Gone Phishing?

Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."

ING Direct's changing logon

[LostCluster]

ING Direct's logon page has an interesting feature where it asks for an extra piece of info beyond the username and PIN such as your account's ZIP code or a piece of your SSN on each logon, with the extra question changing every time.

However, this security method has a fatal flaw... if an attacker knows the answer to any one of the questions, the attacker can just keep reloading until they get the question they want to come up and then answer it. Still, it's better than doing nothing at all.

Re:ING Direct's changing logon

[realdpk]

Not to mention it just gives the attackers more information to ask the attackees. They just have to create sites that ask for SSNs and ZIPs and stuff, on top of everything else. With that additional information the attackers'll have an even easier time stealing! Way to go ING :)

Re:ING Direct's changing logon

[itsthebin]

HSBC has a good extra security measure. Unless you are transferring to an existing account template you must request an extra qualifing code which is then sms'd to the phone number you have registered with them. To change the phone number requires you to ring up customer service and using your phone banking code to verify yourself.

10.2 Billion is a stunning number.

[Concern]

If anyone believes this, it justifies fairly extraordinary investment to combat it. When you are talking billions then enormous infrastructure projects are possible. For instance, imagine the kind of systematic surveillance activity that could be mounted on the internet with a multi-billion dollar budget.

Re:10.2 Billion is a stunning number.

[krbvroc1]

If anyone believes this, it justifies fairly extraordinary investment to combat it.

It sure is a stunning number. However, the credit card industry is a huge rip off. They charge consumers interest rates in the 12 - 23% range. (This us during a time in history where interests rates are at historic lows). They charge the merchant fees from 1.5 - 7% on each transaction. The ever increasing fees are adding more profit. They are changing due dates to Sundays hoping to increase late fees. Telemarketing their customers. Trying to sell stuff when you call with the customer support lines.

Last year the credit card industry profits were nearly $30 billion dollars. My guess is that they just write off the fraud and then pass those costs onto the consumer. The average credit card debt keeps increasing so it seems they can pass these costs along and the customer is so reliant on credit card debt for daily life that they don't fight it. What a sham, what a shame.

I think this is an example of how poorly regulated capitalism doesn't work. Despite the appearance of hundreds of credit card competitors and so many cards to choose from, the industry is extremely anti-consumer. The better business bureau reports that the credit card agencies are number one when it comes to consumer complaints.

Re:10.2 Billion is a stunning number.

[krbvroc1]

...poorly regulated capitalism doesn't work...

What a bunch of BS. What ya want -- communism?

Ah come on. Because I would prefer some checks and balances in the form of effective regulation on a trillion dollar credit card industry that makes me a supporter of communism?

The article was about an industry claiming 10.2 billion is losses due to fraud. My response was because the industry is poorly regulated, that inefficiency is allowed to be passed onto the consumer. The competition among the card companies has not created effecive solutions to the problem.

I do have a credit card, but I carefully keep track of my expenditures (computers are great for this) and pay it off before the due date and therefore pay NO interest

Good for you. We share something in common, I do the same. Even with great discipline I have not been immune from the credit company schenanigans - incorrectly claiming they didn't receive a bill payment until 1 day late and charging a $25 fee (on a $100 bill - wow 25% penalty).

Re:10.2 Billion is a stunning number.

[loraksus]

Come now, these are the same motherfuckers who send seniors $5 checks which, when cashed, enroll them into some credit protection program / yellow pages listing service that costs $10 a month.
Of course the "terms and conditions" were written on the inside of the envelops (i.e. on the envelope itself) and the AG has to step in to put a stop to it.

I had a credit card company who used to try to pull this sort of shit all the time - the due dates were set to sundays or holidays (changed every couple of months), the payment address changed every couple of months and, for some strange reason, it took about 13-15 days for them to "receive" payments (and usually another 2 days to "process". The checks weren't being sent to fucking Rwanda, but from Oregon to Utah / California / Nevada. Blind mail is faster. Mysterious fees would be added and re-added, apparantly with my consent. Membership points / air miles would vanish.
Their collections people would be happy to call you repeatedly even though your bank told you they cashed your check 4-5 days ago.
And it went on and on and on.
Sure, it was fun to abuse the agents for a while, but it got old pretty fucking quick.

