Schneier: Make Banks Responsible for Phishers

abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""

Re:Chase, Citibank & Amex are big problems.

[braindead]

The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.


No, that's not enough. https gives you two things:

(1) it encrypts your answer, and
(2) it authenticates the site you're talking to.

The situation with Chase does not provide guarantee number 2: if they're not using https then you would have to check the source every single time to make sure that no hacker replaced some packets in flight to steal your account information.

I agree with the grandparent: login pages that don't use https: are a pityful security practice, regardless of whether the form gets submitted over https.