Schneier: Make Banks Responsible for Phishers
abgillette writes: "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: 'Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.'"
Yes, let's remove all responsibility from individuals and beg the big friendly government to make someone else take care of us.
While we're at it, let's make Slashdot responsible for trolls.
When will Windows be ready for the desktop?
Similar for 419 scams: put the responsibility for the scams sent onto those that provide free unverified e-mailboxes to the masses.
Everyone can set up a mailbox on hotmail or yahoo and use it for scamming, and be untraceable.
When a freemail provider is responsible for all its clients' actions unless it can refer to the actual person that is the client that has set up that mailbox, the problem has effectively ended.
Your bank already has your home address (and probably your home phone number).
All they have to do is to institute a "no email from us, ever" policy and spend some time getting that message out to their customers.
Sure, this will cut down on the ad revenue from the banks, so what?
If they absolutely need to have some form of email interaction, they can run an internal (no external SMTP connections) web-based email system so the clients (you) can email the bank's employees.
If you can't do something securely, maybe you should not be doing it.
Phishers use trademarked corporate ID images, names, slogans to fool victims into trusting the phisher as they would the simulated corporation. When a trademark holder does not "vigorously defend" their mark from dilution by others offering the same service, when the trademark owner knows about the dilution, they can lose their ownership. The Lanham Act defines the mark monopoly assigned by the PTO in terms of consumer protection. I'd like to see a phisher bring a new mark registration application for "Citibank" (and their logo), on the basis that the Lanham Act puts it up for grabs, after Citibank has slothfully ignored their dilution. That might wake up some of these banks to their responsibility to their customers, the flipside to the "brand equity" they cruise around on, garnering profits without earning trust with even the most rudimentary security that protects their customers, not just their branches.
--
make install -not war
Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
Amex - does the same thing that Chase does on americanexpress.com.
CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!
-- these are only opinions and they might not be mine.
I have two theories on this
1. Candy is a tangible commodity. Credit card details are not. You give candy to somebody, you have no candy. You give credit card details to somebody, your credit card details are still there, in your wallet, next to the photo of the kids, so there's nothing wrong.
2. People are stupid. There are still people crying that wearing a seat belt is a violation of their rights. Obviously, anything that goes bad is somebody else's fault. Of course misuse of credit card details is not my problem.
By the way, send me your paypal login and password. I need to confirm that you are you.
Norman Cook's Ode to Sl
This analogy is completely wrong.
:)
The fire department is a public service, put in place to deal with the consequences (fight the fire after it starts), while the banks are private businesses, which are there for customers' money.
Online banking is a benefit for both parties - banks and clients. The banks save big $ not paying for tellers and office space, customers do not need to drive to the bank.
And guess who gets more
So, the banks are much more interested in keeping the online banking. Then they have to be the ones more interested in improving the security (i.e. implementing a new/different type of client authentication, etc.). They are not going to do this unless they start to lose customers and/or money.
It's a stretch, but there are still ways.
A hypothetical:
I set up a website to mimic PayPal's. I sniff traffic on a network that you happen to be routed through and spot the legitimate PayPal email you received. My script intercepts that email, finds those "last four digits," and drops them into the site I set up. When you visit PayPal.com, I route your traffic to my fake PayPal site. You don't know the difference, so you continue to enter your new credit card information. Once completed, I change the routing back to normal so you don't notice anything's amiss.
The weakest part here is re-routing you to a different site... I'm not sure whether that could be done without also changing the URL in your browser, but I know there are some ways to do that (Unicode URL hack, for example).
I'm just saying, it's not beyond the realm of possibility.
Try the ING Direct site - best over the web security ever. You need your account number, some ever changing specific fraction of your social security #, zip code, or other identifier, and a set of letters that corresponds to a pin that are entered by clicking a picture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.
It's a minor pain in the butt to get to your account, but definitely more secure.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away.
Isn't the responsibility already on the financial institutions? If someone takes out a loan in your name, do you really think you're required to pay it back?
The victims of "identity theft" are the banks. The consumers only pay in the form of higher fees and interest rates.
#1. Acquire the 4 digits. Unless you're running your own email server, the email will be handled by someone else. Where I work, I keep every email going out or coming in. If someone sent that email to anyone where I work, I would have it. All it takes is one guy in the right location at google.com or earthlink or AOL and thousands of these would be collected.
#2. Fake the site. This is the easy part.
#3. Get the traffic to the fake site. Again, this will require ISP access (see #1). But it would be simple for the right person to set that up in the DNS servers.
So, all it takes is the right person in the right job at an ISP.
And that doesn't even begin to scratch the surface of what organized, technical criminals can do with a database.
People seem to lack understanding when it comes to financial fraud, and who perpetrates much of it. I'd like to relate to you something that happened to my friend's father, who works as an administrator at a retirement home. A couple of years ago it was reported to him that checks were being stolen, forged, then cashed. He reported this to the police and called the fraud department at Bank of America. He received a reply. They told him to stop getting involved before he got killed. In his area, he was up against the Russian and Armenian mafias.
I only tell you this because banks simply aren't equipped to go up against organized crime. Problems such as these must be dealt with by government authorities. That doesn't mean that banks can't help through better verification procedures, or by better securing customer information, but to lash out in frustration by saying that banks should shoulder complete responsibility is either irresponsible journalism or naivete on the part of Mr. Schneier.
Right now people can be somewhat proactive against fraud. Be careful who you are dealing with. Phony emails often have phony headers and always go back to phony websites, so check those URLs. Don't give personal info over the phone, either. If something does happen, report it to the bank right away and notify all three major credit reporting agencies. Remember to use change of address forms when you move. Don't just toss documents with critical information in the trash; shred them first. One more thing that you can do: once a year you are entitled to see and review your credit report. Do it. You do not have to pay for it, and you do not have to mess with outfits like freecreditreport.com et al.
I like to think of this line when it comes to protecting identity, "I may be paranoid, but that doesn't mean that someone isn't out to get me."
(checking to make sure "Post Anonymously" is checked)
Ok. As a guy that both works for banks and works for ISPs and deals with end users web sites and all that... I have to say I see a lot of willful ignorance on all sides.
People or the general public are really really far behind as to understanding the basics of keeping safe while using email. Sit them down in front of a computer and all of a sudden common sense is gone.
The banks on the other hand, treat these issues as PR that the marketing or HR chicks take care of, when they need a technically astute attack person to counteract. I have seen (and personally warned) banks that their images were being called remotely in phishing emails. Of the dozens, only one did anything about it (by putting "EMAIL FRAUD" in a gif and replacing it with the one in the site). Preventing remote linking of images on a web server is ridiculously easy, yet the large hosts don't do it, and the banks that host their own sites don't know how. Just the simple step of not allowing remote image linking without the proper HTTP Referer header would stop a lot of phishers in their tracks.
Yet they don't do much...
So on that respect I think making the banks financially responsible (or their web host for that matter, many of them get free web sites with their online banking service or data service providers) would help a lot.
But at the same time, it's not their fault... so why should they have the financial duty to cover consumers' losses?
So if that's the only solution, it might be ok, otherwise people need to get a serious education boost.
It's not that hard to make sure you're on the right site, make sure emails are legit, or login securely. All together, a pretty good system. Sure, you can still get tricked into entering your info elsewhere, but then you should probably not be banking online anyways.
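The Referer check the poster above describes, as an added example that is not from the original thread: a small Python policy function a bank's image server could apply to requests for its logo, run over a few constructed log entries. Host names and the "warning" image are hypothetical; web servers usually express this rule in their own config, so the function only shows the decision logic.

```python
from urllib.parse import urlsplit

# Hostnames the bank itself serves pages from (constructed, hypothetical).
BANK_HOSTS = {"www.examplebank.test", "online.examplebank.test"}


def referer_host(referer):
    """Lowercase hostname from a Referer header value, or None if absent/unparseable."""
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    # .hostname is already lowercased by urlsplit; guard against schemes without a host
    return parts.hostname if parts.hostname else None


def classify_image_request(referer, allow_missing=True):
    """Decide which image to serve for a request to the bank's logo.

    Returns "logo" for the real image or "warning" for the EMAIL FRAUD replacement.
    - same-site Referer: real logo
    - foreign Referer (a phishing page or HTML e-mail hot-linking the logo): warning image
    - missing Referer: real logo by default, because many mail clients, privacy settings
      and HTTPS->HTTP transitions strip the header; allow_missing=False is the strict policy.
    Matching is exact against BANK_HOSTS: a suffix check would let
    www.examplebank.test.evil.test through.
    """
    host = referer_host(referer)
    if host is None:
        return "logo" if allow_missing else "warning"
    return "logo" if host in BANK_HOSTS else "warning"


# Constructed sample of (requested path, Referer header) pairs, as an access log would show them.
SAMPLE_REQUESTS = [
    ("/images/logo.gif", "https://www.examplebank.test/login"),
    ("/images/logo.gif", "http://examplebank-secure-login.test/verify.php"),
    ("/images/logo.gif", ""),
    ("/images/logo.gif", "https://www.examplebank.test.evil.test/"),
]


def audit(requests, allow_missing=True):
    """Apply the policy to each request; returns a list of (referer, decision)."""
    return [(ref, classify_image_request(ref, allow_missing)) for _, ref in requests]


if __name__ == "__main__":
    for ref, decision in audit(SAMPLE_REQUESTS):
        print(f"{decision:8s} <- Referer: {ref or '(none)'}")
```

The foreign-Referer hits are also a cheap detection signal: each one is a live phishing page (or mail) that is still pulling the bank's own artwork. A kit that copies the images to its own server is not caught by this check, so it breaks hot-linking only.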
So, what did the credit card companies do? They took their enormous profits and paid for immense lobbying to get a law passed to ensure they get their money even if you file for bankruptcy.
The laughable part of the new bankruptcy law is that no one is required to file for bankruptcy, and you can't get blood out of a turnip. If you have a house secured by a mortgage, yeah - you can save your house if you file. You could also just blow off all your creditors except the mortgage bank, pay just your house payment, and keep all your stuff you bought on unsecured credit. 7 years later, the written-off credit card accounts disappear from your credit report. You will suffer no sanctions, other than having a hard time getting credit for 7 years. There is no reason to file for bankruptcy unless you stand to lose your home without it. And if you can make your mortgage payment by defaulting on everything else, why bother with bankruptcy? They aren't going to throw you in debtor's prison. They aren't going to take your plasma TV. And, your spendthrift habits made possible the gainful employment of a lot of Circuit City and Starbucks people, not to mention the local sales taxes that went into your home county's coffers.
Don't file, just Default!
Edith Keeler Must Die
Ok. As a guy that both works for banks and works for ISPs and deals with end users web sites and all that... I have to say I see a lot of willful ignorance on all sides.
Definitely agree with you there. The companies who can actually do something about internet crime seem to do the least about it. If you email a webhost, even a reputable one, about a blatant phishing site that they are hosting, they will do absolutely fuck all for at least 24-48 hours while the site gets more victims. A site designed to look exactly like PayPal or whatever should be shut down immediately, considering that it can have no legitimate purpose.
ISPs will happily let their customers continue to be connected to the internet even when they blatantly have a virus attacking other hosts (in the form of excessive traffic out of port 139, 445 et al). And these same ISPs are the ones who supply the public with 2MBit DSL lines and no security software.
I believe in the US of A, your liability for fraud on CC is limited to $50, although most CC companies waive that to $0. It's a pain, but it's often okay...
However, once a phisher has enough info on you they can do things that you aren't aware of and will not catch until it's really far too late. For example, they'll go buy a used car and finance it with the used car dealer backed by a credit card and then sell the car for parts. Some used car dealers take just about any credit indication (e.g., the fact that you have a credit card) because they sometimes make money by selling/repo-ing the same cars over and over to people that have marginal credit. They can also rent furniture, electronics, and major appliances (and resell them), and sometimes they can open credit union accounts and write overdrafted checks which are kited at pay-day-advance loan stores and so on. Of course they don't use your address and phone number on any of these additional credit applications, so it's pretty hard for you to track...
By the time you find out about all your potentially fraudulent accumulated liability, you are getting non-stop harassing phone calls from some ABC collection agency that doesn't really care how your name got into their to-be-tracked-down-and-harassed list. Then you spend a year cleaning up the whole mess on your credit report.
If you don't think this is possible, go into a store that usually sells/rents items to people with less than stellar credit and see if you can get store credit with only a major credit card number, a temporary driver's license (one w/o a photo), and a university id (that is trivial to forge). You may be shocked...
I think the poster has a point. I've not had a problem with my bank, but I did have a situation with a cellular phone company that issued an account in my name to someone who was pretending to be me. My conclusion from that experience was that the phone company was much too eager to open a new account without due diligence. Ultimately I didn't have to pay anything, but the experience was moderately expensive in terms of time and fees for certified mail, etc., and quite unpleasant. A simple legal principle something like "if you give someone who claims to be me some money, and it turns out not to have been me, too bad for you" is what I'd like to see. I think then we would see some real attention paid to the problem of securing transactions over the Internet and the POTS. Yes, I suppose this would make it more expensive for banks and others to do these transactions, but it seems that a reduction in fraud would make their overall expenses lower over time. Under the present system, much of the risk and frustration is borne by the consumer, who can do little to prevent fraud other than follow the boilerplate advice given out by government and commercial representatives.
Sadly, if one of these fraudsters gets enough info on you, you may find that "you" are doing business with a bank you've never heard of with a line of credit you've never asked for ;)
Personally, I like how he thinks doing his investments in "person" keeps him safe from fraud. Does he have a seat on a Stock Exchange, or is he trusting a guy in an office hundreds of miles from an exchange who claims to represent an investment firm (CLUE: Ponzi schemes pre-date the internet)? Perhaps he invests directly in local businesses, where he carefully audits the books, and works as an "internet guy" from the back office, watching the cameras while using his voice translation software? Does he deal only in cash, never uses an ATM or checks?
I work in the anti-phishing industry, and suggestions like the article makes are pie in the sky "corporations have magic powers" crap. Make banks pay for phishing and you'll create a cottage industry of phishing victims, of the sort that plagues the insurance industry today.
You are in a maze of twisted little posts, all alike.
I'm quite happy with my bank, the HSBC here in Hong Kong: they have started to provide their customers with a hardware security device that generates encrypted sequences of 6 digits at the press of a button: you need to register your device once online with its unique serial number and then, every time you login or you do a bank transfer online, you're requested to input the digits generated by the device.
This effectively makes phishing impossible since all they can do is collect your login and password, but won't be able to access your account with that information alone: they would need to be able to generate proper security codes as well (and getting a single instance of that code won't be enough).
Only way left for scammers and thugs to get into your account is by stealing your physical device and your login info. Always possible, but not very likely.
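An added example, not from the original thread and not HSBC's implementation, of how a press-the-button six-digit device of the kind described above typically works: an event-based one-time password (RFC 4226 HOTP) over a secret shared between the device and the bank, with the bank refusing any counter it has already accepted. The shared secret is the RFC's published test value and the Token/BankVerifier classes are constructed for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class Token:
    """The customer's device: every button press advances the counter and shows a new code."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def press(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class BankVerifier:
    """Bank side: holds the secret registered against the device's serial number and
    remembers the next counter it will accept, so a code can never be accepted twice."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.next_counter = 0        # lowest counter still acceptable
        self.look_ahead = look_ahead  # tolerate a few presses that were never submitted

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # this and all earlier counters are now dead
                return True
        return False


def phishing_replay_demo():
    """Constructed scenario: a phisher harvests login, password and one device code."""
    secret = b"12345678901234567890"  # RFC 4226 test secret, used here as the registered secret
    token, bank = Token(secret), BankVerifier(secret)
    captured = token.press()          # the code the victim typed into the phishing page
    first = bank.verify(captured)     # spent once (by the victim, or by a real-time relay)
    replay = bank.verify(captured)    # the phisher replays the harvested code: rejected
    fresh = bank.verify(token.press())  # the customer's next press still works
    guess = bank.verify("000000")     # password alone, with a guessed code: rejected
    return first, replay, fresh, guess


if __name__ == "__main__":
    print(phishing_replay_demo())  # (True, False, True, False)
```

The window the verifier tolerates is the weak spot to watch: a harvested code is only useless once the genuine user's next login has moved the counter past it, and a relay that spends the code in real time (the hypothetical a few posts up) still gets one use, which is why prompting for a fresh code on every transfer matters more than the one at login.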
Make banks pay for phishing and you'll create a cottage industry of phishing victims, of the sort that plagues the insurance industry today.
Yes, unfortunately. Until the banks pull their collective heads out of their asses and implement security measures which actually work.
For instance, right now, all I need to withdraw money from my checking account is my ATM card (or the number from it) and a four digit PIN, which I didn't assign and can't change. I don't even need a name.
There are solutions out there to make this astronomically more difficult. For instance, give the customers smart cards which use a public key authentication system. No one can do anything without that card physically on hand, and it could be made tamper-resistant enough that it couldn't be copied -- meaning that if the card is stolen, you get a new one, which can reasonably be *much* harder to do than it is now (since there's more risk for the bank) -- show up with a driver's license, birth certificate, sign something, mention some secret password, and check your thumbprint.
Right now, we're nowhere near that. In fact, remember Diebold and the voting machines? They also make ATMs. A single vulnerability at the ATM or anywhere between it and the bank and someone can get the same access credentials you do -- whereas, with the scheme I mentioned, they actually have to steal your *physical* card.
Of course, if the bank itself isn't trustworthy, you're still screwed. But the bank has an incentive to be trustworthy -- if you suspect you've been ripped off anywhere, by a phisher or by the bank itself, they have to prove that they made you read sufficient literature (always hold on to your card, if someone takes it off your person for a transaction instead of letting you swipe it yourself, they're stealing) and provide enough documentation (your public key that they've got on file, plus all the transactions you've signed with that private key, and all the verification they have that it was you who signed up for the account....)
Because the burden of proof is now on the bank to prove that you weren't ripped off.
Will people try to abuse that? Yes, but it won't get them anywhere. Any bank worth its mortar should easily repel enough frivolous cases to discourage that kind of scammer.
Could we be more paranoid? Sure. Here's an example: make the card more universal, allow it to keep several identities (ATM, credit card, driver's license) which are all user-managed, and give it a built-in display and thumbprint reader. Basically, you jack the card (or dongle, or whatever) into their payment system, check the display ($1.25 to PepsiCo for Sierra Mist), then scan your thumb (in your own card) and it "signs" the sale. This also works online -- maybe the device is shaped like a USB keychain. It's still possible to be scammed on individual purchases, but you can't be scammed out of your entire identity -- if the most you ever spend on a single purchase is $50, no one scammer can steal more than $50 from you, unless you're amazingly stupid.
If you want, I can explain the crypto behind that scenario, but suffice to say that AFAIK, the only way the vending machine example breaks is the same way it already does -- you deposit money, push a button, and it doesn't actually deliver the Coke (or whatever) -- it "eats" your money. But it can't eat more than you put in.
So, this makes your banking almost as secure as cash. And cash is backed by the US government, so... uh oh....
Don't thank God, thank a doctor!
None of the methods you have mentioned have actually fixed the problem of financial fraud. They've all been stop-gap patches-on-patches solutions.
I only wish we did live in Bruce Schneier's world where having law-makers push the problem onto banks to get the problem fixed would have any real effect. Unfortunately for us, in the world in which we live, banks' "fixes" for the problems are insufficient and they "defray the costs" by increasing loan interest rates and adding "administration charges" to their accounts.
Bottom line: banks are businesses. If they feel they can reduce the problem with a cheap-ass "fix" then they will - to keep their shareholders happy, not the customers.
There is a simple and cheap solution that banks can implement to stop phishers cold. They can use disposable pins for every outgoing transaction. When the customer opens an account, he gets a plastic card with pins. The card is either given in person, or sent by postal mail. Whenever the customer makes a payment, he is prompted by the bank to enter a pin. One pin - one transfer, the pin is never reused. The standard credit-card sized card can hold about a hundred pins covered with scratch-off paint. The phishers can get the password and see the contents of the account, but they will not be able to transfer the money out of the account.
Why don't the banks do it? Because such a system would seem like an unnecessary hassle to the majority of customers.
Look at credit-card fraud. Do banks pay for this? Hell, yeah. Is there a cottage industry? Perhaps, but banks are EXTREMELY motivated to fix the problem, since it's costing them daily.
rubbish. Look at banks' current efforts to fix CC fraud.. CVV numbers, which are a relatively recent introduction for distance selling, and now chip and pin for cardholder-present frauds. Until very recently you didn't need to give the CVV number for authentication, and some of my cards *still* don't have chips on them.
The point here is that the banks are very conservative. They will first add up how much fraud costs them, figure out how much it will cost them to fix (including all the hidden costs like consultants and management and new readers for stores etc), and if the cost is too great, won't do a thing.
Bruce's point is that any data that can't be completely secured really shouldn't have been available online in the first place.
The reason phishing works is because banks put sensitive information online where it can be accessed remotely once the phishing part of the attack is complete. Take the data offline and phishers will go away because there's no data to access, even if they do get people to give them their passwords. Right now, banks have no DISincentive to take the data offline because they're making money, and our losses are acceptable collateral damage to them. Don't believe me? Look at the way they hand out credit cards - and that's when they *are* willing to take losses themselves.
Would it set banks back 10 years or so? Yup, but it's also the right thing to do.
My $0.02. YMMV
"Lawyers are for sucks."
- Doug McKenzie
It seems that a lot of people in this discussion seem to think that this would be (a) impossible, or at least (b) horribly expensive, so I thought I'd illustrate how it could be accomplished cheaply and effectively.
First, the bank would need to have a readily recognizable web address that fully described the company name. www.wellsfargoofnorthamerica.com, for instance. It's kind of long to type, but we're talking security procedures here.
Second, have ALL FINANCIAL INSTITUTIONS institute a policy of never sending a link in any email. Announce this policy on TV commercials. Make people sign a notice recognizing this policy when they sign up for an account. Put it in big letters on the initial credit card contracts. Put posters up in the bank lobby, that kind of thing. Awareness is truly the place where we're falling down here.
There will always be idiots who fall for this stuff, but if people in general know that banks won't send these links, then they won't fall for this kind of thing nearly as often.
Wake up - the future is arriving faster than you think.