The damndest thing was the company was decent for a while, and all of a sudden they changed.
I suppose one or two screwups on their part could be attributed to incompetence or a one time screwup, but there are limits.

I could walk away, and I did - but I'm sure many people couldn't. I know a home loan isn't the same as a credit card, but you presume that they aren't going to act like Guidos.

I think this is also less about the person's greed - It is assumed that you're going to have to borrow a significant amount of money (not many people buy a house outright), but I don't think it is reasonable to assume that a credit card company is going to be a bunch of vicious greedy assholes when you sign up. It's one of those unwritten rules.
Rules that are eventually broken and result in "Pussification Legislation" being passed by the state's AG.

Anyways...

Here's how I got my mom to verify

[russler]

1. Make certain the site name is not all numeric.

2. Make certain it is spelled correctly.

3. If they write to you unsolicited, just type the website in directly that you normally use for the service and you can be certain where you are going.

I can think of more things to tell her, but the more I say the less I fear she will remember. So I boiled it down to the above list.

So far so good....

She is as clueless as anyone on the net, so I figure if it works for her that's a good litmus test....

Re:Here's how I got my mom to verify

[LostCluster]

That list is a good start, but the latest variant involves a worm that hoses the hosts file and that means a properly spelled URL can still possibly lead to a phisher's site...

one problem...

[tsu+doh+nimh]

is that banks themselves are guilty of perpetuating this stuff.

got an email from Network Solutions the other day, complete with HTML graphics, etc. It said, Dear Customer, we periodically ask our customers to update their whois information....click here to access your account information....

then it said failure to keep your account info up to date could result in the suspension of your domain. turned out this was a legitimate email from NetSol, but it had all the signs of a phish - addressing me with no indication they knew who I was, a la "dear [fill in bank or company here] valued customer"; it urged me to click on a link - which by the way was a dotted IP address; and it threatened negative consequences unless I acted quickly.

Same thing happened to me with Citibank. I am a citibank customer, and the other day I received an email urging me to transfer my balances from other cards, blah, blah. Anyhow, it had all the right logos, and urged me to click on a link. When I did (with some trepidation), I was brought to a site called "accountonline.com", which as it happens, is in fact owned by Citibank.com. Again, turns out this was a legit email from Citibank (or its marketing dept.)

Yes, it is sad that we have gotten to the point where companies cannot use email as a legitimate means of marketing and communications with thier customers (and prospective customers), but banks and other major companies need to heed their own advice, and as far as I'm concerned, as long as these companies keep doing that sort of thing, they have only themselves to blame when their customers expect this sort of communication.

Misleading Statistic?

543 sites in September to 1,142 sites in October

Hmmm ... the number of "sites" found doubled just when Google doubled its index size...

Combat it or deny responsibility you mean...

[WIAKywbfatw]

I read recently that phishing scams have reached such a ridiculous level that UK banks are seriously considering making the victims 100 percent responsible for them.

Whereas at the moment a phishing victim can reasonably expect their bank to to give back any money that's lost from their account(s) as a result of being scammed, in future the same victim could well be told that they're responsible so they're liable.

Personally, whilst I would prefer that banks do the right thing, I find it hard to argue with a policy that says that they won't refund money where people have been stupid enough to be conned into giving away their banking details by obvious scams.

I don't want Alzheimer's disease victims to suddenly find their accounts empty but when the average man on the street is practically giving away his financial details when he should be keeping them secure, well, what do you expect banks to do? Give away money which they then end up recouping by charging everyone more for their services?

