Slashdot Mirror
Schneier: Make Banks Responsible for Phishers
abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""
I seriously doubt the innovation of criminals with technology will fail simply because banks require additional information.
FanFictionRecs.net
However, it doesn't seem very feasible.
... which I think there is more than enough uncertainty on the subject to prevent that.
There is no way we can get the government to do such a thing... and such losses may even effect federal insurance and our interest rates...
Depending on how many morons there are getting hit by phishing scams, this could have a large effect.
Of course... that's assuming it ever got made into 'law'...
MoM++ - A Classic Expanded - [Master of Magic 1.5]
http://mompp.sourceforge.net/
Personal responsibility has to come into play somewhere. If people aren't educated enough to know NOT to email back their bank information to an unsolicited source, than just whose fault is it? The banks obviously need to do more, but in the end someone has to be responsible for their own actions.
I don't think there's much of a chance of this kind of thing ever getting implemented. The financial industry would kill any legislator who tried to introduce legislation like this. If anything got through, they'd convince the executive branch not to enforce it. I'm sorry to say this, but the banks hold our money and they're very cavalier about to whom they give access and they like it that way.
What's wrong with "all of the above?" It would seem to me that a multi-pronged attack to the problem would be best, because I really don't see how "just" holding the financial institutions responsible will make the problem disappear completely. Scammers are creative, after all, and the people who fall for their scams can be pretty friggin' dumb.
Forcing the responsibility on the banks is only going to encourage the banks to treat the customers worse than they already do.
This will always be a problem because people don't want to have to deal with complex security. I wouldn't mind keeping an RSA authenticated keychain that has a rotating cryptographic key that changes every 60 seconds (a pretty cool solution, I've seen in action), but moron hick who doesn't see why he should have to have more than one password will never stand for it. Juggling multiple methods of authentication is too complex for the average Joe.
Thankfully, that average Joe is also the same moron who will fall victim to phishing instead of me. I'll never lose my money, so it's not my problem. A connundrum, if you will - the only people smart enough to do anything about it (or be willing to do anything about it) are the ones that such scams don't apply to anyway.
(No offense to any geeks/intellects happened to be named Joe)
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
The only way something like this works is if there is an neutral agency that one can report this to. Even then it probabaly won't. It's in the financial institutions best interest to keep all security problems secret. That is today, even with them not being responsibile, in a day where they are resonsible, they'll act just the tabacoo companies did/do "There is no security problem, Mr. Senator. No, there is no problem with identity theft, not at all, we have it under control.". The cheapest short term solution is the best one to a company, these guys pretend to think long term, but they don't. Don't assume they will.
Burn Hollywood Burn
In the end the consumer will always pay no matter what happens. If they exclusively make financial institiutions responsible for phishing then that just means they will charge us more for their services. If they don't do anything about it, well, then we still pay when some schmuck steals our identy and our money.
It amazes me that, for example, no-one really checks signatures on credit card slips or that you don't need a PIN to buy gas with a card at the pump.
If you tighten up all these processes then just knowing five pieces of data about a person won't let you access their accounts. Why sign your credit card at all when no-one even LOOKS at the signature and YOU are liable for fraudulent use of the card?
Legislation shouldn't be used as a way of solving a technical problem, and this is really just a technical problem with e-mail.
Find free books.
So I fall for a phishing email and enter my credit card info, bank passwords, etc. into some scam site. Said scammer proceeds to empty my bank account.
If I directly gave the scammer enough info to do such financial damage, how can the bank be held responsible? It's like if I forget my wallet on the table at some fast food restaraunt, and someone picks it up and maxes out each of my credit cards. Should the bank be held accountable that I forgot my wallet? Banks should make a better effort to confirm identities in cases of large sums of money being transfered/spent under strange circumstances, but holding them financially accountable for my own faults?
It will never happen.
Consider this: The credit card companies were getting reamed by people getting a boatload of credit cards, running them up to the limit, then filing for bankruptcy.
Now, the real solution to this would have been for the credit card companies to have done their jobs and really examined the credit ratings of the people to whom they gave these cards, and to have given people reasonable credit limits (I shall use myself for an example - I have a single credit card which has a limit of well over one-half of my yearly salary - there is NO REASON for me to have that much unsecured credit - and no, I did NOT request that limit, they gave it to me on their own).
However, that would require the credit card companies to actually do work and would impair their ability to take people almost to bankruptcy and make lots of money on revolving credit interest.
So, what did the credit card companines do? They took their enourmous profits and paid for immense lobbying to get a law passed to insure they get their money even if you file for bankruptcy.
Now, what is another word for "credit card company"? I'll give you a hint - it starts with "B", ends in "K", and has 4 letters. Wanna buy a vowel (at 15% APR)?
Making banks actually take responsibility for phishing means banks would have to do work on their online banking and credit applications. It would mean they would have to make it harder for people to buy things online (read: go into debt). It would CUT INTO THEIR PROFITS!
