Schneier: Make Banks Responsible for Phishers
abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""
As long as they make a backup copy, I'm fine with it.
When phishing is outlawed, only outlaws will have phish!
I seriously doubt the innovation of criminals with technology will fail simply because banks require additional information.
However, it doesn't seem very feasible.
... which I think there is more than enough uncertainty on the subject to prevent that.
There is no way we can get the government to do such a thing... and such losses may even affect federal insurance and our interest rates...
Depending on how many morons there are getting hit by phishing scams, this could have a large effect.
Of course... that's assuming it ever got made into 'law'...
If we can teach little kids not to take candy from strangers, can't we teach people not to give credit card numbers to people on the internet? Not sure putting that burden solely on the banks etc. is the only solution...
Personal responsibility has to come into play somewhere. If people aren't educated enough to know NOT to email back their bank information to an unsolicited source, then just whose fault is it? The banks obviously need to do more, but in the end someone has to be responsible for their own actions.
Yes, let's remove all responsibility from individuals and beg the big friendly government to make someone else take care of us.
While we're at it, let's make Slashdot responsible for trolls.
When will Windows be ready for the desktop?
Banks should require their users to have SSL Client Certificates
Because if anyone should be responsible for the damage phishers have caused to our marine wildlife, it should be our financial institutions....oh, wait...
I don't think there's much of a chance of this kind of thing ever getting implemented. The financial industry would kill any legislator who tried to introduce legislation like this. If anything got through, they'd convince the executive branch not to enforce it. I'm sorry to say this, but the banks hold our money and they're very cavalier about to whom they give access and they like it that way.
Holding financial institutions responsible for something like this makes about as much sense as holding the fire department responsible for fire damage to a building and any casualties.
File under 'M' for 'Manic ranting'
What's wrong with "all of the above?" It would seem to me that a multi-pronged attack to the problem would be best, because I really don't see how "just" holding the financial institutions responsible will make the problem disappear completely. Scammers are creative, after all, and the people who fall for their scams can be pretty friggin' dumb.
Similar for 419 scams: put the responsibility for the scams sent onto those that provide free unverified e-mailboxes to the masses.
Everyone can set up a mailbox on hotmail or yahoo and use it for scamming, and be untraceable.
When a freemail provider is responsible for all its client actions unless it can refer to the actual person that is the client that has setup that mailbox, the problem effectively has ended.
I've been thinking the same rule should be applied to proprietary software makers as well. If they want it closed source, then they can have it their way, but they have to pay for it as well. That's the price they pay for having complete control. Open Source vendors wouldn't have these requirements because the code is available and truly a use-at-your-own-risk program, unlike proprietary software.
Put some of that cash in Microsoft's fat pockets to some use.
There would be no argument for Palladium and NGSCB in regards to code security anymore.
I hear this often - identity theft of healthcare information. In many cases the insurance and billing information associated with Healthcare are ill enforced from a security perspective. When you have this information available it makes much of Biometrics (the next generation of security) conceivably null and void. Having worked in this industry for 12 years I can tell you it is scary how little your medical information and all that is related to it are enforced.
Dear Bruce Schneier,
We read with interest your comments on preventing phishing activities.
Our conclusion is that we are not taking appropriate measures to prevent phishing.
Therefore, we have acted to prevent such damages in the future. This action is the only certain method of fraud prevention: Your account has been closed and we have placed you on a universal banking blacklist to prevent you being able to open an account with any other bank.
Thank you for your refreshing point of view, and good luck.
Sincerely,
Your Bank
---"What did I say that sounded like 'Tell me about your day?'"---
Forcing the responsibility on the banks is only going to encourage the banks to treat the customers worse than they already do.
Your bank already has your home address (and probably your home phone number).
All they have to do is to institute a "no email from us, ever" policy and spend some time getting that message out to their customers.
Sure, this will cut down on the ad revenue from the banks, so what?
If they absolutely need to have some form of email interaction, they can run an internal (no external SMTP connections) web-based email system so the clients (you) can email the bank's employees.
If you can't do something securely, maybe you should not be doing it.
The problem is banks are lazy and like to go after soft targets. If a fraud takes place, the perpetrator disappears and only the victim is still around, and that's who the bank will go after to get their money. There's no incentive for them to prevent the fraud in the first place.
This will always be a problem because people don't want to have to deal with complex security. I wouldn't mind keeping an RSA authenticated keychain that has a rotating cryptographic key that changes every 60 seconds (a pretty cool solution I've seen in action), but the moron hick who doesn't see why he should have to have more than one password will never stand for it. Juggling multiple methods of authentication is too complex for the average Joe.
Thankfully, that average Joe is also the same moron who will fall victim to phishing instead of me. I'll never lose my money, so it's not my problem. A conundrum, if you will - the only people smart enough to do anything about it (or be willing to do anything about it) are the ones that such scams don't apply to anyway.
(No offense to any geeks/intellects who happen to be named Joe)
The only way something like this works is if there is a neutral agency that one can report this to. Even then it probably won't. It's in the financial institutions' best interest to keep all security problems secret. That is today, even with them not being responsible; in a day where they are responsible, they'll act just as the tobacco companies did/do: "There is no security problem, Mr. Senator. No, there is no problem with identity theft, not at all, we have it under control." The cheapest short term solution is the best one to a company; these guys pretend to think long term, but they don't. Don't assume they will.
Burn Hollywood Burn
Conversely, how many hoops do I want to jump through to prove it is me?
In the end the consumer will always pay no matter what happens. If they exclusively make financial institutions responsible for phishing then that just means they will charge us more for their services. If they don't do anything about it, well, then we still pay when some schmuck steals our identity and our money.
As someone who works in technology for a large financial institution, this is bullshit. We work with the appropriate people to get many, many phishing sites shut down every year. Unfortunately, there's no patch for end user stupidity. Short of sending someone around to every customer's house and teaching them what not to click on...just how does he plan on actually accomplishing this?
On second thought...I think I'm going to get some travel vouchers to South Beach tomorrow...I think there's some customers that need my help.
Christ, who gives their email address to the bank? None of my banks or credit cards have my email. How can your bank email you if they don't have your email address?
It amazes me that, for example, no-one really checks signatures on credit card slips or that you don't need a PIN to buy gas with a card at the pump.
If you tighten up all these processes then just knowing five pieces of data about a person won't let you access their accounts. Why sign your credit card at all when no-one even LOOKS at the signature and YOU are liable for fraudulent use of the card?
Isn't this just basically ignoring the fact that banks continually get "more secure" as to what they're requiring for online transactions? Making banks responsible (which isn't much different from the reality today, considering they usually eat the losses anyway) is like saying "ok, go sell your info online and you'll be 100% not liable." Take your pick; almost EVERY bank requires the customer's PIN online now, which, while somewhat easy to pry from someone by a simple "Hi, this is Tim Collins from Visa Fraud Prevention. May I speak with _________?" call, wasn't necessary at all a year or so ago. Is this not updating their security? I just don't see where this guy's going with this one.
"Crime fighters fight crime. Fire fighters fight fire. What do freedom fighters fight?" -George Carlin
Legislation shouldn't be used as a way of solving a technical problem, and this is really just a technical problem with e-mail.
He's essentially claiming that identity theft is too easy, and the banks should not allow you access to funds with such simple authentication (name, ssn, address, etc)
Here's the news flash -- if his recommendations are put into practice today, then bank web sites will use some super-nifty-turbo authentication before you gain access to your funds. That will lock out any Phishers who just have yesterday's identity theft kit.
Instead, the phishers will just spoof the super-nifty-turbo website, and have a new super-nifty-turbo ID theft kit.
Phishing highlights how bad the issue is, phishing isn't the issue. If anything, the presence of the additional verification steps on the Phisher's site will lead people to believe that it simply MUST be the real deal!
... to tell the difference.
Suppose you get a legitimate email from myEBAYsecurity.com? You go to that site and a man-in-the-middle attack presents you with a 100% perfect eBay site? All it takes is skill and time and desire. The technology is available today.
As long as banks and other sites use direct email to communicate with people, they will be subject to these attacks.
There is nothing that can be done to prevent them when email is the contact method.
Lets blame the electric company for these phishing attacks. Eventually, they won't be able to stand all the losses, and will send a power surge that destroys all the phisher's computer systems. Yea! That ought to work.
I read
Americans will experience losses like they've never seen before as banks go belly up under the burden of the enormous losses they take on.
I currently have no clever signature witicism to add here.
So I fall for a phishing email and enter my credit card info, bank passwords, etc. into some scam site. Said scammer proceeds to empty my bank account.
If I directly gave the scammer enough info to do such financial damage, how can the bank be held responsible? It's like if I forget my wallet on the table at some fast food restaurant, and someone picks it up and maxes out each of my credit cards. Should the bank be held accountable that I forgot my wallet? Banks should make a better effort to confirm identities in cases of large sums of money being transferred/spent under strange circumstances, but holding them financially accountable for my own faults?
I think any firm, government entity, universities, etc... should be held responsible. It just kills me when I walk by a bursar's office and the clerk immediately asks, through the window, for the student's SSN and name. If I were a crook, all I'd have to do is just sit there and write them down. Mention this to the university, you just get a blank stare.
Evil people don't think they're evil. - George Lucas, Making of Ep III
Banks are RESPONSIBLE for all the money that we give them. If they fumble and lose it, guess whose fault it is...
On the other hand, we're responsible for the money we have, and if we lose it, guess whose problem it is...
The bank needs to take due caution. If your entire account balance is drained in one day by someone from Taiwan, Russia, or some other far-away nation, then it should be pretty obvious that it's a fraud thing. They should place it on hold to call and verify the purchase.
On the other hand, there SHOULD be some blame on the customer that decided to give the information out. Something like a mandatory long form to fill out to 'unfreeze' the account to make sure they realize that they were being stupid. Busy work, so to speak.
Point is, the blame is impossible to place on the bank or the customer in some cases. What if someone uses some obscure bug to lame their way to your account information and then drains it? Something that no one has reported yet. Should the customer be smacked on the hand? No. The bank? Well, since they are the central authority that takes care of the money you give them, probably. It could be really easy to implement.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
It is the consumer's responsibility to make sure that they don't get suckered. A bank taking care of all of its customers like this would take a lot of resources. Make the consumer responsible.
It will never happen.
Consider this: The credit card companies were getting reamed by people getting a boatload of credit cards, running them up to the limit, then filing for bankruptcy.
Now, the real solution to this would have been for the credit card companies to have done their jobs and really examined the credit ratings of the people to whom they gave these cards, and to have given people reasonable credit limits (I shall use myself for an example - I have a single credit card which has a limit of well over one-half of my yearly salary - there is NO REASON for me to have that much unsecured credit - and no, I did NOT request that limit, they gave it to me on their own).
However, that would require the credit card companies to actually do work and would impair their ability to take people almost to bankruptcy and make lots of money on revolving credit interest.
So, what did the credit card companies do? They took their enormous profits and paid for immense lobbying to get a law passed to ensure they get their money even if you file for bankruptcy.
Now, what is another word for "credit card company"? I'll give you a hint - it starts with "B", ends in "K", and has 4 letters. Wanna buy a vowel (at 15% APR)?
Making banks actually take responsibility for phishing means banks would have to do work on their online banking and credit applications. It would mean they would have to make it harder for people to buy things online (read: go into debt). It would CUT INTO THEIR PROFITS!
So what is a good, responsible banker to do? Call 1-800-RENT-A-SENATOR.
...and while we're at it let's make all software developers responsible for the consequences of every bug and flaw in all of their products. This will make Microsoft and other closed source non-free embracing corporate demons 'go away'.
Whether you're playing with people's money, time or lives there is a personal risk and responsibility to the end user (us) when we do anything in life. Yet we're constantly trying to make it somebody else's problem?
Rather than just shifting the blame why doesn't somebody come up with a decent list of things banks could actually do to make us safer.
The only way banks can create a secure connection to consumers is by forcing consumers to use the bank's client software on a trusted platform. In theory, banks could support multiple platforms. In practice, they will support one and only one. Consumers with Mac or Linux will be out of luck and kicked off e-banking.
I think I prefer avoiding/defeating phishers myself rather than suffer the consequences of the bank's solution to the problem
Two wrongs don't make a right, but three lefts do.
The problem always is.
It's time to drive a stake through the heart of that protocol and start over. Like telnet and ftp, it just doesn't meet the standards of today's Internet.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
I don't know what the banks have to do with phishing, but people make such a big deal about Phish shows because of all of the pot and acid that flows through. Give them a break! They're just trying to enjoy a few hours of their lives watching a band they love. They're not violent concerts by any means, and they DO NOT ROB BANKS any more than a follower of any other band.
Although there have been many viruses/trojans that spread without user intervention, a vast majority of the ones I hear of are spread through gullible people opening mysterious attachments or running a strange program. Although they exploit computer code, they also exploit the human brain about as much as phishing tactics; they just attempt to get the information indirectly.
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
A properly formed e-mail from a reputable company nearly completely eliminates all possible intercepts. At least as many as can be eliminated by simply going to the website in the first place without an e-mail prompt.
case in point:
I recently received an actual e-mail from PayPal; this e-mail suggested that my on-file credit card was about to expire. The first thing that keyed me in and made me actually read this mail was that they referenced the last four digits of said card. Next, they suggested that I log on to their website and update the credit card's expiration date. Most importantly, they didn't even offer a link to paypal.com; they simply said to log on and then gave instructions as to how to change it. Not the first link in the whole e-mail. This effectively eliminates fraud as a possibility. While it is still possible that paypal.com itself could be hijacked or some other esoteric scheme, the 99.9% possibilities are all eliminated simply by not providing any link.
Phishers use trademarked corporate ID images, names, slogans to fool victims into trusting the phisher as they would the simulated corporation. When a trademark holder does not "vigorously defend" their mark from dilution by others offering the same service, when the trademark owner knows about the dilution, they can lose their ownership. The Lanham Act defines the mark monopoly assigned by the PTO in terms of consumer protection. I'd like to see a phisher bring a new mark registration application for "Citibank" (and their logo), on the basis that the Lanham Act puts it up for grabs, after Citibank has slothfully ignored their dilution. That might wake up some of these banks to their responsibility to their customers, the flipside to the "brand equity" they cruise around on, garnering profits without earning trust with even the most rudimentary security that protects their customers, not just their branches.
--
make install -not war
Have we learned nothing? For every lock you build, a pick will be devised; therefore, security should always be layered (thus requiring any would-be wrong-doer to carry lots of picks, or they will - more likely - give up). People should be educated, laws should be passed, banks should hold some accountability, people should hold some accountability, and I'm absolutely certain there are layers that haven't even been devised yet that should be implemented when new exploits are found.
"As far as I'm concerned, I prefer silent vice to ostentatious virtue." ~A. Einstein
Surely you've heard of the Health Insurance Portability and Accountability Act of 1996 which mandates privacy and security of healthcare information, and provides punitive measures, including fines and prison terms?
Apart from regulating banks into assuming responsibility for fraud losses, is there a bank somewhere in the market place currently offering this deal? I'd sure like to consider switching.
Whenever I get my daily phish attempt for JP Morgan Chase, I usually report it since I'm a customer. I generally check to see if the phony link is still alive (it almost always is) and then send a short note to their security and customer service contacts. I have done this nearly every day for the past couple of months and with the exception of an automated reply from their customer service department, I've never ever gotten a response from a real human to investigate the issue further. In a number of cases, the naughty phisher site was up for a week or more after the initial spam hit my inbox and I notified Chase.
So there doesn't seem to be any real (outwardly visible) priority given to these rather brazen attempts to dupe customers. I also feel that the financial institutions should be 100% liable for fraudulent activity. That would certainly ratchet up their lackluster attitude towards prevention.
Once you start holding companies responsible for the data that they so quickly gather on us, then you see that companies are actually able to lock boxes down. In addition, they will go to great lengths to avoid a loss by simply sending customers certificates that will work with only certain browsers.
But to go further, they need to start holding companies responsible for all lost data. That means that CC card processors should be held liable. Both the company in Nebraska and the one in Arizona should be held liable for 10's (possibly 100's) of millions in losses.
I prefer the "u" in honour as it seems to be missing these days.
Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
Amex - does the same thing that Chase does on americanexpress.com.
CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!
-- these are only opinions and they might not be mine.
Proposals like this will drive UP the cost of internet and telephone banking and maybe even bank-by-mail.
If these costs go too high, banks will just force everyone to use human tellers, where they can photograph you, ask for 2 forms of government ID, and get your signature and fingerprint with each transaction.
In any case, someone *coughyouandmecough* will eat the increased costs.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I had to open a paypal account for some testing, closed it when done, and about an hour later got phishing email. This was spring 2002 I believe. Phishing was still somewhat rare, IIRC. I immediately logged back on to paypal, checked, yes the account was closed, I figured the email was just a typical big corp screwup. It wasn't til later that I realized it was a phisher. About the only reason I didn't get snookered was that I typed in the paypal URL directly rather than clicking on the email link.
Recently I paid a credit card twice; it got buried under other papers after the first payment, and when I uncovered it a couple of weeks later, I paid it again. My checking account was not happy and the overdraft protection kicked in. I got a phishing email the same day I noticed this. The link was to .bl or someplace decidedly unbankish, and I forwarded it to the bank.
My point is that I have received tons of phishes and ignored them; I do not have accounts with most of the banks. But these two came just when it was, by coincidence, perfectly plausible to get such an email, and thus much more believable. The first one did not work because I never click links. The second one failed because I always read email in text mode (mutt) and saw the funny URL in the link.
People who are even slightly less paranoid could easily have clicked the link directly in these cases. Your insistence on people being responsible is rather naive. Most people, I am sure, will ignore phishing email for banks they do not have accounts with, but if they do have an account, and if it comes at a coincidentally plausible time, it is perfectly understandable for them to believe a phishing email.
Infuriate left and right
Technically, they are, but 9/10 times they seek to hide the problem and avoid liability. It is irresponsible in my view to put major databases in another country where it is known the information is being sold on the black market, yet banks continue to insist there's nothing to be done. Remember, these are the same guys who organized shadow accounts so that the Russian mafia could siphon off billions in US aid to Russia a few years ago. It took the combined efforts of several governments to put political pressure on all countries where this method was known to exist (in places like Bermuda, etc). Banks will *never* act in the customer's interest unless forced, and yes, charge the customer for the privilege afterwards.
insecurity asks the wrong question irritation gives the wrong answer
I get over a hundred a week from "PayPal". I don't even bother sending them to spamcop anymore.
The part about not having any links in the email is good. But not good enough. You could have been told to go to mypaypalsecurity.com and logon. Then you'd be back to the man-in-the-middle attack.
Not to mention that most people who do read those emails will not know enough to not click on a link when the company involved has not specifically stated that they will not send links.
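The "funny URL in the link" that the text-mode reader above spotted, and the unrelated domains another poster complained about, can be checked mechanically; this is an added example, not code from the thread or from any bank, and the sample message and the allowlist of institution domains are constructed for it.

```python
"""Flag suspicious links in an HTML e-mail, the check a text-mode mail
reader lets you do by eye.

Added example, not code from the thread or from any bank. The sample
message and the list of institution domains are constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: every domain the institution legitimately uses.
# Banks often use several (citi.com, citibank.com, accountonline.com was
# the example given in the thread), which is why a list is needed at all.
KNOWN_DOMAINS = {"paypal.com"}

# Constructed sample message: one lookalike link whose visible text is a
# real-looking host, one genuine link, and one link to an unrelated site.
SAMPLE_HTML = """
<p>Your card ending in 1234 will expire soon.</p>
<p>Please log in at <a href="http://paypal.com.account-verify.example/login">www.paypal.com</a>
to update it, or see <a href="https://www.paypal.com/help">our help pages</a>.
Offer from <a href="http://www.example-deals.net">our partner</a>.</p>
"""


def host_of(url):
    """Lower-cased host of a URL or bare host string ('' if there is none)."""
    parts = urlparse(url)
    if not parts.scheme:            # bare host or host/path: treat as http
        parts = urlparse("http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def same_org(host, domains):
    """True when host is one of `domains` or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_links(html, known_domains):
    """Return [(href, text, [reasons])] for every link worth a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        if not real:                # mailto:, #anchor, empty href: nothing to follow
            continue
        reasons = []
        # 1. Visible text that looks like a host, but the link goes elsewhere.
        shown = host_of(text) if " " not in text else ""
        if "." in shown and shown != real and not same_org(real, {shown}):
            reasons.append("text shows %s but link goes to %s" % (shown, real))
        # 2. Host outside the institution's known domains...
        if not same_org(real, known_domains):
            reasons.append("host %s is not a known institution domain" % real)
            # 3. ...and it borrows the brand name (paypal.com.something.example).
            for d in known_domains:
                if d.split(".")[0] in real:
                    reasons.append("host %s imitates %s" % (real, d))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_HTML, KNOWN_DOMAINS):
        print(href, "(%s)" % text)
        for r in reasons:
            print("   -", r)
```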
Send someone a phish, get their money and teach them a lesson.
Teach someone to phish, and they may try to get your money!
Infuriate left and right
It's a stretch, but there are still ways.
A hypothetical:
I set up a website to mimic PayPal's. I sniff traffic on a network that you happen to be routed through and spot the legitimate PayPal email you received. My script intercepts that email, finds those "last four digits," and drops them into the site I set up. When you visit PayPal.com, I route your traffic to my fake PayPal site. You don't know the difference, so you continue to enter your new credit card information. Once completed, I change the routing back to normal so you don't notice anything's amiss.
The weakest part here is re-routing you to a different site... I'm not sure whether that could be done without also changing the URL in your browser, but I know there are some ways to do that (Unicode URL hack, for example).
I'm just saying, it's not beyond the realm of possibility.
Try the ING Direct site - best over-the-web security ever. You need your account number, some ever-changing specific fraction of your social security #, zip code, or other identifier, and a set of letters that corresponds to a PIN, entered by clicking a picture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.
It's a minor pain in the butt to get to your account, but definitely more secure.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
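The shuffled keypad described above can be modelled in a few lines; this is an added example, not ING's code, and it assumes a per-attempt random digit-to-letter mapping stored server-side, with a sample PIN and an injectable random source that are constructed for the demonstration.

```python
"""Per-session shuffled keypad, in the style of the ING Direct login
described in the comment above.

Added example, not ING's code. Each login attempt gets a fresh random
letter for every digit; the customer types the letters that sit under
their PIN digits; the server maps the letters back. Keystrokes recorded
by a keylogger are useless on the next attempt because the mapping has
changed. The `rng` parameter only exists so tests can fix the mapping.
"""
import hmac
import secrets
import string


def new_keypad(rng=secrets):
    """Fresh mapping digit -> letter using ten distinct random letters."""
    pool = list(string.ascii_lowercase)
    picked = [pool.pop(rng.randbelow(len(pool))) for _ in range(10)]
    return {str(d): picked[d] for d in range(10)}


def letters_for(pin, keypad):
    """Client side: the letters the customer types for `pin` on this keypad."""
    return "".join(keypad[d] for d in pin)


def digits_for(typed, keypad):
    """Server side: map typed letters back to digits; None if a letter is not on the pad."""
    inverse = {letter: digit for digit, letter in keypad.items()}
    if any(ch not in inverse for ch in typed):
        return None
    return "".join(inverse[ch] for ch in typed)


def verify(typed, keypad, stored_pin):
    """Accept the login only if the letters decode to the stored PIN.

    stored_pin is compared in the clear for brevity; a real server would
    keep a salted hash and compare the decoded digits against that.
    """
    digits = digits_for(typed, keypad)
    return digits is not None and hmac.compare_digest(digits, stored_pin)


def observer_recovers_pin(typed, keypad):
    """The caveat: whoever sees both the keypad page and the keystrokes
    (a man in the middle, malware grabbing the screen) gets the PIN."""
    return digits_for(typed, keypad)


if __name__ == "__main__":
    pin = "4821"                    # constructed sample PIN
    pad1, pad2 = new_keypad(), new_keypad()
    typed = letters_for(pin, pad1)
    print("typed on pad 1:", typed, "->", verify(typed, pad1, pin))
    print("same letters replayed on pad 2:", verify(typed, pad2, pin))
    print("observer who saw pad 1 and the keystrokes:", observer_recovers_pin(typed, pad1))
```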
identity theft. Financial institutions are so eager to sign people up for new credit cards and accounts, that they make it easy to create accounts without ever ascertaining the person's real identity. There is no excuse for this to occur, yet it falls on consumers' shoulders to prove that someone has lifted their identity. It is not so much that someone has lifted someone else's identity, as the information that is required to open most accounts is not nearly enough or secure enough to ascertain a real person. It is more like a straw man. And because there isn't the technology to do it is not an excuse for allowing the abuse. The marketplace is not created to allow faulty mechanisms and bad business that create abuse and then make the consumer responsible for the faults. Either the technology and processes exist to authenticate a person and their information or it doesn't and there is no business plan until there is. Sometimes capitalism sucks.
Have you heard of anybody who actually lost money due to phishing, and wasn't reimbursed by their bank, provided that they were willing to submit their computer to an independent third party for forensic analysis?
Maybe the situation in the U.S. is drastically different, but over here, the banks take full responsibility, and things aren't much better. We even use one-time passwords and two-factor authentication, but all this doesn't help that much if there's a trojan horse on the customer's machine.
Maybe I'm wrong, but credit cards only hold the owners responsible for at most $50 worth of fraudulent charges. My bank has the same arrangement.
Sure this doesn't cover all the time and effort I might have to go through to restore my name when people start taking out loans with my SS number, but it already is the bank (or the bank's insurer) that's going to pay for the actual lost money. It's not like I'm expected to repay that, the bank covers it. The same is true for fraudulent credit card transactions, the credit cards cover it. I don't.
Clearly they already have an interest in preventing fraud, a huge one. Clearly they don't feel that it's worthwhile to undertake serious security measures and lose customers in order to prevent the current level of fraud.
We could always change the math by encouraging fraud and making the whole business less profitable for the banks, but that's probably not what Bruce had in mind.
--
RumorsDaily
This doesn't make much sense to me... The only way the banks could do this without pissing off customers by cutting out features would be requiring more information. A bank would need to gather information at signup for a user to verify it later on. So a phisher gathers information at "signup" that should provide enough to screw the "fish" (for lack of a better term). I see no way this could work realistically without restricting access to one's account online to a single computer/IP, putting mag-card readers in every computer, or having some sort of USB key to go with the user's account. A USB key would seem like the most realistic method to go about this, but most users probably wouldn't like it, and would prefer not to have this "feature", which banks would probably not make mandatory unless it became a state law. The best method I can see is to bind the account to one computer with an SSL certificate or something, and allow the user to have a USB key to access it from other computers if they so wish to.
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
Stopping phishing requires a different approach.
Your approach has more to do with securing online transactions, which is also good. Personally, I'd prefer that I have to logon to my bank and start the transaction there. Then the details can be worked out between the bank and the vendor.
That would also be good when the bank's site comes back with "ALERT! Vendor's site has had 500 problems out of 500 transactions! Continue at own risk!"
Bruce Schneier would do well to do a little checking around before writing. In the case of frauds to financial institutions, they are out of control and getting worse by the month. That this would happen should have been obvious years ago (and was to some of us), but it has now happened. The banks can only guess who is on the other end of a wire, and the fraud detection algorithms that work based on location and purchase patterns are no longer keeping fraud down. New technology is on the way, but something that will work in the field needs to be robust and durable, and producible in tens of millions and more. Something that will work needs also to be inexpensive to make, simple, and be usable to authenticate bank to customer and customer (as an individual, not as a token) to bank, and able to sign transactions in some fashion so the customer can know what he agreed to. As I say, in the works, but some engineering is still going. What is not needed is more yahoo politicians who have no concept of what all the problems are, going and making regulations based on an idea that nothing is happening. Huge losses are happening, and be sure: that gets the attention of businessmen. That they are growing also has people's attention. Merchants are displeased too, since their chargeback losses are growing and their margins are none too thick, and that too is something that has to be part of any fix. Well, help is on the way, but it will take a bit of time to get it out, not because of ill will or desire to delay, but because the work to be done yet requires it. You'll recognize the solution when you see it.
Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away.
Isn't the responsibility already on the financial institutions? If someone takes out a loan in your name, do you really think you're required to pay it back?
The victims of "identity theft" are the banks. The consumers only pay in the form of higher fees and interest rates.
I sent a nice email to Bruce, but I didn't keep a copy (sent through Wired).
Basically, we already have this with CC numbers, it's almost no hassle at all to get unauthorized charges removed. Yet CC fraud still happens, if anything, even more widespread than before. The little 3 digit number on the back was nice, but does it really slow anything down? After all, that number is now part of the databases, just like the expiration date.
So who pays for CC fraud? The CC company? No, they backcharge the merchant. Does the merchant pay? No, he raises costs for all his customers, either in hassle proving identity, or by raising costs.
In the end the customer always pays, so we might as well make it easy for him to solve problems.
Fellowship 9/11
Apart from the phishing problem, I've never understood how the problem of identity theft arises.
Is your social security number, mother's maiden name etc. considered enough information to obtain a credit card or buy drugs in a drugstore? Some stories, like how they use some kid's SSN to buy drugs, seem very strange to me.
The banks are offering all kinds of services, which to me (coming from Europe) would seem unnecessary. In a safe economy, nobody should obtain credit in my name, right?
Not totally on-topic, but in the same vein. Does anyone know of nationwide banks with good security models? My first (local) bank had a system that limited me to a 6 character password, and I immediately dropped them. My current bank lets me have a nice long password, but that's it.
I've seen discussions of European banks issuing keyfobs with pseudo-random numbers, one-time pads, etc. Which banks in the US offer similar protection - something more than a password? Any experience with them in terms of customer service?
A couple of years ago I read that a school to which I had applied had its admissions database hacked into. Everyone who applied gave more than enough information to make identity theft a breeze. I don't think my info has been used yet, but I know that whoever has it can use it whenever they want.
The 'verification' banks use now to confirm your identity is a joke. It is negligent to issue credit or anything else based on this information but they do it anyway. Sure they take a loss, which is insignificant compared to what they make in profit. The person whose information is used has his credit ruined. They are impacted much more than the bank which recklessly put credit in their name. This is not right.
Given that the government is owned and operated by a greedy corporate conglomerate, I doubt any significant consumer protection will be passed any time soon anyway.
"Hi, this is Joe Lieberman, and I'll be your Senator today. What can I do for you? Oh? Let me transfer you to my supervisor, Senator Biden"
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
We have had reports of attempts at accessing your accoount plleeese loggin in to our s3cure surverr and enter your account a nd pass word.
Loggin here http://securebanking.slashdot.org/ Our Secure server
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
If the guy has to show up to a bank, there is a limit to how many accounts he can pillage and he will show up on the security camera.
If the guy can have a computer do it online and bounce through a cracked box, the limit is at least 1,000x greater with no danger of discovery.
How about :
- putting your picture on your cards
- requiring a pin
- designating a geographical area in which your cards work (which you can adjust if you go on vacation)
- an automated call when you purchase something online or over the phone, where you can enter your pin
- and my favourite idea - have an emergency pin number in case you've been taken to a bank machine. When you enter it, the police are notified and only $100 or so shows up in your accounts.
But wouldn't that make it easier for the bank to be defrauded by its CUSTOMERS?
Credit card companies are responsible for preventing fraud. If someone steals my CC acct # somehow, I don't pay for it, the company does. So when my card gets used on the other side of the world, or in multiple places at once, I get a call from the company to try to prevent the fraudulent transactions.
If I get an unknown transaction on my statement, one call to the company, and they look into it and figure out how it happened.
Banks currently have no responsibilities. They don't give a shit. I once received my monthly statement to see a series of withdrawals and cheques cleared that I didn't do. I called them. Their reply? Prove it wasn't you. WTF?!?!?! I told them to look at the cheques to see if I even signed them. They told me it'll cost $10/cheque and it'll be 5 business days. WTF?!?!!
Here's another stupid one. Once I wrote a cheque for $150. The person who cashed it entered it as $510 at a bank machine. The cheque cleared and $510 was taken from my account. It took me two months to resolve. And this is with a carbon copy of my original cheque.
If those fuckers were held accountable for all my banking problems, they'd be pretty damn sure to make sure the problems don't happen in the first place.
It's not about making them responsible for fraud after the fact. It's about making them responsible so that they design their systems and have safeguards that prevent it from happening. I.e. a phisher somehow gets my name and account number. This alone should not be enough to take my money.
You miss his point. What he's suggesting is a system that blocks those transactions even if the phisher has all that information.
Let's take electronic checks as an example. Currently, all I need to have to "write" an electronic check on your account is your account number. The bank'll assume the check's authorized unless you tell them otherwise (and why would you, since you don't have a clue this is happening until after the fact?). But suppose the bank made a simple change to the system, and assumed that electronic checks were not authorized unless you came to a branch in person and authorized it? Or at least authorized that specific entity to submit certain electronic checks (e.g. only once and for not more than a certain amount)? Now it doesn't matter what I know, the bank's not going to let the transaction go through until you take some action to allow it. Or I forge your driver's license and take the risk of showing up at a branch of your bank impersonating you with my face now captured on video, and security guards between me and the doors if the teller twigs fast enough.
Another way is to start authenticating the bank to the customer, as well as authenticating the customer to the bank. SSL already has the ability to do this; all that's needed is some way in the browser UI to control the set of valid certificates used to verify the SSL session, e.g. if I want to talk to Citibank I select "Citibank" from a pull-down menu and now my browser will only accept servers if they present an SSL certificate from a list I've associated with "Citibank" on my end. Now it doesn't matter how good a fake the phisher's e-mail or web site is; if they don't have the real private certificate my browser will just pop up a "Server does not belong to $BANK." error.
Disclaimer: I am employed by a large financial institution (also the reason I'm posting anonymously) and I am neck-deep in its anti-spoofing efforts.
Here's the thing. When a bank's data is stolen, they absolutely should have some responsibility for it. The trickier issue is: How much responsibility? Claiming it's 100% their fault when there's obviously a criminal committing crimes behind it... well, that's a bit disingenuous. The ways it can happen are just too varied for some blanket policy to really work. There's a vast difference between sloppy handling of backups and an inside job. You can always put more safeguards on the data, and certainly a bank should be held responsible if its data safeguards are inadequate, but at some point, some employees have to be trusted with some information in order to actually get things done.
No matter how many safeguards you put in place, the point in the process at which you have to trust people will always be a weak one. This is especially true as the potential reward grows, as it provides enticement to go to even greater lengths to assume that trusted role. No matter what anyone does, a trusted employee of 20 years with the highest level clearance possible, one who passed any number of background checks (and, for that matter, has never had so much as a parking ticket), who has patiently awaited his opportunity for all these years, could one day decide it's time to make off with everything he has access to.
The really bad idea here, though, is the phishing side of it. While I respect Mr. Schneier's credentials in the security world, he seems to be deficient in common sense. Any identity theft has at least two victims: the customer and his financial institution. Frankly, the technology doesn't exist for banks to outright prevent phishing just yet (the sorts of technology that require industry standardization to be effective, meaning the banks cannot effectively just "roll their own"), and there's a social aspect to it that may NEVER be solved. Any Slashdot geek who's been frustrated by a computer-illiterate friend or family member repeatedly doing something harmful (such as opening untrusted email attachments or allowing ActiveX controls to install), no matter how often they're told not to, knows exactly what I'm talking about. You can tell them not to click links in emails, you can tell them the mail must always look like *this* to be real, you can tell them you never send emails asking for any personal information, and they'll ignore it all if they receive one that looks sufficiently legitimate to the untrained eye.
So what are we going to do in the meantime, while many financial institutions work on educating customers, and are shepherding and even driving efforts to develop technical solutions to email and URL spoofing and secure authentication? Should we try harder to prosecute the perpetrators? To find diplomatic solutions to the problem of locating foreign perpetrators? To hold responsible the ISPs that allow these to be sent and hosted by their customers? No, no, let's punish one of the victims.
Brilliant.
idealists, listen up: you can't have it both ways
you can't have robust security and easy convenience at the same time
you can have one, or the other, or a half-hearted mix of both that satisfies no one (like we have now), but that's it
if you understand this, then fine
but what i don't want to see is the usual suspects railing about the rise of big brother, and, at the same time, railing that bank customers should make their banks the masters of their personal information to conveniently protect them from themselves
if you are asking for banks to control your personal information, make sure you know what you are really asking for and the ramifications of that: becoming a ward of the bank, giving the bank the keys to your life, asking for big brother to enter your life
maintain some logical consistency in your worldview and study all the ramifications before you idealistically ask for everything, even for things, if you thought about it, wind up contradicting each other
such as ironclad security and superconvenience
as a segue, we can talk about privacy idealists too: sometimes, you have to drop your pants to do some kinds of business in this world, if you know what i mean
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Does this mean that some one will be selling me a Paper Shredder for my emails?
Dr. Retarded Check out what they have done now.
The problem is using a system that was never designed for security (email) in a situation where security is critical.
Email is used because it is easy to use and just about everyone has an address now. But that doesn't make it the best choice for this. It's just about the worst choice.
... both retinal and brain wave scanners will now be required for all Bank of America customers to access their account balance.
Most online banking sites I know specifically tell you on a regular basis to *DELETE* any emails in regards to banking and passwords, etc. etc. We aren't talking about making banks responsible for hacked accounts, etc., but for the stupidity of customers who disregard both common sense and warnings to endanger themselves.
Personally, I see a greater risk in spyware than phishing. It requires a certain degree more stupidity to enter your personal details in myb@nk.com than it does to log into your banking site as normal and get your password snarfed by a keylogger, etc.
What I would like to see is banks held more responsible in keeping the safety of debit accounts of responsible users. There are instances where fake banking machines are set up to capture PINs and magcard signatures, as well as situations where cameras and card readers placed over the slot on legitimate machines snag customers' numbers. When it comes to actual bank equipment, or when people are able to impersonate legitimate physical equipment, the bank still often says 'tough luck' where they should be held responsible.
Make financial institutions pay? If someone buys a knock-off Rolex from a street vendor, is Rolex liable when the purchaser figures out it is a fake?
Try the ING Direct site - best over the web security ever. You need your account number
Enter Account Number: [_______________]
some ever changing specific fraction of your social security #
Which wouldn't be hard to phish. Off the top of my head, I can think of two ways of doing this:
zip code, or other identifier
Enter ZIP Code: [________]
and a set of letters that corresponds to a pin that are entered by clicking a picture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.
This one is especially interesting and confusing. So they give you a number pad that would be something like:
1 = s, 2 = q, 3 = w,
4 = i, 5 = r, 6 = k,
7 = i, 8 = n, 9 = g,
0 = y
Anyone have any more info?
Adding security is not something that comes from your everyday business case: apart from additional costs there's ease of use (and acceptance etc.) to be lost. This is why it is still possible for me to instruct someone by phone to handle my bank account, while at the same time I cannot do the same with the software requiring the dongle in my pocket. I don't think the stick Bruce proposes will break on the state of the art in secure communication. Didn't I put this nicely?
#1. Acquire the 4 digits. Unless you're running your own email server, the email will be handled by someone else. Where I work, I keep every email going out or coming in. If someone sent that email to anyone where I work, I would have it. All it takes is one guy in the right location at google.com or earthlink or AOL and thousands of these would be collected.
#2. Fake the site. This is the easy part.
#3. Get the traffic to the fake site. Again, this will require ISP access (see #1). But it would be simple for the right person to set that up in the DNS servers.
So, all it takes is the right person in the right job at an ISP.
And that doesn't even begin to scratch the surface of what organized, technical criminals can do with a database.
I don't know that the rotating key is necessary, but RSA smartcards are a wonderful way to authenticate yourself without divulging information that would enable a third party to impersonate you, and their use need not be any more complicated than running a card through a reader or plugging a token into a USB port. Why we even use credit card numbers anymore is a mystery to me.
You might be able to avoid being a victim of phishing, but there are other ways you might fall victim to identity theft that are beyond your control (unless you don't use a credit card or divulge sensitive information to anyone, and that's hard to do in our society). The problem is that many organizations who have access to personal data don't have significant incentive to protect that data. It's not their problem if someone steals thousands of credit card numbers off their servers... (Once again, RSA would do wonders to mitigate many of those risks.)
But because of the limits on how many accounts can be pillaged and the ability to publish the "wanted, dead or alive" posters, it wasn't so bad before. If your account was pillaged, the bank and you and the cops could verify that it was the same guy who pillaged 20 other accounts last month.
Because there was more risk and more effort, it was not as common as it is now.
If the thief has to steal your token in addition to your info, he is at least prevented from doing it all from his comfy arm-chair.
Years ago (I'm talking the 1970's here folks), the credit card companies had anti-fraud units that would circulate and track credit cards with "tripwire" numbers that they let fall into the hands of crooks. Do you think that a lot of crooks were caught? No. Most local law enforcement had little interest in chasing petty fraudsters for a credit card company halfway across the country. Not unless the crooks were so big that they attracted the attention of a big city bunko squad.
In the year 2005, credit card companies could use coded credit card numbers to catch phishers. They don't bother.
Banks could use tripwire accounts to catch phishers. They don't.
Do you really think that law enforcement is ready to catch phishers? A lot of spam cases are in civil court, not criminal court. The law and law enforcement lag far behind on Internet issues.
vb
Yep, if they're running the wrong email client, you could send an exploit that cracked their hosts file. This might not net as many people as the DNS method would ... but if you have cracked their machine, you can just log their keystrokes without going through the other steps.
If this happens why don't we remove all personal responsibility... if I shoot someone, we can hold glock responsible... if I break into someone's house, we'll hold stanley responsible... if I hit someone with my motorcycle, we can hold suzuki responsible....
Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
People seem to lack understanding when it comes to financial fraud, and who perpetrates much of it. I'd like to relate to you something that happened to my friend's father, who works as an administrator at a retirement home. A couple of years ago it was reported to him that checks were being stolen, forged, then cashed. He reported this to the police and called the fraud department at Bank of America. He received a reply. They told him to stop getting involved before he got killed. In his area, he was up against the Russian and Armenian mafias.
I only tell you this because banks simply aren't equipped to go up against organized crime. Problems such as these must be dealt with by government authorities. That doesn't mean that banks can't help through better verification procedures, or by better securing customer information, but to lash out in frustration by saying that banks should shoulder complete responsibility is either irresponsible journalism or naivete on the part of Mr. Schneier.
Right now people can be somewhat proactive against fraud. Be careful who you are dealing with. Phony emails often have phony headers and always go back to phony websites, so check those URLs. Don't give personal info over the phone, either. If something does happen, report it to the bank right away and notify all three major credit reporting agencies. Remember to use change of address forms when you move. Don't just toss documents with critical information in the trash; shred them first. One more thing that you can do: once a year you are entitled to see and review your credit report. Do it. You do not have to pay for it, and you do not have to mess with outfits like freecreditreport.com et al.
I like to think of this line when it comes to protecting identity, "I may be paranoid, but that doesn't mean that someone isn't out to get me."
https://secure4.ingdirect.com/tpw/InitialINGDirect.html?command=displayLogin&device=web&locale=en_US
ING started by notifying customers it was changing, and now it's here.
Any ING customer used to their old login knew they were typing fractions of numbers to begin with. Now they don't type their pin number ever.
My mom says I'm cool.
This is kind of like the auto industry. A safe well trained driver doesn't need seat belts, air bags and crumple zones. But for the rest of us they are great ideas.
In the past many cars were very unsafe. Read "Unsafe at Any Speed" for more on that. By making the auto industry responsible for its product, things improved greatly.
If it happens once, then it was a fluke. If it happens many times, then you have a problem with the product, in this case banking.
Phishers don't steal information from the bank, they con it out of you. It's the difference between someone forging checks on your account and giving someone $20 for the old 'I bet I can tell you where you got your shoes' routine. Making the bank responsible isn't going to stop people from doing stupid things with their financial information.
Anyone who logs into www.thisisntPAYPAL.com or www.CITYBANK.asdf.fr should be somewhat responsible for the screwing they've earned. The people who think they've won the canadian/nigerian lottery really deserve it.
Pharming, OTOH, is a completely different story. Banks should be responsible for monitoring the DNS entries for their transaction sites. If their site ever gets compromised, they should bear the burden of verifying customer IDs and getting customers to change passwords.
Even organizations that should know better sometimes fail to do this. I once received an email message from an address at openvenue.com claiming to be from the ACM and asking me to go to confirmit.com to fill out a survey. Imagine my surprise when it turned out to actually be from the ACM. (To add further insult, when I emailed the ACM about it, the two line response was followed by two copies of a ten line signature, without delimiter. Sigh.)
It seems like any university that claims to give a well-rounded liberal arts education should include a course that covers issues of computer-related common sense and etiquette, such as "don't give your account details to strangers" and "don't use a signature 10 times as long as the body of your email."
Banks make money selling you fraud protection, credit bureau monitoring and all that rot. Why would they want to cut off this revenue stream? The threat of fraud makes more money for them. This is the free market at work. Since capitalism is the most ideal economic system, it follows that the bank fraud situation that results is also optimal. We simply cannot do any better than what the Invisible Hand can do.
Edith Keeler Must Die
There is a very simple solution to the entire phishing problem. A solution implemented in all major browsers. A solution that no bank that I know about actually implements.
There is no reason to base authentication on transfer of any shared secret (password, SSN, etc.) between client and bank. All that has to be done is:
1) Have the bank authenticate the customer.
2) Have them both use a key that would be unknown to a third party.
This can be easily done with Zero Knowledge Proof and a DH key exchange. The basic idea is that the bank knows it's clients' public keys and you know the bank's public key. Using both public keys and your secret key, both you and the bank can generate a unique key unknown to a third party, under which you can encrypt the session key.
The end-user only has to authenticate to its local key store, be it implemented in software, or better in hardware. If a phisher steals the password for the local password store, they still cannot login to the bank, because they need access to the media (dongle or hard disk). If a phisher impersonates the bank, they will get authentication data, but get the session key, and in any case, will not be able to authenticate for the bank. The only thing a phisher might do is present you with false information and get you to issue commands to a fake bank, but not get any access to your account.
On the perspective of the end-user, this system is simple as attaching a USB key to the machine and typing a PIN in a dedicated prompt.
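An added example, not the comment author's code or any bank's software: the exchange sketched above as a static Diffie-Hellman agreement between a customer who already holds the bank's public key and whichever server answers, with HMAC key confirmation standing in for the zero-knowledge step. The group parameters (a Mersenne prime with generator 3), the nonces and the `run_login` helper are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Toy group parameters, constructed for this example: the Mersenne prime
# 2^521 - 1 with generator 3. A real deployment uses a standardized group
# (an RFC 3526 MODP group or an elliptic curve); these are only here to run.
P = (1 << 521) - 1
G = 3
P_BYTES = 66  # 521 bits rounded up to whole bytes


def gen_keypair():
    """Long-term key pair; the public half is what each side knows about the other."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def agree(my_priv, peer_pub, client_nonce, bank_nonce):
    """Static DH: the same secret falls out of (my private, your public) on both
    sides. Mixing in fresh nonces binds the session key to this one run, so a
    recorded exchange is useless later."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big") + client_nonce + bank_nonce).digest()


def confirm(session_key, role, client_nonce, bank_nonce):
    """Key confirmation: proves possession of the session key, and hence of the
    private key behind it, without ever sending either (the 'zero knowledge' part)."""
    return hmac.new(session_key, role + client_nonce + bank_nonce, hashlib.sha256).digest()


def run_login(client_keys, server_keys, pinned_bank_pub):
    """Runs the exchange and reports (server_authenticated, client_authenticated).

    client_keys:     the customer's (priv, pub)
    server_keys:     the (priv, pub) of whoever is answering the connection
    pinned_bank_pub: the bank public key the customer already holds
    """
    client_priv, client_pub = client_keys
    server_priv, _ = server_keys
    client_nonce, bank_nonce = secrets.token_bytes(16), secrets.token_bytes(16)

    # The customer derives the key against the *pinned* bank key, never against
    # whatever key the peer presents; the server uses the private key it holds.
    k_client = agree(client_priv, pinned_bank_pub, client_nonce, bank_nonce)
    k_server = agree(server_priv, client_pub, client_nonce, bank_nonce)

    # The bank proves itself first. An impostor without the bank's private key
    # derives a different k_server, its tag fails, and the customer aborts
    # before sending anything a third party could reuse.
    bank_tag = confirm(k_server, b"bank", client_nonce, bank_nonce)
    if not hmac.compare_digest(bank_tag, confirm(k_client, b"bank", client_nonce, bank_nonce)):
        return False, False

    # Only now does the customer answer; the tag carries no password or secret key.
    client_tag = confirm(k_client, b"client", client_nonce, bank_nonce)
    client_ok = hmac.compare_digest(client_tag, confirm(k_server, b"client", client_nonce, bank_nonce))
    return True, client_ok


if __name__ == "__main__":
    bank = gen_keypair()
    customer = gen_keypair()
    impostor = gen_keypair()  # knows the bank's public key, not its private key
    print("genuine bank:", run_login(customer, bank, bank[1]))      # (True, True)
    print("impostor:    ", run_login(customer, impostor, bank[1]))  # (False, False)
```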
Make even shorter URLs - 8LN.org
Blaming banks for phishing is like blaming the woman for being raped because she's pretty and attracted the attention of the rapist by wearing a skirt above her ankle. It's the same old same old, predictable rants against the USA, government, big, bad banks. Hey! Why isn't Microsoft responsible? But here's the deal:
You need to take some responsibility yourself and enter into a partnership with your bank. That's right. I've been the 'victim' of credit card fraud twice, and the victim of an over-reacting bank once. They cut off my card, without telling me, simply because the replacement took too long to arrive. This caused me to be 'off the grid' for a spell (of anxiety), but it was really my own fault for not having a good back-up plan.
So I called up my bank and over several days and calls we developed a plan that would ensure I wasn't dead in the water if this ever happened again. I don't need to tell you exactly what the plan is, though you can probably guess. It entails multiple levels of security so that both the bank and I are better protected. I can call a live body 24/7. I inform them if I'm hopping over to, say, England for a month. They call me if something weird comes down the pike (like someone from Belarus trying to charge $1200 of health food products on my card). This way, we help each other.
If you insist on believing and acting as if every other institution that is a part of your life is out to get you, then why not go off in the woods somewhere, make yourself a small cabin, and send in your bombs by parcel post. Oops, yeah. I forgot. That would be the fault of the post office.
How about a moderation of -1 pedantic.
One serious problem is the difficulty with credit reporting agencies. I don't understand why, when you have a case open with the Secret Service, the "big three" aren't required to flush your account, set up a new SSN and reporting info, and restore your rating based on the FICO you had before the breach occurred. Voila, you're golden again! All of your current accounts can be identified and made aware of the change and a special notation can be on the account that some history is unobtainable due to identity theft.
If I read all the descriptions of the USA banking security, I get really scared. To give a demo of something that actually works, I'll tell you how my brother uses his internet banking for, I believe, his account in the Netherlands (it might be here in Belgium, too).
* Usual stuff: https, etc
* Banks don't put URLs in the e-mail, and say so. Banks warn about phishing
* Most interesting: he got a little calculator-like box (a physical device, not something on the computer with internet!). The bank site displays a number. He enters it in the box. He also enters his secret code. The box does something cryptographically, and answers with another number. This resulting number has to be typed into the banking site, alongside his account number and password.
Very secure, yet quite quick and easy to use (yes, non techies do survive this procedure).
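An added example, not the bank's device or the commenter's code: the challenge-response step described above, modelled as an HMAC over the bank's challenge under a device key that the secret code unlocks, with a bank side that issues single-use challenges. The device secret, account number, PIN values and the `demo` helper are constructed for this example; it also shows what a captured response is worth on a later session and what a wrong code does.

```python
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 8


def derive_device_key(device_secret: bytes, pin: str) -> bytes:
    """The secret code unlocks the device: every response is keyed by (secret, PIN),
    so a wrong PIN silently yields wrong responses instead of an error to iterate on.
    (Simplification: a real device also enforces a retry limit.)"""
    return hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()


def token_response(device_key: bytes, challenge: str) -> str:
    """What the calculator-like box prints for a displayed challenge: an HMAC over
    the challenge, reduced to a number short enough to type back."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class BankServer:
    """Bank side: its copy of each device key and one outstanding challenge per account."""

    def __init__(self):
        self.device_keys = {}
        self.pending = {}

    def enroll(self, account: str, device_secret: bytes, pin: str) -> None:
        # Enrollment happens out of band (the box is mailed, the code set at a
        # branch); afterwards neither the secret nor the PIN crosses the wire.
        self.device_keys[account] = derive_device_key(device_secret, pin)

    def new_challenge(self, account: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[account] = challenge  # replaces any earlier challenge
        return challenge

    def verify(self, account: str, response: str) -> bool:
        challenge = self.pending.pop(account, None)  # single use: consumed on first try
        if challenge is None or account not in self.device_keys:
            return False
        expected = token_response(self.device_keys[account], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Three logins against a constructed account; returns which ones the bank accepts."""
    bank = BankServer()
    device_secret = secrets.token_bytes(32)  # burned into the box at manufacture
    bank.enroll("NL-0001", device_secret, pin="4711")

    # 1. Genuine login: the customer keys the displayed challenge and code into the box.
    challenge = bank.new_challenge("NL-0001")
    response = token_response(derive_device_key(device_secret, "4711"), challenge)
    genuine = bank.verify("NL-0001", response)

    # 2. Someone who captured that response (plus account number and password)
    #    tries it on a fresh session: the challenge has moved on, so it fails.
    bank.new_challenge("NL-0001")
    replay = bank.verify("NL-0001", response)

    # 3. Right box, wrong code: the derived key differs, so the response does too.
    challenge = bank.new_challenge("NL-0001")
    wrong_pin = bank.verify("NL-0001", token_response(derive_device_key(device_secret, "1234"), challenge))

    # What this does not stop: a trojan on the PC, or a real-time relay that forwards
    # the bank's challenge to the customer and the answer back, which is the
    # residual risk raised elsewhere in this thread.
    return {"genuine": genuine, "replay": replay, "wrong_pin": wrong_pin}
```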
I think the only way the banks can make a dent in this is by sending a snail mail to all their customers, stating that they will NEVER send them any emails no matter what. If they did that, then they'll have to stop, and you have to login to write/read communication to/from the bank.
There's a name for what you think is so dumb: Identity Theft Insurance. If you know somewhere to buy it, send me the URL.
Just like health insurance, it will be completely useless... that is, until John Q. Mafioso puts his yacht on your Citibank Visa.
Q: What did the comedian say to the crowd?
A: If I knew, this joke would be funny.
I agree that more identification hoops, and other usability nightmares, would occur if this was just dumped on the banks.
A simple solution is to see how phishing would be prevented in the real world. I see two real-world issues: fraud, and trademark infringement.
If a fake Citibank office popped up beside my local milk-bar, bearing all the marks of a Citibank, I would expect helicopters to appear shortly after the signs went up.
When a bank does not protect its branding, online or offline, it should not be allowed to operate, because by operating, customers are at risk of being fleeced.
So to ensure banks don't push the problem onto the client, banks should be required to protect their trademarks adequately, otherwise they lose the right to trade online, and/or need to reapply under a different name to become a financial institution. The repercussions would need to be carefully considered. To address the problem, financial institutions may join forces, or could outsource the brand protection to companies that have bots that scan the web or something similar.
Also, I would like to see clear statements from the bank on how they handle fraud, and what assurances they will give customers that are the subject of fraud. It should be like a privacy policy -- informing the client of what actions they will take, and when they will reimburse the client. Obviously, they don't make claims like this because they are not statistically immune to those types of fraud. They should be!
Yes, we know who Bruce is. Sounds like fun!
and so have other people. For obvious reasons, banks don't want it, and they have the power to prevent it.
The Banking Industry has already dealt with this issue; basically, the law they had passed says they're not responsible. And you changing their law is going to be a hard sell.
But let us consider if you are the victim of credit fraud. Person-A walks up with:
1. your Birth date on a Birth Certificate, all legal looking.
2. your Drivers License Number with Person-A's picture on it, all legal looking.
3. your Social Security Card, all legal looking.
4. a cell phone that the phone company associates with your name.
5. an address that the post office associates with your name.
6. 5 business 'references' that will back up what ever Person-A says.
Or, my personal favorite:
Company-B pays Big Faceless Corporation that sells credit info online, and then proceeds to suck down ALL this data, and then proceeds to use said data with a cell phone and an AOL/Earth-Link account combined.
And how can I think of all this nonsense? For the last 3 years I've been speaking ISO-8583, and listening to the horror stories over at customer service.
Yeah, let's make someone else responsible for me being a dumbass, and make it harder for everyone else to do business with their own financial institution because I'm too stupid to realize the email is a phish scam.
Sorry, that falls into survival of the fittest. If you're too stupid to keep your money, you don't deserve it.
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
After all my check should not work if I do not have the money to cover it. But seriously, the real problem is that credit is so easy to get. Fix that by realistic legislation that would require me to be there in person with my ID pic MATCHING my face. Opening credit accounts usually are too easy because merchants get money for having people open them, that is a stupid idea.
One of the biggest misconceptions of credit card companies is how they "protect" the consumer from credit card fraud. In actuality, the credit card company passes whatever risk they have in each transaction to the merchant who receives the credit card for merchandise purchased from their site.
In other words, the merchant relies on the credit card company to validate a charge made for product. If that charge turns out to be fraudulent, the credit card company pulls that money from the merchant. At this point the merchant has lost both the monies paid for the product but also the product itself.
Why would the credit card companies even care to create more fraud prevention methods? To them it is a perfect system.
I've always thought it would be nice if everyone had a two way pager to authorize financial transactions. It could use a certificate (dual key technique) to authenticate that it was *your pager*. So, when you go to buy something online, or in a store, or whatever, the transaction doesn't go through until you are paged and then press the "authorize" button on the pager.
The effect would be that if a Phisher or any fraudster tries to access your account, you get paged and you see the amount and the store and you hit "don't authorize". Ba-da-bing.
I'd gladly pay for the cost of the pager and the service for this.
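Added example, not from the thread: what the "press authorize on your pager" flow looks like as code. The pager holds the private half of the key pair and the bank stores only the public half, so the bank settles a charge only if the registered device signed exactly the transaction it displayed (id, merchant, amount, nonce, expiry). The account names, merchant names and amounts are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Transaction is what the bank pages to the customer before any money moves.
// Every field is part of what the pager signs, so nothing can be altered in transit.
type Transaction struct {
	ID       string    // bank-side reference (constructed values below)
	Merchant string
	Cents    int64
	Nonce    string    // fresh random value per transaction; defeats replay
	Expires  time.Time // authorization window
}

// Canonical returns the exact byte string that is signed and later verified.
func (t Transaction) Canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s|%s",
		t.ID, t.Merchant, t.Cents, t.Nonce, t.Expires.UTC().Format(time.RFC3339)))
}

// Pager holds the private half of the "dual key"; the bank only ever stores the public half.
type Pager struct{ priv ed25519.PrivateKey }

// NewPager creates a device key pair; the public key is what the customer registers with the bank.
func NewPager() (Pager, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Pager{priv: priv}, pub
}

// Authorize is the "press the authorize button" step: the device signs the transaction it displayed.
func (p Pager) Authorize(t Transaction) []byte {
	return ed25519.Sign(p.priv, t.Canonical())
}

// Bank keeps registered pager keys and the nonces it has already honoured.
type Bank struct {
	pagerKeys map[string]ed25519.PublicKey // account -> registered device key
	used      map[string]bool              // nonces already settled
	Now       func() time.Time             // injectable clock for testing
}

func NewBank() *Bank {
	return &Bank{pagerKeys: map[string]ed25519.PublicKey{}, used: map[string]bool{}, Now: time.Now}
}

func (b *Bank) RegisterPager(account string, pub ed25519.PublicKey) { b.pagerKeys[account] = pub }

// NewTransaction is what a merchant's charge request becomes before it is paged out.
func (b *Bank) NewTransaction(id, merchant string, cents int64) Transaction {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Transaction{ID: id, Merchant: merchant, Cents: cents,
		Nonce: hex.EncodeToString(nonce), Expires: b.Now().Add(2 * time.Minute)}
}

// Settle moves money only if the registered device signed exactly this transaction, once, in time.
func (b *Bank) Settle(account string, t Transaction, sig []byte) error {
	pub, ok := b.pagerKeys[account]
	if !ok {
		return errors.New("no pager registered for account")
	}
	if b.Now().After(t.Expires) {
		return errors.New("authorization expired")
	}
	if b.used[t.Nonce] {
		return errors.New("authorization already used (replay)")
	}
	// A stolen login, or a forged/altered transaction, fails here: only the device key can sign.
	if !ed25519.Verify(pub, t.Canonical(), sig) {
		return errors.New("signature does not match the paged transaction")
	}
	b.used[t.Nonce] = true
	return nil
}

func main() {
	bank := NewBank()
	pager, pub := NewPager()
	bank.RegisterPager("alice", pub)

	t := bank.NewTransaction("tx-1001", "Example Books", 4599) // constructed charge
	fmt.Println("legit:", bank.Settle("alice", t, pager.Authorize(t)))

	// Someone who phished alice's login still has nothing the bank will accept for a new charge.
	phish := bank.NewTransaction("tx-1002", "Other Store", 99900)
	fmt.Println("login only, no pager:", bank.Settle("alice", phish, nil))

	// Altering the amount after the customer approved it also fails.
	approved := bank.NewTransaction("tx-1003", "Example Books", 1000)
	sig := pager.Authorize(approved)
	approved.Cents = 100000
	fmt.Println("tampered amount:", bank.Settle("alice", approved, sig))
}
```

The nonce and expiry are what make this more than "sign the amount": without them a captured approval could be fed back to the bank later, and the two-minute window matches the "right now" nature of a page.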
Avoid Missing Ball for High Score
- Lack of incentive to fix the problem, because they're not at risk
- Risk that tools they can use against phishers will backfire and cost them lots of money.
The combination of the two means that most of them aren't doing much to fix the problem. If your credit card gets phished, and some merchant accepts it, usually your risk is limited to $50, but the merchant gets dinged for the loss, not the credit card issuer, at least if the merchant does this very often. If your bank info gets phished, and the thief withdraws all your money, bummer for you, but the bank doesn't lose it. If the phisher tricks you into revealing all your ID details as "identification", in addition to your account number, then the phisher can make more money selling your identity than on the specific credit card.
There's a very effective tool that most of these providers *could* use if they wanted to - creating fake account numbers that cause transactions by the phishers to get flagged. So you send them the phishing mail, they go to the phisher's website and enter the fake info, and when the phisher tries to spend it, you trace him. Of course, the bank needs to do this in a way that the *bank* isn't breaking laws against fraud etc. by doing it, and if the method becomes popular, some phishers will find ways to frame real people and flood the net with those phishes, so that the banks start losing lawsuits for busting the wrong people.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
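Added example, not from the thread: the bank-side half of the "fake account numbers" idea above. Canary numbers are given a valid Luhn check digit so they look like any other card number, are only ever entered into phishing sites, and the authorization log is scanned for any use of them. Because of the framing problem the post raises, the output is an investigative alert (when, which merchant, how much), not an automatic block. The log lines, account numbers and merchant names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert records one use of a canary number: when it surfaced, where, and how much was attempted.
type Alert struct {
	When, Merchant, Account, Amount string
}

// luhnCheckDigit computes the trailing digit that makes payload+digit pass the Luhn check,
// so a canary number survives the format checks a phishing form or processor applies.
func luhnCheckDigit(payload string) int {
	sum := 0
	for i := len(payload) - 1; i >= 0; i-- {
		d := int(payload[i] - '0')
		if (len(payload)-1-i)%2 == 0 { // double every second digit from the right, starting with the rightmost
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return (10 - sum%10) % 10
}

// MakeCanary turns a 15-digit payload (constructed here) into a Luhn-valid 16-digit number.
func MakeCanary(payload15 string) string {
	return payload15 + fmt.Sprint(luhnCheckDigit(payload15))
}

// CanaryWatch is the bank-side register of numbers that were only ever handed to phishing sites.
type CanaryWatch struct{ canaries map[string]bool }

func NewCanaryWatch(numbers ...string) *CanaryWatch {
	w := &CanaryWatch{canaries: map[string]bool{}}
	for _, n := range numbers {
		w.canaries[n] = true
	}
	return w
}

// Scan reads authorization-log lines in a constructed "k=v k=v" format and returns one Alert per
// line whose account is a canary. A canary has no legitimate holder, so any use is worth a look;
// it is a lead for investigators, not proof against whoever is behind the merchant account.
func (w *CanaryWatch) Scan(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := map[string]string{}
		for _, kv := range strings.Fields(line) {
			if k, v, ok := strings.Cut(kv, "="); ok {
				fields[k] = v
			}
		}
		if w.canaries[fields["acct"]] {
			alerts = append(alerts, Alert{When: fields["ts"], Merchant: fields["merchant"],
				Account: fields["acct"], Amount: fields["amount"]})
		}
	}
	return alerts
}

// SampleLog is a constructed authorization log; the two canary numbers never belonged to anyone.
var (
	Canary1   = MakeCanary("400000000000001")
	Canary2   = MakeCanary("400000000000002")
	SampleLog = "ts=2005-10-10T08:01:22Z merchant=example-books acct=4000111122223333 amount=45.99\n" +
		"ts=2005-10-10T08:03:09Z merchant=unknown-parts-reseller acct=" + Canary1 + " amount=999.00\n" +
		"ts=2005-10-10T08:07:41Z merchant=corner-grocery acct=4000444455556666 amount=12.10\n" +
		"ts=2005-10-10T09:15:00Z merchant=unknown-parts-reseller acct=" + Canary2 + " amount=1250.00\n"
)

func main() {
	watch := NewCanaryWatch(Canary1, Canary2)
	for _, a := range watch.Scan(SampleLog) {
		fmt.Printf("%s canary %s used at %s for %s\n", a.When, a.Account, a.Merchant, a.Amount)
	}
}
```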
Why do I give my credit card info to the vendor?
Why don't I get a token from the vendor that I give to my bank and the bank transfers the money for me?
For added security, the bank can even call my home/work phone number "This is to verify that you are placing a charge of $x at vendor y right now. Press 1 to continue this transaction."
The best part is that the vendor will NEVER know you account info. And the banks should already have the technology to do that.
All of a sudden, online fraud drops to almost nothing.
Not to mention that the bank can give you some statistics on that vendor's past financial dealings and COMPLAINTS.
I deal with 50+ hospitals on a regular basis, all of them have spent unbelievable amounts of money on HIPAA compliance, and all of the data they transfer into my systems is as secure as possible given the current state of encryption technology.
[Knocking]
Doug: Hello, sir.
Peter: Enough with the foreplay. What are you selling?
Doug: Well, I was gonna try to sell you some "handsome cream" but I can see you already bought out the store!
Peter: Go on.
Doug: Perhaps you'd be interested in something every homeowner cannot be without.
Doug: Volcano insurance!
Peter: Go on.
Doug: According to my uncle, who's a real whiz with volcanoes, a volcano is coming this way!
Peter: [Thinking]: I, too, have an uncle.
Peter: Come in.
Peter: How much is this volcano insurance?
Doug: I don't know. Let's say, $200.
Peter: $200? That's more than I spent on all that handsome cream.
Peter: I don't have that kind of money!
Doug: What about that jar of money?
Peter: No way! That's Lois' rainy day fund.
Doug: Come on, it never rains in Rhode Island.
Peter: Yeah, but I'm pretty sure we've never had a volcano either.
Doug: Well, don't you think we're overdue for one?
Peter: Touche, salesman.
Yes, that's an interesting argument, and I wonder why no one has used that rationale before. You would think banks or any company would be outraged at millions of emails/websites floating around the internet claiming to be them...
But why should they care?
As TFA states they only have to keep their "costs of fraud" account flush with the miniscule amount necessary to do business. It's a "cost of doing business"...
We play the game with the bravery of being out of range
Would it help if one were to develop a cross-platform, secure application for connecting to financial institutions? Maybe each institution could apply for a certificate and the application would only connect to sites that you have accounts with. Sure, there would still be ways around the security, but if people couldn't access banking via the web, but needed a separate application, then maybe phishing attacks wouldn't work.
Needs a lot more thought, but maybe it's an idea.
Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
I love the folks who sell their latest and greatest encoding schemes for mail messages, like HTML, MS-Word, quoted-printable, base64 etc.. Perfect breeding environment for phishing attacks. Sure, you can rightfully blame Microsoft. But then also blame the developers of Pine and MIME. Same junk, just with a bit of penguin dung. What was actually wrong with plain simple ASCII text mail messages? Or take web sites and HTML. Why do we need JavaScript on the Citibank web pages? Or Macromedia Flash files for Citibank's "secure" virtual account numbers? This kind of software was developed for entertainment purposes, not bank transactions. Maybe the people who develop and sell such stupid solutions are also the ones who benefit from fixing the problems, because it keeps them employed. Make the banks and their software developers responsible for their mistakes, and we get secure, simple solutions.
I believe in the US of A, your liability for fraud on CC is limited to $50, although most CC companies waive that to $0. It's a pain, but it's often okay...
However, once a phisher has enough info on you they can do things that you aren't aware of and will not catch until it's really far too late. For example, they'll go buy a used car and finance it with the used car dealer backed by a credit card and then sell the car for parts. Some used car dealers take just about any credit indication (e.g., the fact that you have a credit card) because they sometimes make money by selling/repo-ing the same cars over-and-over to people that have marginal credit. They can also rent furniture, electronics, and major appliances (and resell them), and sometimes they can open credit union accounts and write overdrafted checks which are kited at pay-day-advance loan stores and so on. Of course they don't use your address and phone number on any of these additional credit applications, so it's pretty hard for you to track...
By the time you find out about all your potentially fraudulent accumulated liability, you are getting non-stop harassing phone calls from some ABC collection agency that doesn't really care how your name got into their to-be-tracked-down-and-harassed list. Then you spend a year cleaning up the whole mess on your credit report.
If you don't think this is possible, go into a store that usually sells/rents items to people with less than stellar credit and see if you can get store credit with only a major credit card number, a temporary driver's license (one w/o a photo), and a university id (that is trivial to forge). You may be shocked...
...is forward all obvious (I can't brag about my geekQ) phishing attempts to the actual sites with a message, pointing out the fraudulent links. To date, no one from any of the banks and lending institutions has replied; I presume they take no action, since I continue to get e-mail from the same putative companies. Still, I feel like it's my job to take *some* kind of action against those who would take my money if I were a little slower.
I love returning memory chips, DVD-burners or motherboards that don't work.
Ahhh, the trip back and the long, long wait in the customer service line.
I think the poster has a point. I've not had a problem with my bank, but I did have a situation with a cellular phone company that issued an account in my name to someone who was pretending to be me. My conclusion from that experience was that the phone company was much too eager to open a new account without due diligence. Ultimately I didn't have to pay anything, but the experience was moderately expensive in terms of time and fees for certified mail, etc., and quite unpleasant. A simple legal principle something like "if you give someone who claims to be me some money, and it turns out not to have been me, too bad for you" is what I'd like to see. I think then we would see some real attention paid to the problem of securing transactions over the Internet and the POTS. Yes, I suppose this would make it more expensive for banks and others to do these transactions, but it seems that a reduction in fraud would make their overall expenses lower over time. Under the present system, much of the risk and frustration is borne by the consumer, who can do little to prevent fraud other than follow the boilerplate advice given out by government and commercial representatives.
"This will mean that banks will be forced to put their customers through more and more identification hoops than they already do. We will be inconvenienced even more and all because of the phishers. They are criminals like any other, and it's the governments responsibility to deal with them."
There is ALWAYS a tradeoff between security and convenience. I would happily tolerate a bit more inconvenience to have less worry about the wide variety of identity scams.
Perhaps you don't care enough about your money to be inconvenienced. In that case, you can leave it in an account I'll set up which will provide you with very convenient access to it (or whatever fraction is left after any unfortunate events, for which this custodian will in no circumstances be liable in any way)...
Lieberman voted against Bill (S. 256 As Amended) Bankruptcy Abuse Prevention and Consumer Protection Act of 2005. p.s. over 60% of credit card/bank campaign contributions go to republicans.
I agree that banks should do more in the fight against phishing. They have the ability to track people down and take them to court, RIAA style. However, even though I don't have too much love for gigantic banking corporations, I can't help but feel like making banks completely responsible for phishing would be like making my apartment complex responsible for someone breaking into my apartment when I'm the one who was tricked into giving them my key.
Customers wouldn't go for it. In fact, that's how online banking used to work before the Internet and later WWW became commonplace enough to supplant it.
It also wouldn't solve the general problem of users not knowing any better. If customers are naive enough to believe an email that says "we need this information because of such-and-such legitimate-sounding reason, and you have to do THIS over the web", then a separate system doesn't help at all.
Japan recently enacted a law along similar lines. The target is skimming, not phishing, but it makes banks 100% responsible for account owners' losses from duped ATM cards (with a few limited exceptions, like if you write the PIN on the card you don't get your money back). The net effect has been to speed the introduction of IC-based cards, some of which use biometric verification as well--my own bank (Tokyo-Mitsubishi) has this funky palm reader thing on their latest ATMs that makes me wonder if it tells you your fortune while it's processing.
In addition, I'm constantly getting email from the banks (Citibank and Wells Fargo both do this) that has some special offer or some such. Banks need to stop sending spam and tell their customers "You will NOT get email from us. Any email that claims to be from us is a fraud."
This really underscores Schneier's point - as long as the banks aren't taking financial hits for their bad security practices they'll continue doing it. Their spam makes some kind of a profit for them and they don't get hit with the downside of phishing attacks based on their spam.
I'm surprised that the victims of identity theft have not banded together to sue the banks and other financial institutions. I bet that a few multi-million or larger penalties would get their attention and make them actually do the job of verifying identities.
Why won't credit card companies start taking fraud seriously and put a PIN on the card
Credit card companies make money when debit cards are used like a MC/Visa, and you sign for the transaction. Credit card companies are shut out when the person enters their PIN, and the transaction is run on the ACH system.
Because of this, MC and Visa want to keep people from doing the PIN thing, and get them to do the signature thing. If they introduced PINs, what will likely follow is confusion, and they need people to sign, not enter a PIN.
For this reason, you're seeing credit card companies move away from any verification and towards things like proximity RFID systems. That way the person doesn't even have to sign, and, hopefully, will run their card on the MC/Visa system.
Dear User,
Thank you for your Slashdot.org contribution.
For your own security we would like to take this opportunity to verify your account details. If you do not comply we will cancel your account and molest your hamster in 24 hours. This is for your own protection.
Please e-mail CmdrTaco@hotmail.com with your -
Username
Password
Credit Card Number
Expiry
Thank you,
CmdrTaco.
The fact of the matter is, identity theft in many cases (phishing emails) is the result of inexperienced users who get scammed. Financial institutions are responsible to a certain extent in all of these cases. Full responsibility will upset the economic system, because companies cannot adapt as fast as criminals (as noted by other users).
"10001110101 - periodic table with a centerpiece of mind" -Clutch
How about (God forbid) real, meaningful, enforceable policies? I don't know about you all, but I have had some odd problems with BofA, for instance. I've seen on more than one occasion charges that I didn't recognise. BofA played denial; the 1-800 number from said company treated me like a crook; called BofA back and they concurred. Ain't that about a bitch?! I suspect the "problem" is more: all of the above. Banks have become arrogant; policy makers don't want to admit ID theft, customer service, and in general a cash-based economy need to mix much better. Plus online businesses, from pr0n to Amazon, need to do something to stop treating their customers like crooks, and every one of them has to (has to!) do something whereby minutiae and fundamentals are attacked better. For instance, PayPal is great at being obvious about where and how I can enter info. Amazon: so-so, until you need to change or cancel an order. Ever order a gift and found out someone has it? I have; no real good way to deal with that. Gotten the wrong item? Yep, you betcha I have had that too. In short, I think phishing is more indicative of a larger set of problems. They need to be addressed though.
I swear, most of you moderators are on crack. Mod me down if you wish, but fuck, at least read what's said. I suspect some idiot from Kuro5hin is to blame for this.
For reasons like these, I have to give Flamebait a +5 mod just to see useful responses.
How about people use GPG or PGP, and get a public key for their bank, which the bank uses to sign each email it sends out to verify itself?
I'd like to see something like GPG be made easy to use and a part of email clients; we can require that by law. Imagine if Thunderbird, Outlook, Outlook Express, Eudora, etc. all had GPG abilities.
Anyway, GPG/PGP can verify if the email is legit or not. This can even be automated. That way the phisher cannot possibly fake the GPG/PGP signed emails from the bank. If an email is not signed, don't trust it.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
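Added example, not from the thread, of the "if it isn't signed, don't trust it" policy automated in a mail client. It uses a plain Ed25519 detached signature carried in a header rather than a real PGP/MIME part, so that it runs with nothing but the standard library; the header name `X-Bank-Signature`, the bank address and the message text are constructed for the example. The client pins the bank's public key (obtained out of band, e.g. from a mailing or a branch, which is an assumption here) and treats unsigned mail, mail from unpinned senders, and mail whose signature fails exactly the same way: untrusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

const sigHeader = "X-Bank-Signature" // constructed header name for this example

// NewBankKey creates the bank's signing key pair; the public half is what customers pin.
func NewBankKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonicalBody normalises line endings and trailing whitespace so that relays which
// re-terminate lines or pad them do not break an otherwise genuine signature.
func canonicalBody(body string) []byte {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return []byte(strings.TrimRight(strings.Join(lines, "\n"), "\n") + "\n")
}

// SignMail builds an outgoing message: the bank signs the canonical body and carries the
// detached signature in a header, in the role a PGP/MIME signature part would play.
func SignMail(priv ed25519.PrivateKey, from, subject, body string) string {
	sig := ed25519.Sign(priv, canonicalBody(body))
	return fmt.Sprintf("From: %s\nSubject: %s\n%s: %s\n\n%s",
		from, subject, sigHeader, base64.StdEncoding.EncodeToString(sig), body)
}

// Verdicts a mail client can act on; only Trusted should be rendered as the bank's own words.
const (
	Trusted       = "trusted"
	Unsigned      = "unsigned"
	UnknownSender = "unknown-sender"
	BadSignature  = "bad-signature"
)

// VerifyMail applies the policy "unsigned means untrusted": the sender must be a pinned bank
// address, the message must carry a signature, and it must verify under the pinned key.
func VerifyMail(pinned map[string]ed25519.PublicKey, raw string) string {
	headerText, body, found := strings.Cut(raw, "\n\n")
	if !found {
		return Unsigned
	}
	headers := map[string]string{}
	for _, h := range strings.Split(headerText, "\n") {
		if k, v, ok := strings.Cut(h, ":"); ok {
			headers[strings.ToLower(k)] = strings.TrimSpace(v)
		}
	}
	pub, ok := pinned[strings.ToLower(headers["from"])]
	if !ok {
		return UnknownSender
	}
	sig, err := base64.StdEncoding.DecodeString(headers[strings.ToLower(sigHeader)])
	if err != nil || len(sig) == 0 {
		return Unsigned
	}
	if !ed25519.Verify(pub, canonicalBody(body), sig) {
		return BadSignature
	}
	return Trusted
}

func main() {
	pub, priv := NewBankKey()
	pinned := map[string]ed25519.PublicKey{"alerts@bank.example": pub}

	good := SignMail(priv, "alerts@bank.example", "Statement ready",
		"Your statement is ready.\nLog in from your bookmark.\n")
	fmt.Println("genuine:", VerifyMail(pinned, good))

	// Same headers, same signature, body edited after signing: the client refuses it.
	altered := strings.Replace(good, "from your bookmark", "at the link below", 1)
	fmt.Println("altered body:", VerifyMail(pinned, altered))

	// Correct sender address but no signature at all: also refused, by policy.
	noSig := "From: alerts@bank.example\nSubject: Urgent\n\nPlease confirm your details.\n"
	fmt.Println("unsigned:", VerifyMail(pinned, noSig))
}
```

The From header is only used to pick which pinned key to try; it is the signature, not the address, that establishes who wrote the message, which is why a forged From with no matching key lands in the same untrusted bucket.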
The only way to somewhat secure online banking access is to require people to boot into a dedicated Read only operating system like a live CD that takes someone right to the bank. Back in the old days of online access for the Toronto Dominion bank, you needed special access software, and it wasn't done through the Internet as far as I recall. Still that wouldn't have protected the average user from a trojan spying on the keystrokes. A CD from a clean boot might do it though - essentially turn the home computer into an ATM, although some sort of biometrics will no doubt be required in the not so distant future to actually move money anywhere potentially risky.
I get an SMS text message with a code I have to enter for every (set of) transaction(s) I make. It's easy, and very secure.
Argh. The guy's ego isn't big enough already. No. We have to post a link to yet another musing and then have the /. crowd provide hits to the site *and* discuss it, almost providing legitimacy to the whacky statements.
Don't get me wrong, he's an *awesome* cryptographer, but he tends to post either the blatantly obvious or (as in this case) the blatantly stupid on most any other subject.
Go ahead. Mod me down. I can take it.
Mind the gap...
For online transactions, there is absolutely no protection for merchants - all fraud is paid for by the merchant.
There isn't anything the credit card companies are doing to combat fraud. Just try to get them or anyone else to follow up on a stolen credit card. Forget it.
Trouble with Bruce's suggestion is that it will open up a fountain of money where those bank customers with reduced moral fortitude will yield to temptation and claim that the "Phishers got my number" when the truth of the matter is that the customer Phished the account [him|her]self.
I'm quite happy with my bank, the HSBC here in Hong Kong: they have started to provide their customers with a hardware security device that generates encrypted sequences of 6 digits at the press of a button: you need to register your device once online with its unique serial number and then, every time you login or you do a bank transfer online, you're requested to input the digits generated by the device.
This effectively makes phishing impossible since all they can do is collect your login and password, but won't be able to access your account with that information alone: they would need to be able to generate proper security codes as well (and getting a single instance of that code won't be enough).
Only way left for scammers and thugs to get into your account is by stealing your physical device and your login info. Always possible, but not very likely.
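Added example, not from the thread and not HSBC's implementation: the usual way a six-digit press-the-button device works is HOTP (RFC 4226), an HMAC-SHA1 over a counter shared between the fob and the bank. The code shows both halves and the bank-side rule that makes a captured code worthless: a code is accepted only if it matches one of the next few counter values, and the counter then moves past it, so the same code can never be replayed. The secret below is the RFC's published test secret, not a real key; the SMS-code scheme mentioned a couple of posts down is the same idea with the code delivered over a second channel.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
)

// HOTP computes the RFC 4226 one-time code for a shared secret and counter: HMAC-SHA1,
// dynamic truncation to 31 bits, then the low `digits` decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// TokenServer is the bank's side: it shares the secret with exactly one physical device
// and tracks the next counter value it is willing to accept.
type TokenServer struct {
	secret  []byte
	counter uint64 // next counter value expected from the device
	window  int    // how many button presses the device may run ahead of the server
}

func NewTokenServer(secret []byte, window int) *TokenServer {
	return &TokenServer{secret: secret, window: window}
}

// Verify accepts a code only if it matches one of the next `window` counter values, then
// advances past it. A phisher who captured one code finds it already spent.
func (s *TokenServer) Verify(code string) bool {
	code = strings.TrimSpace(code)
	for i := 0; i < s.window; i++ {
		if hmac.Equal([]byte(HOTP(s.secret, s.counter+uint64(i), 6)), []byte(code)) {
			s.counter += uint64(i) + 1
			return true
		}
	}
	return false
}

// Device is the customer's key fob: same secret, its own counter, one button.
type Device struct {
	secret  []byte
	counter uint64
}

func (d *Device) Press() string {
	code := HOTP(d.secret, d.counter, 6)
	d.counter++
	return code
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret, not a real key
	fob := &Device{secret: secret}
	srv := NewTokenServer(secret, 5)

	code := fob.Press()
	fmt.Println("first login:", code, srv.Verify(code))         // accepted
	fmt.Println("same code presented again:", srv.Verify(code)) // rejected: already spent
	fob.Press()                                                 // a press the customer never typed in
	fmt.Println("next code after a skipped press:", srv.Verify(fob.Press())) // still inside the window
}
```

The look-ahead window is the trade-off HSBC-style deployments have to pick: too small and a customer who pressed the button a few times without logging in is locked out; too large and an attacker with a captured code has a wider range of counters it might still match (it never matches one already consumed).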
I have a feeling in the future this will be used as an excuse to push for compulsory VeriChips in vulnerable humans.
Case in point: I ordered something from Amazon Marketplace one Saturday evening. Went to bed. Following morning, there's an email from Amazon explaining that there's a problem with my credit card. It appears to be a plain text email, that Mail.app has helpfully highlighted the URL for, and it's not until I've entered my username and password that I realise the questions being asked are all wrong and seriously question what I've clicked on. Needless to say, I don't answer any more questions, and I immediately (a) log in to Amazon and change my password and (b) send Amazon a copy of the email for them to investigate.
Consider the circumstances: it's first thing in the morning and I'm not fully awake. I know that Amazon has just tried to charge my credit card. The email was sent to an address used exclusively for Amazon-related email (so it was probably a marketplace seller, or an Amazon employee, or someone connected with either, that actually sold the address to phishers.) It all looks pretty credible. Yes, if I'd had a few coffees and been up for a couple of hours, then I might have double checked the message. Likewise if the email hadn't been sent to my Amazon mailbox, or if I hadn't just ordered something from Amazon marketplace. But, as it was, it wasn't until I saw the "Confirm your name, address, and credit card details, etc" form that alarm bells began to ring.
And when that happened, I seriously asked the question: if I can get hoodwinked, at least to that extent, a computer professional who regularly sees these scams and laughs at them, how is my mother supposed to avoid them?
You are not alone. This is not normal. None of this is normal.
He is a rude lame ass. I met him once. Very snobbish. I also work at a bank and all the idiots who use our online banking are idiots. They can barely log in. Most idiots have things like 123 as their passwords. Make banks responsible for phishing? Fuck you, you lame-o retard. How about having people responsible for themselves? Or is personal responsibility dead in the United Nanny States of America?
Quite simply - Why should I have to prove a loan/debt was not initiated by me? Why shouldn't the responsibility be on them to prove who they were actually doing business with??!! If they can't prove, beyond the shadow of a doubt, that it was me, then they can not ruin my credit, attach my wages, or take other legal actions to collect from me. And having data that could have been acquired without my authorization, would not constitute "beyond a reasonable doubt".
Well... the most basic security precaution is always the best: go directly to the source. Don't trust any e-mail to ever have the proper URL. Just go to the original web site you originally transacted with and go from there. If I ordered something from Amazon I'm going to go to www.amazon.com and work my way through to check on my order. If there are any problems I'll try to correct them. If things are totally and utterly FUBAR and I've expended a reasonable and sensible effort to resolve the problem I'll start from the main page again, try to track down a customer service number and handle it that way. If it's for my bank and seems serious enough I'll probably just try to go in to the bank and handle it in person.
This suggestion is more of the tired make those who can do pay for those who can't. It really is ridiculous. If the banks have to pay for it, yes perhaps they will do their best to fight it, but in the end, either those who have accounts (those who can) will pay for it; deny those who don't have the sense to recognize (those who can't) the opportunity to have an account; or a combination of both. Can you imagine the conversation when applying for a credit card? "Ah, I am sorry sir, but it says here on your credit card report you have been phished 2 times, account declined." And, "Ah, yes, Mr. I have never paid a late payment, that 'Stupid People Who Can't Recognize a Scam' fee is now customary and Visa, Mastercard, and Discover have implemented it, so threatening to change providers won't do any good."
People should pay for their mistakes; they are much less likely to make them again. It is called learning through consequence.
This solution is too draconian to work. In real life much of the problem lies in ignorant users getting tricked. There also needs to be a tough love solution whereby stupid users get punished financially.
Right now, when someone gets their credit card stolen and a crook uses it to commit fraud, it's not the bank that gets to eat the loss, nor Visa/Mastercard/Discover/American Express. It's the merchant who gets it in the rear. The banks would love to make you think it's them protecting you, when in fact they're doing really little. After all, it's the merchants and not them eating the losses.
So, if say stupid Joe gives up his cc info to some crook, who is smart enough to circumvent most fraud screening methods like AVS, IP geography check, and inputs a fake phone number (remember, phone numbers are not verifiable by AVS), the merchant really has no way of knowing it's fraud.
The bank wins, Joe wins (because he can do a chargeback), the crook wins, and the merchant loses.
eTrade SUCKS
A bad day phishing will still be better than a good day working.
There is a simple and cheap solution that banks can implement to stop phishers cold. They can use disposable pins for every outgoing transaction. When the customer opens an account, he gets a plastic card with pins. The card is either given in person, or sent by postal mail. Whenever the customer makes a payment, he is prompted by the bank to enter a pin. One pin - one transfer, the pin is never reused. The standard credit-card sized card can hold about a hundred pins covered with scratch-off paint. The phishers can get the password and see the contents of the account, but they will not be able to transfer the money out of the account.
Why don't the banks do it? Because such a system would seem like an unnecessary hassle to the majority of customers.
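Added example, not from the thread: the scratch-off PIN card (a TAN list) as the bank would store and check it. The server keeps only salted hashes of the PINs plus a used flag per position, so a leaked database does not reproduce the card, and a transfer needs the password plus a never-spent PIN from the customer's copy. The password and card size are constructed; the example does not cover rate-limiting guesses, which a real deployment would add.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// TanServer holds hashes of the scratch-off PINs and a used flag per position, so each PIN
// can be spent exactly once and a database leak does not reveal the card.
type TanServer struct {
	password string // the login secret a phisher can capture
	salt     string
	hashes   []string
	used     []bool
}

func hashPin(salt string, index int, pin string) string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s:%d:%s", salt, index, pin)))
	return hex.EncodeToString(h[:])
}

// IssueCard generates n six-digit PINs. The returned slice is what gets printed under
// scratch-off paint and mailed; the server keeps nothing but the hashes.
func IssueCard(password string, n int) ([]string, *TanServer) {
	saltBytes := make([]byte, 16)
	if _, err := rand.Read(saltBytes); err != nil {
		panic(err)
	}
	srv := &TanServer{password: password, salt: hex.EncodeToString(saltBytes), used: make([]bool, n)}
	card := make([]string, n)
	for i := range card {
		v, err := rand.Int(rand.Reader, big.NewInt(1000000))
		if err != nil {
			panic(err)
		}
		card[i] = fmt.Sprintf("%06d", v.Int64())
		srv.hashes = append(srv.hashes, hashPin(srv.salt, i, card[i]))
	}
	return card, srv
}

// Login is all a phished password buys: the ability to look at the account.
func (s *TanServer) Login(password string) bool {
	return subtle.ConstantTimeCompare([]byte(password), []byte(s.password)) == 1
}

// Transfer needs the password plus an unused PIN from the card. A failed attempt does not
// burn the PIN (otherwise anyone with the password could exhaust the card).
func (s *TanServer) Transfer(password string, index int, pin string, cents int64) error {
	if !s.Login(password) {
		return errors.New("bad password")
	}
	if index < 0 || index >= len(s.hashes) {
		return errors.New("no such PIN position")
	}
	if s.used[index] {
		return errors.New("PIN already spent")
	}
	if subtle.ConstantTimeCompare([]byte(hashPin(s.salt, index, pin)), []byte(s.hashes[index])) != 1 {
		return errors.New("PIN does not match")
	}
	s.used[index] = true // one PIN, one transfer
	return nil
}

// Remaining tells the bank when to mail the customer a fresh card.
func (s *TanServer) Remaining() int {
	n := 0
	for _, u := range s.used {
		if !u {
			n++
		}
	}
	return n
}

func main() {
	card, srv := IssueCard("hunter2", 5) // constructed password and a small card
	fmt.Println("customer pays with PIN #1:", srv.Transfer("hunter2", 0, card[0], 2500))
	fmt.Println("same PIN again:", srv.Transfer("hunter2", 0, card[0], 2500))
	fmt.Println("phished password, no card:", srv.Transfer("hunter2", 1, "x", 99900))
	fmt.Println("PINs left on the card:", srv.Remaining())
}
```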
I think that by making banks solely responsible, you are going to set things up for banks to be very *very* cautious about giving customers access to their accounts. Identity theft is a serious issue but we ought not to solve it by making everyone vulnerable to buisness interruptions, etc.
Let me share a story with you that happened to me very recently.
I have a business Paypal account and for reasons that will become clear very quickly I now actively warn my customers about my experience with them and help them evaluate other alternatives for their businesses. Fortunately for me, my Paypal use is infrequent (I have one customer in Greece who occasionally sends me money via Paypal) and I do not rely on it for my ecommerce transactions.
So anyway, yesterday I got an email saying that my account has been put on "limited" status and that I have to confirm my identity before I can start receiving or sending money again. Note that if I was running a shopping cart via Paypal, and if that was the main source of my business, my business would have been down from that point. So I try to verify my location. It says I need to add a credit card number. So I call Paypal and spend an hour on hold. The agent continually defends their practices, tells me I need to add a credit card. I try to add the card but it won't let me because the card has the abbreviation "BUS," short for "BUSINESS" after my name. The rep I was on the phone with said "Well, you know how computers are-- they require an exact match. This is really your bank's fault since the name on the card is not the same as the name on the bank account."
As you can imagine I really let her have it then. I explained, with all due respect, that the way they match the names is fully within their control and that this hardship I was experiencing was fully within Paypal's control to solve (speaking as a computer programmer), and that all of these problems were the direct result of decisions which were made by Paypal. I was told to fax a copy of my drivers license and a utility bill and they would use that to confirm my address. After I was off the phone I wrote them a letter which I faxed along with the requested documents accusing them of adopting a caveat emptor mentality regarding their services and threatening to write my State's AG, congressmen, and asking them to make sure their legal department was advised of the possibility of damages as a result of these policies.
The agent was unable to tell me what was wrong or provide any information relating to why this was now necessary. She just said that they just wanted to confirm my identity. Evidently this is so scary to them that they are willing to completely interrupt whole arms of their customers' businesses for days in order to do this.
The limitations are still in effect and nobody is able to tell me when they will be removed or why they are even there in the first case. Do we really want to make identity theft such an issue for our financial institutions that this situation becomes the norm for dealing with a real financial institution?
LedgerSMB: Open source Accounting/ERP
I really think that this is the wrong incentive here. In another post I detailed a bad experience I recently had with Paypal regarding their antifraud measures. Banks are already largely responsible for phishing because of the fact that they are obligated to give *you* your money back unless *you* authorize that it be given to someone else (IANAL, though).
I am going to reproduce the entire text of my letter to them here (minus letterhead, case id's headers, etc).
To Whom It May Concern;
Within the last couple of days, certain limitations were placed on my account which prevent my customers (some of whom are overseas) from sending money to my account. Your company has made it extremely difficult and risky to do business with. This letter is to inform you of the serious concerns my technology consulting business has regarding recommending your services to my business customers.
I recognize that confirming the identity of customers is a legitimate business need on your part. However, it would really help business customers if there was fair warning before you go and interrupt our businesses. This is especially true for some of my customers who use Paypal as the exclusive internet gateway for their ecommerce ventures. Letting people know after the fact, when you have already put their businesses on hold, is simply unacceptable. The fact that your call center representative could not tell me why the limitations were placed on the account is even worse. In essence, your firm has made this process as difficult and costly as possible for your business customers.
My business may be incorporating soon and we may be selling prepaid support accounts online. I am very concerned that continuing to do business with your company could place my business in undue risk from factors beyond the control of the owners of the corporation. Suspending the e-commerce transactions without notice for a business due to the actions of third parties is, in my opinion, asking for legal problems and I think you need to send a copy of this letter to your legal department to make sure they are advised of the possibility of damages arising from such negligence.
As a technology consultant, computer programmer, and security consultant, I am sensitive to the issues surrounding identity theft and I do appreciate the fact that your business takes this problem seriously. However, PayPal will only be a safe provider of online payment solutions if all other business risks that arise from your efforts are taken seriously. Business interruption is a serious issue and one I don't believe you are making any good faith effort to mitigate here. Safety is only a measure of how the total risk of an activity, such as doing business with your firm, is managed. Being insensitive to the legitimate business needs of your commercial customers damages us and ultimately damages your firm.
Although I am not considering legal action at this time, I expect a timely response to this letter. I fully intend to publish my concerns to the general public or at least the e-commerce consulting community, either via trade magazines, as a notice bundled with the shopping cart software we are developing, or in some other form (perhaps a whitepaper comparing online payment solutions). I am also considering a letter to my congressman and my state's Attorney General explaining the problems which are caused by the fact that Paypal has managed to avoid the general forms of regulation that are applied to nearly all other types of financial institutions.
It is sad to see market leaders fall back to a "caveat emptor" mentality.
LedgerSMB: Open source Accounting/ERP
Similarly, if a bank gives a credit card to someone in your name, at an address where you've never lived, without attempting to contact you (and yes, they can contact you: your credit report will contain every address you've lived at for many years), why is it your problem?
You seem to think that you're safe because you're careful about your personal information. You aren't.
Here's a link to the article:
http://www.sims.berkeley.edu/~hal/people/hal/NYTi
Hal Varian is a professor of Economics at UC Berkeley, and generally a bright guy.
http://www.welton.it/davidw/
Not that I'm sympathetic to banks (that would be like admiring roadkill or outlawing suicide: weird and pointless), but isn't this rather like making programmers solely responsible for IP infringement?
Why would phishing then go away and what if it didn't, would banking become too expensive, would service become cumbersome and wouldn't we still get dressed down like the stupid schmucks we are?
ATM has always been very popular in Belgium. As a matter of fact, we've been the world's testbed for this kind of thing. Used to be an almost 10 year gap between Belgium and Holland where normally we're behind on things. In Holland they had had a pretty big scandal, a bad experience. So for a long time you were extremely limited, while in Belgium we got used to the idea of being able to plunder our own account night and day.
And in the end, everybody adopted our method of ATM and you can use most any kind of card to do a whole bunch of transactions. I'm not sure who's "responsible" if something goes wrong, but I am sure that today it is no safer to do all that than yesterday. And somehow, we take the bad, the chances, in the name of convenience. So while I don't think phishing is going away no matter who is responsible, I don't think it's a very big problem either in the long run. I do like my conveniences though. Human nature != intelligent behaviour...
I think, therefore I am...I think.
If an institution is holding private information on someone, they should be legally liable for any loss or breach of this information. I would go on to suggest making legislation that would require those holding the information to pay a fine ($+++++) for each loss of an identity to its holder and then cover any other loss incurred by this theft. Making the loss of this kind of information extremely expensive and costly to the organisations which are holding it is the only way that they will guard our personal information as if it were golden bricks, or they would decide not to collect it in the first place, as it would become a liability to their business, not an asset, unless there was a bona fide reason for them having it in the first place.
I've been saying this here for a while anonymously, hoping somebody might take it and run with it. I am not a genius, this seems so basic, and the only reason it hasn't flown already is because our government is controlled by big business and will only allow legislation which suits its purposes and needs.
I work in the anti-phishing industry, and suggestions like the article makes are pie in the sky "corporations have magic powers" crap. Make banks pay for phishing and you'll create a cottage industry of phishing victims, of the sort that plagues the insurance industry today.
Sorry to be blunt, but so what? I'm really supposed to be concerned because rich banks take more of a hit from phishing than the innocent dupes do now? Corporations have a lot more power than individuals, especially when the only thing people can do is "just be smarter". Get real.
If other reasons we do lack, we swear no one will die when we attack
Heh... First time I read that I thought you said
and I thought, "hell yeah! delete those sons of bitches!"
It's a good plan though, and I too would pay for something like it.
I'm surprised you haven't found this by now:
http://paypalsucks.com/
[ ]Clever sig [X]Lame sig
I bank with egg.com
I know they are secure because their security policy says they will never send me an email asking for security details.
All they do is send me an email each month telling me my statement is available, and providing a link to their site where I enter all my security details. At least I think it's their site. Wait a minute...
I wish this was a joke.
I have some friends who did a major renovation on their house recently, and I was visiting to see how things were looking. I happened to look up at an unfinished cathedral ceiling, and saw "gullible" written there. (I presume you've heard the kids' joke.)
The living have better things to do than to continue hating the dead.
But what I want to see is large companies that have lots of phishers after their customers offer a "what to do if you receive a suspicious email" link on their home page. And when you click on that, it gives you a fake user id, password, account number, and any other identifying information that a phisher is looking for. When the fake user id and password is used by a phisher, actions from that PC are temporarily disabled and any accounts accessed from this location are flagged as stolen. Do what you can to try to get the phisher to reveal themselves and also start re-authenticating your clients with good old fashion phone calls (plus you can ask them to stop giving our their account information). Have some reasonable checks in there so that if a customer thinks they are being phished and sends the fake info to the real web site, you don't go knocking their door in with a swat team. It wouldn't be hard to create this anti-phishing tool. Smart customers help you, fraud goes down, dumb customers receive some protection without the big company being liable, and the company gets known as a safe place to do business. The only losers are the phishers and the little bit of time it takes to setup and maintain the system.
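The decoy-credential scheme in the comment above, as an added example that is not part of the original post: a monitor that watches login attempts for published canary user ids, marks the source address that uses one, flags real accounts accessed from that address soon afterwards, and applies the "reasonable check" of not treating a customer who typed the decoy into the real site from a known device as a phisher. All user ids, addresses and log records are constructed.

```python
"""Honeytoken login monitor (added example, not from the post above).

Models the scheme the comment describes: the bank publishes fake
credentials for customers to hand to phishers; any login attempt with
those credentials marks the source address, and real accounts later
accessed from it are flagged. Every value below is constructed.
"""
from datetime import datetime, timedelta

# Constructed canary user ids the bank would publish on its
# "what to do if you receive a suspicious email" page.
HONEYTOKEN_USERS = {"decoy-7341", "decoy-0092"}

# Constructed "known device" data: addresses each customer has used before.
KNOWN_CUSTOMER_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
}

# Constructed audit trail: (timestamp, source address, user id, outcome).
SAMPLE_LOGINS = [
    ("2005-10-07 09:00:00", "203.0.113.10", "alice", "ok"),
    ("2005-10-07 09:05:00", "203.0.113.10", "decoy-7341", "bad_password"),
    ("2005-10-07 10:00:00", "192.0.2.55", "decoy-0092", "bad_password"),
    ("2005-10-07 10:02:00", "192.0.2.55", "bob", "ok"),
    ("2005-10-07 10:03:00", "192.0.2.55", "carol", "ok"),
    ("2005-10-08 11:00:00", "192.0.2.55", "dave", "ok"),  # outside the window
]
FLAG_WINDOW = timedelta(hours=6)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def analyse(logins, honeytokens=HONEYTOKEN_USERS,
            known_ips=KNOWN_CUSTOMER_IPS, window=FLAG_WINDOW):
    """Return {"block": set(ip), "flag": set(user), "customer_test": set(ip)}."""
    hits = [(parse(ts), ip) for ts, ip, user, _ in logins if user in honeytokens]
    block, flag, customer_test = set(), set(), set()
    for t_hit, ip in hits:
        # The comment's "reasonable check": a customer who sends the decoy
        # to the real site from their usual device is not a phisher.
        if any(ip in ips for ips in known_ips.values()):
            customer_test.add(ip)
            continue
        block.add(ip)  # actions from this address are disabled
        # Real accounts successfully accessed from that address within the
        # window after the decoy was used are treated as stolen.
        for ts, ip2, user, result in logins:
            if ip2 != ip or user in honeytokens or result != "ok":
                continue
            if timedelta(0) <= parse(ts) - t_hit <= window:
                flag.add(user)
    return {"block": block, "flag": flag, "customer_test": customer_test}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOGINS))
```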
I was actually thinking something similar. The bank isn't the one that made you click on that link to go to the phishing site, and they aren't the ones that entered in the personal information for the crook to access the account and take your information.
It's really a simple matter of using enough common sense to figure out that maybe I should contact the bank to make sure that something actually happened. Another clue is that most banks also send out snailmail as well, at least everyone that I've ever been with has.
In today's world, there is no excuse in not having enough sense to question anything you receive in an email. Even if it's from a friend, you're stupid to not scan the email and to have some form of spam filter up to protect you from possible malicious email.
The only way this proposed solution would work effectively is if you denied the users the ability to willfully duplicate or otherwise represent enough personal information to perform a financial transaction. Sure, with really overkill smart cards you can make ATMs and retailers secure (good luck on getting them to pay lots of $$$ for something they don't need, ie, new scanners), but you would also render it nearly impossible for people to buy things, for example, over the phone, or from merchants without cc processing equipment on hand. This level of paranoia will only lead to one place, really frustrated old people who just want to bank, and a whole lot of money down the tubes. Now what banks like ING do is prudent to be sure, but people have been falling for clever scams since the beginning of time. All of them have been easy to spot (from the outside) and all of them have attracted people. It's nice enough that some banks offer online fraud protection. I'd just suggest signing up with one of them, because insurance is really the best, and as I see it, the only practical way to deal with this problem.
Sure, why not? We have the democratic party. We have lawyers. We have LULAC. We have Jesse Jackson. And we have our mommies. They have all told us that everything bad that happens to us is someone else's fault, and someone else should pay us for it. And now we have Bruce Schneier, letting us all know that being an idiot is not a punishable offense. Obviously it is the bank's fault for having idiots for customers. I think this is a great idea. I would also like to suggest that MY bank start performing intelligence tests on its customers so that it does not have to pass this "idiot tax" on to me. YOU GO BRUCE!!! Remember when you were a kid, and you fell over one of your own toys that you left out, and then you laid there and cried, looking for attention from mom and dad? Your dad said "stop crying and get up - no one wants to hear you whine." But then your mom came over, picked you up and hugged you, and then spanked the toy saying "bad toy!" --- You should have spent more time with your dad, Bruce.
The phisher that nearly got me caught me at the right time. There's a right time to get anyone.
You are not alone. This is not normal. None of this is normal.
It seems that a lot of people in this discussion seem to think that this would be (a) impossible, or at least (b) horribly expensive, so I thought I'd illustrate how it could be accomplished cheaply and effectively.
First, the bank would need to have a readily recognizable web address that fully described the company name. www.wellsfargoofnorthamerica.com, for instance. It's kind of long to type, but we're talking security procedures here.
Second, have ALL FINANCIAL INSTITUTIONS institute a policy of never sending a link in any email. Announce this policy on TV commercials. Make people sign a notice recognizing this policy when they sign up for an account. Put it in big letters on the initial credit card contracts. Put posters up in the bank lobby, that kind of thing. Awareness is truly the place where we're falling down here.
There will always be idiots who fall for this stuff, but if people in general know that banks won't send these links, then they won't fall for this kind of thing nearly as often.
Wake up - the future is arriving faster than you think.
Oh I understand completely. The one time you forget to wear gloves in the lab because it's a quick, simple little thing you need to do is the time that you're going to end up spilling a mutagenic substance on yourself... never fails.
Any time someone works with something dangerous or potentially dangerous or security related there's always the chance that you're going to get caught with your guard down just enough to make it work. The only way to prevent that is to be rigid and disciplined in the way you do things. Yeah it's a text-only e-mail, but that differs from the set policy of how to deal with these types of things. Same as treating every gun as loaded: consistency and routine are the keys.
Ok. I have information for you.
When money comes in to a suspended account, the transaction remains "pending" and no notice is provided to the payer.
Needless to say, this is negligent in the extreme. So your seller could have been telling you the truth.
Now to the worse part... Anyone using the same IP address to contact eBay could result in accounts being linked in their system. This means among other things that you are putting your business in jeopardy if you travel and access eBay using your laptop while plugged into, say, a hotel's network. The fact that there is no reasonable way to truly link accounts by computer makes this irresponsible at least. But again, it is justified as a part of their anti-fraud regimen.
LedgerSMB: Open source Accounting/ERP
Sure, and then they page you and you call them and tell them that no, you didn't lose your pager. They don't know who to believe, so they put your account on hold until you come in with photo ID and have them examine your fingerprints.
Avoid Missing Ball for High Score
The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names. The institutions make a lot of money because it's easy to make a transaction, open an account, get a credit card and so on.
As Schneier says, banks and other entities that extend credit are making an unbelievable amount of money because the current system places the emphasis on ease of use rather than security. Visa USA processed $1.3 trillion dollars in transactions last year, an amount greater than 10% of the GDP of the United States of America.
Unless you've been hiding under a rock for the last 20 years, you probably receive at least one 'pre-approved' credit card offer per week in the mail-- often for lines of credit exceeding your annual income. Advertisements tout mortgages, credit, car financing, gas credit cards, and innumerable other forms of lending.
Ease of use. That's why you can apply for a credit card by filling in a few lines on a form, with just a name, address, and SSN#. It's also the reason why someone else can fraudulently apply for credit under your name with just your name, address, and SSN#.
Rather than individuals being required to prove that credit was granted fraudulently, creditors should have to prove that it was not.
I'd like to see a socially acceptable cease-and-desist letter: "I did not apply for or receive that line of credit. Unless you can conclusively prove that I was the individual who did, you will remove all references to that credit from my credit history and never contact me again."
The current system is entirely based on security through obscurity, and that just doesn't work in a world where an arbitrary number of people have access to the authentication information being used. Making credit vendors entirely responsible for their own mistakes will cause very rapid changes in that regard.
So, who has enough information to apply for credit in your name, no matter how well you try to hide it?
- Your Employer: All the information anyone needs to fraudulently impersonate you in one simple employee file.
- Your bank/lender/creditor: Same as the above.
- Your University: Mine just phased out SSN#s as a primary userID five years ago. Some still haven't, and you can bet they all still have it on file... along with a prior address.
- Government Agencies: Yeah. They have all of it.
All of the information necessary to authenticate or counterfeit your identity under the current paradigm is available to anyone with access to records in any of those monolithic entities. Or anyone who gains access illicitly. Or anyone who buys access.
Entities which extend credit need to take responsibility for positively verifying the identity of anyone requesting credit, and be 100% responsible by default for all the expense, hassle, and annoyance of instances where credit is granted improperly. Right now, the responsibility is entirely on the individual who was impersonated to resolve the situation, and that is unacceptable.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
In TFA, Schneier wrote that phishing isn't the problem. It's just one tactic. The problem is people using fraudulent information to access accounts. If someone comes up with a good way to stop phishing, it probably won't help fraud that much, because phishers will find another way to get account numbers and PINs and passwords.
What Schneier says the financial institutions need to do, is find a way to prevent unauthorized account access, which they will have to do if they are forced to bear the entire burdens of identity theft. He doesn't give any hints on how to accomplish that, but he was clear in saying that the answer isn't about any simple solution to stop phishing, it's got to be on the heads of the banks to stop identity theft.
And if you fail to see how this will produce a criminal cottage industry 10x worse than the current phishing problem, I think you're blind. User applies for credit, goes hog wild buying big screen TVs and running up gambling debts, then denies he applied for the card. Just steal your own identity.
I know, the answer is banks need to be more thorough about checking your identity. To get a card, you'll need to give your DNA, fingerprint, and iris scan (in person), because anything else could be faked (realistically, you leave your fingerprint everywhere and it's pretty easy to fake, it's not a great way to secure access to money). That will need to be compared to a reference standard the credit bureaus will need to maintain to cross reference, plus an extensive initial investigation the first time through to verify who you are the first time, interviews with parents, co-workers, friends, etc. I'm sure we'll all gladly put up with that expense and inconvenience....
Paypal does not allow those with frozen accounts to issue refunds either. So if you request a refund, they require an authorization in writing, etc. Funny how they like to charge back your account when it is not locked without your authorization.
Monday, among other things, I will be calling the Office of Comptroller of Currency (a regulatory body) to complain, then I will call eBay and ask to speak to the office of Scott Thompson (VP of Paypal, CTO of eBay) and air my complaints. I am still holding out some slim hope that the senior execs might actually care about their customers. Certainly the customer service reps don't.
LedgerSMB: Open source Accounting/ERP