Schneier: Make Banks Responsible for Phishers
abgillette writes: "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: 'Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.'"
To me, it doesn't matter whether SMTP is authenticated or not. I'm not trusting e-mail claiming anything, no matter what. If I really think the e-mail might be legit, instead of clicking on the link it provides I open up my browser and use my bookmark to that site instead. The assumption here is that if, for example, Paypal has a problem with my account, there will be something about it in my inbox on Paypal or a notice on my account page or something. If an e-mail says I need to verify my Citibank account by filling in a form, and I can't find a hint of anything like that on my account pages on Citibank's site (accessed from my bookmark, not through anything the e-mail provided), then no matter how authentic the e-mail looks, it's actually bogus.
One of the problems with all the "We need authenticated SMTP!" proposals is that they're the equivalent of requiring authenticated snail-mail. USPS and SMTP are both transports. They have nothing to do with the identity of the entity sending the mail. No sane person would trust a bill for a large amount of money that arrived through the Postal Service just because it claimed to be from a store they did business with; the first thing they'd do is call the store and ask what's up. Same for e-mail: I'm not trusting an e-mail just because it says it's from someone, I'm going to contact that someone and see what's up.
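The commenter's "use my own bookmark, never the link in the e-mail" rule can be turned into a mechanical check; the Python below is an added example, not code from the post or from any of the sites named in it. It compares each link found in a message against a bookmark table for the brand the message claims to come from and rejects hosts that merely contain the brand name, carry user-info before the host, or are not under the bookmarked domain at all. The bookmark table, the sample message and the function names are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed bookmark table (an assumption, not anything from the post): the
# domain a user reaches via their own bookmark, keyed by the brand an e-mail
# claims to come from. Nothing the e-mail itself supplies is trusted.
BOOKMARKS = {"paypal": "paypal.com", "citibank": "citibank.com"}

# Constructed sample message: the first link really is under the bookmarked
# domain, the second merely starts with the brand name and ends elsewhere.
SAMPLE_BODY = (
    "Your statement is ready: https://online.citibank.com/statements\n"
    "Please confirm your details: http://citibank.com.verify.example.net/login\n"
)

def host_under(host, bookmarked):
    """True only if host is the bookmarked domain itself or a subdomain of it."""
    # A substring test would accept 'citibank.com.verify.example.net';
    # a '.'-boundary suffix match does not.
    host = host.rstrip(".").lower()
    return host == bookmarked or host.endswith("." + bookmarked)

def link_matches_bookmark(claimed_brand, url):
    """Return (ok, reason): does this link go where the e-mail claims it goes?"""
    bookmarked = BOOKMARKS.get(claimed_brand.lower())
    if bookmarked is None:
        return False, "no bookmark for %r; check the site by hand" % claimed_brand
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme %r" % parts.scheme
    if "@" in parts.netloc:
        # 'http://citibank.com@example.net/' shows the brand but goes elsewhere.
        return False, "user-info before the host; deceptive URL"
    host = parts.hostname or ""
    if not host_under(host, bookmarked):
        return False, "host %r is not under %s" % (host, bookmarked)
    return True, "host is under the bookmarked domain %s" % bookmarked

def check_message_links(claimed_brand, body):
    """Run every http(s) link found in the message body through the check."""
    urls = re.findall(r"https?://[^\s<>\"')]+", body)
    return [(u,) + link_matches_bookmark(claimed_brand, u) for u in urls]

if __name__ == "__main__":
    for url, ok, reason in check_message_links("Citibank", SAMPLE_BODY):
        print("OK " if ok else "BAD", url, "-", reason)
```

A link that passes this check still only tells you the host is the bookmarked one; it does not replace logging in through the bookmark and looking for the notice on the account page, which is the commenter's actual test.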