Schneier: Make Banks Responsible for Phishers

abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""

Simple solution - no email from banks.

[khasim]

Your bank already has your home address (and probably your home phone number).

All they have to do is to institute a "no email from us, ever" policy and spend some time getting that message out to their customers.

Sure, this will cut down on the ad revenue from the banks, so what?

If they absolutely need to have some form of email interaction, they can run an internal (no external SMTP connections) web-based email system so the clients (you) can email the bank's employees.

If you can't do something securely, maybe you should not be doing it.

Chase, Citibank & Amex are big problems.

[slashkitty]

Every time there is a banking security article, I start pointing to Chase bank and Amex, both of which use pitiful security practices on their sites. The most important one of all, is to teach the user to always login from a secure site, and one with the bank name.

Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.

Amex - does the same thing that Chase does on americanexpress.com.

CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!

Try the ING Direct site

[nightsweat]

Try the ING Direct site - best over the web security ever. You need your account number, some ever changing specific fraction of your social security #, zip code, or other identifier, and a set of letters that corresponds to a pin that are entered by clicking a icture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.

It's a minor pain in the butt to get to your account, but definitely more secure.

Re:Hmmm...

[ePhil_One]

"Anywho, being a well-informed and adept engineer of the internet age, I still do all my investing in person because I'm paranoid as heck =]."

Sadly, if one of these fraudsters gets enough info on you, you may find that "you" are doing business with a bank you've never heard of with a line of credit you've never asked for ;)

Personally, I like how he thinks doing his investments in "person" keep him safe from fraud. Does he have a seat on a Stock Exchange or trusting a guy in an office hundreds of miles from an exchange who claims to represent an investment firm (CLUE: Ponzi schemes pre-date the internet)? Perhasp he invests directly in local businesses, where he carefully audits the books, and works as an "internet guy" from the back office, watching the cameras while using his voice translation software? Does he deal only in cash, never uses an ATM or checks?

I work in the anti-phishing industry, and suggestions like the article makes are pie in the sky "corporations have magic powers" crap. Make banks pay for phishing and you'll create a cottage industry of phishing victims, of the sort that plagues the insurance industry today.