Slashdot Mirror
Schneier: Make Banks Responsible for Phishers
abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""
Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
Amex - does the same thing that Chase does on americanexpress.com.
CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!
-- these are only opinions and they might not be mine.
Try the ING Direct site - best over the web security ever. You need your account number, some ever changing specific fraction of your social security #, zip code, or other identifier, and a set of letters that corresponds to a pin that are entered by clicking a icture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.
It's a minor pain in the butt to get to your account, but definitely more secure.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White