Slashdot Mirror


Why the FBI Director Doesn't Bank Online

angry tapir writes "The head of the US Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt. FBI Director Robert Mueller said he recently came 'just a few clicks away from falling into a classic Internet phishing scam' after receiving an e-mail that appeared to be from his bank."

54 of 360 comments

  1. After receiving an e-mail that appeared... by fluch · · Score: 4, Interesting

    Why does he even consider any such e-mail worth reading?! That is the biggest fail in the chain of his doings....

    1. Re:After receiving an e-mail that appeared... by dgarciam · · Score: 5, Insightful

      Makes you wonder. If the head of the FBI, the guy who knows all the secrets, who sees all the scams all the time, almost falls for this, what can we expect from your average household folks? Scams are getting more and more elaborate these days. Not perfect, but getting there.

    2. Re:After receiving an e-mail that appeared... by corbettw · · Score: 5, Funny

      My takeaway from it was that the head of the FBI knows surprisingly little about phishing. Let's hope someone on his staff briefs him on 419 scams before he sends his life's savings to the former finance minister for the deposed Crown Prince of Nigeria.

      --
      God invented whiskey so the Irish would not rule the world.
    3. Re:After receiving an e-mail that appeared... by Anonymous Coward · · Score: 2, Funny

      "FBI director too dumb to use the Internet"

      Hilarious. Great headline.

    4. Re:After receiving an e-mail that appeared... by turing_m · · Score: 4, Informative

      Even though he did stop just short of being taken in, it is apparent that some of his information was already compromised.

      It's not apparent. Dollars to donuts it's far cheaper to send an email targeting a specific bank to a very large number of harvested US email addresses than to somehow find out which email addresses relate to which bank's customers, and send them a targeted email. Emails cost virtually nothing to send.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    5. Re:After receiving an e-mail that appeared... by Anonymous Coward · · Score: 2, Funny

      Photo ID, pffft.

      My bank will only allow access to my account when presented with my erect penis.

    6. Re:After receiving an e-mail that appeared... by Aladrin · · Score: 4, Insightful

      They didn't. They scattershot the email and hope some of the people that get the email use that bank. I've received phishing attempts for several banks that I've never used. They were all very large banks.

      They look very real and if I did use those banks, I would have been tempted to click... But being savvy, I'd have contacted my bank via phone or the website instead of clicking on anything in the email.

      How do I know? I've done it with other emails. They all turned out to be real, but when money is involved, it makes sense to be careful with email.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    7. Re:After receiving an e-mail that appeared... by v1 · · Score: 2, Funny

      but that's only for making deposits? and watch out for the penalty for early withdrawal....

      --
      I work for the Department of Redundancy Department.
    8. Re:After receiving an e-mail that appeared... by AvitarX · · Score: 2, Interesting

      I will admit to almost falling for one the other day.

      I marked the e-mail as phishing and it has since been deleted, but it came from "bank of america" and linked to a quite formal looking page asking for info.

      It came simultaneously with my having trouble with Bank of America's online system (they took over my mortgage account and it has been a pain getting into the online payment system since).

      I was looking at it, frustrated it was only a solution for credit card issues, and then realized the site was support.com not bank of america.

      Maybe I am particularly stupid, but I don't think so.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    9. Re:After receiving an e-mail that appeared... by Thansal · · Score: 4, Interesting

      I would suspect you are right. I don't really know what Robert Mueller's background is (quick look at wiki says marines and law), but I suspect that he wasn't directly involved in cybercrime of any sort. Sure, he gets to make the ultimate decisions, but with lots of advisers/what not who (hopefully) know their stuff.

      And hey, at least he didn't ACTUALLY fall for it.

      Random note:
      The emails you do get from various online institutions don't look all that more legit than the ones from the scammers. I have received 2 notices that an account of mine had been compromised, and I was prompted to log in (via a link) and reset my password. One of these was my eBay account I hadn't touched in years. I nearly just binned the email without even opening it, but curiosity got the better of me and I read through it, checked the links, etc etc, and everything seemed legit, despite looking like a classic phishing attempt.

      --
      Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    10. Re:After receiving an e-mail that appeared... by Aceticon · · Score: 3, Informative

      419 scams and phishing are completely different sorts of scenarios:
      - The first is an appeal to a person's greed that happens to be done via e-mail
      - The second is a forged and somewhat alarmist e-mail providing a link to access what appears to be your bank's system to correct a problem.

      419 scams are just a common type of scam only done "via e-mail" and should be easily detectable to anybody knowledgeable in the ways of deceit (the appeal to one's greed makes it very obvious).

      Phishing involves a forged e-mail (which means one needs to be aware that e-mails can be forged) demanding nothing of value from the recipient (just some time to check and correct a "problem") and providing a helpful link to the relevant site (said link looking ok for a non-technical person). The helpful link to the site is a common feature in e-mails from many companies (for example MySpace) and thus an e-mail with a link fits one mental pattern of "how these things usually work" and triggers no mental alarms if you're not aware of how phishing works.

      Thus I'm not at all surprised that a non-technical member of the intelligence/law community could fall for a phishing e-mail.

    11. Re:After receiving an e-mail that appeared... by Zironic · · Score: 2, Interesting

      Personally I find the access to account history with the lower security level (just password) convenient and it massively cuts down on how often I need to use the security token, since you usually want to check account balance/recent history much more often than you do transfers to outside accounts.

      Anyhow, the option to turn off low-security banking altogether should exist for the paranoid; what good exactly is a low-security login to a phisher if you assume the telephone banking isn't making bad assumptions about what is and isn't secret?

    12. Re:After receiving an e-mail that appeared... by Albanach · · Score: 2

      Well, as I understand it, within the new Medical Care Reform legislation they're trying to pass, there are provisions to let the govt. have full access to your banking accounts (without warrant, etc).

      Can you point to any line from any of the proposed bills that suggests this? Or have you been reading too many blogs?

    13. Re:After receiving an e-mail that appeared... by ArsenneLupin · · Score: 5, Informative

      checked the links

      You don't check the links, you don't use them at all. Instead, you access the site through a bookmark, or via typing in the URL manually if you no longer have a bookmark. It's all too easy to confuse an l with an I or a 1. Or rn and m depending on what font you have. Or the attacker might play similar tricks using exotic characters that you do not even know to exist (How similar is a greek capital Rho to a capital P?).

    14. Re:After receiving an e-mail that appeared... by compass46 · · Score: 2, Interesting

      No he can't, because the specific point does not exist. The text someone would most likely cite (a few pages somewhere in the 50s, IIRC, the last time I checked one of the House bills) is about healthcare-provider-to-insurance-provider payment transactions.

    15. Re:After receiving an e-mail that appeared... by hmar · · Score: 2, Insightful

      And spoil us an epic laugh? And rob Slashdot of a 'haha see toldyouso' summary whose article doesn't even have to be read?

      Is there an article somewhere on slashdot that does have to be read?

    16. Re:After receiving an e-mail that appeared... by gnud · · Score: 2, Interesting

      I guess you mean Unicode characters that use the same glyphs as an ASCII character. The equivalents of the ASCII characters in Unicode are the ASCII characters. They even share code points.
      Code pages are shockingly irrelevant in DNS lookups.

      Also, quoth the wiki:

      Internet Explorer 7 imposes restrictions on displaying non-ASCII domain names based on a user-defined list of allowed languages
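
The look-alike problem ArsenneLupin and gnud describe above (l/I/1, rn/m, Greek or Cyrillic letters that render like Latin ones, IDN labels) can be checked mechanically before a link is followed. The checker below is an added example for this thread, not code from Slashdot or from any bank; it compares a link's hostname against a constructed bookmark list (`examplebank.com`) and reports why a host is suspicious. All domains and URLs in it are made up for the example.

```python
"""Check a link from an e-mail against the hosts you actually bank with.

Added example for this thread, not code from Slashdot or any bank.  It
decodes the link's hostname and reports the confusions the comments
describe: l/I/1, rn/m, Greek or Cyrillic look-alikes, punycode (xn--)
labels, and a real bank name buried inside another domain.  Every domain
and URL here is constructed for the example.
"""
import unicodedata
from urllib.parse import urlsplit

# Hosts the user would reach by bookmark or by typing them in (constructed).
TRUSTED_HOSTS = {"examplebank.com", "www.examplebank.com"}

# Non-Latin letters that render like Latin letters in common fonts, mapped to
# the letter they imitate.  Deliberately short; Unicode TR39 has the full table.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",  # Greek α ο ρ ν
}


def decode_host(url: str) -> str:
    """Return the hostname of *url* as Unicode, decoding punycode labels."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")   # "xn--..." -> real letters
    except UnicodeError:                              # already non-ASCII, or junk
        return host


def skeleton(host: str) -> str:
    """Collapse look-alike characters so an imitation compares equal to the original.

    Covers the confusions raised in the thread (l/I/1, rn/m, 0/o, Greek and
    Cyrillic look-alikes); it is not the complete TR39 skeleton algorithm.
    """
    s = "".join(LOOKALIKES.get(ch, ch) for ch in host.lower())
    s = s.replace("rn", "m").replace("vv", "w")
    for src, dst in (("1", "l"), ("i", "l"), ("0", "o")):
        s = s.replace(src, dst)
    return s


def check_link(url: str, trusted=frozenset(TRUSTED_HOSTS)) -> dict:
    """Classify a link as 'trusted', 'suspicious' (with reasons) or 'unknown'.

    'unknown' means a host that merely is not on the bookmark list, such as a
    bank's third-party support site; the safe move is still to reach the bank
    through your own bookmark rather than the link.
    """
    host = decode_host(url)
    findings = []
    if host in trusted:
        if not url.lower().startswith("https://"):
            findings.append("trusted host reached without https")
        return {"host": host, "verdict": "suspicious" if findings else "trusted",
                "findings": findings}

    non_ascii = {c for c in host if ord(c) > 127}
    if non_ascii:
        scripts = sorted({unicodedata.name(c, "UNKNOWN").split()[0] for c in non_ascii})
        findings.append("non-ASCII characters (%s) in hostname" % ", ".join(scripts))

    sk = skeleton(host)
    padded = "." + host + "."
    for t in sorted(trusted):
        if sk == skeleton(t):
            findings.append("looks like %s but is not" % t)
        elif "." + t + "." in padded and not host.endswith("." + t):
            # e.g. www.examplebank.com.account-check.net: the bank name is only
            # a leading label; the registered domain belongs to someone else.
            findings.append("%s appears as a label inside %s" % (t, host))

    return {"host": host, "verdict": "suspicious" if findings else "unknown",
            "findings": findings}


if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login",
                 "https://www.exarnplebank.com/login",
                 "https://www.ex\u0430mplebank.com/login",
                 "https://www.examplebank.com.account-check.net/login",
                 "https://support.example/ticket"):
        print(check_link(link))
```

A result of "unknown" is the case AvitarX ran into: a page on a domain that is neither the bank nor an imitation of it, which only the bookmark (not the e-mail) can settle.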

    17. Re:After receiving an e-mail that appeared... by Ethanol-fueled · · Score: 2, Insightful

      No it's not. They haven't done much worth a damn except spend their budget.

      They just troll for weak-minded "anti-Americans" who (to paraphrase another slashdotter) could be convinced to rob a hotdog stand, then undercover FBI agents and overpaid snitches* develop some big scheme** and then cram it down the target's throat until the target agrees***, then they bust the target as soon as he agrees and the media makes a big circus of it telling everybody that millions of lives were saved and another 9/11 was thwarted.

      * To the tune of $250,000 apiece. Think about that when you're eating ramen tonight.
      ** Which makes FBI better terror planners than the so-called "terrorists" themselves!
      *** Or otherwise utilize entrapment and other illegal techniques. But who cares? it's Terrorists we're talking about here!

    18. Re:After receiving an e-mail that appeared... by cetialphav · · Score: 4, Insightful

      The question is, why is someone that "non-technical" in charge of cybercrime for the FBI?

      He is not in charge of cybercrime. He is the director of the entire FBI. I imagine that he has a huge amount of knowledge of things you and I know nothing about so I am willing to cut him some slack. We engineers have built a communication system that looks simple and secure to average folk and yet actually requires the detailed knowledge of how it all works to use it securely.

      Every time one of these stories comes up, I am troubled by the attitude that is taken in so many Slashdot comments that the victim (or near victim) must be a complete idiot. We make a system that makes it far too easy to deceive people and then ridicule the victim for being tricked. We will never be able to improve the situation with this attitude.

      It is right to be suspicious of any email claiming to be from your bank, but the fact is that my banks have sent me legitimate emails from them. Those emails have never been digitally signed so verifying their authenticity is tough. So the banks have some responsibility for using email in an unsafe way. But what if they did sign their emails? Well, it still wouldn't matter because Gmail and Yahoo and Hotmail have no provision for verifying digital signatures so the tools used by millions lack a fundamental security feature.

    19. Re:After receiving an e-mail that appeared... by cetialphav · · Score: 2, Insightful

      Related, in that regular people may not realize what they're doing but why would you use Gmail, Hotmail, or Yahoo for financial communications?

      Why not? I don't see those as being any more or less secure than any ISP's normal email services. Email is fundamentally insecure anyway. Most people have one email address that they regularly use and so that is what will be provided to financial institutions.

      However, my ISP allows users to use a whitelist [wikipedia.org]; I have an online address book and only email from someone in it is sent directly to my inbox.

      But that has nothing to do with security. Your "suspected" folder contains all messages that did not make it past the whitelist filter, but that does not mean that you can trust what the whitelist filter allows through. It is trivial to send an email that matches what you think a legit banking email will look like.

      I think the reason that most people don't realize that email can be trivially forged is because it is such a stupid idea to design a system like that. It can't possibly make sense for me to sit here in the comfort of my home and send an email to you that looks like it came from Bank of America and so non-experts assume that there must be some sort of mechanism to stop that. That is a very reasonable assumption, and we engineers are morons for not providing a communication abstraction that lives up to that.

  2. Baby with the bath water? by grasshoppa · · Score: 2, Insightful

    I don't mean to deride the director of such an important agency, but seriously? He has more to worry about from targeted attacks than phishing attempts.

    A little knowledge goes a long way.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Baby with the bath water? by MollyB · · Score: 4, Insightful

      He has more to worry about from targeted attacks than phishing attempts.

      Unfortunately, this quote from him doesn't inspire confidence:

      "Far too little attention has been paid to cyber threats and their consequences," Mueller said. "Intruders are reaching into our networks every day looking for valuable information. Unfortunately they're finding it. "

      It would seem that he is resigned to the situation rather than seeking a remedy for it...

    2. Re:Baby with the bath water? by grasshoppa · · Score: 2, Insightful

      Well, and for you to enter your login information.

      Common sense dictates that you don't follow links from your email to anything financial; you either type it in yourself or you use a bookmark. I know my bank and credit cards don't send me links to click, but even if they did I wouldn't use them.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    3. Re:Baby with the bath water? by Anonymous Coward · · Score: 2, Insightful

      neatly sidestepping the fact that a lot of attention *has* been paid to it, but people like him have always chosen to ignore it.

    4. Re:Baby with the bath water? by DarthBart · · Score: 4, Insightful

      Bull. There's one simple way to avoid phishing scams. Open up the browser yourself and type in the address yourself.

      Anytime I access financial information, I enter the address manually. If you can't remember something simple like "paypal.com" or "chasebank.com", you don't need a computer.

      A former coworker of mine accessed his bank this way:

      1) Open IE
      2) Go up to the file menu, select "Open Location"
      3) Enter "http://www.google.com/" (The full URL, not just google.com)
      4) search for "Bank Of America"
      5) Click on the first result, which thankfully was the right BoA site.

    5. Re:Baby with the bath water? by donaggie03 · · Score: 2, Insightful

      I agree. The problem isn't getting emails from banks. The problem is clicking on a link from within an email from a bank.

      --
      Three days from now?? That's tomorrow!! ~Peter Griffin
    6. Re:Baby with the bath water? by wurp · · Score: 2, Informative

      Er, or you could type it in once and bookmark it?

    7. Re:Baby with the bath water? by TheGratefulNet · · Score: 5, Interesting

      Mueller said. "Intruders are reaching into our networks every day looking for valuable information. Unfortunately they're finding it. "

      wait; who, again, are the bad guys?

      given their MO, I consider the feds and police to be 'bad guys' when it comes to their perceived right to 'sneak and peek' any damned place they want for any reason at all. attach a gps to your car? no problem. and on and on it goes.

      the government is THE WORST INTRUDER in our personal lives, these days.

      I worry much less about criminals. they have a lot less power over me and once they do their deed, they're gone from my life.

      --
      "It is now safe to switch off your computer."
    8. Re:Baby with the bath water? by Zebedeu · · Score: 4, Insightful

      Of course, otherwise you risk one day mistyping bankofamerica.com and ending up in a phishing site which looks just like the real thing.

      If you can't trust your bookmarks, you can't trust your computer. If you can't trust your computer, you shouldn't be accessing your online bank on it in any case.

  3. A novel concept... by laughingcoyote · · Score: 4, Insightful

    Unfortunately, this does seem like a novel concept: If you can't use it properly, and are unwilling to take the time to learn, don't use it at all!

    Of course, it's a bit disturbing that the head of a major law enforcement agency can be scammed that easily. I know plenty of people (who aren't in any type of computer/tech field) who know very well that you never, under any circumstances, ever, go to a sensitive website from an email link, and you most certainly never enter any login details unless you've gone directly there. That's pretty common knowledge anymore, and this is a guy you'd expect to know better. Leads you to wonder what other simple concepts he can't get straight.

    --
    To fight the war on terror, stop being afraid.
    1. Re:A novel concept... by donaggie03 · · Score: 4, Insightful

      He wasn't scammed. He was almost scammed. Everyone who uses the internet has "almost" been scammed, for varying degrees of "almost."

      --
      Three days from now?? That's tomorrow!! ~Peter Griffin
    2. Re:A novel concept... by kalirion · · Score: 3, Interesting

      At my university back in 2003, several professors in the Computer Science Department fell for those "Windows Security Patch" attachments sent by email from the "Microsoft Security Department."

      I'm ashamed to admit that I almost double-clicked the exe file myself before thinking better of it...

  4. Wait wha...? by alexandre · · Score: 4, Insightful

    The FBI Director doesn't know never to click on a link from "his bank" in his email?
    So I guess I can call him as his bank and ask him for his password too, without him actually calling back to the real number?

    No wonder security is broken ...

  5. There's your problem. by headhot · · Score: 4, Insightful

    All emails from my "bank" get filtered right into the trash. If it's important, they will call or send a letter.

    1. Re:There's your problem. by D+Ninja · · Score: 4, Insightful

      ...except, they won't. Many people do everything through online banking. A number of banks have complete "opt-out-of-paper" programs, so you won't see another letter in your life (except maybe major documents that need signed). The real trick here is - when you get an e-mail, don't click on the links. If your bank says you need to take care of something, visit their site by manually typing in the address and then take care of whatever it is.

    2. Re:There's your problem. by The+Cisco+Kid · · Score: 2, Informative

      Some banks, instead of sending you the message outright in email, instead have a sort of message system within their online banking, and if they send you something there, they send you an email notice to go check your messages.

      It's a decent idea, as long as they 1. Don't include any links, and instead let you enter the bank site yourself, and 2. Absolutely use it *ONLY* for directly personal information related to *your* account (e.g. no ads, promotions or newsletters).

      Oh, and it helps if you try to avoid using insecure software such as MSIE or Windows when doing your online banking, too, but of course no individual bank has the ability to prevent you from doing that. Sure, they could refuse to allow you to login, but the cattle would probably switch banks before switching software.

  6. Yes Dear! by muckracer · · Score: 4, Funny

    Fortunately his wife will continue to use online banking...

  7. In other news by Viper23 · · Score: 2, Insightful

    Chinese and Russian governments scramble to create look-alikes for the FBI's intranet.

    EMail Robert Mueller pretending to be from tech support.

  8. My bank does NOT know my email address by Anonymous Coward · · Score: 5, Insightful

    I bank online about once a week. Every time I connect, I check the HTTPS certificate. Also, my bank does not know my email address. If I get email from my bank, I KNOW it's a fake. Period.

    1. Re:My bank does NOT know my email address by cerberusss · · Score: 2, Funny

      I bank online about once a week. Every time I connect, I check the HTTPS certificate. Also, my bank does not know my email address. If I get email from my bank, I KNOW it's a fake. Period.

      Not giving the bank your e-mail address means major hassles for them. Printing a letter, licking a stamp, then licking the envelope, et cetera.

      So in order to save them money, the bank has my e-mail address. However, it's a special e-mail address that routes over a ToA network connection (TCP-over-Avian). Thus when I see the pigeon arrive, I know for a fact that -- yes -- it's my bank that's sending me an e-mail.

      You just have to outsmart the scammers. I guess I have that talent.

      --
      8 of 13 people found this answer helpful. Did you?
  9. Car Accident by Crock23A · · Score: 2, Insightful

    I almost got into a car accident when someone cut me off on the way to work this morning. By the logic suggested by TFS, I should stop using the public roadways.

  10. Instead he should... by MikeRT · · Score: 2, Insightful

    Be calling for legislation that makes banks responsible for identity theft and any subsequent damage to consumer credit ratings. That would make the FBI's job much easier since the banks would never send emails, among other things, to make sure that they are diligent about identity theft.

    1. Re:Instead he should... by L4t3r4lu5 · · Score: 2, Funny

      Identity Theft - Mitchell and Webb

      Insightful or funny... I think both.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  11. This is good by hairykrishna · · Score: 4, Insightful

    While being an idiot he's obviously not so stupid that he doesn't realise that he's an idiot. Hence the self-restriction. If more of the world's idiots followed his example the internet would be a better place.

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
    1. Re:This is good by Runaway1956 · · Score: 2, Insightful

      That might be the most insightful post yet. We ALL do stupid shit - no matter HOW SMART we are. A freaking genius rocket scientist might be too spastic to drive safely. That's cool, as long as the genius realizes that he's a spaz, and can't drive. If he doesn't figure it out - well, there's a fine line between genius and idiocy. The idiot will kill himself, or someone else.

      Everyone on slashdot who has NEVER done anything stupid, not once in their lives, should sign in below. Ever searched for your glasses, just to find them on your face? Searched for your car keys, just to find them in your pocket, or in the ignition? BRAIN FART!! We're all prone to have them, some more often than others.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  12. A few clicks away? by njen · · Score: 4, Insightful

    Everyone is always just a few clicks away from being caught in a phishing scam. In fact, wouldn't it be closer to say that everyone is just one click away (the link from their email)?

    It's like saying, I am a few steps away from a cash register at the supermarket...I came this close to be tempted to steal it. But I've solved the problem: I won't enter any supermarkets ever again. Or that everyone is just a few steps away from death by standing by the side of the road, so to avoid being hit by a car, I will never go near a road ever again.

    Sure there are dangers everywhere, one just needs some education, like: never ever ever click on a link in an email claiming to be from your bank. Just like: you should always look both ways when crossing the street. Seriously, my 16 year old brother knows both of those...

  13. Technical Issue by Viper23 · · Score: 2, Funny

    Robert Mueller,

    There has been a technical issue we need to resolve with your account at counter-intel.fbi.gov.

    Please click on the above link and fill in your details. Follow the on screen instructions and the error will be corrected.

    Thank you and have a good day,

    FBI Technical Support

  14. Woah... by Azuaron · · Score: 2, Funny

    Robert Mueller's the guy I keep getting emails from asking me to accept some money from Nigeria. He's always claimed to be the head of the FBI, but I never believed him. Man, all this time I've been risking arrest and denying myself several hundred thousand US dollars just because I thought it was a scam! I guess you shouldn't be skeptical of everything you get in your inbox.

    --
    I'm a psychologist (amongst other things).
  15. Not a surprise by AndGodSed · · Score: 3, Insightful

    I am not surprised.

    The director of any agency does not necessarily deal with all the scams and most likely not with IT. He runs the business/admin side of things, and he has people working under him to take care of things like security etc.

    What seems to be missed is that phishers have the e-mail address of the director of the FBI. Either it is a personal e-mail address - and I am not even sure people in that position are allowed to have personal/web e-mails. OR it is his FBI address - and that is more worrying than that he almost fell for a scam.

    Another thing that worries me is that he takes nothing away from this experience - almost got caught, so I won't bank online anymore. Heck I would expect someone of his stature to go - Almost got caught, yikes better make sure that does not happen again.

    The direct effect of this is that the director of the FBI is now going to either bank by phone (and that is a security hole right there) or going to wait in the queue at the bank - exposing him to other risks.

    I would've thought that higher-up officials such as him had access to alternative, more secure methods of doing things like banking - how does the President of the USA do it, for instance?

  16. OK, so he doesn't bank online.. by Idaho · · Score: 2, Interesting

    ..because he does not understand simple concepts about human nature and, resulting from this, the way in which modern banks conduct their business (e.g. never sending out mails about internet banking/passwords), and is apparently oblivious to the concept of such scams even though it has been reported in the mainstream press over and over again.

    Somehow, it worries me that such a person would be the head of the FBI. Good thing I don't live in the States then, although I have reason to expect things aren't much different where I live.

    That link is in Dutch, but you can still gather the idea from watching the movie. What you see is the prime minister (at the time) of the Netherlands who clearly has no clue whatsoever what a computer mouse is for and how it should be used (he attempts to use it like a TV remote). A six year old (!!) girl (!) then helps him out in sending an e-mail. This happened about 10 years ago, but mice had been 100% mainstream for at least a decade then (since Windows 3.11 at least - I mean, if six year old girls know, you can be pretty sure it was well out of nerd-territory by then).

    The scary thing is that *these* are also the kind of persons in positions to come up with laws and regulations regarding the internet, filesharing, etc.

    --
    Every expression is true, for a given value of 'true'
  17. ATMs and mugging? by Jason+Levine · · Score: 2, Insightful

    So he's not using online banking because some phisher sent him an e-mail and he almost fell for it? If he took some money out of an ATM and then someone tried to mug him, would he refuse to use ATMs from then on? If he saw a report of a bank robber killing someone during a robbery attempt, would he not go into a bank's branch to do his banking? Just because the phishing attempt occurred doesn't necessarily mean that his bank's online banking system is insecure.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  18. Re:Disease: Gullibility - Cure: None Known by D+Ninja · · Score: 3, Funny

    It is rare that people recover from gullibility.

    I don't believe you.

  19. Re:From the wikipedia entry on Mueller by PhreakinPenguin · · Score: 2, Informative

    No the main reason Scottish courts released him is because the British PM "recommended" it in order to secure a HUGE drilling contract in Libya that was awarded shortly after his release.

    --
    My sig of choice is Marlboro
  20. Robert Mueller by falconwolf · · Score: 2, Informative

    He's someone good at playing the politics necessary to get and hold the position. I would be shocked if he had any experience at all in criminal investigation, much less cybercrime, at anything other than a manager-of-investigators (or higher) level.

    Robert Mueller served in the Marine Corps then earned his Juris Doctor (J.D.) degree. "He then served for 12 years in United States Attorney offices." He was chief of the criminal division for the Northern District of California before moving to Boston. There "he investigated and prosecuted major financial fraud, terrorism and public corruption cases, as well as narcotics conspiracies and international money launderers."

    Falcon