

Gone Phishing?

Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."

16 of 218 comments

  1. 10.2 Billion is a stunning number. by Concern · · Score: 5, Interesting

    If anyone believes this, it justifies fairly extraordinary investment to combat it. When you are talking billions then enormous infrastructure projects are possible. For instance, imagine the kind of systematic surveillance activity that could be mounted on the internet with a multi-billion dollar budget.

    --
    Tired of Political Trolls? Opt Out!
    1. Re:10.2 Billion is a stunning number. by krbvroc1 · · Score: 4, Interesting

      ...poorly regulated capitalism doesn't work...

      What a bunch of BS. What ya want -- communism?


      Ah come on. Because I would prefer some checks and balances in the form of effective regulation on a trillion dollar credit card industry that makes me a supporter of communism?

      The article was about an industry claiming 10.2 billion in losses due to fraud. My response was because the industry is poorly regulated, that inefficiency is allowed to be passed onto the consumer. The competition among the card companies has not created effective solutions to the problem.

      I do have a credit card, but I carefully keep track of my expenditures (computers are great for this) and pay it off before the due date and therefore pay NO interest

      Good for you. We share something in common, I do the same. Even with great discipline I have not been immune from the credit company shenanigans - incorrectly claiming they didn't receive a bill payment until 1 day late and charging a $25 fee (on a $100 bill - wow 25% penalty).

  2. An interesting exchange by sjbe · · Score: 3, Interesting

    Tangentially related. I just had an interesting conversation with CDW. I ordered some toner from them for my laser printer. Set up an account and gave my credit card number through the website. Very typical online experience. We've all done it hundreds of times.

    A day later I get a call from them asking for the security code on the back of my credit card as well as the phone number for my credit card. Odd, I thought. I've been ordering online for years with this credit card and never been asked after the fact for that info. Additionally the card was a Discover card and there is only one number for that which I'm quite sure CDW knows.

    While I doubt there was anything malicious going on I had them cancel the transaction. They explained that it was for extra security but they could have easily asked for that information in the online transaction. I have no way of knowing if this rep was acting on her own so I don't see any added security for me. My only criticism of CDW is that I don't think this was a very professional way to handle this transaction.

    I don't really think there was anything malicious going on but it's a good idea to be very careful when something is out of the ordinary, even a little bit.

    1. Re:An interesting exchange by Anonymous Coward · · Score: 4, Interesting

      They called you, from CDW to verify the transaction? That's a pretty standard practice. You could always ask for the person's extension and call back to ensure it's not a call from outside their organization.

      Just think. If they called you, because they thought the transaction was fishy (and you had NOT placed an order) wouldn't you be thankful they called you?

      Just today someone used stolen card details in full. Phone number, address, etc, for a service. I did a whitepages lookup, and called the card owner. He was completely surprised that his card had been utilized, and immediately called to report the attempted fraud and get a new card issued. I would sure hate to call a customer to verify 'just in case' and have them cancel on me, for only doing what is right to protect myself from a chargeback, and protect them from potential fraud.

  3. Combat it or deny responsibility you mean... by WIAKywbfatw · · Score: 4, Interesting

    I read recently that phishing scams have reached such a ridiculous level that UK banks are seriously considering making the victims 100 percent responsible for them.

    Whereas at the moment a phishing victim can reasonably expect their bank to give back any money that's lost from their account(s) as a result of being scammed, in future the same victim could well be told that they're responsible so they're liable.

    Personally, whilst I would prefer that banks do the right thing, I find it hard to argue with a policy that says that they won't refund money where people have been stupid enough to be conned into giving away their banking details by obvious scams.

    I don't want Alzheimer's disease victims to suddenly find their accounts empty but when the average man on the street is practically giving away his financial details when he should be keeping them secure, well, what do you expect banks to do? Give away money which they then end up recouping by charging everyone more for their services?

    Sometimes, the only way you can educate people into doing the right thing is to not protect them when they do the wrong thing. In that respect, we're talking about the same sort of lesson people who don't have any backup procedures learn the first time they irretrievably lose all their data.

    Tough love is sometimes the best love.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
    1. Re:Combat it or deny responsibility you mean... by trewornan · · Score: 2, Interesting

      and not to respond to any links in an e-mail

      The problem with this is - sometimes the banks do need to contact their customers. Maybe more often than not it's to try to sell them something, but occasionally they have genuinely good reasons. So they can't tell customers they'll never contact them by e-mail or not to respond to e-mail.

      Normally, market forces would drive things so that in order to gain business, banks would have to assume responsibility for some or all losses. Unfortunately with banks acting as a legalised cartel, market forces don't apply.

    2. Re:Combat it or deny responsibility you mean... by Anonymous Coward · · Score: 1, Interesting

      Personally, I'd prefer a system that has photo and signature-based security. You sign for transactions as you do now but your card has a visible photo ID on it, and a similar ID comes up on the entry terminal when it's processing a transaction. As you say, getting hold of someone's PIN isn't impossible but mimicking their physical appearance is a little bit harder.

      Incidentally, there are one or two UK banks that have offered credit cards with photo IDs on them for some time now, and the incidence of fraud associated with those cards is far lower than cards without photos on them. Credit cards with photo IDs on them are big in continental Europe too, or so I'm led to believe.


      In Denmark, the photo ID has been removed from bank cards with the introduction of Chip+PIN. Customers are not happy, but there's not a lot they (as individuals) can do about this, as all the banks are doing this.

      While I think it is reasonable to require bank customers to take some responsibility for the security of their cards and PINs, I am not in favour of liability being on the customer until the PIN is reported stolen/compromised - there can be a long period between actual loss of the card and knowing the card has gone e.g. a break-in at home when you are away for several days/weeks and not taken all your cards with you.

      There is also the issue of the individual not being able to choose adequate security methods - doctored keypads and shoulder surfing are difficult to guard against, and it is difficult to guarantee the card's physical security at all times.

    3. Re:Combat it or deny responsibility you mean... by Anne+Thwacks · · Score: 3, Interesting

      making the victims 100 percent responsible

      The banks are 100% responsible. They operate accounts for the scumbags, and they know who the scumbags are, in order to open accounts for them, and they hand the money to the scumbags.

      Let's face it, this is a problem which the banks could solve without third party intervention if they only tried. (You can almost hear them singing: "If I only had a brain")

      --
      Sent from my ASR33 using ASCII
    4. Re:Combat it or deny responsibility you mean... by lemonjelo · · Score: 2, Interesting

      I was thinking recently that a new TLD might help. If there was .bank or such, and only allow authoritative DNS servers that are registered by a valid bank, possibly even using DNSSEC, well maybe it would be easier to educate people to only use the proper URLs.

      But of course that would also depend on a browser that doesn't make it easy to dupe people even then.

      --

      pimtamf
  4. 10.2 Billion by Viceice · · Score: 2, Interesting

    Did the industry really lose 10.2 billion dollars to scammers or did this number come from the same process the RIAA and the BSA used to estimate loss to piracy?

    Personally, I think something is seriously wrong if phishing alone managed to net scammers $10.2 billion. Maybe if it was worldwide consumer finance fraud combined it would be more believable.

    --
    Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
  5. Search images? by earthforce_1 · · Score: 3, Interesting

    I wonder if it is possible to automatically spider for suspicious sites with images and logos from financial institutions that don't belong there? They could be shut down almost before the scam gets started.

    --
    My rights don't need management.
  6. Re:ING Direct's changing logon by itsthebin · · Score: 4, Interesting

    HSBC has a good extra security measure. Unless you are transferring to an existing account template you must request an extra qualifying code which is then SMS'd to the phone number you have registered with them. To change the phone number requires you to ring up customer service and use your phone banking code to verify yourself.

    --
    ...I obey the laws of physics....
  7. Re:Here's how I got my mom to verify by hobo2k · · Score: 2, Interesting

    Or for the truly paranoid, burn a bootable CD that does nothing but load up the bank's website. Maybe mount an encrypted volume if you want to store the data.

  8. They could slow the crime, if they really cared. by telemonster · · Score: 2, Interesting

    So you set up a bunch of systems that capture tons of spam emails. Catchalls on various domain names, publish the domain names in public along with email addresses (websites, newsgroups, etc).

    After your stupid phishing scams hit, eBay, Suntrust, Citibank, Paypal and BOA start hitting them with a few marked accounts. These marked accounts are set up with the purpose of dropping the information to the phishing scam people.

    From that point, the phishing scammers will try to use this information for their benefit. At that point, it should be easier to build a path back to them.

    That would require effort, it's easier for the banks to tack another dollar onto ATM fees and write off the losses. Has anyone checked to see if banks are actually writing off these losses and reporting them to shareholders?

    Just like spam emails, the money goes somewhere. Just follow the money.

    --
    Southeastern Virginia REPRESENT!
  9. Make sure links go to where they say they do by erice · · Score: 4, Interesting

    I received a very well done PayPal phish recently. It was sent to my PayPal email address (different from my eBay address and never used for anything else).

    There was a link that claimed to go to:

    https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo

    But mousing over revealed that it actually went to:

    http://signin.ebay.com-ogi-bin.tk/_eBaydll.php

    Note the com-ogi-bin.tk rather than com/cgi-bin
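    One way to automate the mouse-over check erice describes, written here as an added example (not code from the post): a small Python checker that pulls every anchor out of an HTML mail and flags links whose visible text names one registrable domain while the href points at another. The sample message is constructed to mirror the post; the domain split is a naive last-two-labels rule rather than the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: first anchor reproduces the mismatch from the post.
SAMPLE_MAIL = """
<p>Please confirm your details:</p>
<a href="http://signin.ebay.com-ogi-bin.tk/_eBaydll.php">https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo</a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
<a href="http://203.0.113.7/login">click here</a>
"""

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Naive rule: last two labels. "signin.ebay.com-ogi-bin.tk" -> "com-ogi-bin.tk"
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_links(html):
    """Return (visible text, href, verdict) for each link whose visible text
    looks like a URL; anchors such as 'click here' have nothing to compare."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
            continue
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        actual = urlsplit(href).hostname or ""
        same = registrable_domain(shown) == registrable_domain(actual)
        findings.append((text, href, "ok" if same else "MISMATCH"))
    return findings

if __name__ == "__main__":
    for text, href, verdict in check_links(SAMPLE_MAIL):
        print(f"{verdict:8} shown={text} actual={href}")
```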

  10. Phish Firefox? by hyphz · · Score: 2, Interesting

    I personally have a bet that, if Firefox gets popular, hackers will start using its open source nature to phish Firefox itself.

    I.e., they'll hand out fake Firefox download links in e-mails or hosts-file hack mozilla.org. Then, when you download, you get Firefox - plus add-on code that sniffs your keystrokes or credit card numbers.

    Mind you, this has been my big problem with using Firefox from the beginning: the distribution might contain that kind of thing anyway. At least MS, with their existing millions, are unlikely to be interested in my card number.