Schneier: Make Banks Responsible for Phishers
abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""
I seriously doubt the innovation of criminals with technology will fail simply because banks require additional information.
FanFictionRecs.net
However, it doesn't seem very feasible.
... on which I think there is more than enough uncertainty to prevent that.
There is no way we can get the government to do such a thing... and such losses may even affect federal insurance and our interest rates...
Depending on how many morons there are getting hit by phishing scams, this could have a large effect.
Of course... that's assuming it ever got made into 'law'...
MoM++ - A Classic Expanded - [Master of Magic 1.5]
http://mompp.sourceforge.net/
Personal responsibility has to come into play somewhere. If people aren't educated enough to know NOT to email back their bank information to an unsolicited source, then just whose fault is it? The banks obviously need to do more, but in the end someone has to be responsible for their own actions.
Yes, let's remove all responsibility from individuals and beg the big friendly government to make someone else take care of us.
While we're at it, let's make Slashdot responsible for trolls.
When will Windows be ready for the desktop?
I don't think there's much of a chance of this kind of thing ever getting implemented. The financial industry would kill any legislator who tried to introduce legislation like this. If anything got through, they'd convince the executive branch not to enforce it. I'm sorry to say this, but the banks hold our money and they're very cavalier about to whom they give access and they like it that way.
What's wrong with "all of the above?" It would seem to me that a multi-pronged attack to the problem would be best, because I really don't see how "just" holding the financial institutions responsible will make the problem disappear completely. Scammers are creative, after all, and the people who fall for their scams can be pretty friggin' dumb.
Dear Bruce Schneier,
We read with interest your comments on preventing phishing activities.
Our conclusion is that we are not taking appropriate measures to prevent phishing.
Therefore, we have acted to prevent such damages in the future. This action is the only certain method of fraud prevention: Your account has been closed and we have placed you on a universal banking blacklist to prevent you from being able to open an account with any other bank.
Thank you for your refreshing point of view, and good luck.
Sincerely,
Your Bank
---"What did I say that sounded like 'Tell me about your day?'"---
Forcing the responsibility on the banks is only going to encourage the banks to treat the customers worse than they already do.
Your bank already has your home address (and probably your home phone number).
All they have to do is to institute a "no email from us, ever" policy and spend some time getting that message out to their customers.
Sure, this will cut down on the ad revenue from the banks, so what?
If they absolutely need to have some form of email interaction, they can run an internal (no external SMTP connections) web-based email system so the clients (you) can email the bank's employees.
If you can't do something securely, maybe you should not be doing it.
This will always be a problem because people don't want to have to deal with complex security. I wouldn't mind keeping an RSA authenticated keychain that has a rotating cryptographic key that changes every 60 seconds (a pretty cool solution, I've seen in action), but moron hick who doesn't see why he should have to have more than one password will never stand for it. Juggling multiple methods of authentication is too complex for the average Joe.
Thankfully, that average Joe is also the same moron who will fall victim to phishing instead of me. I'll never lose my money, so it's not my problem. A conundrum, if you will - the only people smart enough to do anything about it (or be willing to do anything about it) are the ones to whom such scams don't apply anyway.
(No offense to any geeks/intellects who happen to be named Joe)
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
The only way something like this works is if there is a neutral agency that one can report this to. Even then it probably won't. It's in the financial institutions' best interest to keep all security problems secret. That is today, even with them not being responsible; in a day where they are responsible, they'll act just as the tobacco companies did/do: "There is no security problem, Mr. Senator. No, there is no problem with identity theft, not at all, we have it under control." The cheapest short term solution is the best one to a company; these guys pretend to think long term, but they don't. Don't assume they will.
Burn Hollywood Burn
In the end the consumer will always pay no matter what happens. If they exclusively make financial institutions responsible for phishing then that just means they will charge us more for their services. If they don't do anything about it, well, then we still pay when some schmuck steals our identity and our money.
It amazes me that, for example, no-one really checks signatures on credit card slips or that you don't need a PIN to buy gas with a card at the pump.
If you tighten up all these processes then just knowing five pieces of data about a person won't let you access their accounts. Why sign your credit card at all when no-one even LOOKS at the signature and YOU are liable for fraudulent use of the card?
Legislation shouldn't be used as a way of solving a technical problem, and this is really just a technical problem with e-mail.
Find free books.
So I fall for a phishing email and enter my credit card info, bank passwords, etc. into some scam site. Said scammer proceeds to empty my bank account.
If I directly gave the scammer enough info to do such financial damage, how can the bank be held responsible? It's like if I forget my wallet on the table at some fast food restaurant, and someone picks it up and maxes out each of my credit cards. Should the bank be held accountable that I forgot my wallet? Banks should make a better effort to confirm identities in cases of large sums of money being transferred/spent under strange circumstances, but holding them financially accountable for my own faults?
It will never happen.
Consider this: The credit card companies were getting reamed by people getting a boatload of credit cards, running them up to the limit, then filing for bankruptcy.
Now, the real solution to this would have been for the credit card companies to have done their jobs and really examined the credit ratings of the people to whom they gave these cards, and to have given people reasonable credit limits (I shall use myself for an example - I have a single credit card which has a limit of well over one-half of my yearly salary - there is NO REASON for me to have that much unsecured credit - and no, I did NOT request that limit, they gave it to me on their own).
However, that would require the credit card companies to actually do work and would impair their ability to take people almost to bankruptcy and make lots of money on revolving credit interest.
So, what did the credit card companies do? They took their enormous profits and paid for immense lobbying to get a law passed to ensure they get their money even if you file for bankruptcy.
Now, what is another word for "credit card company"? I'll give you a hint - it starts with "B", ends in "K", and has 4 letters. Wanna buy a vowel (at 15% APR)?
Making banks actually take responsibility for phishing means banks would have to do work on their online banking and credit applications. It would mean they would have to make it harder for people to buy things online (read: go into debt). It would CUT INTO THEIR PROFITS!
So what is a good, responsible banker to do? Call 1-800-RENT-A-SENATOR.
www.eFax.com are spammers
A properly formed e-mail from a reputable company nearly completely eliminates all possible intercepts. At least as many as can be eliminated by simply going to the website in the first place without an e-mail prompt.
case in point:
I recently received an actual e-mail from PayPal, this e-mail suggested that my on-file credit card was about to expire. The first thing that keyed me in and made me actually read this mail was that they referenced the last four digits of said card. Next, they suggested that I logon to their website and update the credit card's expiration date. Most importantly they didn't even offer a link to paypal.com, they simply said to logon and then gave instructions as to how to change it. Not the first link in the whole e-mail. This effectively eliminates fraud as a possibility. While it is still possible that paypal.com itself could be hijacked or some other esoteric scheme, the 99.9% possibilities are all eliminated simply by not providing any link.
Phishers use trademarked corporate ID images, names, slogans to fool victims into trusting the phisher as they would the simulated corporation. When a trademark holder does not "vigorously defend" their mark from dilution by others offering the same service, when the trademark owner knows about the dilution, they can lose their ownership. The Lanham Act defines the mark monopoly assigned by the PTO in terms of consumer protection. I'd like to see a phisher bring a new mark registration application for "Citibank" (and their logo), on the basis that the Lanham Act puts it up for grabs, after Citibank has slothfully ignored their dilution. That might wake up some of these banks to their responsibility to their customers, the flipside to the "brand equity" they cruise around on, garnering profits without earning trust with even the most rudimentary security that protects their customers, not just their branches.
--
make install -not war
Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
Amex - does the same thing that Chase does on americanexpress.com.
CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!
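The complaints above (a login form on a plain-HTTP home page, a padlock graphic drawn into the page, logins on unrelated domains) are things a bank can check for itself before customers are trained to ignore them. Below is an added example, not code from this discussion or from any of the banks named: a small audit that parses a page, finds every form carrying a password field, and reports whether both the page and the form's action are HTTPS. The `bank.example` hostnames and the HTML are constructed and do not reproduce any real bank's markup.

```python
"""Audit an HTML page for login forms that are not served and submitted
over HTTPS. Added example for this discussion, not code from Slashdot or
from any bank; the page below is constructed and does not reproduce any
real bank's markup."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormFinder(HTMLParser):
    """Collect every <form> on the page, noting whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms: {"action": str, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form on the page.

    A padlock graphic drawn into the page proves nothing; what matters is
    that the page carrying the form came over HTTPS (otherwise anyone on
    the path can rewrite the form) and that the form posts to HTTPS too.
    """
    parser = LoginFormFinder()
    parser.feed(html)
    parser.close()
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])   # relative actions resolve against the page
        action_https = urlparse(action).scheme == "https"
        findings.append({
            "action": action,
            "page_https": page_https,
            "action_https": action_https,
            "secure": page_https and action_https,
        })
    return findings


# Constructed sample: a plain-HTTP home page that draws a padlock image next
# to a login form posting to an HTTPS host. The post is encrypted, but the
# form itself arrived unprotected, so the finding is "not secure".
HOMEPAGE_HTTP = """
<html><body>
<img src="/images/lock.gif" alt="secure">
<form action="https://login.bank.example/signin" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_forms("http://www.bank.example/", HOMEPAGE_HTTP):
        print(finding)
```

The same markup fetched over `https://` passes, which is the whole point: the fix is where the form is served from, not the picture beside it.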
-- these are only opinions and they might not be mine.
Technically, they are, but 9/10 times they seek to hide the problem and avoid liability. It is irresponsible in my view to put major databases in another country where it is known the information is being sold on the black market, yet banks continue to insist there's nothing to be done. Remember, these are the same guys who organized shadow accounts so that the Russian mafia could siphon off billions in US aid to Russia a few years ago. It took the combined efforts of several governments to put political pressure on all countries where this method was known to exist (in places like Bermuda, etc). Banks will *never* act in the customer's interest unless forced, and yes, charge the customer for the privilege afterwards.
insecurity asks the wrong question irritation gives the wrong answer
I have two theories on this
1. Candy is a tangible commodity. Credit card details are not. You give candy to somebody, you have no candy. You give credit card details to somebody, your credit card details are still there, in your wallet, next to the photo of the kids, so there's nothing wrong.
2. People are stupid. There are still people crying that wearing a seat belt is a violation of their rights. Obviously, anything that goes bad is somebody else's fault. Of course misuse of credit card details is not my problem.
By the way, send me your paypal login and password. I need to confirm that you are you.
Norman Cook's Ode to Sl
I get over a hundred a week from "PayPal". I don't even bother sending them to spamcop anymore.
The part about not having any links in the email is good. But not good enough. You could have been told to go to mypaypalsecurity.com and logon. Then you'd be back to the man-in-the-middle attack.
Not to mention that most people who do read those emails will not know enough to not click on a link when the company involved has not specifically stated that they will not send links.
Send someone a phish, get their money and teach them a lesson.
Teach someone to phish, and they may try to get your money!
Infuriate left and right
This analogy is completely wrong.
:)
The fire department is a public service, put in place to deal with the consequences (fight the fire after it starts), while the banks are private businesses, which are there for customers' money.
Online banking is a benefit for both parties, banks and clients. The banks save big $ by not paying for tellers and office space; customers do not need to drive to the bank.
And guess who gets more?
So, the banks are much more interested in keeping the online banking. Then they have to be the ones more interested in improving the security (i.e. implementing a new/different type of client authentication, etc.). They are not going to do this unless they start to lose customers and/or money.
It's a stretch, but there are still ways.
A hypothetical:
I set up a website to mimic PayPal's. I sniff traffic on a network that you happen to be routed through and spot the legitimate PayPal email you received. My script intercepts that email, finds those "last four digits," and drops them into the site I set up. When you visit PayPal.com, I route your traffic to my fake PayPal site. You don't know the difference, so you continue to enter your new credit card information. Once completed, I change the routing back to normal so you don't notice anything's amiss.
The weakest part here is re-routing you to a different site... I'm not sure whether that could be done without also changing the URL in your browser, but I know there are some ways to do that (Unicode URL hack, for example).
I'm just saying, it's not beyond the realm of possibility.
Try the ING Direct site - best over-the-web security ever. You need your account number, some ever-changing specific fraction of your social security #, zip code, or other identifier, and a set of letters that correspond to a PIN, entered by clicking a picture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.
It's a minor pain in the butt to get to your account, but definitely more secure.
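What makes the scheme above worth the hassle is that the letters the browser sends are meaningless outside the one session that drew the mapping, so a keylogger or a captured form submission gets letters, not the PIN. The following is an added example of that mechanism, not code from the thread or from ING Direct: the server draws a random letter for each digit per session, the customer's clicks send letters, and the server translates them back and compares against a salted PBKDF2 digest of the PIN. The PIN, salt and seeds are constructed; `demo_session` exists only to make the example deterministic.

```python
"""Per-session letter-to-digit keypad for PIN entry, in the style of the
ING Direct login described above. Added example, not code from the thread
or from ING Direct; the PIN, salt and seeds are constructed."""
import hashlib
import hmac
import random
import secrets
import string

DIGITS = "0123456789"
PBKDF2_ROUNDS = 100_000


def store_pin(pin, salt=None):
    """Bank side: keep only a salted PBKDF2 digest of the PIN, never the PIN."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


class KeypadSession:
    """One login attempt: a fresh random assignment of letters to digits.

    The browser renders a number pad whose keys are labelled with these
    letters; clicking sends the letters, not the digits. Only the server
    holds the mapping, and it is discarded after a single use.
    """

    def __init__(self, rng=None):
        rng = rng or secrets.SystemRandom()
        labels = rng.sample(string.ascii_lowercase, len(DIGITS))
        self.digit_to_letter = dict(zip(DIGITS, labels))
        self.letter_to_digit = {ltr: d for d, ltr in self.digit_to_letter.items()}
        self.used = False

    def keypad(self):
        """What the server sends to the browser to draw the pad."""
        return dict(self.digit_to_letter)


def demo_session(seed):
    """Deterministic session for demonstration only; production uses SystemRandom."""
    return KeypadSession(random.Random(seed))


def letters_for_pin(session, pin):
    """Browser side: the letters a customer's clicks send for a given PIN."""
    return "".join(session.digit_to_letter[d] for d in pin)


def verify_clicks(session, stored, clicked_letters):
    """Bank side: translate the clicked letters back through this session's
    mapping and compare against the stored PIN digest. A session is accepted
    once; replaying the same letters fails because the mapping is gone, and
    the next session draws a different one."""
    if session.used:
        return False
    session.used = True
    try:
        digits = "".join(session.letter_to_digit[c] for c in clicked_letters)
    except KeyError:            # a letter that was not on this session's pad
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", digits.encode(), stored["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored["digest"])


if __name__ == "__main__":
    stored = store_pin("2580")
    session = KeypadSession()
    print("pad shown to customer:", session.keypad())
    sent = letters_for_pin(session, "2580")
    print("letters on the wire:", sent, "->", verify_clicks(session, stored, sent))
    print("same letters replayed:", verify_clicks(session, stored, sent))
```

Note what this does and does not protect against: it defeats passive capture of the keystrokes or the submitted form, but a phishing page that draws its own keypad and relays each click to the real bank in real time still learns the PIN, which is why the comment's other factors (the changing slice of identifiers) matter too.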
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
Then you hand your credit card to the waiter, who goes into another room with it.
Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away.
Isn't the responsibility already on the financial institutions? If someone takes out a loan in your name, do you really think you're required to pay it back?
The victims of "identity theft" are the banks. The consumers only pay in the form of higher fees and interest rates.
I sent a nice email to Bruce, but I didn't keep a copy (sent through Wired).
Basically, we already have this with CC numbers, it's almost no hassle at all to get unauthorized charges removed. Yet CC fraud still happens, if anything, even more widespread than before. The little 3 digit number on the back was nice, but does it really slow anything down? After all, that number is now part of the databases, just like the expiration date.
So who pays for CC fraud? The CC company? No, they backcharge the merchant. Does the merchant pay? No, he raises costs for all his customers, either in hassle proving identity, or by raising costs.
In the end the customer always pays, so we might as well make it easy for him to solve problems.
Fellowship 9/11
"Hi, this is Joe Lieberman, and I'll be your Senator today. What can I do for you? Oh? Let me transfer you to my supervisor, Senator Biden"
As long as they make a backup copy, I'm fine with it.
Hi, I just lost $600,000. Can you restore my backup please?
#1. Acquire the 4 digits. Unless you're running your own email server, the email will be handled by someone else. Where I work, I keep every email going out or coming in. If someone sent that email to anyone where I work, I would have it. All it takes is one guy in the right location at google.com or earthlink or AOL and thousands of these would be collected.
#2. Fake the site. This is the easy part.
#3. Get the traffic to the fake site. Again, this will require ISP access (see #1). But it would be simple for the right person to set that up in the DNS servers.
So, all it takes is the right person in the right job at an ISP.
And that doesn't even begin to scratch the surface of what organized, technical criminals can do with a database.
People seem to lack understanding when it comes to financial fraud, and who perpetrates much of it. I'd like to relate to you something that happened to my friend's father, who works as an administrator at a retirement home. A couple of years ago it was reported to him that checks were being stolen, forged, then cashed. He reported this to the police and called the fraud department at Bank of America. He received a reply. They told him to stop getting involved before he got killed. In his area, he was up against the Russian and Armenian mafias.
I only tell you this because banks simply aren't equipped to go up against organized crime. Problems such as these must be dealt with by government authorities. That doesn't mean that banks can't help through better verification procedures, or by better securing customer information, but to lash out in frustration by saying that banks should shoulder complete responsibility is either irresponsible journalism or naivete on the part of Mr. Schneier.
Right now people can be somewhat proactive against fraud. Be careful who you are dealing with. Phony emails often have phony headers and always go back to phony websites, so check those URLs. Don't give personal info over the phone, either. If something does happen, report it to the bank right away and notify all three major credit reporting agencies. Remember to use change of address forms when you move. Don't just toss documents with critical information in the trash; shred them first. One more thing that you can do: once a year you are entitled to see and review your credit report. Do it. You do not have to pay for it, and you do not have to mess with outfits like freecreditreport.com et al.
I like to think of this line when it comes to protecting identity, "I may be paranoid, but that doesn't mean that someone isn't out to get me."
Even organizations that should know better sometimes fail to do this. I once received an email message from an address at openvenue.com claiming to be from the ACM and asking me to go to confirmit.com to fill out a survey. Imagine my surprise when it turned out to actually be from the ACM. (To add further insult, when I emailed the ACM about it, the two line response was followed by two copies of a ten line signature, without delimiter. Sigh.)
It seems like any university that claims to give a well-rounded liberal arts education should include a course that covers issues of computer-related common sense and etiquette, such as "don't give your account details to strangers" and "don't use a signature 10 times as long as the body of your email."
It's not that hard to make sure you're on the right site, make sure emails are legit, or login securely. All together, a pretty good system. Sure, you can still get tricked into entering your info elsewhere, but then you should probably not be banking online anyways.
Yeah, let's make someone else responsible for me being a dumbass, and make it harder for everyone else to do business with their own financial institution because I'm too stupid to realize the email is a phish scam.
Sorry, that falls into survival of the fittest. If you're too stupid to keep your money, you don't deserve it.
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
I love the folks who sell their latest and greatest encoding schemes for mail messages, like HTML, MS-Word, quoted-printable, base64 etc.. Perfect breeding environment for phishing attacks. Sure, you can rightfully blame Microsoft. But then also blame the developers of Pine and MIME. Same junk, just with a bit of penguin dung. What was actually wrong with plain simple ASCII text mail messages? Or take web sites and HTML. Why do we need JavaScript on the Citibank web pages? Or Macromedia Flash files for Citibank's "secure" virtual account numbers? This kind of software was developed for entertainment purposes, not bank transactions. Maybe the people who develop and sell such stupid solutions are also the ones who benefit from fixing the problems, because it keeps them employed. Make the banks and their software developers responsible for their mistakes, and we get secure, simple solutions.
I believe in the US of A, your liability for fraud on CC is limited to $50, although most CC companies waive that to $0. It's a pain, but it's often okay...
However, once a phisher has enough info on you they can do things that you aren't aware of and will not catch until it's really far too late. For example, they'll go buy a used car and finance it with the used car dealer, backed by a credit card, and then sell the car for parts. Some used car dealers take just about any credit indication (e.g., the fact that you have a credit card) because they sometimes make money by selling/repo-ing the same cars over and over to people that have marginal credit. They can also rent furniture, electronics, and major appliances (and resell them), and sometimes they can open credit union accounts and write overdrafted checks which are kited at pay-day-advance loan stores and so on. Of course they don't use your address and phone number on any of these additional credit applications, so it's pretty hard for you to track...
By the time you find out about all your potentially fraudulent accumulated liability, you are getting non-stop harassing phone calls from some ABC collection agency that doesn't really care how your name got into their to-be-tracked-down-and-harassed list. Then you spend a year cleaning up the whole mess on your credit report.
If you don't think this is possible, go into a store that usually sells/rents items to people with less than stellar credit and see if you can get store credit with only a major credit card number, a temporary driver's license (one w/o a photo), and a university id (that is trivial to forge). You may be shocked...
I think the poster has a point. I've not had a problem with my bank, but I did have a situation with a cellular phone company that issued an account in my name to someone who was pretending to be me. My conclusion from that experience was that the phone company was much too eager to open a new account without due diligence. Ultimately I didn't have to pay anything, but the experience was moderately expensive in terms of time and fees for certified mail, etc., and quite unpleasant. A simple legal principle something like "if you give someone who claims to be me some money, and it turns out not to have been me, too bad for you" is what I'd like to see. I think then we would see some real attention paid to the problem of securing transactions over the Internet and the POTS. Yes, I suppose this would make it more expensive for banks and others to do these transactions, but it seems that a reduction in fraud would make their overall expenses lower over time. Under the present system, much of the risk and frustration is borne by the consumer, who can do little to prevent fraud other than follow the boilerplate advice given out by government and commercial representatives.
Japan recently enacted a law along similar lines. The target is skimming, not phishing, but it makes banks 100% responsible for account owners' losses from duped ATM cards (with a few limited exceptions, like if you write the PIN on the card you don't get your money back). The net effect has been to speed the introduction of IC-based cards, some of which use biometric verification as well--my own bank (Tokyo-Mitsubishi) has this funky palm reader thing on their latest ATMs that makes me wonder if it tells you your fortune while it's processing.
I'm quite happy with my bank, the HSBC here in Hong Kong: they have started to provide their customers with a hardware security device that generates encrypted sequences of 6 digits at the press of a button: you need to register your device once online with its unique serial number and then, every time you login or you do a bank transfer online, you're requested to input the digits generated by the device.
This effectively makes phishing impossible since all they can do is collect your login and password, but won't be able to access your account with that information alone: they would need to be able to generate proper security codes as well (and getting a single instance of that code won't be enough).
The only way left for scammers and thugs to get into your account is by stealing your physical device and your login info. Always possible, but not very likely.
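Both the RSA key fob with a code that changes every 60 seconds (mentioned earlier in the thread) and the HSBC 6-digit device described here are time-based one-time code generators, and the bank-side check is what makes a single captured code worthless. The block below is an added example, not code from this discussion or from RSA or HSBC: it implements RFC 4226 HOTP and RFC 6238 TOTP, plus a verifier that tolerates one step of clock drift but never accepts a step at or before the last one it already honoured. The demo secret and timestamps are constructed; the RFC's published test vectors are the only real values used.

```python
"""Time-based one-time code as generated by a hardware token, with the
bank-side check. Added example, not code from the thread or from RSA or
HSBC; the algorithm is RFC 6238 TOTP over RFC 4226 HOTP, and the demo
secret and timestamps are constructed."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, int(at_time) // step, digits)


class TokenVerifier:
    """Bank side. Accepts the code for the current step or its neighbours
    (clock drift), but never a step at or before the last one accepted, so a
    code already used to log in cannot be replayed by someone who captured it
    together with the password."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_accepted = -1

    def verify(self, code, at_time):
        now = int(at_time) // self.step
        for candidate in range(now - self.drift, now + self.drift + 1):
            if candidate <= self.last_accepted:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted = candidate
                return True
        return False


def phished_code_scenario(secret=b"constructed-seed-for-demo", t0=1_000_000_000):
    """The customer logs in at t0 with password + token code, and a phishing
    page captured both. Returns (customer_login, replay_seconds_later,
    replay_minutes_later): the captured code only ever works once."""
    bank = TokenVerifier(secret)
    captured = totp(secret, t0)
    customer = bank.verify(captured, t0)
    replay_soon = bank.verify(captured, t0 + 5)     # same step: already consumed
    replay_late = bank.verify(captured, t0 + 600)   # twenty steps on: stale code
    return customer, replay_soon, replay_late


if __name__ == "__main__":
    print(phished_code_scenario())   # expect (True, False, False)
```

The drift window and the "last accepted step" counter are the two knobs that matter operationally: widen the window and a captured code stays usable longer; drop the counter and a code can be replayed within the window. The residual risk the comment alludes to (a relay that forwards the code to the bank within the same step) is exactly what the counter is there to shrink to a single use.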
This solution is too draconian to work. In real life much of the problem lies in ignorant users getting tricked. There also needs to be a tough love solution whereby stupid users get punished financially.
Right now, when someone gets their credit card stolen and a crook uses it to commit fraud, it's not the bank that gets to eat the loss, nor Visa/Mastercard/Discover/American Express. It's the merchant who gets it in the rear. The banks would love to make you think it's them protecting you, when in fact they're doing really little. After all, it's the merchants and not them eating the losses.
So, if say stupid Joe gives up his cc info to some crook, who is smart enough to circumvent most fraud screening methods like AVS, IP geography check, and inputs a fake phone number (remember, phone numbers are not verifiable by AVS), the merchant really has no way of knowing it's fraud.
The bank wins, Joe wins (because he can do a chargeback), the crook wins, and the merchant loses.
eTrade SUCKS
There is a simple and cheap solution that banks can implement to stop phishers cold. They can use disposable PINs for every outgoing transaction. When the customer opens an account, he gets a plastic card with PINs. The card is either given in person, or sent by postal mail. Whenever the customer makes a payment, he is prompted by the bank to enter a PIN. One PIN - one transfer, the PIN is never reused. The standard credit-card sized card can hold about a hundred PINs covered with scratch-off paint. The phishers can get the password and see the contents of the account, but they will not be able to transfer the money out of the account.
Why don't the banks do it? Because such a system would seem like an unnecessary hassle to the majority of customers.
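The scheme above is what European banks ship as a TAN list, and its security rests on two bank-side rules: each slot on the card is good for exactly one transfer, and the bank asks for a specific slot rather than accepting any unused code. The following is an added example of that bookkeeping, not code from the thread or from any bank: the bank stores salted digests of the printed codes, consumes slots in order, and lets a password alone view the balance but never move money. The password, TAN values and balance are constructed.

```python
"""Scratch-off TAN card: one PIN per outgoing transfer, never reused.
Added example for the comment above, not code from the thread or from any
bank; the TAN values, password and balance are constructed."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def generate_tan_card(count=100, digits=6):
    """The list printed under scratch-off paint on the card the customer receives."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def _digest(value, salt):
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class TanLedger:
    """Bank side: salted digests of the TANs plus a used flag per slot.
    Only the next unused slot is ever acceptable, so a replayed TAN, or a
    captured TAN presented against a later slot, is refused."""

    def __init__(self, tans, salt=None):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.digests = [_digest(t, self.salt) for t in tans]
        self.used = [False] * len(tans)

    def next_slot(self):
        """Slot the bank tells the customer to scratch off; None once the card is exhausted."""
        return self.used.index(False) if False in self.used else None

    def consume(self, slot, tan):
        if slot != self.next_slot():
            return False
        if not hmac.compare_digest(_digest(tan, self.salt), self.digests[slot]):
            return False
        self.used[slot] = True
        return True


class Account:
    """The password lets whoever holds it look at the account; moving money
    out additionally needs the next unused TAN from the card."""

    def __init__(self, password, tans, balance=1000):
        self.salt = secrets.token_bytes(16)
        self.pw_digest = _digest(password, self.salt)
        self.ledger = TanLedger(tans)
        self.balance = balance

    def _password_ok(self, password):
        return hmac.compare_digest(_digest(password, self.salt), self.pw_digest)

    def view_balance(self, password):
        return self.balance if self._password_ok(password) else None

    def transfer(self, password, slot, tan, amount):
        if not self._password_ok(password):
            return "bad password"
        if amount <= 0 or amount > self.balance:
            return "insufficient funds"
        if not self.ledger.consume(slot, tan):
            return "tan rejected"
        self.balance -= amount
        return "ok"


if __name__ == "__main__":
    # Constructed walk-through: the customer makes one transfer with slot 0,
    # then a phisher who captured the password and that TAN tries to reuse it.
    card = generate_tan_card(5)
    acct = Account("hunter2", card)
    print("customer:", acct.transfer("hunter2", 0, card[0], 100))
    print("phisher sees balance:", acct.view_balance("hunter2"))
    print("phisher replays TAN:", acct.transfer("hunter2", 0, card[0], 100))
    print("phisher tries it in slot 1:", acct.transfer("hunter2", 1, card[0], 100))
```

The limitation worth knowing is the one the comment's own wording already implies: a phishing page that asks the victim for the *next* unscratched code gets one transfer. Indexed challenges ("enter TAN number 17") narrow that to the single slot the bank names, which is why the ledger above refuses anything but the next slot.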
Here's a link to the article:
http://www.sims.berkeley.edu/~hal/people/hal/NYTi
Hal Varian is a professor of Economics at UC Berkeley, and generally a bright guy.
http://www.welton.it/davidw/
Crappie
It seems that a lot of people in this discussion seem to think that this would be (a) impossible, or at least (b) horribly expensive, so I thought I'd illustrate how it could be accomplished cheaply and effectively.
First, the bank would need to have a readily recognizable web address that fully described the company name. www.wellsfargoofnorthamerica.com, for instance. It's kind of long to type, but we're talking security procedures here.
Second, have ALL FINANCIAL INSTITUTIONS institute a policy of never sending a link in any email. Announce this policy on TV commercials. Make people sign a notice recognizing this policy when they sign up for an account. Put it in big letters on the initial credit card contracts. Put posters up in the bank lobby, that kind of thing. Awareness is truly the place where we're falling down here.
There will always be idiots who fall for this stuff, but if people in general know that banks won't send these links, then they won't fall for this kind of thing nearly as often.
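A "we never send links" policy only holds if the bank's own outbound mail actually obeys it, which is a check that can be automated at the mail gateway. Below is an added example, not code from this discussion or from any bank: a filter that rejects any outgoing message containing a scheme URL, a scheme-less URL with a path, or an HTML anchor, and tolerates a bare domain name only when it is the bank's single canonical domain that customers are told to type by hand. `wellsfargoofnorthamerica.com` is the hypothetical domain from the comment above, and the sample messages are constructed; the PayPal-style "card ending in ..." notice from earlier in the thread is the kind of mail that passes.

```python
"""Outbound-mail gate for a 'we never send links' policy. Added example,
not code from the thread or from any bank; the canonical domain is the
hypothetical one used in the comment above, and the messages are constructed."""
import re

CANONICAL_DOMAIN = "wellsfargoofnorthamerica.com"   # hypothetical, from the comment above

SCHEME_URL = re.compile(r"(?i)\b(?:https?|ftp)://\S+")                  # http://host/...
PATHED_HOST = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*")        # host.tld/path
BARE_DOMAIN = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")           # host.tld on its own
HTML_ANCHOR = re.compile(r"(?is)<a\s[^>]*href\s*=")


def _is_canonical(domain):
    host = domain.lower()
    if host.startswith("www."):
        host = host[4:]
    return host == CANONICAL_DOMAIN


def check_outbound_email(body):
    """Return {'allowed': bool, 'violations': [...]} for one outgoing message.

    Anything a mail client would render as clickable is a violation. A bare
    domain is tolerated only if it is exactly the bank's canonical domain,
    since that is the one thing the customer is expected to type by hand.
    """
    violations = []
    if HTML_ANCHOR.search(body):
        violations.append("html anchor")
    remainder = body
    for pattern, label in ((SCHEME_URL, "url"), (PATHED_HOST, "url without scheme")):
        for match in pattern.findall(remainder):
            violations.append(f"{label}: {match}")
        remainder = pattern.sub(" ", remainder)   # don't re-flag the host inside a URL
    for domain in BARE_DOMAIN.findall(remainder):
        if not _is_canonical(domain):
            violations.append(f"foreign domain: {domain}")
    return {"allowed": not violations, "violations": violations}


# Constructed samples: a compliant expiry notice and three kinds of violation.
SAMPLES = {
    "expiry notice": "Your card ending in 1234 expires next month. Please log on at "
                     "www.wellsfargoofnorthamerica.com and update it. We never send links.",
    "clickable url": "Dear customer, confirm your details at http://secure-update.example/login "
                     "within 24 hours.",
    "html anchor": '<p>Log in <a href="https://wellsfargoofnorthamerica.com/login">here</a></p>',
    "third-party host": "Fill in our survey at confirmit.com today.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {check_outbound_email(body)}")
```

Running the gate on replies as well as notices is the practical part: the ACM survey anecdote earlier in the thread (a legitimate message pointing at a third-party domain) is exactly the case the "foreign domain" rule catches before it trains customers to follow such pointers.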
Wake up - the future is arriving faster than you think.