Slashdot Mirror


Schneier: Make Banks Responsible for Phishers

abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""

3 of 429 comments

  1. Re:It makes perfect sense... by Jherek Carnelian · Score: 3, Informative

    Why sign your credit card at all when no-one even LOOKS at the signature

    VISA/MC merchant requirements are that it does not matter what the signature looks like, if the card is signed, then they are to accept it as valid unless there are other extenuating circumstances. They do this because VISA/MC wish to make using their cards as easy as using cash. Extra security measures like you describe reduce the utility of the cards and risk pushing people back to using cash.

    YOU are liable for fraudulent use of the card?

    Federal law says that you are not liable for more than $50 of fraudulent charges and even that first $50 is almost universally waived by the issuing banks.

  2. Re:Chase, Citibank & Amex are big problems. by Tim C · Score: 3, Informative

    Chase - has a login on their insecure site http://www.chase.com/,

    The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.

    and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.

    That I agree with; putting the padlock icon there is not a good idea.

    Amex - does the same thing that Chase does on americanexpress.com.

    I had to do a little more digging for this one, as the actual action of the form is set via a javascript function, but again, it's secured over SSL.

    CitiBank - Another bad problem, weird domain names.

    I agree with this point - a company really ought to pick a single domain name for a single purpose, and stick to it. Hanging domains off that (e.g. credit-cards.bank.com, accounts.bank.com) is fine, but having a bunch of totally unrelated domains with similar (or in some cases, not so similar) names is a bad idea.

  3. Re:Chase, Citibank & Amex are big problems. by braindead · Score: 4, Informative


    The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.


    No, that's not enough. https gives you two things:

    (1) it encrypts your answer, and
    (2) it authenticates the site you're talking to.

    The situation with Chase does not provide guarantee number 2: if they're not using https then you would have to check the source every single time to make sure that no hacker replaced some packets in flight to steal your account information.

    I agree with the grandparent: login pages that don't use https: are a pitiful security practice, regardless of whether the form gets submitted over https.