Schneier: Make Banks Responsible for Phishers
abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""
Personal responsibility has to come into play somewhere. If people aren't educated enough to know NOT to email back their bank information to an unsolicited source, then just whose fault is it? The banks obviously need to do more, but in the end someone has to be responsible for their own actions.
I don't think there's much of a chance of this kind of thing ever getting implemented. The financial industry would kill any legislator who tried to introduce legislation like this. If anything got through, they'd convince the executive branch not to enforce it. I'm sorry to say this, but the banks hold our money and they're very cavalier about to whom they give access and they like it that way.
In the end the consumer will always pay no matter what happens. If they exclusively make financial institutions responsible for phishing then that just means they will charge us more for their services. If they don't do anything about it, well, then we still pay when some schmuck steals our identity and our money.
It amazes me that, for example, no-one really checks signatures on credit card slips or that you don't need a PIN to buy gas with a card at the pump.
If you tighten up all these processes then just knowing five pieces of data about a person won't let you access their accounts. Why sign your credit card at all when no-one even LOOKS at the signature and YOU are liable for fraudulent use of the card?
You can pick a Medeco lock, too, but that's not a reason to just use rubber bands to hold your front door closed. Right now, it's trivial to commit fraud, and it should be difficult.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
Amex - does the same thing that Chase does on americanexpress.com.
CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!
-- these are only opinions and they might not be mine.
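The complaint above (a password form on a plain-http page decorated with a lock image) can be checked mechanically. The checker below is an added example, not code from the thread or from any bank: it parses a page, finds every form containing a password field, and reports when either the page itself or the form's action URL is not https. The sample pages and the example-bank.test host name are constructed for the demo.

```python
"""Flag login forms that a real browser lock would not cover.

Hypothetical checker (not any bank's code). A lock image drawn on an
http page proves nothing: the page can be altered in transit, so both
the page URL and the form's action must be https before a credential
field is acceptable.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for each <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of [action, has_password]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url: str, html: str) -> list:
    """Return one finding per password form that is not end-to-end https."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for action, has_password in scanner.forms:
        if not has_password:
            continue  # search boxes etc. are not the concern here
        # An empty action posts back to the page itself.
        target = urljoin(page_url, action) if action else page_url
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme != "https":
            findings.append(
                f"password form served on non-https page {page_url}; "
                "a lock image on the page is not a lock")
        if target_scheme != "https":
            findings.append(f"password form posts to non-https {target}")
    return findings


# Constructed sample pages (not captured from any real site).
LOGIN_PAGE = """<html><body>
<img src="lock.gif" alt="secure">
<form action="/login" method="post">
  <input name="user">
  <input type="password" name="pw">
</form>
</body></html>"""

NO_LOGIN_PAGE = """<html><body>
<form action="/search"><input name="q"></form>
</body></html>"""


def demo() -> dict:
    """Run the audit over the constructed pages at http and https origins."""
    return {
        "http_login": audit_login_forms("http://www.example-bank.test/", LOGIN_PAGE),
        "https_login": audit_login_forms("https://www.example-bank.test/", LOGIN_PAGE),
        "http_no_login": audit_login_forms("http://www.example-bank.test/", NO_LOGIN_PAGE),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no findings")
```

The same form yields two findings on the http origin (the page and, because the relative action inherits the page's scheme, the post target) and none on the https origin; a page with no password field is ignored entirely. A form with an absolute `https://` action on an http page would still be flagged for the page, which is the point the poster is making.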
Try the ING Direct site - best over the web security ever. You need your account number, some ever changing specific fraction of your social security #, zip code, or other identifier, and a set of letters that correspond to a PIN, entered by clicking a picture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.
It's a minor pain in the butt to get to your account, but definitely more secure.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
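The two mechanisms described in that post, a letter-to-digit keypad mapping that changes every visit and a challenge for a few randomly chosen positions of a stored identifier, can be sketched server-side in a few functions. This is an added example of the general technique, not ING Direct's code and not taken from the thread; the account record, PIN and identifier below are constructed, and the function names are the author's own.

```python
"""Server side of a randomized-keypad PIN login plus a partial-identifier
challenge, in the style the post describes. Hypothetical code; the demo
account, PIN 2580 and identifier 123456789 are constructed values.
"""
import hashlib
import hmac
import os
import random
import string

DIGITS = "0123456789"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store a slow salted hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def new_keypad_mapping(rng=None) -> dict:
    """Assign ten distinct random letters to the digits for ONE attempt.
    With the default CSPRNG the letter shown over '3' changes each time
    the keypad is rendered, so a captured letter string is useless later."""
    rng = rng or random.SystemRandom()
    return dict(zip(DIGITS, rng.sample(string.ascii_lowercase, 10)))


def letters_to_digits(mapping: dict, typed: str):
    """Invert the mapping the client was shown. A character that was not
    on the keypad means client and server disagree about the mapping
    (stale or replayed page), so return None rather than guess."""
    inverse = {letter: digit for digit, letter in mapping.items()}
    out = []
    for ch in typed.lower():
        if ch not in inverse:
            return None
        out.append(inverse[ch])
    return "".join(out)


def verify_pin(account: dict, mapping: dict, typed_letters: str) -> bool:
    digits = letters_to_digits(mapping, typed_letters)
    if digits is None:
        return False
    candidate = hash_pin(digits, account["pin_salt"])
    return hmac.compare_digest(candidate, account["pin_hash"])


def partial_id_challenge(id_len: int, k: int = 3, rng=None) -> list:
    """Choose k distinct positions of the identifier to ask for this time,
    so one phished answer never yields the whole value."""
    rng = rng or random.SystemRandom()
    return sorted(rng.sample(range(id_len), k))


def verify_partial_id(full_id: str, positions: list, answer: str) -> bool:
    expected = "".join(full_id[p] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def make_demo_account(pin: str = "2580", identifier: str = "123456789") -> dict:
    """Constructed account record (not real data)."""
    salt = os.urandom(16)
    return {"pin_salt": salt, "pin_hash": hash_pin(pin, salt), "id": identifier}


def demo_login(account: dict, pin_the_user_knows: str, seed=None) -> bool:
    """Simulate one attempt: the server renders a fresh keypad, the user
    clicks the letters that sit over their PIN digits and answers the
    partial-identifier challenge from the record they hold."""
    rng = random.Random(seed) if seed is not None else None
    mapping = new_keypad_mapping(rng)
    typed = "".join(mapping[d] for d in pin_the_user_knows)
    positions = partial_id_challenge(len(account["id"]), rng=rng)
    answer = "".join(account["id"][p] for p in positions)
    return (verify_pin(account, mapping, typed)
            and verify_partial_id(account["id"], positions, answer))


if __name__ == "__main__":
    acct = make_demo_account()
    print("correct PIN:", demo_login(acct, "2580"))
    print("wrong PIN:  ", demo_login(acct, "1111"))
    m1, m2 = new_keypad_mapping(), new_keypad_mapping()
    print("letter over '3' repeats across visits:", m1["3"] == m2["3"])
```

Two design points worth noticing: the mapping must be generated and stored server-side per attempt (a client-chosen mapping would let an attacker pick one that reveals the digits), and the partial-identifier check requires the server to keep the identifier in recoverable form, which is the trade-off for being able to ask for arbitrary positions of it. Neither mechanism stops a phishing page that relays the challenge live, which is consistent with the thread's broader argument that the data obtainable by phishing should simply not be enough to commit fraud.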
No, they're not. They're "give the problems to those with the money, sense and incentives to fix it" arguments. Makes excellent sense to me. My guess would be that you're either (a) too wrapped up in the "anti-phishing industry" to step back and wonder why we need such an industry; (b) invested too heavily in the "anti-phishing industry" to accept that it may not be needed; or (c) just not amenable to lateral thinking.
Seriously. Look at credit-card fraud. Do banks pay for this? Hell, yeah. Is there a cottage industry? Perhaps, but banks are EXTREMELY motivated to fix the problem, since it's costing them daily. Where five years ago was that CVV code on the back of your credit card? Where was "Verified by Visa"? These are industry programs introduced by the industry to reduce fraud. Why? Because it costs them.
Make phishing cost the industry, and you betcha they'll be right on it. And as far as I can tell, they wouldn't have to do much to top the efforts of the "anti-phishing industry" to date.