Schneier: Make Banks Responsible for Phishers
abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""
However, it doesn't seem very feasible.
... which I think there is more than enough uncertainty on the subject to prevent that.
There is no way we can get the government to do such a thing... and such losses may even affect federal insurance and our interest rates...
Depending on how many morons there are getting hit by phishing scams, this could have a large effect.
Of course... that's assuming it ever got made into 'law'...
MoM++ - A Classic Expanded - [Master of Magic 1.5]
http://mompp.sourceforge.net/
Personal responsibility has to come into play somewhere. If people aren't educated enough to know NOT to email back their bank information to an unsolicited source, then just whose fault is it? The banks obviously need to do more, but in the end someone has to be responsible for their own actions.
I don't think there's much of a chance of this kind of thing ever getting implemented. The financial industry would kill any legislator who tried to introduce legislation like this. If anything got through, they'd convince the executive branch not to enforce it. I'm sorry to say this, but the banks hold our money and they're very cavalier about to whom they give access and they like it that way.
What's wrong with "all of the above?" It would seem to me that a multi-pronged attack to the problem would be best, because I really don't see how "just" holding the financial institutions responsible will make the problem disappear completely. Scammers are creative, after all, and the people who fall for their scams can be pretty friggin' dumb.
Forcing the responsibility on the banks is only going to encourage the banks to treat the customers worse than they already do.
Your bank already has your home address (and probably your home phone number).
All they have to do is to institute a "no email from us, ever" policy and spend some time getting that message out to their customers.
Sure, this will cut down on the ad revenue from the banks, so what?
If they absolutely need to have some form of email interaction, they can run an internal (no external SMTP connections) web-based email system so the clients (you) can email the bank's employees.
If you can't do something securely, maybe you should not be doing it.
The only way something like this works is if there is a neutral agency that one can report this to. Even then it probably won't. It's in the financial institutions' best interest to keep all security problems secret. That is today, even with them not being responsible; in a day where they are responsible, they'll act just as the tobacco companies did/do: "There is no security problem, Mr. Senator. No, there is no problem with identity theft, not at all, we have it under control." The cheapest short-term solution is the best one to a company; these guys pretend to think long term, but they don't. Don't assume they will.
Burn Hollywood Burn
In the end the consumer will always pay no matter what happens. If they exclusively make financial institutions responsible for phishing then that just means they will charge us more for their services. If they don't do anything about it, well, then we still pay when some schmuck steals our identity and our money.
It amazes me that, for example, no-one really checks signatures on credit card slips or that you don't need a PIN to buy gas with a card at the pump.
If you tighten up all these processes then just knowing five pieces of data about a person won't let you access their accounts. Why sign your credit card at all when no-one even LOOKS at the signature and YOU are liable for fraudulent use of the card?
Legislation shouldn't be used as a way of solving a technical problem, and this is really just a technical problem with e-mail.
Find free books.
Actually, I don't believe adding additional protections to the websites is the idea. The idea is that the richest institutions in the world (banks) should be fighting phishers. They have the clout and the wherewithal to easily take scammers to court, and likely have branches in enough countries to try them locally, rather than sending futile "DMCA cease and desist"-like letters to non-US countries.
This might turn out to be a good idea, or maybe the banks will realize that the scammers are just doing what banks (historically) do, which is rip off the poor and uneducated. Anywho, being a well-informed and adept engineer of the internet age, I still do all my investing in person because I'm paranoid as heck =].
When you're afraid to download music illegally in your own home, then the terrorists have won!
It will never happen.
Consider this: The credit card companies were getting reamed by people getting a boatload of credit cards, running them up to the limit, then filing for bankruptcy.
Now, the real solution to this would have been for the credit card companies to have done their jobs and really examined the credit ratings of the people to whom they gave these cards, and to have given people reasonable credit limits (I shall use myself for an example - I have a single credit card which has a limit of well over one-half of my yearly salary - there is NO REASON for me to have that much unsecured credit - and no, I did NOT request that limit, they gave it to me on their own).
However, that would require the credit card companies to actually do work and would impair their ability to take people almost to bankruptcy and make lots of money on revolving credit interest.
So, what did the credit card companies do? They took their enormous profits and paid for immense lobbying to get a law passed to ensure they get their money even if you file for bankruptcy.
Now, what is another word for "credit card company"? I'll give you a hint - it starts with "B", ends in "K", and has 4 letters. Wanna buy a vowel (at 15% APR)?
Making banks actually take responsibility for phishing means banks would have to do work on their online banking and credit applications. It would mean they would have to make it harder for people to buy things online (read: go into debt). It would CUT INTO THEIR PROFITS!
So what is a good, responsible banker to do? Call 1-800-RENT-A-SENATOR.
www.eFax.com are spammers
Sadly, if one of these fraudsters gets enough info on you, you may find that "you" are doing business with a bank you've never heard of with a line of credit you've never asked for ;)
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
You can pick a Medeco lock, too, but that's not a reason to just use rubber bands to hold your front door closed. Right now, it's trivial to commit fraud, and it should be difficult.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
A properly formed e-mail from a reputable company nearly completely eliminates all possible intercepts. At least as many as can be eliminated by simply going to the website in the first place without an e-mail prompt.
case in point:
I recently received an actual e-mail from PayPal; this e-mail suggested that my on-file credit card was about to expire. The first thing that keyed me in and made me actually read this mail was that they referenced the last four digits of said card. Next, they suggested that I log on to their website and update the credit card's expiration date. Most importantly, they didn't even offer a link to paypal.com; they simply said to log on and then gave instructions as to how to change it. Not the first link in the whole e-mail. This effectively eliminates fraud as a possibility. While it is still possible that paypal.com itself could be hijacked or some other esoteric scheme, the 99.9% possibilities are all eliminated simply by not providing any link.
Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
Amex - does the same thing that Chase does on americanexpress.com.
CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!
-- these are only opinions and they might not be mine.
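The complaint above is about credential forms placed on pages served over plain HTTP and decorated with a lock image. As an added example (not code from the thread or from any of the banks named), here is a small stand-alone check a defender could run against a page's HTML: it finds every form containing a password field and flags it when the page itself, or the form's resolved submit target, is not HTTPS. The HTML samples and the `example-bank.test` hostnames are constructed for the demonstration.

```python
"""Added example: flag password forms served over, or posting over, plain HTTP.
Standard library only; the sample pages below are constructed, not real bank markup."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> and whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return findings for credential forms on the page.

    A finding is raised when the page is not HTTPS (whoever can alter the page in
    transit can redirect where credentials go, whatever lock image it carries) or
    when the form's resolved action is not HTTPS.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    page_scheme = urlparse(page_url).scheme
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlparse(action).scheme
        if page_scheme != "https":
            findings.append(f"password form served over {page_scheme}: {page_url}")
        if action_scheme != "https":
            findings.append(f"password form posts over {action_scheme}: {action}")
    return findings


# Constructed sample pages (hypothetical example-bank.test, not a real site).
INSECURE_PAGE = """
<html><body>
<img src="/images/lock.gif" alt="secure">
<form action="https://login.example-bank.test/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
</body></html>
"""

SECURE_PAGE = """
<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, page in [("http://www.example-bank.test/", INSECURE_PAGE),
                      ("https://login.example-bank.test/", SECURE_PAGE)]:
        for finding in audit_login_page(url, page) or ["no findings"]:
            print(url, "->", finding)
```

The first sample page posts to an HTTPS endpoint yet is itself served over HTTP, which is exactly the pattern the comment objects to: the form target being encrypted does not help if the page that contains the form can be rewritten on the way to the browser.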
Try the ING Direct site - best over-the-web security ever. You need your account number, some ever-changing specific fraction of your social security #, zip code, or other identifier, and a set of letters that corresponds to a PIN that are entered by clicking a picture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.
It's a minor pain in the butt to get to your account, but definitely more secure.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
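The comment above describes a keypad where each login shows a fresh letter-per-digit mapping, so what the customer types is useless on the next visit. As an added example, not code from the thread or from ING Direct, here is a server-side version of that idea: a new mapping is generated per attempt, the typed letters are translated back to digits using that attempt's mapping, and the result is checked against a salted PIN hash in constant time. Function names, the PIN `4271` and the fixed keypads are constructed for the demonstration.

```python
"""Added example: per-attempt randomized letter-to-digit keypad for a PIN login.
The server keeps only a salted hash of the PIN; all names and values are constructed."""
import hashlib
import hmac
import secrets
import string

DIGITS = "0123456789"
PBKDF2_ROUNDS = 100_000


def new_keypad():
    """Fresh digit->letter mapping for one login attempt.

    Drawn from the OS randomness source so the mapping is unpredictable; each
    digit gets a distinct letter so the customer's entry is unambiguous.
    """
    letters = secrets.SystemRandom().sample(string.ascii_lowercase, len(DIGITS))
    return dict(zip(DIGITS, letters))


def store_pin(pin, salt=None):
    """Hash the PIN with a per-account salt; only this record is persisted."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_entry(entered_letters, keypad, record):
    """Translate typed letters back to digits via this attempt's keypad and compare
    against the stored hash in constant time. A letter not on the keypad fails
    verification instead of raising."""
    letter_to_digit = {letter: digit for digit, letter in keypad.items()}
    digits = []
    for ch in entered_letters.lower():
        if ch not in letter_to_digit:
            return False
        digits.append(letter_to_digit[ch])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", "".join(digits).encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])


def letters_for(pin, keypad):
    """What the customer would click for `pin` under `keypad` (demo helper)."""
    return "".join(keypad[d] for d in pin)


if __name__ == "__main__":
    record = store_pin("4271")          # constructed sample PIN
    pad = new_keypad()
    print("keypad this time:", pad)
    typed = letters_for("4271", pad)
    print("customer clicks:", typed, "->", verify_entry(typed, pad, record))
    # The same letters replayed against the next keypad decode to a different PIN.
    print("replay on next keypad:", verify_entry(typed, new_keypad(), record))
```

The replay line shows the property the comment values: a keylogger or shoulder-surfer who captures the letters gets a sequence that only meant `4271` under one mapping. It does not protect against malware that also captures the keypad image, which is the point the next commenter makes about insecure client operating systems.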
Mac addresses can be faked and credit cards (and random number generators!) can be stolen. And whatever technical solution you can possibly find, it cannot interface with an insecure OS (such as Windows or many *nixs, prolly Macs too, but I'm not too savvy there) and remain secure. And as long as the vast majority of people use insecure OSes, a secure technical solution is unfeasible.
Thus, I disagree wholeheartedly. Law is the best safeguard against criminals. Providing and advocating a legal recourse against online fraud will provide an avenue for banks to fight back. And it would be completely transparent for the end-user. They keep getting scammed while the banks go around pressing charges on the scammers until they're gone. I know it's fighting the symptom, not the cause, but sometimes that's better.
We all want to code like Torvalds and redesign the entire system from the bottom up whenever there's the teensiest bug, but we also all know that's unrealistic. Look at law as a CPU-intensive bug-fix for society. It'll provide a quick and easy stop-gap to the problems created by shifting to e-commerce. We can worry about properly rebuilding the infrastructure in the next update =].
When you're afraid to download music illegally in your own home, then the terrorists have won!
Personally, I like how he thinks doing his investments in "person" keeps him safe from fraud. Does he have a seat on a Stock Exchange, or is he trusting a guy in an office hundreds of miles from an exchange who claims to represent an investment firm (CLUE: Ponzi schemes pre-date the internet)? Perhaps he invests directly in local businesses, where he carefully audits the books, and works as an "internet guy" from the back office, watching the cameras while using his voice translation software? Does he deal only in cash, never using an ATM or checks?
I work in the anti-phishing industry, and suggestions like the article makes are pie in the sky "corporations have magic powers" crap. Make banks pay for phishing and you'll create a cottage industry of phishing victims, of the sort that plagues the insurance industry today.
You are in a maze of twisted little posts, all alike.
No, they're not. They're "give the problems to those with the money, sense and incentives to fix it" arguments. Makes excellent sense to me. My guess would be that you're either (a) too wrapped up in the "anti-phishing industry" to step back and wonder why we need such an industry; (b) invested too heavily in the "anti-phishing industry" to accept that it may not be needed; or (c) just not amenable to lateral thinking.
Seriously. Look at credit-card fraud. Do banks pay for this? Hell, yeah. Is there a cottage industry? Perhaps, but banks are EXTREMELY motivated to fix the problem, since it's costing them daily. Where five years ago was that CVV code on the back of your credit card? Where was "Verified by Visa"? These are industry programs introduced by the industry to reduce fraud. Why? Because it costs them.
Make phishing cost the industry, and you betcha they'll be right on it. And as far as I can tell, they wouldn't have to do much to top the efforts of the "anti-phishing industry" to date.