Schneier: Make Banks Responsible for Phishers
abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""
"Hi, this is Joe Lieberman, and I'll be your Senator today. What can I do for you? Oh? Let me transfer you to my supervisor, Senator Biden"
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
Technical solutions can follow legal solutions.
1) Law is passed placing the burden of phishing on financial institutions
2) Financial institutions run a cost-benefit analysis and determine that RSA SecureIDs are cheaper than self-insuring against fraud losses
3) Everyone gets a SecureID with their new account
Why sign your credit card at all when no-one even LOOKS at the signature
VISA/MC merchant requirements are that it does not matter what the signature looks like, if the card is signed, then they are to accept it as valid unless there are other extenuating circumstances. They do this because VISA/MC wish to make using their cards as easy as using cash. Extra security measures like you describe reduce the utility of the cards and risk pushing people back to using cash.
YOU are liable for fraudulent use of the card?
Federal law says that you are not liable for more than $50 of fraudulent charges and even that first $50 is almost universally waived by the issuing banks.
You DID see that the FORM's ACTION attribute contains "https://chaseonline.chase.com/chaseonline/checkb
So when you submit the form, it passes over https, and displaying that lock is perfectly okay. I didn't check what Amex does, but I'm guessing it's pretty much the same deal.
Chase - has a login on their insecure site http://www.chase.com/,
The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.
and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
That I agree with; putting the padlock icon there is not a good idea.
Amex - does the same thing that Chase does on americanexpress.com.
I had to do a little more digging for this one, as the actual action of the form is set via a javascript function, but again, it's secured over SSL.
CitiBank - Another bad problem, weird domain names.
I agree with this point - a company really ought to pick a single domain name for a single purpose, and stick to it. Hanging domains off that (e.g. credit-cards.bank.com, accounts.bank.com) is fine, but having a bunch of totally unrelated domains with similar (or in some cases, not so similar) names is a bad idea.
It's official. Most of you are morons.
Japan recently enacted a law along similar lines. The target is skimming, not phishing, but it makes banks 100% responsible for account owners' losses from duped ATM cards (with a few limited exceptions, like if you write the PIN on the card you don't get your money back). The net effect has been to speed the introduction of IC-based cards, some of which use biometric verification as well--my own bank (Tokyo-Mitsubishi) has this funky palm reader thing on their latest ATMs that makes me wonder if it tells you your fortune while it's processing.
The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.
No, that's not enough. https gives you two things:
(1) it encrypts your answer, and
(2) it authenticates the site you're talking to.
The situation with Chase does not provide guarantee number 2: if they're not using https then you would have to check the source every single time to make sure that no hacker replaced some packets in flight to steal your account information.
I agree with the grandparent: login pages that don't use https: are a pitiful security practice, regardless of whether the form gets submitted over https.
This solution is too draconian to work. In real life much of the problem lies in ignorant users getting tricked. There also needs to be a tough love solution whereby stupid users get punished financially.
Right now, when someone gets their credit card stolen and a crook uses it to commit fraud, it's not the bank that gets to eat the loss, nor Visa/Mastercard/Discover/American Express. It's the merchant who gets it in the rear. The banks would love to make you think it's them protecting you, when in fact they're doing really little. After all, it's the merchants and not them eating the losses.
So, if say stupid Joe gives up his cc info to some crook, who is smart enough to circumvent most fraud screening methods like AVS, IP geography check, and inputs a fake phone number (remember, phone numbers are not verifiable by AVS), the merchant really has no way of knowing it's fraud.
The bank wins, Joe wins (because he can do a chargeback), the crook wins, and the merchant loses.
eTrade SUCKS
Here's a link to the article:
http://www.sims.berkeley.edu/~hal/people/hal/NYTi
Hal Varian is a professor of Economics at UC Berkeley, and generally a bright guy.
http://www.welton.it/davidw/