Can Banks Shift Phishing Losses to Customers?
1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?
The banks with the helpful "report here" links also typically have helpful auto-responders, and their sites and form letters at least make it seem like they care about security. The banks who make it hard to hear from their customers usually don't reply at all. If I were shopping for a new bank, I'd definitely stay away from those that don't have an easy-to-find contact point near the front of their site. I get the impression they do not take security or phishing threats seriously at all. They'll probably be the ones that would fight their victims.
John
A little tough love. Hit 'em where it hurts and maybe they'll learn. If I got scammed on the web, I'd feel like such a fool I probably wouldn't bother seeking a refund.
Hacking? Yes.
ID theft? Yes.
Fraud? Yes.
Phishing? Man, I dunno -- seems to me that if you get suckered into giving someone your account information, that's kind of your own problem. It's not Paypal's fault if you actually believed that the poorly-worded email you got was actually from them because it had their logo someplace on it.
On the other hand, this sort of thing could also seriously undermine the confidence that people have in online transactions and the like, so I can't help but wonder if maybe it isn't shortsighted not to just take the hit.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I don't know if I can stand to hear about countless back and forth lawsuits that are coming. Why put it off. I'll just give up the rest of my money now.
It's just not so obvious to the consumer. Where do you think the money comes from? A magical tree?
If the banks don't cover the losses of customers, the customers will find someone who will. Be they other banks or the government.
I hope this caused some synapses to fire.
Phishing is no different than other scams out there. One in my area has two men dressed as workers from the water department who enter the home to "check the water pressure." While one sets to work inside, the other takes the victim outside to check the faucets, leaving the first to go looking for the jewelry box.
Does the water department have to cover the cost of the missing rings? No. Then why must financial institutions?
Banks create much more currency than governments do, so yes, it does essentially come from a "magic tree".
I think if the bank does not take reasonable care to keep the phishing from happening, they should pay. Otherwise, that's like saying the post office should be responsible for mail fraud... there should still be some personal responsibility. So I guess it all revolves around the phrase "reasonable care". I'm sure it will, like all such gray areas, end up spawning lots and lots of lawsuits. The lawyers will probably collect more than the phishers.
This space intentionally left blank
No
If they did so, then all you'd have to do would be to set up a phishing site, be a victim of your own phishing and then be paid back by your bank.
That, and also, blah blah people blah blah stupid blah blah genetic pool blah.
You just got troll'd!
"Can Banks Shift Phishing Losses to Customers?" asks the headline.
Of course. The customers are going to pay for all losses; the correct question is, will banks make the individual who made a foolish decision pay for his mistake, or will they make all of the customers (like me) pay, in the form of reduced interest payouts, higher lender rates, increased fees, etc.?
You don't really think the bank is going to create money to pay for the losses, do you? Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.
Moderate drunk! It's more fun that way!
Knowing my clients, I smell a new "insurance product" ... a general "electronic age" insurance product to cover online fraud (buyer/seller problems), identity theft and now phishing. "e-Policy" or something.
meh
It isn't clear to me that you have to do anything wrong to be the victim of fraud. The banks need to come up with a method to combat financial fraud, or they need to absorb losses as the cost of doing business. Bankrupting individuals isn't the answer.
Avoid Missing Ball for High Score
The problem is that the banks aren't taking appropriate steps to identify the customer before handing over the customer's money. Banks are legislated/insured to only release money to the authorized account holder. When the customer takes reasonable steps to protect their information and follows the bank's security procedures, they are not responsible for loss.
By putting in place technology that doesn't sufficiently protect the reasonable person from fraud, the banks bring the liability to themselves. The reason you put money into the bank and pay fees is to prevent unauthorized persons from accessing your money and to provide insurance against such a loss. It is the bank's job to put in place controls and cover the losses that arise from insufficient controls. It is a balancing act between what the consumer wants to put up with in security and what they want to pay for service. It is the bank's job to find the equilibrium between the cost of increased controls and the cost of fraud. After all, it is the bank, not the consumer, who is offering the service of withdrawal over the internet.
A good step in the right direction might be two factor authentication.
Wouldn't it be nice if customers and banks alike used secure email?
People that give up their info that easily deserve to have their money taken away.
"You had this look that of an angel, it was such a bad disguise" --Dishwalla
If you send all your bank account details to some Nigerian "widow" based on the contents of an email written all in block capitals, then that's hardly the bank's problem, is it? At the other end of the scale if you visit your bank's actual website only to have your account details obtained by some cracker that managed to compromise the webserver then that is very much the bank's problem. In practice though, the vast majority of fraud is going to fall somewhere in between those two extremes, so really this kind of thing should be handled on a case by case basis based on a predefined framework set out when you sign up to the account. I suspect that means we are going to start seeing a T&Cs for bank/credit accounts that resemble insurance policies though; "We will refund your money in the event of A, B and C, but not P, Q and R, although we'll cover you for those too for a monthly fee. Under no circumstances will we be liable for X, Y and Z."
UNIX? They're not even circumcised! Savages!
If you want to take away the incentive to fix the problem from the party that has the most control of the security system, the customer should pay.
... or before long we'll be expecting the banks to also cover the cost of all the idiots that send cashiers checks to Nigeria hoping to get rich.
One way or another, people are going to have to learn some lessons... and financial loss is usually a powerful lesson.
I agree that banks should be liable for what equates to theft; but where is the security for their websites in the first place? Shouldn't there be some way to prevent phishers from being able to enter the data they phished? "Oh, hey, that IP has logged in to over a hundred accounts, he must be a phisher with customer data", or something akin to that.
Patrick "Diablo-D3" McFarland || http://AdTerrasPerAspera.com
The reason why phishing attacks work is that people are fooled into giving credit card information to what appears to be a legitimate website. This could have been avoided if the customer was more careful, but then again, we all get tricked from time to time.
Now, why aren't flags raised when $30,000 is taken out of a bank account electronically from an unusual location? A phone call to the account holder would be nice.
By analogy, if someone forges a check, and signs my name, and the bank cashes that check, the bank is on the hook for the cash. Also, if someone lies about their identity, and the bank doesn't verify their identity, they are also on the hook for the check. The same should be true with online transactions.
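A defender-side sketch of the two screening ideas raised in this comment (a phone call when a large amount leaves for an unusual location) and in the earlier "that IP has logged in to over a hundred accounts" comment. This is an added example, not code from the original thread or from any bank; the sample login and transfer records, the field layout and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login records (not real data): (source_ip, account_id).
# 203.0.113.7 is the one address that logs in to many different accounts.
LOGINS = [
    ("198.51.100.4", "acct-1001"),
    ("198.51.100.4", "acct-1001"),
    ("203.0.113.7", "acct-1001"),
    ("203.0.113.7", "acct-1002"),
    ("203.0.113.7", "acct-1003"),
    ("203.0.113.7", "acct-1004"),
    ("192.0.2.9", "acct-1002"),
]

# Constructed sample transfers in chronological order:
# (transfer_id, account_id, amount, destination_country).
# acct-1001 regularly sends money to South America; t4 is its first large
# transfer to a destination it has never used before.
TRANSFERS = [
    ("t1", "acct-1001", 400, "BR"),
    ("t2", "acct-1001", 350, "BR"),
    ("t3", "acct-1001", 500, "AR"),
    ("t4", "acct-1001", 30000, "LV"),   # new destination AND large amount
    ("t5", "acct-1002", 20, "LV"),      # new destination but small amount
    ("t6", "acct-1001", 300, "BR"),
]


def accounts_per_ip(logins):
    """Map each source IP to the set of distinct accounts it logged in to."""
    seen = defaultdict(set)
    for ip, account in logins:
        seen[ip].add(account)
    return seen


def flag_shared_ips(logins, max_accounts=3):
    """Return source IPs that logged in to at least max_accounts distinct
    accounts. One household sharing an address will not trip a threshold
    of 3; credential stuffing from a phished list will."""
    return sorted(ip for ip, accounts in accounts_per_ip(logins).items()
                  if len(accounts) >= max_accounts)


def flag_unusual_transfers(transfers, review_amount=10000):
    """Walk transfers in order, remembering each account's past destinations.
    A transfer is held for review (the 'phone call to the account holder')
    when its destination is new for that account AND the amount is at or
    above review_amount. Small first-time transfers pass, so the check is
    not a blanket block on new payees."""
    history = defaultdict(set)
    flagged = []
    for tid, account, amount, dest in transfers:
        if dest not in history[account] and amount >= review_amount:
            flagged.append((tid, account, f"first transfer to {dest}: {amount}"))
        history[account].add(dest)
    return flagged


if __name__ == "__main__":
    print("IPs used across many accounts:", flag_shared_ips(LOGINS))
    for tid, account, reason in flag_unusual_transfers(TRANSFERS):
        print(f"hold {tid} on {account} for review: {reason}")
```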
If European banks and governments won't protect customers from fraud, online purchases will be doomed.
FTFA: 1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs.
The rational answer should be that law enforcement should pursue the criminals and put a freeze on their accounts and seek retribution in monetary and jail time punishments.
Seriously, if we can find and freeze "terrorist" accounts, how hard is it to track where this money goes?
I mean Phishers have to get it from a bank or ATM somewhere.
Why don't the bank simply reverse the process and force other banks to freeze the accounts? What is preventing them?
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I have this to say about that.
It's the TYPE of phishing that should be investigated and judged. If I verify my contact info with the bank after an elaborate security hole makes it LOOK like the bank even after typing in the bank's direct web address, yes, I think I should be protected under some umbrella of some insurance policy somewhere. (BTMK, in Canada, our accounts are insured up to a certain limit, separate from the bank's insurance)
If I GIVE authorization for someone to take the money, no, the responsibility lies on me.
Trouble is, who can really prove either?
Canadian Bred with American Buttering
Won't seek a refund for $200k loss???
Bill, is that you?
First you need to prove where the money was lost from in the first place. You can't instantly assume that it was a user falling for a phishing scam. Particularly after so many companies have been losing backup tapes, customer records through social engineering, and the list goes on.
I'm all for the victim of phishing being responsible for their own finances. After all, it was their inability to take BASIC security precautions that we have been preaching for DECADES people...not a few years, DECADES!
However, as more and more companies are being found to have lax security on their own part....
Let's just say that if the bank can PROVE that the customer lost it via phishing and they were duped into giving up their username and password, then sure, they should suffer for it. After all, it was THEIR fault and not the bank's. HOWEVER, until the bank can prove how that information was snagged, they should be responsible.
I know that twice this year (yes, I said twice this year) I've had my debit card cut off (without warning only to find out sitting at a gas station with an empty tank) simply because of a security breach in some financial institution. While I applaud the fact that they shut it down to make sure I wasn't a victim, they could have been a bit more proactive. After all, I have no transportation without gas and that card doubles as my ATM card. If it wasn't for the fact that I make it a habit to keep $30 on me at all times in case of emergency, I could very well have been stranded 100 miles from home.
So yeah, bank's problem unless proven isn't the customer's fault.
It isn't clear to me that you have to do anything wrong to be the victim of fraud.
You haven't done anything wrong, neither has the bank. How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible? The customer for not being more careful? The bank for not making it more difficult for people to impersonate customers (and at the same time making it more difficult for honest people to conduct their business from afar). Insurance? (fat chance)
No sig
This question sure is a lot better than asking whether or not it's unethical to "hack" the Governor of California's website.
Part of me thinks that if someone walks up to you on the street, claims to work for your bank and then asks you for some money, you're an idiot if you take out your wallet. However, the internet is still relatively new and even though most slashdotters can recognize a phishing attempt, my mom still wonders how all those porn advertisements know where she lives...
Reimburse the bank and the victim. That may stop the phishing activity.
My online terms and conditions state that if I give out my online account and password I am responsible for their use. So if I give a phisher the information, I lose. If my information is gained without my consent or knowledge, it is their loss. So it would depend on the phishing scam. If my browser is hooked and I go directly to the real bank website I should trust the technology (sorry LOL) that I should be secure in trusting that transmitting the data of my account, password, etc. is secure. I should not be responsible for "man in the middle" schemes even if instigated by phishers. On the other hand, if I go to bankofamerika.com and don't notice they swiped all of bankofamerica.com's graphics, etc. (which BofA should prevent from being used on any page but their own anyway) then I am liable. Your mileage and terms of service may vary.
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
Until the banks use the best available security measures to secure their customers' accounts they should be held liable. Two-factor authentication schemes are well understood and cheap enough to implement that failing to use them is negligence, or at least culpability in any online loss. Using a random character generator like SecurID prevents replay attacks and makes man in the middle attacks much harder; using password protected smartcards eliminates them altogether. Just as using photos on physical cards would greatly reduce the occurrence of credit card fraud in the physical realm, these methods would reduce it online. The fact is that it costs the credit card companies more, whereas fraud only costs the merchant, because the fraudulent purchase is charged to the account of the merchant who accepted the card.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Banks have no way to stop foolish customers from falling into phishing traps. They could try to recover the money, but ultimately it's the customer's fault. The bank is not at fault, apart from some not using SSL on their login page to prove their identity, which customers never bother to verify anyways, and there's very little the bank can do to remedy it, unless the FDIC is willing to foot the bill.
You don't really think the bank is going to create money to pay for the losses, do you? Make no mistake about it--banks, like every other convenient, abstract legal fiction--don't pay for anything. Individuals pay for things.
Exactly true in the short-term, but not true in the long-term because customers can chose which bank to do business with. Banks still compete and the ones that can levy the lowest fees because they have the lowest phishing related losses will get the most business. The interesting issue is that banks have three strategies for lowering phishing losses:
1) Deny claims for losses
2) Implement security
3) Screen-out phish-prone customers (e.g., preferentially market to young, tech-savvy consumers with high credit scores)
Of these three, the first is a PR nightmare and may become illegal. The second is expensive and may inconvenience customers. The third is interesting but gets into nasty ethical issues if the bank tries too hard to avoid people it thinks are bad phishing risks.
Two wrongs don't make a right, but three lefts do.
justice must have a compassionate edge. because if justice is as brutal and swift as crime itself, it is no longer justice
so yes, the people who fall for phishing schemes are stupid. but no: they do not deserve what happened to them. the punishment they receive (losing all of their funds) is not commensurate with the mistake they made. if i get in the car with a drunk driver, i am stupid. but do i deserve to get paralyzed for life in the accident that happens for my mistake? no. so do you laugh and call me a moron or grieve at my infirmity?
whether you laugh or grieve at me is more revelatory about your own immaturity. because god forbid you ever make a little mistake in your life and suffer drastically for the consequences, right? that can never happen to you, right? yes: stupid mistakes have negative consequences. but if the negative consequences are way out of proportion to the error, you should not be so dismissive, you should demonstrate some compassion, or justice really isn't your motivation. if drastic punishment from a simple mistake happens to you, you're just going to suck it up and move on without complaining one bit, right?
well... experience teaches me that those laughing hardest at those horribly punished for simple mistakes are also those who whine the loudest when they become victimized the same way. so yes, banks should pay for phishing schemes, and everyone here shouting "you get what you deserve" are not speaking from a position of concern for justice. they are speaking from just sort of a smug hypocritical contempt for simple human fallibility. which they apparently imagine themselves immune from, out of simple ignorance at how cruel crime can be, and how fickle fate can be
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Given a few large lawsuits, banks will probably have to sign up for fraud insurance. But if their insurers set their rates based on an assessors' estimate of their security, it'll be in their best interests to improve security to get the cheapest policy possible.
It's how the civil court system and capitalism are supposed to work, anyway. It may just take time (and no freakin' governmental interference by passing "tort reform" limiting the banks' liability, otherwise there will be no financial incentive at all.)
John
...for banks, I mean. Because whatever version of windows it was had a phoning-home function, so that using the system to store customer data was actually a felony. I can't find the story, 'cause I don't remember enough details. Is WGA in this territory, or did that law get changed? Whatever happened to that; it was funny.
My turnips listen for the soft cry of your love
If banks want me to be responsible for my own dealings with them online then they can give me better login security. If it were easier to be sure that I was really dealing with the bank and not a phishing site then it would be more reasonable to hold me responsible.
How about a two-way cryptographic handshake where we verify each other's keys? A one-time password gizmo such as an RSA fob? But no, instead all I have is a crappy password. OK, so I can at least check their SSL cert, but it's not exactly convenient.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
I agree completely. Regardless of the amounts involved, anyone retarded enough to be taken in by a phishing scam, despite the massive efforts of all the major banks to raise awareness of the issue, deserves to suffer more than simply financially. I refuse to believe that any user of internet banking is stupid enough to have ignored the warnings on their bank's website, the news reports and the constant bombardment of precautionary advice from all quarters on the subject. I do not believe in pandering to imbeciles, particularly if it gives rise to a justification for higher bank charges/smaller returns levied against intelligent and competent account holders.
One is best punished for one's virtues.
Maybe some others with merchant experience can back me up on this, but most of the fraud is actually assumed by the merchant.
The abuse the banks dole out to retailers is so bad Walmart is setting up their own bank just to get a piece of the scam. http://www.fdic.gov/regulations/laws/walmart/index.html They had to drag the banks to court just to get them to stop abusing them on transaction fees.
In the end, the merchant will pay dearly for the privilege of accepting a payment made with phished cards. That means the consumer will end up paying slightly more overall for everything.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
The basic way money is stolen is this:
(1) Somebody gets your account information. (Possibly through phishing, possibly just by rummaging through your mail).
(2) They wire money out of your account.
(3) They move the money someplace where it cannot be retrieved.
The problem is in step 2. The banks make absolutely no verification that a transfer is authorized. When I walk into a branch, I can't just pull money out of my account without first verifying who I am. When I write a check, the bank (at least in theory) is supposed to verify that the signature on the check matches the one they have on file. But, there is no similar verification when my account is electronically drafted.
The banks are basically betting that they'll lose less money through fraud than it would cost them to implement security on the back end. It's a calculated risk on their end. If their customers had to pay for the fraud, there would be NO incentive for them to improve security.
Incidentally, the comment that "the customers pay for it anyway" is only partially right -- customers pay for part of it through reduced interest rates and so on, but some of it also comes out of the bank's profits. Banks are generally in a competitive market and as long as there are alternatives for savings (e.g. brokerage houses), the market dictates the interest rates paid by the bank.
There is no cure for impersonation if you provide a con man all of the details required to impersonate you. If you fall for a phishing scam you did as much as dressed up a con man to look just like you and gave him your photo ID cards.
In the pre-Internet days, a con man would have to work harder. You had to withdraw the money for him (like using the old Pigeon Drop scam, http://en.wikipedia.org/wiki/Pigeon_drop ).
The bank could use things like a PIN for account access, but if you gave out your PIN, how is that the bank's fault?
the money is responsible beyond a certain point. Obviously the thieves are ultimately responsible, but to blame the business? I don't think so. They could advertise indemnity or something to gain customers, but that's an optional feature IMO.
The business site must have some ability to validate a customer and attempt to prevent phishing site copies.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
So, if we put pressure on banks by making them pay, maybe they'll do things to make phishing attacks harder to carry out. Sounds good... but
If we put pressure on customers by making them pay, maybe they'll do things that make phishing attacks harder to carry out.
In the end, I as a customer to my own bank can entirely prevent phishing attacks on my account, through very little cost to myself. Therefore, I would like to be held responsible for phishing rather than my bank, otherwise I'll be paying for other customers' negligence.
I'm an account holder with Bank of Ireland, and have had several accounts with Dutch banks. ALL Dutch banks use two-factor authentication when making payments, either with a digital "calculator" device or a list of passwords, where for every payment a different password is requested, and the list renewed when it has been used up.
Bank of Ireland, on the other hand, uses just a lame 6-digit password, your contact phone number and a 6-digit account number. Very lousy security there. I definitely don't feel safe using their internet banking facilities. Even 8 years ago my Dutch bank modem service already used 2-factor auth.
So, yes, I feel that in this case BOI is completely to blame for this.
Phishing seems to be good advertising for banks. I'd never heard of Fifth Third Bank until I was suddenly getting 5 phishing e-mails a day for it.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Unfortunately two-factor authentication has already been hacked. Basically (I can't remember the link but I'm sure it was posted here) the hackers copied the two-factor authentication and then used the window that they're given (I think it was 5 minutes) and logged on using their system. Simple. People need more diligence in their online activities to prevent them from being suckered; anybody can fake a site, but it's pretty damn obvious when the URL isn't what it should be, and there are lots of tools out there to help. The simplest way to prevent phishing through emails is that when you get an email from PayPal or BofA or anywhere, go to that site by hand; never click on the link in the email. Period. -Morder
So this is it huh? Pay people for their stupidity? Next thing you're gonna tell me is that we'll be able to sue McDonalds for not having a "Caution! Hot!" label on their coffee cups because we spilled it on our legs.
Oh wait... that did happen.
The banks aren't phishing, so there is no way they should pay a dime to anyone.
Where were you when the voynix came?
Phishing scams don't dupe people out of their money, people dupe people out of their money. Prostitution may be the oldest profession, but hucksterism and thievery are close behind.
This is just technology giving dishonest people a new way of getting "other people's money." Where necessary, laws and policies will have to be changed to reflect this. Who's responsible? Like everything else, it depends on the situation.
How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible?
Well, credit card contracts explicitly mention fraud, and normally limit your liability to $50 in the case of fraud provided you report the fraud promptly.
By comparison, for fraud involving your ATM card, you are responsible for fraud when you disclose your PIN to someone.
It's not all the bank's fault. Ignorant/naive/stupid people are (largely) at fault. The customers are the ones giving people access to their accounts. How is this the bank's fault? (I'm sure someone can come up with a car analogy to help me out here.) My bank has sent me letters and has, from time to time, posted warnings on their website about phishing scams. They have done their part to warn me, and should bear no responsibility if I give my account information away.
No doubt some things need to be done to tighten up access to bank accounts, etc. But no matter what extra security you put in place, people will always fall for scams. Give them password protected smartcards and the next thing you know, you'll see phishing attacks saying "There's been a recall on your smartcard. Please send it along with your password and any cash you happen to have on hand to 123 Fake St, Springfield USA". Hopefully people won't fall for this, but I'm sure that some people will fall for it just as some people today ignore news reports, letters from the bank, etc. that tell them to beware phishing scams.
So until banks figure out a way to secure accounts from stupid customers, I'll answer the question "is it ultimately the customer's responsibility to make educated use of technology?" with a resounding YES!
Historically, if you get conned, that's your problem.
If the bank sold phishing insurance, it would invite people to get in cahoots with the phishers.
The simple rule for ALL online banking is this:
All online banking transactions should be initiated by YOU. If someone who looks like the bank contacts you with something, even if it looks perfectly innocent, never trust them. Instead, hit the bank's web site as you ordinarily would, not by clicking on a link in an e-mail, but by going to their main site and logging in as usual. This constitutes a transaction initiated by YOU. Once logged in, you will, under many online banking systems, find something in your "message center". If it matches up with what you received via e-mail, then it really was from the bank.
It really is that simple.
Sadly, some legitimate financial institutions do put links in e-mails. Forbidding this practice would make phishing virtually impossible, so I would advocate forbidding banks to send anything containing a link in an e-mail, not even as a copy-paste. If the bank sends you a message telling you it's time to update your password, and there are no links, then you MUST initiate the transaction by their legitimate URL, and you cannot be phished unless the bank has been hacked.
If the bank is hacked, then yes, the bank is liable. This is more likely to be insurable; especially under a well-regulated banking system.
Convenient? No. But then neither is having a lock on your door.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
ETrade offers little RSA dongles and you append the ever-changing 6-digit number to your password. Might be helpful if banks offered this for regular online customers. Well, maybe if emails are delayed by the timeframe the 6 digits are valid.
An option to restrict online access to an IP or subnet would be nice too.
If someone forged your driver's license and went to the bank to withdraw your money in person, it's the bank's fault for giving it to them. Same principle should hold for online transactions. If the bank gives the wrong person your money, it's not your problem.
If the liability moves to customers, the banks won't have any incentive to improve security. Worse, the bank will start blaming you for breaches that are completely their fault. The bank will claim you didn't protect your password when their systems are compromised and your account is drained.
The bank has motivation and resources to implement a solution, whereas individual customers do not. This is because banks control the technologies that phishers emulate in order to con their targets.
For example, the company I work for is concerned about phishers stealing user accounts, by emailing links to pages that look like our corporate signin page (used for many properties in many locations, so commonly encountered on various sites by our employees.) As individual users, it was extremely difficult to tell whether the page being logged into was legitimate or not; so, the company now uses a cookie to identify you as an employee, and embed your picture (from the company's internal records) into the login page. If there's no picture of you, it's not legitimate.
Is that foolproof? No, because other employees could get your photo and fake the login page. It certainly narrows it down to internal employees and contractors, however, and it's a step that individual employees could never have taken on their own.
Similarly, imagine if ATM cards didn't have PINs, and possession of the card was enough to withdraw money from remote locations. Individual users couldn't do much about this, other than hold onto their card for dear life, but the banks could easily implement PIN codes so that theft of the card did not automatically enable theft of account monies.
Again, is that foolproof? No, because some people write their PINs on their cards (duh) and some people manage to set up "fake" ATMs to collect card swipes and PINs. However, banks now use the unique identifier on the card to access the customer's name and display it before the PIN is punched -- no name means you probably shouldn't use the machine. Again, another step (still not foolproof) that individual users couldn't enact on their own.
If a bank makes a service available, they are the ones in good position to improve the security of that service, and at some point the bank actually hands over the money based on their own assurance that the person using the service is who they say they are, using whatever method the bank provides. All of this is up to the bank, not the user, and so they should carry the liability -- if not, they can always opt to avoid providing those services that they cannot successfully protect.
Does this absolve the users of all responsibility? No, but there are still lots of stupid things users can do -- and shouldn't -- that cause them to lose money that the bank doesn't -- and shouldn't -- have to reimburse.
I guess you can think of it like this: if a bank's machine gives out money to the wrong person, it's the bank's fault -- and if the bank's machine gives out money to the right person, who is then mugged within half a second of the transaction, it's the user's fault.
I don't know how this guy Joe Lopez in Florida managed to get a keylogger installed on his machine (probably installed some warez or porn), but I would hardly classify him as a rube for having lost his banking information to some cracker in Latvia. When my credit card company notices spending on my card in a city 1000 km away, they call me. Is it too much to ask a bank to do the same if an unusual transaction is being attempted from my bank account? Joe apparently did transfer money to South America regularly (hmm, a name like Lopez... go figure) but you would think a single transaction to Latvia would raise a flag somewhere.
And, as usual, the informed people will end up subsidizing the ignorant. This is not a security issue, so the banks can't improve it. The banks will have to pay, either directly, or through insurance premiums. This gets passed on to the consumer. Why in the world should the banks be liable for someone impersonating them? Should you get sued for a scam artist impersonating you?
My mom actually got an email supposedly from PayPal that she was worried about. I've warned her many times in the past, but you never know if people are really listening or not. She called up PayPal (with the number off the website itself), talked to them, and had it confirmed that it wasn't a legit email. I was pretty impressed that a 54-year-old woman who doesn't know hardly anything about computers was able to do all of this on her own. If someone with very little computer experience can use common sense when it comes to personal information and avoid being ripped off, why can't everyone? It falls on the customers to police themselves. If I fell victim to one of these scams, I wouldn't look for the bank to pay me back. It wasn't their fault, it was my fault.
This is a better description of the pigeon drop scam...
http://www.crimes-of-persuasion.com/Crimes/InPerson/MajorPerson/pigeon_drop.htm
The person who responds to the phishing is responsible for their own actions. Or the phisher.
Many of them now say something to the effect of the customer having to take "reasonable care" to protect themselves from identity theft / being hacked. If you don't, then no money back for you.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Let's rephrase the question
I run a business where I hold money for people to keep it safe from thieves.
I give their money to a thief.
Who is at fault?
Sounds like the bank is trying to skirt their responsibility, and developed an insecure method of keeping their customers' money safe from thieves.
SecurID only has a ~30 second window for each password. This means that you have to get the passphrase from the user and use it to log in to the originating website in less than 15 seconds on average, not impossible but more difficult than a static password. As I said, mutual authentication with password-protected smartcards is really the way to go =)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
This seems scarily like insurance companies denying claims when a lock was bumped.
Granted, I want people to pay for their own mistakes, but what if that new intern in payroll made a photocopy of my direct deposit auth form for a rainy day?
Please, don't feed the phishies. And don't clean their tank, either, or they'll stay alive.
You will be baked, and there will be cake.
How are phishing emails different than, say, somebody calling you on the phone pretending to be from your bank's credit card department? If you fall for it, who should be responsible?
Not much. When a bank calls, Caller ID should show bank's name rather than "Private Caller" from some call center in India. When a bank sends an e-mail it should be digitally signed. My credit card should generate (say, with a keypad and LCD) one time use authorization numbers based on the charge amount. As long as the bank doesn't give users a way to distinguish between legitimate and fraudulent communication, they should be responsible for the results.
Financial institutions have the responsibility to protect us from unauthorized access to our accounts. It should then be the burden of the institution to show that the account holder was at fault.
However, we ALL have to take responsibility
As a consumer,
1) never enter personal information in response to e-mail initiated requests, etc.
2) report suspicious emails, websites, etc.
3) Use common sense (nevermind, that'll never work)
As for the banks,
1) Provide security measures to reduce chances of phishing losses; while authentication is not perfect, it's a decent start (although I find it pretty annoying)
2) Educate their customers
3) Need to offer an easy, user-friendly way to report phishing (PayPal does a good job of this)
4) Make their policies clear; if they won't cover losses due to phishing attacks, we should know before putting our money in their hands
5) If they can't sustain the losses, then they need a new business model; what do banks do with those $30 fees that they love to ambush everyone with
Now the Government,
1) NEEDS TO PROSECUTE OFFENDERS by enforcing existing laws; it's amazing how apathetic the authorities are towards identity theft, etc.
2) Ensure laws are adequate for protecting consumers and prosecuting offenders
3) Educate the people
When the bank has to reimburse customers $200,000+, it's not like they can just go out to the magic money tree behind the bank and get another bushel of bills. All the money the bank has ultimately comes from customers, so one way or another they're ultimately going to be the ones paying for the loss. The REAL question is whether ALL of the customers should lose out (through higher fees and lower interest rates) or just the ones dumb enough to fall for the phishing scams.
How are other analogous situations handled? Let's say someone is 'tricked' into giving up their ATM card pin #, and someone withdraws money from their account without consent. Who's liable? Shouldn't the liability be similar online as offline? Also, the criminals should be the ones paying restitution.
The bank has done plenty wrong - they've allowed an unauthorized party to access your account and withdraw funds. They've cultivated a business model where financial transactions can be conducted over an insecure network without adequate identity verification, and they've done so knowing full well that the network is rife with phishing scams which capitalize on those weaknesses. If they can now shift any losses back to the customer, there will be no incentive for the banks to improve security.
In Mexico, bankers may make fraud your problem
by DAVID ADAMS and GINA MANFREDO
St. Petersburg (Florida) Times, June 17, 2006
MEXICO CITY -- One morning last July Alejandro Sanchez got a worried phone call from the branch manager at his bank.
There had been some unusual activity on his account.
"She asked if I had made some transfers," said Sanchez, 46. "She told me not to worry and she would call me back."
A few hours later somber bank officials showed up at his office to advise him that his company accounts, totaling almost $300,000, had been temporarily blocked for security reasons. Sanchez says he was assured it was all "a misunderstanding."
It wasn't until a week later that the bank told him he had been a victim of Internet fraud. All his money was gone.
But the bank still insisted he shouldn't worry. "They said it was being investigated and I would get my money back," said Sanchez, a father of three and the Mexico representative for a large North Carolina electrical engineering firm, Reliance Electric.
But almost a year later Sanchez hasn't seen a cent. And his bank -- Spanish-owned BBVA Bancomer and Latin America's second-largest financial institution -- says he won't get any.
Such is the fate, it seems, of Mexican victims of online bank fraud. Whereas banks in the United States and Europe guarantee the security of client accounts, in Mexico the rules are reversed.
"The banks simply deny any responsibility," said Enrique Arias, director of financial analysis for the National Commission for the Protection and Defense of Financial Service Users, CONDUSEF. "Unfortunately there is a lack of regulation and clients have little recourse."
This is not a security issue, so the banks can't improve it.
Of course it's a security issue. All I need to do is get your account number and the bank's routing number and I can initiate an ACH electronic funds transfer against your account. There is no sort of security in place where you can whitelist banks/accounts for initiating an ACH against your account.
Now you might say it's the customer's job to better protect their info. Well guess what. You're in line at the grocery store writing out your check. See me behind you in line talking on the cell phone? Guess what... I'm not actually on the phone. I just used my camera phone to snap a photo of your check, which contains ALL of the information I'd need to get the bank to do an ACH transfer out of your account.
Now tell me...does that still not sound like a security issue?
It's unfortunate, but unless the phishers can be found (which is pretty much never) the customer has to be the one to bear responsibility. They need to keep track of who they give their information to, and while they don't deserve to lose all their money, others who didn't make the mistake shouldn't have to take responsibility for it. It sucks, but that's life.
"What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
Well, credit card contracts explicitly mention fraud, and normally limit your liability to $50 in the case of fraud provided you report the fraud promptly.
In the interest of full disclosure, doesn't the federal government require them to?
(Then again, my credit card waives the $50 liability even.)
In a Wired article from last year, Bruce Schneier said some very sensible things on this subject:
I think this is absolutely right. Faced with the financial losses of phishing, banks will simply institute procedures, technologies and processes to protect against fraudulent financial TRANSACTIONS. Doubtless, banks will gripe and complain about their new liability. But it was exactly this same liability that made personal credit cards viable - and gave birth to a multi-billion dollar industry.
-Sean
I agree that people should be responsible for their actions, but in this case the banks should pay. Why? Because the banking system is crooked and stingy. They operate on a system called 'fractional reserve banking' which means that they can lend out more money than they actually have AND charge interest on it! If you or I do this it's called 'fraud'. Unfortunately the banksters will likely figure out a way to profit from phishing. The term 'Internet User Security Fee' comes to mind. Of course, the fine print in the contract will completely absolve the bank of any liability from employing this 'service', and the service fee will merely be just another service charge (money grab) that makes the customer 'feel' safe, but offering no real protection. Banks steal from and defraud the average person every day. Someone said earlier 'Hit them where it hurts'. I agree wholeheartedly :)
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Two factor would make phishing harder, but what we really need is better built-in browser support for two factor auth as an extension to the HTTPS protocol.
In an ideal world, the browser supports two factor auth for access to the website via http auth, but would put up a warning that says "WARNING: Your password is being sent insecurely. (Send Anyway) ((Cancel))" if the connection is not encrypted with a properly signed cert. This authentication should require you to key in your account name, pin number, and password in separate fields and should be displayed by the browser, not as a web page that can be faked. By so doing, you basically eliminate the possibility of a phishing attack using an unencrypted channel that looks like the encrypted channel enough to fool someone into giving up the needed information.
With that single change, you have a solution that will dramatically reduce phishing attacks, as it requires the phishers to have a legitimate signed SSL cert, which means there is (in theory) a solid paper trail leading back to them. Phishing expeditions that involve SSL are very, very rare by comparison to the unsecured versions, require a much greater financial investment, are much more likely to result in a successful arrest and prosecution (because of the paper trail from obtaining the cert and the requirement that such certs are tied to a valid domain name, both of which make it harder to use hijacked machines as servers).
Unfortunately, it's a chicken and egg problem. The browser vendors probably won't add such authentication mechanisms into the browsers unless sites want it, and banking sites aren't willing to spend money on two-factor devices unless they provide a tangible benefit (and without such browser support, they really don't).
Check out my sci-fi/humor trilogy at PatriotsBooks.
The banks run this risk in deciding to have unauthenticated account withdrawals. So, just as you say, hit 'em where it hurts and maybe they'll learn.
Perhaps bank practices will improve as a result.
What if you don't fall for a phishing scam, and your money is gone? Until authentication is based on something only *you* know, there's no way to prove that you're responsible for someone else knowing enough about you to convince your bank to authorize the withdrawal of your money without any way of tracking him down.
So the Bank of Ireland hasn't a clue about forged From: addresses, encourages customers to involve innocent ISPs' abuse departments, and takes no interest in pursuing malicious emails involving its own name. It suggests the police might care more about the Bank's security than the bank itself.
IMHO the BOI has no business berating its own customers for not having a clue/care, especially when they demonstrate so little themselves.
re:"Can Banks Shift Phishing Losses to Customers?"
Should read:
" How Will Banks Shift Phishing Losses to Customers?"
There's only binary logic here - bank starts to lose money - they decide to shift the liability - bank gets threatened with losing more money. Once they figure out how to avoid that second scenario (waiver anyone) then we can go back to putting our cash in mattresses again.
The real question is in how diligent the customer was. If someone who should have known better deliberately (if ignorantly) hands over all their pertinent details through open e-mail, then that is at least partially if not wholly the customer's fault.
On the other hand, in the case of a more sophisticated scheme where the customer was deceived despite reasonable diligence, then while it is ultimately the fraudster's fault, it is right for the institution to shoulder at least most of the loss. For instance, a key logging program that came in an otherwise legitimate program could easily be on computers even with diligent owners, and the customer should not then bear that responsibility.
While the people who get suckered into phishing scams probably aren't paying enough attention to the world they live in, I still think that the banks are failing somewhat in their duty to properly identify their customers, whose money they're holding in trust.
It's telling that none of the banks want to let things go to court for this stuff. They probably realise that the fault is really in their identification processes but don't want to be held accountable for it (it would require huge change, if it's even possible to do satisfactorily at all).
Banks gave up checking signatures decades ago. Individual tellers may occasionally make inquiries about someone cashing a check (not very often), but there are simply too many checks in the system, and the rate of fraud is too low to make signature checking cost effective.
Over 10 years ago, a branch manager at one of the largest banks in the US politely but firmly asked me to remove the "two signatures required" option from a checking account before he would let me open a second one. The bank was no longer willing to assume the responsibility to ensure that the check had two signatures, much less match them with a signature card.
This comes down to a simple equation - if you give up your right to access anything on the web ( other than your banks website ), then they can be held responsible for the safety of your computer usage. If you don't agree to that limitation, the bank really has no way to guarantee that you won't be phished at some point - and thus, should not be liable for the $$. Further, if the bank undertakes the time and effort to create an infrastructure that can provide a guaranteed access point from your computer to their bank with no ability to circumvent and/or steal information from it - there should be a subscription and/or usage fee to partake in that service.
We were talking about this at work the other day. The conclusion that we came to was that because the banks make so much money, this sort of fraud is a small breeze on a sunny day. Most banks in Canada are pumping in a billion or so in profits a year. It's not worth them spending more money in order to educate their customers. Even if they don't have fraud insurance, they write it off as a loss. So, yes, of course they don't really care that much. It would cost them more if they actually tried to do something.
I have mod points and I am not afraid to use them.
When a bank calls, Caller ID should show bank's name rather than "Private Caller" from some call center in India.
Ummm, you do know that Caller ID is easy to spoof, right?
If someone gets scammed, why should the bank cover the butt of the idiot who gave out their info?
In that case, the customer is in part at fault for their ignorance..
However, there is also the problem of banks that get hacked.
In that case, the bank had better cover the losses but I'm afraid the bank would push it off as a phishing case and try to weasel out of it...
Anywho, I wouldn't be surprised if banks started selling phishing insurance as an extra service to cover any losses...
DEAD DEAD DEAD DELETE ME
As far as I know, neither of my banks EVER sends me email telling me I have to "click here to reactivate my account". Any individual who falls for that deserves what they get.
Don't thank God, thank a doctor!
Source? I'm curious how you'd go about doing such a thing...
But really, some Private Caller in India? Makes me think the banks aren't even trying.
Don't thank God, thank a doctor!
Heck, this case isn't even phishing.
Huh?
Should it really be possible to drain somebody's account using only their account number & routing number? Both of those pieces of information are available to anybody you give a check to, for a start. Now tell me this isn't a security issue.
I am a customer of BoI, and currently arguing with them about their online banking service, Banking365. I used to be able to pay a limited number of bills, to a limited number of defined accounts (like phone and credit card and electricity) through an ATM. Since moving branches, they have removed that facility and insist that I must register for their Banking365 service instead.
I think that phishing victims need to take responsibility for their own mistakes, however unfortunate that is. However, the bank needs to provide its customers with the tools they need to assume that responsibility. Obvious measures they could take if they cared about their customers' security include showing IP, date and time of last login, an ability for the customer to specify an upper limit on transactions, or specify range of IPs they might use -- the kind of thing that any of us would regard as basic security for a server.
A paragraph from the story at The Irish Independent is especially worrying:
I've been through Bank of Ireland's Banking365 site and several discussions with bank staff, and from the information I have, I don't see how it was possible for the fraudsters to transfer the money from the receptionist's account to one from which they could withdraw the money. Risking your own money is one thing. Becoming responsible for any amount the bank claims you owe them is quite another, especially when the bank, while providing lots of Terms and Conditions for their own protection, provides their customers no options at all for self-protection.
Banks should not be held liable for phishing scams over email, provided they do not actually send similar emails -- which is more and more true these days. There simply isn't a legitimate reason to do this kind of stuff over email.
Banks (and credit card companies) should be held liable for fraudulent transactions conducted over the Internet, because the vast majority of these are inherently insecure, and it's difficult or impossible to tell the difference between a "good" website and a "bad" one.
Don't thank God, thank a doctor!
All you need to do is see a check or credit card and you have everything you need to pay. For a check, electronic transactions simply need an account number and a routing number which are printed clearly on the front of the check. And the same for credit cards. Until the banks come up with better security than that, I have no sympathy for the banks. The keys are printed right on the front.
In the first case the Bank pays, in the second case Aunty pays (after all, for all you know she lost the money at the dog track).
All the "make the banks do something" arguments boil down to "make it harder for customers to get their money".
Right now maybe the "get at your money" rules are a bit too lax, but be careful what you ask for, or the next thing you know you will be submitting biometric info to swip your ATM card for that next Starbucks.
And when that happens, does the Bank still pay if it really was Aunt Agatha's finger that authorized the payout?
This issue is a bit more complicated than you think.
One thing you need to realise when you read TFA is that Ireland is a plain dodgy place to do business - everyone will try to rip you off, especially the banks. I used to bank with BoI when I lived there and frankly I would not trust them as far as I could spit.
I don't get it, how hard is it to just follow the money? The scammers got the credentials of innocent customers using a phishing site, then what's their next move? Obviously they log in to the real bank, under the false credentials, and do a wire transfer to move the money elsewhere. Just follow the money, reverse the transfer and find the owner of the account to which the money was transferred. I thought the authorities already do this to fight terrorism, don't they?
Not only should banks not be able to shift the costs of phishing to their customers, but if they can't prove that they took adequate steps to ensure the security of their customers, the money lost to phishing should be docked from the salaries of the executive boards until they get a clue and hire some IT help.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Click away at your peril!
(Todays) Some older ones
If I got scammed on the web, I'd feel like such a fool I probably wouldn't bother seeking a refund.
While I agree about feeling like a fool, I don't think you wouldn't bother to seek a refund if you lost tens of thousands of dollars. No matter how idiotic it is to give out your banking information to some website, it is still your bank's responsibility to make sure all transactions are authorized by YOU and YOU ALONE (at least that is how I understand the current laws in the US).
A lot of damage can be done just by getting a person's bank account number and bank routing number. What if a person were to write a check at the local grocery store and the clerk ended up writing down the information on the check and then used that information to purchase goods online or in some other fashion? While this is not the same as handing your information over at some website, it is similar, and in both situations it should be the bank's responsibility to verify the account holder authorizes the transactions.
Hey, there is only one Return and it's not of the King, it's of the Jedi.
In my bank, in order to make a transfer online I have to:
1) go to the trusted secure (SSL) website
2) supply an 8-digit ID number
3) supply a PIN code consisting of up to 12 chars (one different from my ATM card)
4) fill in the form - if one of the values I filled in doesn't look alright the bank will outright reject the transfer (without giving notice via www, but by calling me on my mobile phone in person telling me to try again)
5) I receive a one-time token for this transaction to be used within 3 minutes from receiving it to confirm the transfer
Afterwards I get an email once the funds are transferred.
This schema requires that I have 3 different codes, one of which is supplied by the bank itself on a one-time basis, I have the mobile at hand and I promptly respond to the SMS with the token.
These are 4 separate verification methods, and - amazingly - scammers don't even try to get my personal data (whereas I receive daily mails from 53.com that tell me to update the info for the account I don't have).
There are phishing emails that I have received daily since last year.
To the point:
1) if you're stupid enough to give away your account information to a stranger - you have to pay for your stupidity.
2) since this outrages you - you WILL go to another bank that has a better security schema, that WILL NOT let you make that mistake again. Such security schemas are doable in today's day and age.
3) since you just left your bank - they WILL have the motivation to track down and sue the daylights out of any scammer. Banks do have an interest in keeping their customers happy.
This way - you learn a lesson, and the bank takes action.
Although paying for 100% of your losses yourself may be a bit too much - in some cases the scammer can make a debit this way, and you end up being robbed of more than you actually have!
Maybe meeting halfway and paying for half the losses would make both parties equally unhappy?
Besides - wtf does untraceable mean in the information age? The RIAA is able to locate the people that download a song that costs $2 on iTunes, can't a bank find the scammer that stole $3k from their customer? I call BS.
And the banks that actually don't keep the records, and allow the scammers to thrive? Ban them from the system.
Who (except for a few specific customers) transfers money to Nigerian/Tunguska/whatever banks anyway? Why not whitelist those specific banks for those specific customers.
Surprisingly - I haven't heard of a single phisher caught and sentenced, or did I miss something?
If there are actions being taken I want to hear about them in the news so that the spammer that makes his living advertising viagra (annoying and costs a sysadmin his time - but isn't exactly theft or fraud) thinks twice before taking a gig from a scammer.
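The transaction token in steps 4 and 5 of the post above, together with the short validity window of the SecurID codes mentioned earlier in the thread, as an added example that is not the poster's bank's system: a server-side authorizer that ties a 6-digit token to one transfer's destination and amount, expires it after 3 minutes, and accepts it only once. The account numbers, the HMAC derivation of the token and the injectable clock are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 180   # token usable for 3 minutes after issue, as in the SMS flow above
TOKEN_DIGITS = 6          # SecurID-style 6-digit code


class FakeClock:
    """Constructed clock so the example runs offline and expiry can be shown deterministically."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class PendingTransfer:
    src: str
    dst: str
    amount_cents: int
    issued_at: float
    redeemed: bool = False


class TransferAuthorizer:
    """Server side of the flow: issue one token per requested transfer, accept it once, in time."""

    def __init__(self, clock):
        self.clock = clock
        self.key = secrets.token_bytes(32)   # per-server secret; constructed here, never sent out
        self.pending: dict[str, PendingTransfer] = {}

    def _token_for(self, transfer_id: str, dst: str, amount_cents: int, issued_at: float) -> str:
        # The token is an HMAC over the transfer's identity, destination, amount and issue time,
        # so a token captured for one transfer cannot authorise a transfer with altered details.
        msg = f"{transfer_id}|{dst}|{amount_cents}|{int(issued_at)}".encode()
        mac = hmac.new(self.key, msg, "sha256").digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10 ** TOKEN_DIGITS:0{TOKEN_DIGITS}d}"

    def request_transfer(self, src: str, dst: str, amount_cents: int):
        """Step 4: the customer submits the form; the bank records it and issues the token."""
        transfer_id = secrets.token_hex(8)
        issued_at = self.clock()
        self.pending[transfer_id] = PendingTransfer(src, dst, amount_cents, issued_at)
        # In the real flow the token goes out of band (SMS); the demo returns it instead.
        return transfer_id, self._token_for(transfer_id, dst, amount_cents, issued_at)

    def confirm(self, transfer_id: str, dst: str, amount_cents: int, token: str) -> str:
        """Step 5: the customer echoes the token back with the transfer it is meant to confirm."""
        p = self.pending.get(transfer_id)
        if p is None:
            return "unknown transfer"
        if p.redeemed:
            return "token already used"          # single use: a replay is refused
        if self.clock() - p.issued_at > TOKEN_TTL_SECONDS:
            return "token expired"               # the 3-minute window has passed
        expected = self._token_for(transfer_id, dst, amount_cents, p.issued_at)
        if not hmac.compare_digest(expected, token):
            # Wrong digits, or details that differ from those the token was issued for;
            # one message for both so the response is not an oracle for either.
            return "token does not match this transfer"
        p.redeemed = True
        return "ok"


def demo() -> dict:
    """Walk the four outcomes a defender cares about; account numbers are constructed."""
    clock = FakeClock(1_000_000.0)
    bank = TransferAuthorizer(clock)
    results = {}
    tid, tok = bank.request_transfer("IE-ACCT-0001", "IE-ACCT-0777", 250_00)
    results["altered destination"] = bank.confirm(tid, "IE-ACCT-0999", 250_00, tok)
    results["genuine"] = bank.confirm(tid, "IE-ACCT-0777", 250_00, tok)
    results["replay"] = bank.confirm(tid, "IE-ACCT-0777", 250_00, tok)
    tid2, tok2 = bank.request_transfer("IE-ACCT-0001", "IE-ACCT-0777", 10_00)
    clock.advance(TOKEN_TTL_SECONDS + 1)
    results["late"] = bank.confirm(tid2, "IE-ACCT-0777", 10_00, tok2)
    return results


if __name__ == "__main__":
    for outcome, verdict in demo().items():
        print(f"{outcome:>20}: {verdict}")
```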
Agreed, but this article is in the context of phishing scams. I would argue that there's a difference between someone impersonating an individual to the bank (like the example you gave), and impersonating the bank to the individual (phishing). In the case you describe, the individual is being impersonated, and the bank is the one involved in the transaction. I would agree that they need superior authentication systems in that case. In the case of phishing, however, the bank, through no fault of theirs, is being impersonated. A gullible individual will likely provide any information required for a bank transfer, including the information to change the whitelist. The same gullible individual would likely not even set up such a whitelist. Since the bank isn't a party to any of this communication, I think that the individual, rather than the bank, should be held accountable in this scenario.
Banks shouldn't even BEGIN to think about this until they fix their own systems to prevent phishing.
For example, I recently went to NewEgg to buy a cheap switch with my new Visa card. It forced me to enroll in Verified by Visa. Fine. But the interesting thing is that instead of redirecting me to my bank's domain, it redirected me to arcot.com. WTF is that?! The site looks legitimate, and they knew who my bank was, but anyone could fake that. Arcot.com then asked for the last 4 digits of my social security number. The whole experience, even though it was completely legitimate, seemed like a phishing attack.
You can't expect Joe Consumer to determine whether that site is legitimate or not. And worse, it created the expectation that you must enter in this info when asked, or you can't complete the purchase before the price goes up, etc. So, when a legitimate phishing site comes around, Joe Consumer will freely give away his information.
I agree... if someone at the checkout line asks if they can borrow your credit card for a second you'd say no, right? How is this any different?
Jeremy Logan's Website.
I'm sure they would love to. But we must not let them. We put our money in banks because it's supposed to be more secure than keeping it under the mattress. If they don't secure our money, then we have no reason to let them keep and profit from it. Phishing is a problem because the banks are too loose, lazy, cheap, etc. etc. etc. And it's way too easy for them to simply write off the losses. And we accept anything they tell us too easily. We presently have the same problem with the government. If they shift the problem to the customer, then it will get much worse. Make it their problem, and don't allow undue inconvenience to the customer, and it will decrease dramatically. Put your money back under the mattress until they fix it. For a really quick fix, burn your credit cards.
By now, I'm sure this is all very redundant, but it doesn't make it any less important. You have the power to change things. Use it or lose it.
What?
Banks bear the cost of fraud across the board due to their size. The policy reason behind this is that the financial sector as a whole is in a greater position to absorb losses due to fraud than the average citizen. What would otherwise be catastrophic losses to Aunty Beth are but a fraction of a percent from the bottom line profit of a bank.
It is the same policy decision underlying mandatrory insurance. Furthermore, that the banks are ultimately responsible for the security of the financial sector is another policy decision on the part of the global fincnance community. As banks are the chief profiteers from the finance sector, security and credibility in that sector are, and properly so, their responsibility. To change that would be to undermine the very foundations of the global financial system.
Passing the costs on for breaches of security, no matter how careless their actions may have been, is as ridiculous as passing costs to them for bank robberies. If a potential bank robber asks me what I know of a bank's security, and I naievely tell him everything that I know, the bank is still not able to charge me if there is a successful robbery carried out using my information.
No, no no. Banks have historically been considered the gatekeepers of the financial system, with ultimate custodianship over it, and to charge customers for breaches of security would dangerously undermine their responsibilities and set a grave precendent for those who deal with financial institutions.
I hate printers.
There was a story in Canada of an old woman who had her PIN written down in her wallet and got it stolen. The robbers wiped the account and she complained. The bank wanted to charge her but folded under pressure from Reader's Digest. In that case I think she should have been charged.
Banks are, and should be, responsible for errors on their fault. Phishing schemes are not errors on their part, and very little can be done, technology wise, to reduce phishing as a practice beyond consumer education.
Phishing is social engineering, and it has nothing to do with the security systems the bank has put in place to protect their accounts. It doesn't matter how much security they put in place, when the customer is handing over all of the information necessary to bypass that security.
Would I be pissed as hell if someone drained my account through a phishing scheme? Hell yes. Is it my fault? Yes, it is. Should the bank pay for something that they could not, in any way, have prevented? No. People not wanting to be held responsible for their own stupidity is what's dragging this country into litigation hell.
I get the feeling they're not the kind of person that has 10s of thousands of dollars in their bank accounts...
Certainly, having my accounts emptied would be devastating. I've got the deposit on a house, plus money to pay for furniture in my accounts, a lot of which was generously donated by my parents. If that went, it would take me something close to a decade to save it again... that's not a "Well, boy do I feel dumb, nevermind, just won't do it again", that's "Bloody hell, now what do I do???". I do what I can to protect my accounts; log in only from systems I manage myself, never click links in e-mails, change passwords regularly, maintain accounts with different banks and different passwords, but still...
I'd consider something on the order of not allowing people to use Internet banking for 5-10 years, a more appropriate level of punishment, not to mention common sense under the circumstances.
Banks do need to tighten up their act and have better methods to verify transactions.
However, phishing only works if you have somewhere to host a phishing site. Most ISPs intentionally make it impossible even for a knowledgeable individual to get hold of someone in their IT department - the phone numbers in ARIN records go to a black hole recording; they might call you back in a few weeks, and they might not.
At work, we host the online fundraising site for the American Red Cross, and in the weeks after Hurricane Katrina, a number of phishers were putting up sites to mimic it, mostly on trojaned home PCs on cable modems right here in the USA. One was on Yahoo!
Both I and the ARC security folks spent a ton of time just tracking down someone in IT at the cable providers to get these sites blocked. It's infuriating to track one of these down only not to be able to get it taken off the internet.
The reason ISPs make their tech staff uncontactable is that they would be deluged with quotidian requests from consumers. We need a way for genuinely urgent stuff to make it through the noise.
One possible way would be for governments to step up and create a real-time service whereby people could report phishing sites to an automated system (maybe the FBI's I3C unit?) that would be able to identify genuine reports worth investigating (same IP submitted many times) and have a human operator check them; they would need to have a private database of pager numbers for ISPs' staff, with a mandatory requirement for ISPs over a certain size to provide usable contact info.
The I3C does have a web form but it's literally over 100 boxes and reads like a police statement form (they ask what *county* you're in - yes, really) and it gets referred to an agent for investigation during business hours, not exactly what's needed for a quick turnaround.
Then append my birthday to it. Or better yet, work with my phone company to ensure secure identification. There are only like a dozen of them.
Should it really be possible to drain somebody's account using only their account number & routing number ? Both of those pieces of information are available to anybody you give a check to for a start. Now tell me this isn't a security issue.
Or by having a scammer simply confirm what city a customer's bank is located in?
http://wamublamesgrandma.blogspot.com/2006/03/wamus-response-to-my-letter.html
Are you saying that there should be some additional layer of security such as a PIN number or password for this type of transaction? It still wouldn't stop the phishers... That's their game. They get their victims to give them all of the necessary information to conduct a transaction on their accounts... regardless of what that information is. Check out this lovely phishing site which I cannot seem to get removed even though I've contacted the company associated with the compromised server. Notice what information it asks for. Any sane person would immediately know this wasn't legit just by the volume of information it wants. However, there are enough people who'll still fall for it to make it worthwhile for the phishers. It's so crazy to fall for a scam this obvious that almost the only reasonable explanation is that the victims are being lax with the security of their information because they know the banks will pick up the tab.
http://eastonbike.com//%20/www.amfirst.org/
But there's so much more that banks could do easily to attack phishers. For instance, when somebody sends Example-bank a copy of a phish that's really at phish.example.com, the bank could go to the website and start feeding it phony accounts, and then hunt down anybody who tries to use them. (It's also fun to feed them millions of bogus accounts, just to dilute the usefulness of anything they received, but it's more productive to target them.) Banks may theoretically try to trace phisher websites, but most of them are zombie hijacked PCs or else disposable Chinese websites rented with stolen credit cards, so that's not as useful as following the money. The initial trail with the money is usually going to be merchants, but merchants don't like chargebacks or fraud, and they may be more cooperative than phishing websites at providing useful information.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Anyone who read this article summary and who has been subscribing to the Cryptogram almost knows verbatim the answer:
When the burden of a security breach lies on another party, that is called an externality. The other party bears all the pain of the security breach, and so security is never improved.
Bruce Schneier has covered this topic in GREAT detail over the past several years. He knows exactly what will happen if customers bear the brunt of pain over this. Things will get worse. There is historical precedent. There's no unanswered question here.
The banks, who have all the control over the security, need to bear 100% the burden of security breaches.
fifth sigma, inc.
In an ideal world, the browser supports two factor auth for access to the website via http auth, but would put up a warning that says "WARNING: Your password is being sent insecurely. (Send Anyway) ((Cancel))" if the connection is not encrypted with a properly signed cert.
It does. 99.999% of the time people check "do not ask me again" after the first time they try to type something in Google, on a forum, blog or the search box of any website (remember, the browser has no clue if it's a password or not). People demand the ability to send unencrypted data through web forms; it's just not something that can be fixed.
This authentication should require you to key in your account name, pin number, and password in separate fields and should be displayed by the browser, not as a web page that can be faked.
Yeah, right. A little css magic to make a login image appear over the webpage, with the appropriate form fields? And don't think of putting it like a toolbar if the website can forge a nice top/bottom toolbar itself.
Here's a better suggestion: Demand that the username must contain the host, and it will not be sent anywhere other than the host you're connecting to. Username: foo@mybank.com Password: ******. If a scammer got you redirected anywhere but mybank.com, the browser will refuse to send it. Of course, that kind of person would probably fall for "we've moved to @newbank.com, log in there to activate your account".
Live today, because you never know what tomorrow brings
It's actually more like being in the checkout line and a guy dressed in a suit with a "Joe Schmuck, Store Manager" name tag on his pocket.
He says, "I'm the store manager and this checkstand's credit card processor is not working right. Let me take your credit card and we'll run it through another processor."
The checker, who really doesn't give a fuck because he hates his job, doesn't interfere.
Milgram's experiments clearly demonstrated that people will go as far as to inflict near lethal shocks as long as someone who appears to be an authority figure tells them to. If you appear to be enough of an authority, most people will fall for your scam. Look at the American voters, for example.
Example:
Your grandmother loses her life savings. She sure had it coming because she couldn't tell the difference between bankofamerica.com and bank0famerica.com. Foolish her, she definitely deserves to be forced to go back to work at Wal-Mart for minimum wage so she can live like a college student again. Old bitch totally had it coming-- and it's wrong of her to seek reimbursement for wire fraud.
Yes I know that two factor authentication can be phished - but it's much harder. What I find difficult to believe is that my company's remote access uses better security than my online banking. I have to use a SecurID token and it will lock at the first sign of incorrect access - which is a pain but there you go. Whereas my bank won't even give me any form of reasonable security even though I've asked for it - hell, when I first started using them their logon page wasn't even https - so the credentials you entered were sent in a plain text POST. After many accounts were compromised they changed this (made the papers and I got a snail mail with a new password and a request to verify my balance!!).
The bank is obviously failing in its duty of care and should be liable. If I refused to take reasonable steps to protect my account then sure I should be liable but they don't even offer reasonable security in the first place.
Now, why aren't flags raised when $30,000 is taken out of a bank account electronically from an unusual location? A phone call to the account holder would be nice.
I actually know someone who fell for a phishing email. The bank called him up the next day, and asked if he had authorized two $700.00 transfers to out-of-country accounts. He said "no." and they dutifully marked it as fraud. So apparently (some) banks do monitor transactions and flag anything that looks strange.
Similarly I've often had my credit card company call me to confirm transactions that appeared dubious. Often within hours of making an unusual purchase, they'll respond. The response time makes me suspect that they have computers watching transactions using heuristics to pick out unusual transactions.
So at least anecdotally, some banks are proactive enough to prevent phishing from generating losses for customers or themselves.
There are ways involving using VOIP gateways, and also a few that just involve routing your call through so many third parties that an operator just comes on and asks "What's your number?". Also, I believe anyone with a PBX (PBX? Is that correct? I should know this.) can set their CID to whatever they want. There's another level of identification-- ANI-- that's much more difficult to spoof, but you generally have to be on the receiving end of a toll-free number to get that info.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
ANY suspicious mail that falls into my hotmail box (usually paypal, or ebay) I immediately go to the official sites and send them as much as I can. Usually, within an hour or so, the site in question has been taken down. If more people like us (hard core computer users) would take the lead in reporting phishers as quickly as possible, instead of deleting the junk mail, maybe it would help cut down on phishers. It only takes a minute or two to report them. Also, if we could do what we can with our relatives (we all know they call US when something goes haywire), to explain and show them what not to do, maybe it would go away. My dad has gotten in the habit of calling me on the phone before clicking on a linked website if he isn't sure. He even called me one time when he was going to buy something online, and he didn't see "the padlock" or the https in firefox. If we can get others in the habit of what to look for, phishing could be reduced. I'd much rather take a call from a friend or family member asking if a site is legit, than have them get scammed, or their computer hosed.
I doubt it would be hard to automate it. Just pass the information from the fake site to the real site in realtime. Granted, if there wasn't anyone on the other end, they'd either need keepalives or an automated "take all the money" script, and that could be combated.
1. Get your bank to block ALL electronic transactions
2. DON'T pay bills online
3. Use one-use credit card numbers / gift Visa cards for online shopping
4. Get your bank to not allow any check to clear that is not written in ??? color ink
5. My favorite, ANY withdrawal over x dollars requires in person verification
e.g. Mine is set up that anything over $300 means I have to go to the bank to verify that I wrote the check.
It pays to use small banks that want your business
My bank stated, very clearly, when I first opened my account that I should never divulge my security details to anyone. They warned me about the risk of phishing, and stated very clearly that they do not send unsolicited e-mails to the address they hold for me, ever.
That means any communication I receive purporting to come from my bank is easily diagnosed as fraudulent. Why should my bank bear any responsibility if I'm stupid enough to act on it? Should they also be responsible if I take my "chip and PIN" card into the supermarket, enter my PIN in plain sight of half a dozen people, and then leave the card behind?
Of course, banks may consider it in their interests to distinguish themselves from competitors by providing certain guarantees about on-line security, which may include taking out insurance against successful phishing attacks that compensates customers who fall victim. But that's a customer service decision for them to make, on a cost-benefit basis. I don't see why they should have any enforced liability at all for customers too stupid to believe the warnings they are (IME) invariably given when they sign up about security for on-line banking facilities.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Difficult or impossible? For what sort of ultimate moron is it hard to read a f*ing URL, when they submit information to a site that can obviously drain their money with said info?
That is, "How hard is it to notice you're really on www.paypall.com?".
Making laws based on opinions that stem up from false informations leads to witch hunts.
This is exactly the sort of things that will eventually lead to a 'paperless, moneyless' society, where your microchipped card/hand/whatever will have to be scanned and match your personal information. Not that I am against multiple security layers, but...come on.... Anyway, for the record, IANARN
Not much. When a bank calls, Caller ID should show bank's name rather than "Private Caller" from some call center in India.
Caller ID information is little more trustworthy than the "From" address on an e-mail. Caller ID can be spoofed with readily available VOIP equipment and absolutely anybody can change their transmitted caller ID info to anything they want easily and inexpensively without buying their own equipment. (Great stuff for prank calls, tho.)
Grandma is at fault for using a technology she shouldn't have access to, really.
If she can't tell the difference between bankofamerica.com and bank0famerica.com, AND she falls for "please send all your bank account info here", despite the fact that the bank tried to educate her, but she didn't even read the papers, THEN she deserves it.
Here in Belgium, we have a half-broke(n) retirement system, but old people are never really without money at all
A bank payment associated with phishing is by definition a transaction against the account by an unauthorized third party. A theft. I put my money in the bank to keep it safe from theft. I shouldn't have to put it in my mattress.
If someone tricks me into authorizing a transaction, that's my problem. If someone tricks my bank into making an unauthorized transaction, it's theirs, whether the thief has stolen passcodes or not.
There isn't a lot of credit card fraud any more. That didn't happen by accident: Congress passed a law making the banks responsible for unauthorized charges so they spent a lot of money building very sophisticated systems to prevent that fraud. Why should the banks be held to a lower standard for my deposit accounts?
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
So, if someone steals a woman's purse and writes $5,000 in bad checks, the bank will reimburse the customer, but if the person does not know enough about transactions and fraud emails, then the customer is responsible?
So, you don't have to be educated on how to keep checks from getting stolen or lost - i.e., you can leave them on the sidewalk in broad daylight and if someone takes them the bank will reimburse you if someone else signs your name, but you have to be educated on the net and not have your identity stolen or else the bank holds you responsible? Is it me or does this seem a bit... well... like a scapegoat for banks?
requires banks to cover the losses..
In the US, it would fall to the FDIC, I think. Its just another form of bank robbery.
Cool art gallery, if you're into that sort of thing.
Until you make people responsible for their own money, they'll never act responsibly. Right now, it doesn't cost consumers anything to be lax with their personal information. Start telling customers "too bad, not our fault you gave your information to someone" and they'll start being more careful who they give their information to. But ultimately, you'll still have banks not holding people responsible for fraud, and those banks' customer base will grow. Will it grow enough to make it worth the additional cost of paying for fraud?? That remains to be seen. But I know for certain that if you don't hold people responsible, they're far less likely to ACT responsibly.
Now with more sodium!!
No. Absolutely should the user take some of the blame. The bank is POWERLESS to keep all these phishing incidents from happening. Some, sure, but never all.
If there's one thing we know phishers sure are clever. However, short of a full blown DNA test and firstborn in a cage as collateral, some bad guy somewhere is going to figure out how to collect stuff from careless users who then get their accounts cleared out.
Just to be clear, I work with (not for) bankers, and I have developed a strong hatred for them, and fear for my money every day with some of the shit I see them doing. (Stops to check anonymous checkbox.) However, the users are stupid stupid stupid.
It would be relatively easy for a banker to add an auditing guideline (which they have lots of already) that checks off a list of due diligence stuff they could do:
- HTTP Referer analysis on online banking sites to catch images being used
- Image remote linking blockage (makes the phisher rehost them, and completely blocks some scripts and emails that phishers use)
- NEVER, I mean FUCKING NEVER emailing a user for anything but "come log in for your e-statement" in plain text. I see this all the time, stupid HTML shit emails with links all over coming FROM THE BANK's inept marketing department. Then the same damn email two days later from a phisher.
- Force users to use SSL for every part of the web site, every time for all pages.
- General education, etc.
- A FREAKING RESPONSE PLAN. I get calls "what do I do" to which I say "i dunno, you are the security officer, I just sold you the hard drive, you figure it out" If the guy is linking to your page for images, CHANGE THE IMAGE, PUT GOATSE or something out there!
All of this, and users STILL get half way or all the way through the "what's your dog's name and SSN" forms before figuring out it's bad.
90% of the time, the user has missed some obvious clue that should send alarm bells off in their heads. Sure, the banks need to get way more educated than they are (small banks have _no_ expertise on this stuff, and big banks have the IT ivory tower that never gets in the trenches with the marketing department, the tellers, and the phone answerers to teach them).
So the bankers need to get on the ball and have a list of things they have done, and some simple training and a response plan. They can't force people to learn how to prevent this. So they shouldn't be held responsible if they do basic steps.
Too bad it means more stuff for the ignorant "auditors" to do (outside Government) and some arbitrary plan that can get done by some consultant that splits as soon as it is done. But come on, users need to figure some of this out.
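Here is what the "HTTP Referer analysis" item in that checklist looks like in practice. This is an added example, not code from anyone in the thread: it runs over a bank web server's access log and counts image fetches whose Referer points at a page the bank does not own. The log lines, hostnames and IP addresses are constructed for the example (RFC 5737 ranges and .example names).

```python
"""Referer analysis of a bank's access log: find phishing pages that hot-link the
bank's own images.  Added example; all log lines, hosts and addresses are constructed."""

import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: client, identity, user, [timestamp],
# "request line", status, bytes, "referer", "user agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Static assets a phishing page typically borrows from the real site.
STATIC_EXT = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js")

# Constructed sample: two legitimate hits (one from a subdomain), three hits from a
# phishing page hosted on a home cable-modem address (one of them to a non-asset page),
# one image fetch from an HTML e-mail client (no Referer), one from a free web host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2006:13:55:36 -0400] "GET /images/logo.gif HTTP/1.1" 200 4321 "https://www.example-bank.example/login" "Mozilla/4.0"
203.0.113.9 - - [10/May/2006:13:56:01 -0400] "GET /images/logo.gif HTTP/1.1" 200 4321 "https://online.example-bank.example/accounts" "Mozilla/4.0"
198.51.100.23 - - [10/May/2006:14:02:11 -0400] "GET /images/logo.gif HTTP/1.1" 200 4321 "http://203.0.113.55/~home/verify/index.html" "Mozilla/4.0"
198.51.100.24 - - [10/May/2006:14:02:15 -0400] "GET /images/secure-lock.png HTTP/1.1" 200 812 "http://203.0.113.55/~home/verify/index.html" "Mozilla/4.0"
198.51.100.25 - - [10/May/2006:14:03:40 -0400] "GET /login HTTP/1.1" 200 9876 "http://203.0.113.55/~home/verify/index.html" "Mozilla/4.0"
192.0.2.44 - - [10/May/2006:14:05:02 -0400] "GET /images/logo.gif HTTP/1.1" 200 4321 "-" "Outlook-Express/6.0"
192.0.2.45 - - [10/May/2006:14:06:30 -0400] "GET /images/logo.gif?v=2 HTTP/1.1" 200 4321 "http://free-web-host.example/user/bank-update.htm" "Mozilla/4.0"
"""


def registrable_domain(host):
    """Last two labels of a hostname.  An approximation: a real deployment would use the
    Public Suffix List (mybank.co.uk), and a bare IP address is not a domain at all."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, own_domains):
    """Count asset fetches whose Referer is not one of the bank's own domains.

    Returns (foreign, no_referer): a Counter of referring host -> hits, and the number
    of asset hits with no Referer at all.  HTML e-mail clients send no Referer, so a
    spike in that second number often lines up with a phishing mail-out."""
    foreign = Counter()
    no_referer = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop cache-busting query strings
        if not path.endswith(STATIC_EXT):
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            no_referer += 1
            continue
        ref_host = urlsplit(ref).hostname or ""
        if registrable_domain(ref_host) in own_domains:
            continue  # our own pages, including subdomains such as online.example-bank.example
        foreign[ref_host] += 1
    return foreign, no_referer


def report(lines, own_domains, threshold=1):
    """Referring hosts with at least `threshold` hot-linked asset hits, busiest first."""
    foreign, no_referer = analyse(lines, own_domains)
    hosts = [(h, n) for h, n in foreign.most_common() if n >= threshold]
    return hosts, no_referer


if __name__ == "__main__":
    hosts, none = report(SAMPLE_LOG.splitlines(), {"example-bank.example"})
    for host, hits in hosts:
        print(f"{hits:4d} asset hits from pages on {host}")
    print(f"{none:4d} asset hits with no Referer (mail clients or privacy settings)")
```

The hosts that come out on top are the ones worth a takedown request; swapping the image those pages load, as the comment suggests, only makes sense once you know who is loading it.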
The last time I checked thoroughly, the bank-client agreement specifically included a line to the effect of "the bank bears no responsibility for transactions taken including those in error". Originally, it was a line to deal with someone cashing a post-dated cheque early, but the statement also covers all sorts of other errors too. Here in Canada at least, the banking agreements say the bank is not responsible for transactions in error.
Once, it happened that a bank cashed a cheque in the wrong amount. We were a multi-national business client. The bank wouldn't fix it. Once a cheque clears, it is very difficult to reverse the transactions.
It should be the next bank.
Make it the receiving bank's problem.
Fraud? Transferred to First Dumfuck Bank of Godwanaland? Oop, too bad, we'll just be taking that back. You can deal with your customer to figure out why you and they were trying to receive stolen funds. Have a nice day!
Heck, just cut the friggin wires to the entire nation of Nigeria while you are at it. I'll bring my axe.
In the case of phishing, however, the bank, through no fault of theirs, is being impersonated.
To what end? To get the information necessary for impersonating the individual to the bank, right? That is where the actual loss occurs, no matter how the thief gets the information in the first place.
I think one way banks could help is by providing information to help us identify them. For instance, state very clearly when you sign up for internet banking (and when you receive confirmation) that ALL emails - without exception - from them will state your full name, the last 4 digits of your bank account number and a set keyphrase. Also beef up notification/authentication: every time you login to internet banking, the bank should send email notification with a "If you do not recognise this login attempt please call us immediately on telephone number xxxxx stating only that you do not recognise access X8N49J3KC8" (of course, have a 'slightly hidden' setting on internet banking where you can get notifications only once a day). And if this is the first time making a payment to a "new payee", send the customer an SMS text message or automated phonecall to the registered (unchangeable by internet banking) phone number just stating "This is xxxx bank calling to authenticate a transaction of the amount xxx.xxx . Please enter the last three digits of your internet banking customer number to authenticate this request".
Banks and their associated consumer issues are supposed to be regulated by an independent federal agency, the Office of the Comptroller of the Currency. No state legislature or attorney general may regulate nationally chartered banks. Unfortunately, OCC is a total lapdog of the banking industry. Whether it's excessive overdraft fees, or $3 to use an ATM, or fobbing phishing liability onto the backs of consumers, only OCC has the power to do anything about it. And OCC chooses to do nothing, over and over again. You can write a complaint letter to OCC, and it will go into a black hole in Texas.
You underestimate the problem. Phishing is actually a two-pronged attack -- or at least this is my experience in Australia. (Not that I've fallen victim, but I've conversed quite a bit with those that have.) The first prong of the attack is the fake bank message and website that we all know and loathe. The second prong doesn't even look remotely related: it's usually an employment scam, like the Norway Consulting Employment Scam which is arriving in my inbox with tedious regularity.
This is how it works. Phisher P (probably located in Russia, or nearby) obtains access to online bank account of victim V. At the same time, P also runs a job scam like the "Norway Consulting" job scam and ropes in "employee" E, who happens to have an account at the same bank. E is told that their job involves accepting payments from customers and forwarding the money via Western Union or Money Gram. (The exact pretext may change, but the money transfer part remains steadfastly constant.) So P then transfers funds from V to E, then contacts E and has him quickly withdraw the money and go make a Western Union transfer. By the time anyone realises that they've been had, P has his money and has vanished. The remaining question is whether the loss is to be borne by V for being a sucker, E for being a dupe, or all the bank's customers generally.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
The customer opens the e-mail, falls for the scam, and wants someone else to pay. Let it be the cost of a lesson learned. It's already something that banks will reimburse money you claim you didn't spend, but to pay for your stupidity?
It's a girl!
So you're suggesting either trusting Paypal, or actually going and verifying not only that the url matches Newegg.com, but that they are trustworthy and reliable? I mean, I try to do that a little bit, but really, I shouldn't have to be the one doing background checks on the company. Knowing the f*ing URL is from floobysoft.com doesn't tell me anything about floobysoft.com.
So, not impossible, but much more difficult than it should be.
And all that's assuming we're using SSL, and that no Certificate Authority has been compromised, or that my DNS is secure (hint: DNS isn't)...
Don't thank God, thank a doctor!
I might be able to tell the difference right away. However, a random user might not notice a problem between BankOfAmerica.com and Bank0fAmerica.com, or bankof11ama.com and bankofllama.com - especially with certain default fonts that don't give much of a distinction between the characters in question.
While the fixed-pitch font in Slashdot's textbox works fine, as does the address bar, it's easily trivial to display the URL in a smaller-than-normal font that is difficult to distinguish.
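Two ideas from this thread fit together as one browser-side check: the earlier proposal that a username of the form foo@mybank.com binds the credential to that host and is never sent anywhere else, and the bank0famerica.com / bankofllama.com look-alikes described here, which can be caught by folding visually confusable characters before comparing hostnames. The following is an added example, not code from any commenter; every domain name and URL in it is constructed.

```python
"""Browser-side credential check: host binding for user@host usernames plus a
look-alike test against known bank domains.  Added example; all names constructed."""

from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Single characters routinely swapped for look-alikes in fraudulent domains.  A small
# hand-picked table; real products use a much larger confusables list.  Hyphens are
# dropped so bank-of-america.com folds to the same skeleton as bankofamerica.com.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b", "-": None,
})
# Letter pairs that read as a single letter in many proportional fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(host: str) -> str:
    """Fold a hostname so that confusable spellings collide: bank0famerica.com,
    bankofamerica.com and bank-of-america.com all yield 'bankofamerica.com'."""
    folded = host.lower().rstrip(".").translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, single)
    return folded


def registrable_domain(host: str) -> str:
    """Last two labels of a host.  An approximation: a real implementation would use
    the Public Suffix List so that names such as mybank.co.uk are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def bound_domain(username: str) -> Optional[str]:
    """Return the registrable domain named in a user@host username, or None."""
    if "@" not in username:
        return None
    return registrable_domain(username.rsplit("@", 1)[1])


def check_submission(url: str, username: str, known_banks: Set[str]) -> Tuple[str, str]:
    """Decide whether a browser should send the credential to `url`.

    Returns ("send" | "warn" | "block", reason).  A bound credential goes only to its
    own domain or a subdomain of it; mybank.com.evil.example is not a subdomain of
    mybank.com, because the comparison is on the registrable domain, not a prefix."""
    parts = urlsplit(url)
    target = registrable_domain(parts.hostname or "")
    bound = bound_domain(username)
    if bound is not None and target != bound:
        return ("block", f"credential is bound to {bound}, page is on {target}")
    # The look-alike test also covers unbound usernames and a user who typed
    # foo@bank0famerica.com because the phishing page told them to.
    for bank in sorted(known_banks):
        if target != bank and skeleton(target) == skeleton(bank):
            return ("block", f"{target} is a look-alike of {bank}")
    if parts.scheme != "https":
        return ("warn", "password would be sent unencrypted")
    return ("send", f"target {target} accepted")


if __name__ == "__main__":
    banks = {"bankofamerica.com", "mybank.com"}
    for url, user in [
        ("https://www.bankofamerica.com/login", "joe"),
        ("https://www.bank0famerica.com/login", "joe"),
        ("https://online.mybank.com/login", "foo@mybank.com"),
        ("https://mybank.com.evil.example/login", "foo@mybank.com"),
        ("https://rnybank.com/login", "foo@rnybank.com"),
        ("http://www.mybank.com/login", "foo@mybank.com"),
    ]:
        decision, reason = check_submission(url, user, banks)
        print(f"{decision:5s} {url:45s} {reason}")
```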
The anti-spam agency, Blue Frog, was essentially defeated because of a Russian spammer knowing enough corrupt/criminal network engineers along the Internet backbone to be able to blackmail them. This means that a phisher could potentially inject scams that even the most discerning of geeks could not distinguish from the genuine article. This is only in part because the Internet depends so heavily on trust. It is also a major failing of the banks and other organizations who only use security for logins (and even then are starting not to). It's usually very bad security, as well.
Where a scam is made possible because the organizations are failing to adhere to any kind of meaningful security standard, the banks should pay not just in full but double - once for their neglect and once for their incompetence.
Going back to the backbone issue, I'd add one further point. Where a scam or other criminal action is made possible because of corruption by network engineers on the backbone, those engineers should never see the light of day again and the network company should be fined to within an inch of its miserable corporate life.
Finally, where a country either passively or actively encourages crime over the Internet, I would prefer at the very least if there was some process to electronically isolate them. Completely cut all wired and satellite links that can be identified with that nation. Zapping a few Internet Cafes with Predator drones would be kinda cool, too.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
my bank (banc/bank one) was purchased/merged with chase last year. when it was bank one, the online account usage was very straightforward. no problems.
new bank (chase), new TOS. a couple of key things caught my eye: a) i had to give them an email address to get web access to my account. b) they would send me stuff to that address. c) if i wanted the chase spam to stop, i would lose the access to the web interface to my account. d) if their email bounced i would lose access to the web interface.
i decided i didn't like their attitude. so i didn't sign up. i go visit an atm and check my balance there. i wonder what costs them more.
but my point is that chase opens the door because they state that THEY will be sending you email. i am curious if this provides them with more legal risk.
eric
As someone who does work in the systems of a top-10 US card issuer, I can tell you we lose over 3 million USD to fraud every MONTH. And the company I work for is nowhere close to being the biggest! (The top couple of banks are separated by a decimal place worth of volume from the rest)
As most of you probably know, banks make money by earning a small amount of money on each of a lot of transactions. $3 million worth of loss takes a LOT of transactions.
Every time some fraud scheme comes up on Slashdot, everyone bitches that the banks don't do enough.
Do you really, truly think that banks aren't interested in plugging a $3 million/month leak?
The problem is that, a lot like hackers vs. DRM - or spammers vs. every geek on Earth - the people looking to break the system are always one step ahead.
Phishing will die off on the same day we geeks manage to stop the last spammer. They have similar tactics, and do at some points overlap. And, since we are much better equipped than banks to fight that battle, and we have yet to win, you can assume that day is far off.
Remember, banks are in the business of making transactions, not software. Keep in mind what you're asking them to be good at is in no way how they make money. Find/invent a solution yourself and sell it to them. I guarantee they'll be interested, so long as your answer costs less than $3 million USD/year.
may come from the people who stand to lose the most. and it's not the users or the banks. it's the (real) people selling stuff.
imagine what would happen to ebay and paypal if 20% of the transactions went away due to fear?
between ebay, paypal, amazon, & a huge number of serious ecommerce sites (barnes&noble, etc) i could see them working on a solution for this.
if i had to stop doing online transactions, my life would go on. amazon would hurt. a lot.
eric
They should make the victims pay. Seriously, the only thing that's going to cause people to educate themselves is a little bit of accountability. Why should it be the bank's responsibility when they have no involvement in the phishing transaction at all? Because they don't send an employee over to hold your hand every time you want to browse the web?
:)
Besides, if banks establish that they will always take care of these kinds of losses it becomes very tempting to just say you had your identity stolen every time you withdraw a large amount of money
Game... blouses.
There is only one way to safely access sensitive information across the net and it does not involve using a general purpose browser, and it does not involve any software from Microsoft.
because yes, there is a scene about that
;-)
good call
heh
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
If they had not been so anxious to expand the scope of general electronic documents before the basis was in place, if they had not been so willing to adopt the internet ahead of the curve, if they had not been so willing to give us HTML in our mail, ...
Microsoft has to quit selling IE and VB and even .net as solutions for business use. Either that or they set themselves up for being sued for establishing public nuisance or worse. Eventually, the banks are going to start suing MS for making false claims about their products.
Okay, Apple and a bunch of others are also partly to blame. But Microsoft is the ones who pushed the competition so hard that software companies that took the time to make real products couldn't stay in business.
The banks, also, have to start building their own special purpose browsers. A special purpose browser can force all connections to work some protocol established and encrypted by the bank, and can check both the URLs and the IP addresses against verification servers. Not impossible to game, but the speed bump can be made big enough to keep the script kiddies at bay.
If someone comes into my bank and steals all the money, I will get it back because of FDIC insurance. So what if someone steals money electronically, same thing. Before FDIC bank robbers got people's money and they were pretty much screwed. I guess that is why bank robbers got hung or shot.
banks have FDIC insurance in the event they are robbed.
phishing is the same as being robbed.
They're using their grammar skills there.
Being phished is not like the Bank being robbed. Does FDIC kick in when you get mugged?
I've been told that anything less than $xxx almost never gets a signature check. Over some unknown limit, however, the signature does get validated. If you still get voided (is that the term?) cheques returned to you, you can see hints of this sometimes. I've seen this on a few cheques -- there's a little sticker with a lot of extra routing information, employee ID numbers, and initials on it. FWIW, two signatures required accounts can still be opened, at least here in Canada. I had to do that about 2 years ago.
The problem is old people on the internet. Grandma can barely use a mouse, and can't remember where she put her medication, how can someone expect her to know the difference between a real and fake bank website?
Yes, that bastion of reliability known as Caller ID.
I've never once had a (land-line) phone number where my Caller ID info was correct. Ever. And I'm talking about 4 different numbers over the last 10 years. I never bothered to do anything about it the 3 times when it was just misspelled, but my current one shows someone else's name entirely (I assume it is the previous owner of the number). I called SBC for a month trying to get someone who could/would change it before I gave up.
On the other side, I bet half the time I get UNKNOWN when people call me (again, talking about my land-line - I've never had a cell), even though they will display correctly other times. I don't know if it's the phones I've bought or the phone company, but it's completely random.
Sorry 'bout the rant. Your mention of Caller ID got me riled up again. Maybe I'm just cursed.
I have found there are just two ways to go.
It all comes down to livin' fast or dyin' slow. -REK, Jr.
There are lots of things the bank could do besides using a PIN. They could come up with a secure system that was easy to use and facilitated business. The problem is that they don't care to do so. Therefore, the responsibility for paying for the fraud needs to be on them. They are the ones who control the system and have the power to choose to change it, not their customers.
Avoid Missing Ball for High Score
She certainly should seek reimbursement, and she's entitled to it... from the phisher, not from some innocent third party like the bank. Yes, it's really sad that someone has lost a lot of money, and of course that person is going to be angry and TRY to pass the buck on to other people, but just because they're angry at the bank as the nearest identifiable target for their anger doesn't make that bank liable. This is almost akin to an episode of Judge Judy I saw a while back (yes, I know, trash TV, but give me a break) where a lady was suing her neighbour because her kid hurt himself. The neighbour hadn't done anything to hurt the kid, he'd just been an idiot, and Judge Judy was attempting to explain that the neighbour was therefore not liable, while all the mother could do was scream "but look how bad his injuries were!", completely missing the point that actual liability has to exist in the first place before the amount of damages are even relevant.
So, to get back to the point, why should the bank pay for someone else's loss that it had NOTHING to do with causing, and no ability to stop? People keep talking in general terms about how the banks should "do something" to stop phishing, but the reality is they offer a service via internet banking. Everyone knows how it works, you have your account number and password, and that's the security. If you activate internet banking for your account (my bank at least requires it to be activated, I'd assume most others do too, and anyone who falls for phishing must plainly know their password, meaning they use it), you know what you're doing, and you know what you're getting into, so it's hardly fair to blame the bank. If the banks added a new feature where anyone could withdraw from your account without your intervention, then sure, blame the bank, but when it comes to phishing, if a loss must be suffered by either the bank or the customer, the bank has done *nothing* to cause the phishing, and has absolutely no way to reasonably control it, while the customer is the one who has fallen for a scam despite countless clear warnings.
What would the "bank is liable" crowd want the bank to do to verify transactions are really authorised? If I make an internet transaction on my account, I want the damn thing to go through, I don't want to have to call up and confirm I really want it done, fill out forms in triplicate to that effect, and wait a week for a handwriting analysis of my signed forms, that defeats the point. So, really, apart from the "but the grandma who lost the money is so sympathetic, let's give her some money to make it better" factor, with the bank being a set of deep pockets to take the money from, why should the bank pay for an action they had nothing to do with, to indemnify a customer who *did* do something to cause the loss?
On the one hand requiring consumers to bear the cost of any personal information loss is unworkable. It would open the door to personally targeted attacks (say for revenge). Given enough time and research it is possible to put together a nearly unavoidable attack (say using a 0-day exploit against their computer to undermine security features). It is in both the banks' and customers' interest to avoid setting up a situation where ex-spouses or angry lovers can screw each other over by stealing personal information. Moreover, any attempt to distinguish phishing losses from personal information theft just wouldn't be workable (do emails that use a clever technique to disguise the true URL count as hacking or phishing?).
On the other hand it is unfair to make conscientious, careful people who follow all the anti-phishing tips pay for the carelessness or ignorance of other bank customers. Moreover, it is important that people be given an incentive to avoid phishing scams. At the moment that incentive is the extreme annoyance of dealing with the bank but it would be much better if this process could be made easier.
Thankfully there is a perfect solution. Banks should offer phishing insurance, perhaps even require that you purchase it. In this system rather than the paperwork and annoyance of getting your money back it is your phishing insurance fees that provide the incentive to be responsible. In this scheme people who choose not to use online banking at all, or who upgrade to two-factor authentication schemes can be given discounts while people whose credit card numbers are found floating around the net or who otherwise engage in risky behavior pay more in premiums. Banks could even send out fake phishing schemes to customers to check their likelihood of falling for a phishing scheme.
This seems like a win for everyone and a good way to encourage adoption of new security measures.
If you liked this thought maybe you would find my blog nice too:
I think the pressure will come from customers and the bottom line. If I hear that my bank screwed up and let a scammer make a withdrawal, well, that's bad, but as long as the bank takes the hit for the mistake, I'm not going to get too concerned. But if I hear that my bank made a customer take the hit, then I and probably every other fellow customer will move our money out so fast that the FDIC will wonder if the good old days of 19th century style panics and bank runs are back.
So far, the losses haven't motivated banks to work on their abysmal security. And it is abysmal. The way credit card and check numbers work reminds me of the old /etc/passwd, before /etc/shadow, where everyone's password was right there, in the clear, for the system administrators to see. Check and credit card numbers are worse. They're right there, in the clear, for everyone to see. Mothers' maiden names are publicly recorded facts. I think banks have calculated that the inconvenience and expense of better security is not worth it. It's actually more profitable to lose a bit more to fraud than to slow down transactions and drive off customers with overly anal security. When technology advances to the point that we can embed a cheap enough computer in the credit card to do a random number salt and a one way hash, then maybe the cost/benefit ratio will finally tilt towards reasonable security.
In the meantime, any bank that dares blame the customer is not long for this world. Authentication is one of the basic functions a bank is supposed to handle. As long as they're willing to bear the costs for the methods they choose, they can be as insecure as they like.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Rather than trying to get the sites taken down, which can take a day or two, why not create a p2p project that has thousands of computers log into every site and submit completely random account details.
That way they'll be sufficiently overwhelmed with fake data that it'll be hard to get the real stuff.
Let the Scottish handle the banking so the Irish can take care of what they do best - drinking.
The problem with certificates is that the sheer number of legitimate sites who screw up their certificates is astounding. While it is getting better, even now Safari will pop up a large number of warnings for sites that I know are legit (although none are banks, one site was the application page for grad school, another was a friggin' page about security certification I needed from the government!). So it's a "boy who cried wolf" type of situation. If you present people with a large number of "This site may not be who it is saying to be" warnings even though the site really is (the warning is generated because of a sloppy sys admin) and nothing bad happens, then when a site really is masquerading as someone else, people probably will not consider the threat real and click through anyway.
Now how to fix the problem is another issue, but someone really should start complaining to sites with poorly configured security certificates.
Monstar L
Source? I'm curious how you'd go about doing such a thing...
The CLID is passed across the SS7 network as informational metadata (it's not used for actually routing the traffic so it doesn't need to be accurate). If you are a node in the SS7 network then you can place a call with whatever CLID you like. If you're using ISDN instead, you *may* be able to do the same thing, although in that case your telco would usually filter on the CLID you've set and refuse the call if it doesn't fall within the DDIs allocated to you.
Basically the problem is that the SS7 network assumes none of the nodes are hostile, which may not necessarily be the case these days.
http://blog.nexusuk.org
In that case you clearly don't grasp the whole idea behind phishing scams.
These sites impersonate the bank to you, so that they can impersonate you to the bank. There is still a security window that the bank is responsible for, like perhaps maintaining a whitelist of IP addresses authorized to write charges to customers.
In any case, banks already guarantee that only transactions authorized by you will get charged to your account. Even if your info was phished, you did not actually authorize the transaction. They did guarantee against that, and it is their fault that their gateway erroneously accepted mr. phisher as being you. So there is definitely a security issue there.
The banks should be paying hit men to kill the phishers. Then it would stop. Failing that, they could take reasonable measures to force the law enforcement officials to do their job.
We, the ordinary people, can not be expected to explain to our elderly relatives that when it says "This is from Barclays Bank" or "British Telecom" and shows all the visual cues they would use to validate that, that it is actually from a bunch of students in the pay of criminals. For one thing, they would have us sent to mental institutions. My family already think I am paranoid because of making this kind of claim!
Sent from my ASR33 using ASCII
I got one of these last year and decided to attack them directly.
I knocked up a small java prog that repeatedly sent random entries back to their server and ran it over the weekend on my spare linux box. By the monday morning they'd gotten over 3000 false account details. That'll take them a while to sort through.
(java.awt.Robot typing and clicking right in the browser in case you were wondering).
I don't agree.
The online banking security is too weak if it is based just on a piece of information (username+password). There have already been cases of viruses that do keylogging to gather online banking information for criminals.
The security needs to be based on a combination of something that you know (username+password), plus something you have (e.g. ATM card). No virus can steal your ATM card, and if your wallet gets stolen your PIN code is hopefully unknown to the thief.
I've used online banking both in Sweden and in the US.
In the US, the online bank security seems to be about par with Slashdot's. Once someone has your username+password, they can get your money.
In Sweden most (all?) banks don't let you transfer money from your online account with just a username+password. You also need a one-time code for each transfer. These are either generated by a small device, or sent out on credit-card sized cards with ~100 codes. This is a little bit more cumbersome, but it sure feels more safe, especially when using public terminals that may have keyloggers on them.
I mean, seriously, how useful/safe is online banking if you can only use it on your own computer (because of possible keyloggers on public terminals), and even at home you have to make damn sure that you didn't get a keylogging virus through the latest security exploit???
Freevo - Linux Multimedia Jukebox
Multi-Factor Authentication will be required for all US Banks websites as of Jan 1.
TFA isn't talking about an all or nothing situation though - it's talking about banks trying to refuse to cover losses where the customer has definitely been negligent.
Take an extreme example. If I posted my online banking details here, and someone used them to drain my account, should I really be able to turn round to the bank and tell them they should refund me since it's a cost of doing business?
Obviously real cases are much more of a grey area, and to be honest I'm not too sure where I stand or where I'd draw the line, but I do think there is at least a hypothetical level of idiocy which the banks shouldn't be obliged to compensate.
This sig all sigs devours
The bank's routing number has to be in the check's MICR line, right? And one's account number is almost always right next to it on the other side of that funny looking colon, right? So, any check one writes is a gateway to one's account via an ACH transfer? If so, surely that is a security problem. And how can it be the account holder's fault -- When was the last time your bank asked you what to put in the MICR line in your checks?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Um, This is Slashdot. How many of the slashdot community do you think actually still use cheques for, well, anything?
I literally use 12 of them a year, because my landlord has yet to give me a method of paying him electronically.
Everything else I do via more secure methods, or with cash.
There are two major issues at play that I see that make it hard to find solutions. They are International issues and customers are getting older.
The international issues are a real problem because it is hard for the FBI to shut down servers even in the UK. It gets very difficult for a NZ bank to shut down a server in Russia and nearly impossible for a bank in Colombia to shut down one in Gambia. Many people complain about the lack of international law enforcement but until a new world order happens, that just isn't viable. There are two groups that do have resources and connections to stop this nonsense. It's Visa and MasterCard. Both of them are mostly owned by their member banks so it seems to me that the member banks should be screaming to get Merchant accounts pulled for companies that refuse to stop phishing sites. All it would take is a change in terms and in less than a year any ISP in the world could be given the choice between shutting down a site or losing the ability to have the customers pay them. I expect it would be very effective.
The second issue is that as people get older, they almost always lose some ability for rationality. Sometimes it's quick and sometimes it's not. This can result in people who knew better one week giving all their money to someone in Nigeria the next. The scary thing for /. readers is that it appears that security conscious geeks are hit the hardest. The part of the brain that decides if there is a risk goes before the part of the brain that knows it knows how the scams work. The result is typically a stubborn retired engineer that you couldn't scam 3 months ago that just got cleaned out. There is plenty of research that shows that con men also suffer from this as they age even if they gave up crime decades before.
Many smaller banks (the ones that may still be a Bank and Trust) are starting to open senior accounts where most of the money is in one account that is controlled much like a trust and it transfers money to a second account. Some banks are even using a third account for use with checks and ATM cards that pulls money from the 2nd with a limited overdraft like mechanism or dual signature mechanism. This way if grandma writes a $10,000 check to someone, it will bounce unless approved by the trustee or family member.
Expecting the customer to take "reasonable care" is all very well, but when are the banks going to start taking reasonable care and sign their e-mail using S/MIME?
Just about every mail client supports it, from Outlook Express to Exchange to Lotus Notes to Apple Mail to Mozilla Thunderbird. There's really no excuse for the banks not using it.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
At my house, I don't always control who uses my computer. I've got a wife, kids, and babysitters using the computers. When I realized the kids and babysitters download and run programs, without, what I'd consider a reasonable amount of thought, I figured I'm vulnerable to a trojan password sniffer. Since I cannot realistically lock their privilege level down, I called my brokers and banks and had them turn off web access to my accounts. They were puzzled why I'd want to do this. I explained to them that there's no law protecting me if my PC's security is breached and my account is drained. I figure it's a long shot...about 10x as likely as winning powerball, but the magnitude of loss (my life savings) is too great a risk.
Most of the posts here make the statement that it is the bank's responsibility to verify that the request is coming from a legitimate source.
Here's the basic problem: There are procedural and legal requirements for that process. If the bank meets all of these requirements then it can be reasonably argued that they are now off the hook. What most of the discussion seems to be about is what is a reasonable procedure. We should also discuss what should be done when the process although followed, didn't work.
I.e. several posts state that 2 factor identification is the "solution". Let's assume that the bank uses this and it's still not the right person. Who should be on the hook, the customer or the bank who did everything "right"?
As far as I can see the problem is that we don't have a foolproof method of uniquely identifying everyone. The privacy issues that get raised when we do have that method then become an issue.
I can see a couple of ways to improve things:
Personally I think that if the individual did unreasonable stuff that compromised an otherwise secure system then they are on the hook. If the bank has an unreasonably insecure system then they are. When both parties are "at fault" then you have to allocate percentages of responsibility.
You're in line at the grocery store writing out your check[sic].
.....
In this case, 'sic' must stand for "spelling is correct". From Merriam-Webster:
Main Entry: 1check
Pronunciation: 'chek
Function: noun
7 : a written order directing a bank to pay money as instructed : DRAFT
Main Entry: cheque
Pronunciation: 'chek
chiefly British variant of 1CHECK 7
Multi factor authorization provides only limited protection by itself. There is nothing stopping a phisher website from using the user/pass + external factor that very instant. The proxy delay the system induces is on the order of milliseconds. This has actually been done in the US. It does generally speaking reduce access to once though. So if you require a few days to set up a transfer out account you protect reasonably well. Actually such speed bumps are a big part of protection. The other option is out of band communication before big transactions (i.e. before you transfer your entire account balance to some place that you've never dealt with before you have to answer a phone call at your number of record, or copy a code from an email that explains what you are about to do). A combination of all three generally secures things well enough.
I'd do something interesting, but my server can't handle a slashdotting.
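The combination of speed bumps the post above describes (one-time codes burned on first use, a cooling-off period for newly added transfer-out payees, and out-of-band confirmation before big transactions), written out as an added Python illustration that is not from the original thread or from any bank's system; the thresholds, payee names, codes and account numbers are constructed assumptions.

```python
"""
Transfer-authorization policy modelled on the three 'speed bumps' discussed
above. Added illustration only; every threshold and sample value is assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

PAYEE_COOLING_OFF = timedelta(days=3)   # assumed: new payees usable after 3 days
OOB_FRACTION = 0.5                      # assumed: more than half the balance needs OOB confirm
OOB_ABSOLUTE = 5_000.00                 # assumed: anything above this amount does too


class Decision(Enum):
    ALLOW = "allow"
    DENY_BAD_OTP = "deny: one-time code invalid or already used"
    DENY_INSUFFICIENT = "deny: insufficient funds"
    HOLD_NEW_PAYEE = "hold: payee registered too recently"
    NEED_OOB = "hold: out-of-band confirmation required"


@dataclass
class Payee:
    account: str
    registered_at: datetime


@dataclass
class Customer:
    balance: float
    payees: dict = field(default_factory=dict)
    otp_codes: set = field(default_factory=set)       # unused codes from the code card / token
    confirmed_oob: set = field(default_factory=set)   # transfer ids confirmed by phone/e-mail


@dataclass
class Transfer:
    transfer_id: str
    payee: str
    amount: float
    otp: str


def authorize(customer: Customer, transfer: Transfer, now: datetime) -> Decision:
    # 1. The one-time code is burned as soon as it is presented, whatever the
    #    outcome, so a captured code cannot be replayed. A code relayed through a
    #    proxy in real time still passes this check; that is what rules 2 and 3 catch.
    if transfer.otp not in customer.otp_codes:
        return Decision.DENY_BAD_OTP
    customer.otp_codes.discard(transfer.otp)
    if transfer.amount > customer.balance:
        return Decision.DENY_INSUFFICIENT
    # 2. A transfer-out payee added moments ago (e.g. through a hijacked session)
    #    cannot receive funds until the cooling-off period has elapsed.
    payee = customer.payees.get(transfer.payee)
    if payee is None or now - payee.registered_at < PAYEE_COOLING_OFF:
        return Decision.HOLD_NEW_PAYEE
    # 3. Large transfers wait for confirmation over a channel the phisher does
    #    not control (the customer's phone number or e-mail of record).
    large = transfer.amount > OOB_ABSOLUTE or transfer.amount > OOB_FRACTION * customer.balance
    if large and transfer.transfer_id not in customer.confirmed_oob:
        return Decision.NEED_OOB
    customer.balance -= transfer.amount
    return Decision.ALLOW


def run_scenario():
    """Constructed walk-through: a phisher has captured the login plus one fresh
    code and relays it immediately. Returns the decisions in order and the final balance."""
    now = datetime(2006, 5, 1, 12, 0)
    cust = Customer(
        balance=8_000.00,
        payees={
            "plumber": Payee("SE1234", now - timedelta(days=400)),
            # assumed: the attacker registered this payee through the phished session
            "mule": Payee("XX9999", now - timedelta(minutes=10)),
        },
        otp_codes={"4711", "8080", "1234"},
    )
    out = []
    # Relayed code, whole balance to the freshly added payee: held by the cooling-off rule
    out.append(authorize(cust, Transfer("t1", "mule", 8_000.00, "4711"), now))
    # Replay of the same code: it was burned on first use
    out.append(authorize(cust, Transfer("t2", "plumber", 50.00, "4711"), now))
    # Legitimate small transfer with a fresh code goes through
    out.append(authorize(cust, Transfer("t3", "plumber", 200.00, "8080"), now))
    # Large transfer to a long-standing payee: parked until confirmed out of band
    out.append(authorize(cust, Transfer("t4", "plumber", 6_000.00, "1234"), now))
    # Customer confirms t4 by phone and retries with a new code
    cust.confirmed_oob.add("t4")
    cust.otp_codes.add("5555")
    out.append(authorize(cust, Transfer("t4", "plumber", 6_000.00, "5555"), now))
    return out, round(cust.balance, 2)


if __name__ == "__main__":
    decisions, balance = run_scenario()
    for d in decisions:
        print(d.value)
    print("final balance:", balance)
```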
I agree with you in spirit, but in practicality, I don't think your ideas are particularly feasible.
Let's take the internet out of this, and look at it as a normal con-job. If someone masquerades as a bank official for the purpose of defrauding money from a bank client (ie, they put on a teller's uniform, call someone out of line at the bank, and say, 'I'll handle your deposit for you, one sec.'), the bank is obligated to prevent such fraud, regardless of the technology used to make the 'pitch.'
I wouldn't want to phone my bank when making an internet purchase, either. However, if the internet purchase is *for the entire balance of my account,* I'd probably appreciate the bank calling me, just to make sure I really do want to deplete it.
In the US, we have the FDIC, which insures deposits in banks. It's funded by taxpayers, and heavily regulated. Individuals pay into the system, but there is no such thing as an individual FDIC insurance policy-- it's the banks which are insured, not the bank's clients. The money to replace that lost due to fraud is from the FDIC-- not just out of the bank in question.
If an individual is defrauded, what's more *socially just?* For the person to perhaps lose their entire savings, retirement, college fund, etc? Or for the loss to be spread around all of society, costing us all a negligible amount in our income taxes? Naturally, we'd prefer not to pay said taxes. Of course, when it's *your* money which has been stolen, one would be glad to receive the benefit of that safety net. Which is of greater cost for society as a whole-- millions of people tossing a few bucks a year to a federal fraud insurance program, or millions of homeless vagrants, victims of fraud?
Before you answer, think about this: During the 1930s, in the US's Great Depression, we tried the one with no FDIC, and millions of homeless. It was underwhelming, as you might well imagine.
Finally, fraud has always been a factor in bank management. They *plan* for it, because it's a fact of doing business in that industry. I'm sure it's a line item on their budgets. Banks are also in competition with each other-- how many customers would a bank which makes their clients liable be able to attract, compared with those banks which don't?
Phishing is simply a new take on an ancient, ancient crime-- just tricking people out of their money. It's disingenuous for banks to act like it's an entirely new phenomenon, and for them to hold their customers liable is, well, just them being cheapskates. I'm sure they'll end up doing just fine, with their $10/mo account fees, $35/check overdraft fees, tiny interest payouts, near-usurious interest on loans, and one-sided credit management.
If you've ever been awake in the last several years, you'll notice that one of the primary ways that people get exploited is through Internet Explorer (IE, aka Internet Exploiter). Scanit's Browser Security Test group found that in 2004, 98% of time Internet Explorer was vulnerable to dangerous known remote attacks, with no patch available to prevent it, compared to 17% for Opera and 15% for Mozilla/Firefox. There were only 7 days in 2004 where Internet Explorer could be safely used (where patches were available for all publicly-known worst-case vulnerabilities). That's just one study; study after study shows that Internet Explorer should not be used for normal browsing.
Papers like my Securing Microsoft Windows (for Home and Small Business Users) note that one of the most important ways to improve the security of Windows (while still using it) is to replace IE and Outlook (the most insecure programs around) with something else (such as Firefox and Thunderbird). Nothing's perfect, but when you junk the programs with the worst security, your security gets better - isn't that obvious?
Many banks are starting to wake up to the fact that people are using other browsers. But while most other sites now work fine, banks are some of the last people to support Internet standards, and instead some still insist on vendor-specific codes... using the browser most dangerous to use.
So, let's hit 'em in the pocketbook. If banks won't let you take reasonable care by allowing you to select a secure browser, then they should be held responsible for forbidding customers from taking reasonable care.
- David A. Wheeler (see my Secure Programming HOWTO)
Who decides who has access to what technology? Many more elderly fall for telephone scams than computer scams, and you very rarely hear about people lobbying to take telephones away from old people. ;-)
Belgium (been there, btw-- lovely country, very nice people) is more socially enlightened than the States. Despite your problems with your retirement system, I can scarcely imagine how it could be worse than our Social Security program. Anyway, though, America will cheerfully dump old people on the street-- I see them pushing shopping carts filled with old clothes on a daily basis.
Now, I'm not saying that all homeless have been defrauded, or that their own actions haven't led to their situations. In most cases, they probably have.
However, my point is that someone's life shouldn't be ruined because of a single mistake made on the internet. The cost to the entire society is too high at that point, because poor people turn to crime, they get sick more often, they're more likely to be victims of crime themselves, etc. I'd much rather pay a few bucks via my income taxes into FDIC (the US bank insurance agency), than pay a lot more bucks via my taxes for services designed to help the destitute. Given my preference, I'd rather they never became destitute at all.
However, the massive problem with that analogy is that a person walking around pretending to be a bank teller IN A BANK is something the bank itself can and should notice, and can easily stop, while the customer is in a position where they can fairly expect they're talking to a real bank employee. As a result, it misses the entire point I was trying to get at, which is that the bank has absolutely no power to stop a phisher. A more accurate analogy would be someone masquerading as a bank official and knocking on your door claiming to be from your bank, and wanting to know if you have any deposits you'd like to hand them, and, honestly, would anyone expect a bank to be liable if you coughed up in that case? Or, if that's insufficient money at stake, someone shows up at your door claiming to be from Sony, here to take your plasma TV in for a safety recall, should Sony have to pay?
Do correct me here if I'm mistaken, since I'm not from the US and don't know all the specifics of the FDIC, but my impression was the FDIC insures banks in the sense that it will guarantee a bank's deposits if the bank goes bankrupt. It wouldn't hand a penny over to a bank in a case like this, and so isn't really applicable.
Hey, if you want to support a government funded solution, like the FDIC as you portrayed it above, I'd not have a huge problem with it. I'd personally not think it the best idea, since it's making everyone pay for the mistakes of people not looking out for themselves, and I don't think people deserve indemnification for that sort of thing (but by the same token, if they would be destitute, then I support welfare, I just don't think one's government payout should be greater because the reason you're broke is you were an idiot as opposed to simply unfortunate). I'm however extremely opposed to a specific person or corporation being required to pay for the loss of another they had nothing to do with, it's that kind of "deep pockets" mentality that is so horribly overused these days (lawsuit mania anyone?), and I think it's out of control. While it may seem so easy to say in a sympathetic case "let's take the money from the rich bank to give to the poor old grandma", it's a horrible precedent to set.
Another potential solution, and something I routinely do, is reply, only using made up names and other information. It seems to me that if they have to sift through the haystack to find the needle, this sort of activity will be much less attractive, at least from a cost / benefit perspective...
...not from some innocent third party like the bank...
The bank isn't a third party. They are one of the two parties involved in the transaction: the thief, and the bank.
I acknowledge your points about complexities of actually enforcing innocent third party protection here. The practical realities are two:
1) the banks in most states that I know of aren't required to do this, and
2) they actually do, generally, cover these sorts of losses.
In the mentioned incident where the lawsuit was threatened, I'd hazard a guess that they caved not due to fear of loss (the law sides with the banks, has a long precedent of siding with the banks), but rather fear of publicity.
Publicity is practical. If people think their money isn't secure when they put it into the bank, they won't put it there.
Shooting from the hip, I'd say the best way of handling these things is make the banks cover a dollar figure below a certain amount, and use something like the FDIC for dollar figures larger.
C//
Umm, the bank for using the brain-dead stupid authentication methods they use, and not taking easy steps to make it impossible to imitate the bank. There's no reason authentication has to be entirely one-way, as it is now. The banks could easily change their system, but that would cost a bit of money, and they'd rather eat the cost of the fraud.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Well, it would be expected for the bank to take the hit if they screwed up. Unfortunately, this isn't how phishing typically works.
Phishers send emails to many recipients, telling them to go to a link which is designed to look like the bank's website. Here, they ask for certain information which is required to access the customer's account online - such as username, password, and secret answer.
At my bank, there's a few secret answers; mother's maiden name, father's first name, my first school, place of birth, mother's first name.
So, if a customer was to fall for a phishing email and provide this type of information, I'm not sure why anyone could legitimately blame the bank rather than blaming their own naivety and learning their lesson.
And it's not like this issue hasn't been publicised, now is it?
Backup not found: (A)bort (R)etry (P)anic
The customers need to not give their account info to other people. The bank can't stop them, so the responsibility lies with the customers.
"What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
cookies are a way, but you have to be careful of what you wish for.
My bank recently implemented a new "secure" login using a similar picture approach. Unfortunately in doing so they have lowered the effective security of the overall system. Hackers can simply guess for a valid login and know beforehand that it is valid (by being presented a picture, rather than just a generic page). Make sure this doesn't apply to your system either.
Just shows there are dumb people everywhere. And, needless to say, I'm in the process of switching away from ING to a bank that has real security.
Yes, and yes. What I'd like to see from my bank is a published set of expectations in plain language. These can be appended to the usual account agreements as required by the laws of each country. These expectations should make clear to me what I must do to avoid being phished - specific, concrete actions I must or must not take. For example, I must always manually type in the bank's URL and examine the owner and issuer of its SSL certificate. I must never click on any link claiming to be to the bank's site, and must never enter my username and password on any site until I have performed the first two steps. If I receive mail (from any source) containing a link that is or claims to be to the bank's site, I must forward the message to the bank's fraud unit and then destroy it. I must create and secure for myself (using tools provided by the bank, if I lack my own) a cryptographic private key, and to use that key to sign messages to provide instructions to my bank or make requests of it. I alone am responsible for the security of this key, and I agree to revoke it in person if I believe it to be compromised.
Hand in hand with this is a set of specific concrete steps the bank agrees to take on my behalf. For example, they must destroy all paper records containing any information about me or my account on site using an industry-standard cross-shredder. All electronic media which contains that information, if transported or stored outside the bank's control, must be suitably encrypted using keys solely in the bank's control. The bank must control access to my personal information by employees to a degree even stronger than required by current regulations - for example, my name and address must never be shared with anyone who is not an employee of the bank specifically servicing my account on my behalf. No more joint marketing agreements or upselling arrangements with subsidiaries. The bank must also agree not to share my information with "law enforcement" without a valid subpoena, and if it receives such a subpoena it must give me 48 hours' notice before complying, to give me time to quash it. Finally, the bank agrees to provide information about my account only when presented with a message signed by my private key. The bank also agrees to establish a protocol for key retirement and revocation, and provide appropriate tools for performing these actions in person.
There are technical and logistical challenges associated with key management, a well-known problem in applied cryptography. Nevertheless, the use of a single security device (which in turn may be secured by multiple physical devices and/or passwords) which uniquely and absolutely identifies a valid customer, helps to draw a line between the customer's responsibility and the bank's. If the bank leaks my information, the agreement should specify that it is liable for repayment of all losses. If my private key is compromised, I am solely responsible for all losses until I revoke it. Revoking a key requires either the key itself or an in-person visit to a branch, and is irreversible. Because the private key is not a piece of personal identification, and is not stored anywhere in the bank, the only way for a criminal to obtain it is to attack me directly; I am responsible for securing it, and can decide for myself how to manage risk: if I'm especially paranoid, I might write the key on a piece of paper and put it in the vault at a different bank, storing it nowhere else. If I value convenience and am willing to accept more risk, I might store it on a single computer, symmetrically encrypted by a passphrase I commit to memory. If I'm a moron, I might store it in the clear on an Internet-facing Windows computer. Point-of-sale transactions could be restricted using a chip-and-pin system as is being implemented in the UK; however, it needs to be adjusted so th
It does. 99,999% of the time people check "do not ask me again" after the first time they try to type something in google, on a forum, blog or the search box of any website (remember, the browser has no clue if it's a password or not). People demand the ability to send unencrypted data through web forms, it's just not something that can be fixed.
You didn't read my post carefully enough. I said using HTTP AUTH. In other words, that little custom window with a different looking layout, OK and Cancel buttons, which is supposed to be A. modal and B. generated by the browser itself, not by content on the server. It often is in the form of a sheet rather than a window. And since two-factor auth and insecure websites have basically zero intersection, there is no reason for the browser to allow you to disable that warning. Ever.
Yeah, right. A little css magic to make a login image appear over the webpage, with the appropriate form fields? And don't think of putting it like a toolbar if the website can forge a nice top/bottom toolbar itself.
You're thinking of creating a fake modal dialog box with JS/CSS that can be dragged around the window. Problem is that it is bounded to the window, so it won't behave like a true modal dialog. This distinction is trivial to enforce in the browser design---guarantee that the dialog will not ever be 100% overlapping with the original window. Better yet, make it pop out as a drawer from the top of the window or something. That way you can't do it with a pop-up window because again, you design it so that it doesn't look remotely like a web page window.
It is also important to make the browsers guarantee that the modal dialog box or sheet design chosen by the browser vendor does not look remotely like one that can be created using a Javascript alert. In particular, this means that it should be a custom, graphical layout with no menu/title bar to prevent any web page from looking like it, and with a giant image of a lock so that no Javascript Alert can look like it.
As an additional security feature, you could super a moiré pattern over the other browser windows, grey their buttons, and make all the menus become greyed out. This is stuff that JS/CSS can never do and should never be allowed to do because there is no practical reason to ever allow them to do such things.
Do all of this and it cannot be faked (unless Java/ActiveX create a loophole somehow).
Check out my sci-fi/humor trilogy at PatriotsBooks.
Sites that need two factor will have valid certs. As you said, you've never seen a bank with a bad cert. If a company/organization cares enough to spend $50+ on a secure token for every user, they care enough to spend $125 on a valid SSL cert.
The dialog I'm describing should be special, and should just be for two-factor sites. In fact, I would argue that maybe there should be no "Ok" button at all. Two-factor should be limited to SSL, period.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Too many people nowadays are saying the whole world needs to protect them, from themselves. I hate that.
If you are stupid, the world does not have a responsibility to save you from yourself. Stupidity in this case acts like Darwinism. If you are stupid enough to give your bank account number to a phisher, he will do you the service of taking all your money. And then you don't have to worry about being phished again.
I believe a person should be 100% responsible for being phished.
I work for the Department of Redundancy Department.
You give your account information to anyone you write a check to. Phishing is bad and obviously it is stupid to fall for it, but how do you combat a dishonest employee at a company that you have to mail a check to?
Avoid Missing Ball for High Score
Unless you want a system where it's physically impossible for a dishonest employee to misuse your information, which I don't think we can do. When you give someone a check or credit card, you are basically giving them access to your account, because how else would they be able to withdraw money? They need to have information that they can give a bank or credit card company that will allow them to get money, and that requires giving them enough information that they could forge another transaction and get more money. Changing that would require changing how our whole financial system works. Good luck with that.
"What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
I live in the Philippines and banks here require registration of accounts before you are allowed to transfer funds to them. For registration you will have to go to the bank branch and do it one time.
By doing this you won't be worried that all of a sudden your account will be drained. If ever someone is able to access your account, they will just be able to view the account information instead. At least damage is minimized.
Live your life each day as if it was your last.
Say a customer falls for a phishing scheme. Why did that happen? Because the customer was "stupid", but also because the banks use terrible security. So, yes, I do blame the banks. We know how to do better, and it's not that hard to do, so why don't they?!!
First, the banks use appallingly lame proofs of identity derived from various publicly available info. Granted, a lot of that info may not be so easily obtained. Still, not good enough. Banks should stop telling customers to use mother's maiden name! It shouldn't be "stupid" to tell someone, like that nice police officer who wants to see your driver's license, when you were born and where you live. You shouldn't have to shred or burn credit card applications to stop dumpster divers from opening an account in your name.
Second, even when I do use a good password, some banks make it nearly pointless by recording the actual password, so that their customer support can tell me my own password should I ever forget it! In a good authentication system, they should not be able to tell me what any of my passwords were, they should only be able to empower me to get a new password.
Next, there are problems that are not entirely the banks' or their customers' faults. The customer often has no good way to tell whether a website is authentic. Even when banks use Verisign and similar services, that verification is fragile because for one, the certificates may have expired and not been renewed, or Verisign might be down that day, or whatever. Seen that sort of thing too often. Get too many false alarms about the browser being unable to verify the authenticity of some web site. Then there's the issue that while Verisign is assuring you that a site is authentic, who's making sure Verisign can be trusted? I'd rather have the web of trust. Now, the phishers usually don't go to the trouble of such things as poisoning DNS caches. Instead they rely on victims not thinking to check the site's address which the browser displays in several ways. One of the things making such spoofing too easy is the way a link is done in HTML-- make the tag say one thing and do another, built right into the HTML specification! Slashdot at least is trying to work around that HTML problem.
We can do better with the authentication. Excepting possibly when it's created, a user's password should never be sent over the net. Cryptographically hash that password locally with a randomly generated "salt" number (and with a better hash algorithm than MD5), and send that. Then it wouldn't matter if customers were fooled into believing a phishing website was real and they were tricked into sending a hash of their password. Also, the website ought to authenticate itself to the user in some fashion. Wouldn't have to rely on the likes of Verislime. There are other attacks, sure, but for that particular one, there's a technical solution. And banks and others aren't using it. They might have to learn enough about security to avoid being scammed in their turn, and then pay some reputable computer scientists and software engineers to implement it. Too expensive!
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Actually, my bank posts a warning into my statement before an ACH transfer can be made. This has helped me prevent fraudulent withdrawals from my checking account.
No, I will not work for your startup
Why can't we use SRP6 for authentication? In SRP6, in addition to the client proving to the server that it knows the password, the server proves to the client that it knew the password as well (or rather a hash of the password). The server does not end up knowing the client's password either. This makes it basically impossible to set up a phishing site from a technical standpoint. It's also impossible to do a man-in-the-middle attack, because the client and server exchange a nonce to use for following encryption.
The only risk is setting up a web form that looks like the real thing, but actually passes the password as plaintext to the server instead of using SRP. For this, you can modify the web browser to show an unfakeable screen when you are trying to use SRP to log in. If you attempt an SRP logon to a fake server, the only information the site learns is your username.
Getting Microsoft to implement something is basically impossible, but Firefox, Opera and Safari would be much easier. The banks could recommend Firefox to their customers.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
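Added example, not code from the comment above or from any bank or browser: a compact SRP-6a exchange in Python that illustrates the two points raised in this thread, namely that the password never leaves the client (the server stores only a salted verifier, as the earlier comment about hashing the password locally suggested) and that a fake server which never held the verifier cannot produce the final proof, so the client's login fails rather than leaking anything beyond the username. Assumptions: the toy group N = 2^255 - 19 with g = 2, and simplified proof messages M1/M2; real deployments use the RFC 5054 groups and message formats.

```python
"""Minimal SRP-6a exchange showing mutual authentication (educational example)."""
import hashlib
import secrets

# Toy group parameters (assumption for speed): real systems use RFC 5054 groups.
N = 2**255 - 19
g = 2


def H(*parts):
    """Hash a mix of ints and bytes into an int (simplified: SHA-256 of concatenation)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def private_x(username, password, salt):
    """x = H(salt, H(username:password)); computed only on the client."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username, password, salt=None):
    """Client derives the verifier v = g^x; the server stores (salt, v), never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


class Server:
    """Legitimate server: holds verifiers and can prove it does."""
    def __init__(self, records):
        self.records = records  # username -> (salt, v)

    def start(self, username, A):
        salt, v = self.records[username]
        self.A, self.b = A, secrets.randbelow(N)
        self.B = (k * v + pow(g, self.b, N)) % N
        u = H(A, self.B)
        self.K = H(pow(A * pow(v, u, N) % N, self.b, N))  # session key from S
        return salt, self.B

    def finish(self, M1):
        if M1 != H(self.A, self.B, self.K):   # client proof wrong: reject
            return None
        return H(self.A, M1, self.K)            # server proof M2


class Phisher:
    """Fake server: knows no verifier, so it can only record what the client sends."""
    def __init__(self):
        self.seen = []

    def start(self, username, A):
        self.seen.append(("username", username))
        return secrets.token_bytes(16), secrets.randbelow(N) or 1

    def finish(self, M1):
        self.seen.append(("M1", M1))
        return secrets.randbelow(N)  # a guess; cannot be the real M2


def client_login(server, username, password):
    """Run the client side; return True only if the server proves it held the verifier."""
    a = secrets.randbelow(N)
    A = pow(g, a, N)
    salt, B = server.start(username, A)
    if B % N == 0:
        raise ValueError("invalid B from server")
    u = H(A, B)
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # equals g^(b(a+ux)) iff v = g^x
    K = H(S)
    M1 = H(A, B, K)
    M2 = server.finish(M1)
    return M2 == H(A, M1, K)  # False against a wrong password or an impostor server
```

Against the Phisher the only values it ever records are the username, A and M1, none of which reveal the password or let it impersonate the user to the real bank.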
Yes but the system operates the way it does for the convenience of the banks ... in return for that convenience they have to cover some bogus transactions out of their pockets ... they're obviously still making money.
Agreed. How many times do you get phone calls in a month from companies you do business with offering to sign you up for automatic payments if you just give them your bank account info ... I know these aren't phishing scams but I don't sign up on principle ... I don't give my information to people who call me.
"What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
I find it ironic that when things are shipped via USPS, UPS, FedEx, etc... they ask me if I want "insurance".
Their job is to move the package from A to B, nothing else... Why should I have to PAY insurance for them to do their job?
"Credit protection" fees on credit cards are no different.
If banks offer "insurance" then they will get to use all their existing fees for profit!
In order to fix this problem, the concept of trust is going to have to be expanded to the users, and probably via a hardware mechanism. (I hate to suggest the TCPA but that might be a part of a possible solution.) The best (and obviously most expensive) fix would be a smart-card reader issued by the bank that would read a smart card also issued by the bank. They'd have to send out a heavily advertised mailing that says "To prevent con-artists from ripping you off, we are disabling online banking until you stop by your local branch to pick up your new 'electronic passbook'." You'd have to physically go to the bank and present a couple forms of photo ID (perhaps a signature verification, too), at which point you'd be issued a smartcard and reader.
The best solution would need to include a "red light / green light" on the smartcard itself, otherwise a phishy web page could simply lie and say "Congratulations, your smart card is working and you are now connected to the bank, please enter your social security number."
Ultimately, though, many people will simply be unable to comprehend security. Misguided tinfoil-hat wearers will preach nonsense and lies such as "the chip is the devil's work" or "it's part of a gubmint plot to track you." Others will find the instructions too complex or too confusing, and for their own security should never bank online; they'll fall prey to future phishers promising to make "online banking easy." Phishers already feed off these gullible people; in order to truly stem the losses will require banks to take a new approach to dealing with customers.
And you're right, forcing customers to at least share in their losses might educate them enough that they seek out a more secure bank.
John
enough said
And I say, get off your high horse! There are plenty of intelligent, rational people out there who may not be very computer-savvy and/or internet-savvy. Some of the phishing scams are quite well done, and would make *most* people at least take a second look at them.
In fact, despite working in I.T. for 15 years myself, I was tricked once into turning over my eBay username and password by a phishing scam. (Someone sent me a perfect duplicate of one of eBay's emails they send when you've sold enough product to become one of their "Powersellers", and asked me to click to sign in and activate said account.)
I actually had "Powerseller" status at one time, but didn't maintain enough $ volume each month to keep it. So when I got this email, I assumed they were offering it to me again (since it just so happened that I sold quite a few larger, more expensive items shortly before this email arrived).
Sure, you can be all smug about it, and say "Well, you should have examined the URL it took you to, to see that it wasn't really one of eBay's servers!" or what-not. But when you're in a hurry, trying to sift through and reply to a bunch of email - eventually, it's possible to slip up.
Your argument doesn't make any sense.
ING is adding an individualized picture to their website that *you* choose in advance. If you don't see *your* picture, this is an immediate tip-off that the web site may be a phishing attempt. You have to type in your customer number and answer security phrases (on an unregistered computer) before you even get to this point!
How in the world does this lower "the effective security of the overall system"?
I don't work for ING but am a generally satisfied customer. Ironically, my only complaint is that I find them too anal about security. (Case in point: There is a 2 day waiting period before any transfer of funds).
It lowers the effective security because a random guy looking for accounts can now tell which account numbers are legitimate. Just scan the account space, and record which ones have a funny picture.
The security phrase thing is easily bypassed with a good dictionary.