So what is a good, responsible banker to do? Call 1-800-RENT-A-SENATOR.
www.eFax.com are spammers
A properly formed e-mail from a reputable company nearly completely eliminates all possible intercepts. At least as many as can be eliminated by simply going to the website in the first place without an e-mail prompt.
case in point:
I recently received an actual e-mail from PayPal, this e-mail suggested that my on-file credit card was about to expire. The first thing that keyed me in and made me actually read this mail was that they referenced the last four digits of said card. Next, they suggested that I logon to their website and update the credit card's expiration date. Most importantly they didn't even offer a link to paypal.com, they simply said to logon and then gave instructions as to how to change it. Not the first link in the whole e-mail. This effectively eliminates fraud as a possibility. While it is still possible that paypal.com itself could be hijacked or some other esoteric scheme, the 99.9% possibilities are all eliminated simply by not providing any link.
Now if a bank intends to hold me responsible for payments on a credit card, that bank better make damn sure that the credit card has been requested by and given to me. Right now, according to Mr. Schneier, that isn't happening.
And let's not forget that it's the victim who, to a large extent, takes the responsibility for clearing their credit record which has been smeared by the irresponsible actions of both a criminal and some financial institution.
Paul Grosfield - the quicker picker upper.
Technically, they are, but 9/10 times they seek to hide the problem and avoid liability. It is irresponsible in my view to put major databases in another country where it is known the information is being sold on the blackmarket, yet banks continue to insist there's nothing to be done. Remember, these are the same guys who organized shadow accounts so that the Russian mafia could siphon off billions in US aid to Russia a few years ago. It took the combined efforts of several governments to put political pressure on all countries where this method was known to exist (in places like Bermuda, etc). Banks will *never* act in the customer's interest unless forced, and yes, charge the customer for the privilege afterwards.
insecurity asks the wrong question irritation gives the wrong answer
I get over a hundred a week from "PayPal". I don't even bother sending them to spamcop anymore.
The part about not having any links in the email is good. But not good enough. You could have been told to go to mypaypalsecurity.com and logon. Then you'd be back to the man-in-the-middle attack.
Not to mention that most people who do read those emails will not know enough to not click on a link when the company involved has not specifically stated that they will not send links.
Then you hand your credit card to the waiter, who goes into another room with it.
I sent a nice email to Bruce, but I didn't keep a copy (sent through Wired).
Basically, we already have this with CC numbers, it's almost no hassle at all to get unauthorized charges removed. Yet CC fraud still happens, if anything, even more widespread than before. The little 3 digit number on the back was nice, but does it really slow anything down? After all, that number is now part of the databases, just like the expiration date.
So who pays for CC fraud? The CC company? No, they backcharge the merchant. Does the merchant pay? No, he raises costs for all his customers, either in hassle proving identity, or by raising costs.
In the end the customer always pays, so we might as well make it easy for him to solve problems.
Fellowship 9/11
credit card companies are responsible for preventing fraud. If someone steals my CC acct # somehow, I dont pay for it, the company does. So when my card gets used on the other side of the world, or in multiple places at once, I get a call from the company to try to prevent the fraudulent transactions.
If I get an unknown transaction on my statement, one call to the company, and they look into it and figure out how it happened.
Banks currently have no responsibilities. They dont give a shit. I once received my monthly statement to see a series of withdrawls and cheques cleared that I didn't do. I called them. Their reply? Prove it wasnt you. WTF?!?!?! I told them to look at the cheques to see if I even signed them. They told me it'll cost $10/cheque and it'll be 5 business days. WTF?!?!!
Heres another stupid one. Once I write a cheque for $150. The person who cashed it entered it as $510 at a bank machine. The cheque cleared an $510 was taken from my account. It took me two months to resolve. And this is with a carbon copy of my original cheque.
If those fuckers were held accountable for all my banking problems, they'd be pretty damn sure to make sure the problems dont happen in the first place.
Its not about making them responsible for fraud after-the-fact. Its about making them responsible so that they design their systems and have safeguards that prevent it from happening. i.e. a phisher somehow gets my name and account number. this alone should not be enough to take my money.
Even organizations that should know better sometimes fail to do this. I once received an email message from an address at openvenue.com claiming to be from the ACM and asking me to go to confirmit.com to fill out a survey. Imagine my surprise when it turned out to actually be from the ACM. (To add further insult, when I emailed the ACM about it, the two line response was followed by two copies of a ten line signature, without delimiter. Sigh.)
It seems like any university that claims to give a well-rounded liberal arts education should include a course that covers issues of computer-related common sense and etiquette, such as "don't give your account details to strangers" and "don't use a signature 10 times as long as the body of your email."
Yea, lets make someone else responsible for me being a dumbass, and make it harder for everyone else to do business with their own financial institution because I'm too stupid to realize the email is a phish scam.
Sorry, that falls into survival of the fittest. If your too stupid to keep your money, you don't deserve it.
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
I love the folks who sell their latest and greatest encoding schemes for mail messages, like HTML, MS-Word, quoted-printable, base64 etc.. Perfect breeding environment for phishing attacks. Sure, you can rightfully blame Microsoft. But then also blame the developers of Pine and MIME. Same junk, just with a bit of penguin dung. What was actually wrong with plain simple ASCII text mail messages? Or take web sites and HTML. Why do we need JavaScript on the Citibank web pages? Or Macromedia Flash files for Citibank's "secure" virtual account numbers? This kind of software was developed for entertainment purposes, not bank transactions. Maybe the people who develop and sell such stupid solutions are also the ones who benefit from fixing the problems, because it keeps them employed. Make the banks and their software developers responsible for their mistakes, and we get secure, simple solutions.