventually broken and result in "Pussification Legislation" being passed by the state's AG.

    Anyways...

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/

  13. Re:ING Direct's changing logon by syrinje · · Score: 2, Insightful

    All banks in Sweden have had two-factor authentication for a long time now. When you get online access to your account, you are given a physical device that generates passwords (using a secret key and the current time and some nonce inputs). A login attempt must provide

    a. Login ID (usually the SSN)
    b. A device computed response to a challenge. The challenge is usually in the form of TWO 4-digit nonce numbers that must be input into the password generator.

    No "remembered" password needs to be supplied in this scheme. The password generator has a PIN for security, locks out forever after three successive wrong attempts to unlock the device. Of course if someone stole your device and forced you to reveal the PIN for it by pulling out your fingernails - you have bigger problems than securing your account anyway.

    I work in network security (no, I am not a network admin) for a living, and I have to say this is by far the most phish-resistant online banking auth scheme I have come across.

    --
    See that long UID - that's what you get for lurking too long

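    The challenge-response scheme described in the comment above, modelled in Python as an added example (not the commenter's device, nor any real bank's protocol). The login ID, PIN, the use of HMAC-SHA256, the 30-second time window, the 6-digit response and the one-window clock tolerance are all assumptions; what comes from the comment is the shape of the exchange: the bank hands out two 4-digit nonces, the device combines them with its secret key and the current time, and the device locks itself permanently after three successive wrong PINs. Each challenge is consumed on first use, which is what makes a response captured by a phishing page useless a moment later.

```python
"""Challenge-response login token (added example, assumptions noted inline)."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

TIME_STEP = 30          # assumed length of one time window, in seconds
RESPONSE_DIGITS = 6     # assumed length of the generated one-time password
MAX_PIN_ATTEMPTS = 3    # from the comment: three wrong PINs lock the device forever


def compute_response(secret: bytes, nonce1: int, nonce2: int, now: float) -> str:
    """Both sides derive the one-time password from the shared secret, the
    current time window and the two 4-digit challenge numbers.
    HMAC-SHA256 truncated to 6 decimal digits is an assumption."""
    if not (0 <= nonce1 <= 9999 and 0 <= nonce2 <= 9999):
        raise ValueError("challenge numbers must be 4-digit")
    window = int(now // TIME_STEP)
    msg = struct.pack(">QHH", window, nonce1, nonce2)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    code = int.from_bytes(digest[:4], "big") % 10 ** RESPONSE_DIGITS
    return f"{code:0{RESPONSE_DIGITS}d}"


class PasswordGenerator:
    """The handheld device: holds the secret, is unlocked by a PIN and
    locks itself permanently after MAX_PIN_ATTEMPTS successive wrong PINs."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self._failed = 0
        self.locked = False
        self.unlocked = False

    def unlock(self, pin: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failed = 0
            self.unlocked = True
            return True
        self._failed += 1
        if self._failed >= MAX_PIN_ATTEMPTS:
            self.locked = True      # "locks out forever"
        return False

    def respond(self, nonce1: int, nonce2: int, now: Optional[float] = None) -> str:
        if not self.unlocked:
            raise PermissionError("enter the PIN first")
        return compute_response(self._secret, nonce1, nonce2,
                                time.time() if now is None else now)


class BankServer:
    """The bank's side: knows each customer's device secret, issues a fresh
    pair of 4-digit nonces per login attempt and checks the response.
    A challenge is single-use, so a captured response cannot be replayed."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
        self._pending: Dict[str, Tuple[int, int]] = {}

    def enrol(self, login_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._secrets[login_id] = secret
        return secret   # loaded into the device handed to the customer

    def challenge(self, login_id: str) -> Tuple[int, int]:
        if login_id not in self._secrets:
            raise KeyError("unknown login ID")
        nonces = (secrets.randbelow(10000), secrets.randbelow(10000))
        self._pending[login_id] = nonces
        return nonces

    def verify(self, login_id: str, response: str, now: Optional[float] = None) -> bool:
        nonces = self._pending.pop(login_id, None)   # consume the challenge
        if nonces is None:
            return False
        now = time.time() if now is None else now
        secret = self._secrets[login_id]
        # tolerate one window of clock drift either way (assumption)
        for drift in (0, -TIME_STEP, TIME_STEP):
            expected = compute_response(secret, nonces[0], nonces[1], now + drift)
            if hmac.compare_digest(expected, response):
                return True
        return False


def demo(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """One login, then a replay of the same response, then a stale response
    against a new challenge. Login ID and PIN are constructed values."""
    bank = BankServer()
    login_id = "19850101-1234"
    device = PasswordGenerator(bank.enrol(login_id), pin="4711")
    device.unlock("4711")
    n1, n2 = bank.challenge(login_id)
    response = device.respond(n1, n2, now)
    accepted = bank.verify(login_id, response, now)
    replayed = bank.verify(login_id, response, now)      # challenge already consumed
    bank.challenge(login_id)                             # new nonces issued
    stale = bank.verify(login_id, response, now)         # old response, new challenge
    return {"accepted": accepted, "replay_rejected": not replayed,
            "stale_rejected": not stale}


if __name__ == "__main__":
    print(demo())
```

    Two properties are worth noticing when running it: the same response is never accepted twice, and knowing the response tells an attacker nothing about the secret key, so the only thing a phishing page can harvest is a code that has already expired.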
  14. The Easiest Counter by shoemakc · · Score: 2, Insightful

    I too have been getting quite a few more of these lately, but there is a pretty easy way to combat them:

    :::never::: follow a link from an email

    If you receive an email about company bla bla bla, needing bla bla bla, open your browser and :::type::: the known, valid address in and see if they mention it. If you're still curious...call.

    It's really that simple folks.

    -Chris

    --
    --an unbreakable toy is useful for breaking other toys--
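    The advice in the comment above is to ignore the link and type the known address yourself. The following added example (not from the commenter, and not any mail client's real filter) shows the check a mail filter would have to perform if it wanted to flag links for you, and why it is harder than it looks: a link is only the bank's if its host is the known name or a subdomain of it, not merely if the known name appears somewhere in the URL. The known host `mybank.example.com` and the sample message are constructed.

```python
"""Flag links in an email whose host is not the known site (added example)."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Plain http(s) URLs up to the next whitespace or quote; trailing punctuation
# that belongs to the sentence is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_belongs_to(url: str, known_host: str) -> bool:
    """True only if the link's host equals known_host or is a subdomain of it.
    urlsplit().hostname lowercases the name and drops port and userinfo, so
    the comparison is on the real host the browser would connect to."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")
    known = known_host.lower().rstrip(".")
    return host == known or host.endswith("." + known)


def triage_links(body: str, known_host: str) -> List[Tuple[str, bool]]:
    """Every URL in the message paired with whether it points at the known site."""
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(body)]
    return [(u, link_belongs_to(u, known_host)) for u in urls]


# Constructed sample message: one lookalike host, one genuine link with an
# explicit port and mixed case, and one bare IP address with the bank's
# name only in the path.
SAMPLE_EMAIL = """Dear customer,
Please confirm your details at https://mybank.example.com.evil.example/verify
within 24 hours. Your statement is at https://www.MyBank.example.com:443/statements.
Questions? Visit http://203.0.113.9/mybank.example.com/
"""

if __name__ == "__main__":
    for url, ok in triage_links(SAMPLE_EMAIL, "mybank.example.com"):
        print("OK      " if ok else "SUSPECT ", url)
```

    The result for the sample is one genuine link and two flagged ones. Note that this only tells you where a link goes, not whether the message is legitimate, which is why the comment's rule of typing the address yourself remains the simpler defence.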