Sometimes, the only way you can educate people into doing the right thing is to not protect them when they do the wrong thing. In that respect, we're talking about the same sort of lesson people who don't have any backup procedures learn the first time they irretrievably lose all their data.

Tough love is sometimes the best love.

Re:Combat it or deny responsibility you mean...

[ManxStef]

It does seem to be yet another shift of burden of proof onto the consumer though, does it not?

Have you noticed all the online banking EULA's with specific "you're liable for anything until you report your password as breached"? Much in the same way as "Chip and Pin" here in the UK, the shift in the responsibility of fraud onto the customer of these systems is designed for the benefit of the BANKS, any benefit to you is a secondary concern and it seems to be that its actually to your detriment in many cases.

Interestingly, who is it that oversees the fraud of these systems to determine whether they're secure or not? Why, it's the same banks that run them. Hardly independent or unbiased now, is it? That's like asking Adobe, "is your PDF encryption secure?" Hmm, what do you think... *cough* ROT-13 *cough*

Let's use an example of something like Chip and Pin, where instead of a signature you type in a pin along with your credit card transaction. This is vulnerable to multiple attacks, e.g. shoulder-surfing: say someone watches your pin, then steals your card and goes on a shopping spree -- the transactions are all valid as they had the correct pin, so YOU are responsible for this loss. Compare this to the old signature method, they might fool the store cashier, but when you report it you get your money back -- problem is, it's costly for the credit card companies to check and they (or the retailer) ends up paying out. The cost and burden of proof is on THEM, and they don't like that. Other examples of abuse would include dummy card readers and pin input devices, corrupt shops who capture pins, etc. For an interesting discussion on this see here:
http://toothycat.net/wiki/wiki.pl?ChipAndPin

So, while I totally agree that users have to bear a certain amount of responsibility, much in the same way as Chip and Pin, until internet banking can be made more secure *by the banks themselves* to the extent that phishing scams and other fraudulent methods are overcome AND the burden of proof is *kept with the banks* then I, for one, will not use them. (Removes tin-foil hat!)

Solution (for me)

[xsupergr0verx]

My bank doesn't have my email address. Give them a throwaway email address when registering online, then delete the address. All the mail to that account would bounce, and the bank has other (non phishable) ways to contact me if needed.

I can't click a false hyperlink in a printed letter.

Re:An interesting exchange

They called you, from CDW to verify the transaction? That's a pretty standard practice. You could always ask for the persons extension and call back to ensure it's not call from outside their organization.

Just think. If they called you, because they thought the transaction was fishy (and you had NOT placed an order) wouldn't you be thankful they called you?

Just today someone used stolen card card details in full. Phone number, address, etc, for a service. I did a whitepages lookup, and called the card owner. He was completely surprised that his card had been utilized, and immediatelly called to report the attempted fraud and get a new card issued. I would sure hate to call a customer to verify 'just in case' and have them cancel on me, for only doing what is right to protect myself from a chargeback, and protect them from potential fraud.

Truly it is said...

[plierhead]

Give a man a fish; and you have fed him for today.

Teach a man to phish; and you have fed him for a lifetime.

Figures...

[Superfreaker]

Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion.

In related news, some anonymous guy using randomly generated numbers, estimates that tech employees who visit /. during working hours have cost corporate America in excess of $1.5 trillion since September.

I thought I saw a phishing victim the other day...

[NotQuiteReal]

... then I realized those hooks and such were there on purpose. These young'uns call it piercing, and do it on purpose!. And pay tattooed fellows to do it!

When I was a kid, we had to get bits of metal embedded in us the old fashioned way - war, industrial accidents and drunken fishing!

Make sure links to where they say they do

[erice]

I received a very well done paypal phish recently. It was sent to my paypal email address (different from my ebay address and never used for anything else).

There was a link that claimed to go to:

https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?Regi st erEnterInfo

But mousing over revealed that it actually went to:

http://signin.ebay.com-ogi-bin.tk/_eBaydll.php

Note the com-ogi-bin.tk rather than com/cgi-bin