Slashdot Mirror
Cyber Gangs Raise Profile of Commercial Online Bank Security
tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."
As Bruce Schneier recently pointed out, MITM attacks are now much more common, and likely to become widespread.
Now, if they used that cell phone message to authenticate the exact transaction you are performing, you'll be much more secure.
Of course, if it's too easy to update the cell phone number, all bets are off.
The point is that as long as banks are not responsible for the losses, they have no incentive to implement strong security measures on their websites. A large number of the current attacks on customer PCs could be eliminated if banks didn't let people do everything with just a username and password. Imagine how bad credit card fraud would be today (or how few people would use credit cards) if you were responsible for fraudulent use and not the bank.
You know, Kelsey Grammer is only one man. You can't expect him to go out and fix all the worlds English language issues, now can you?