Slashdot Mirror


Why the FBI Director Doesn't Bank Online

angry tapir writes "The head of the US Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt. FBI Director Robert Mueller said he recently came 'just a few clicks away from falling into a classic Internet phishing scam' after receiving an e-mail that appeared to be from his bank."

25 of 360 comments

  1. After receiving an e-mail that appeared... by fluch · · Score: 4, Interesting

    Why does he even consider any such e-mail worth reading?! That is the biggest fail in the chain of his doings....

    1. Re:After receiving an e-mail that appeared... by dgarciam · · Score: 5, Insightful

      Makes you wonder. If the head of the FBI, the guy who knows all the secrets, who sees all the scams all the time, almost falls for this, what can we expect from your average household folks? Scams are getting more and more elaborate these days. Not perfect, but getting there.

    2. Re:After receiving an e-mail that appeared... by corbettw · · Score: 5, Funny

      My take away from it was that the head of the FBI knows surprisingly little about phishing. Let's hope someone on his staff briefs him on 419 scams before he sends his life's savings to the former finance minister for the deposed Crown Prince of Nigeria.

      --
      God invented whiskey so the Irish would not rule the world.
    3. Re:After receiving an e-mail that appeared... by turing_m · · Score: 4, Informative

      Even though he did stop just short of being taken in, it is apparent that some of his information was already compromised.

      It's not apparent. Dollars to donuts it's far cheaper to send an email targeting a specific bank to a very large number of harvested US email addresses than to somehow find out which email addresses relate to which bank's customers, and send them a targeted email. Emails cost virtually nothing to send.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    4. Re:After receiving an e-mail that appeared... by Aladrin · · Score: 4, Insightful

      They didn't. They scattershot the email and hope some of the people that get the email use that bank. I've received phishing attempts for several banks that I've never used. They were all very large banks.

      They look very real, and if I did use those banks, I would have been tempted to click... But being savvy, I'd have contacted my bank via phone or the website instead of clicking on anything in the email.

      How do I know? I've done it with other emails. They all turned out to be real, but when money is involved, it makes sense to be careful with email.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    5. Re:After receiving an e-mail that appeared... by Thansal · · Score: 4, Interesting

      I would suspect you are right. I don't really know what Robert Mueller's background is (quick look at wiki says marines and law), but I suspect that he wasn't directly involved in cybercrime of any sort. Sure, he gets to make the ultimate decisions, but with lots of advisers/what not who (hopefully) know their stuff.

      And hey, at least he didn't ACTUALLY fall for it.

      Random note:
      The emails you do get from various online institutions don't look all that more legit than the ones from the scammers. I have received 2 notices that an account of mine had been compromised, and I was prompted to log in (via a link) and reset my password. One of these was my eBay account I hadn't touched in years. I nearly just binned the email without even opening it, but curiosity got the better of me and I read through it, checked the links, etc. etc., and everything seemed legit, despite looking like a classic phishing attempt.

      --
      Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    6. Re:After receiving an e-mail that appeared... by Aceticon · · Score: 3, Informative

      419 scams and phishing are completely different sorts of scenarios:
      - The first is an appeal to a person's greed that happens to be done via e-mail
      - The second is a forged and somewhat alarmist e-mail providing a link to access what appears to be your bank's system to correct a problem.

      419 scams are just a common type of scam only done "via e-mail" and should be easily detectable to anybody knowledgeable in the ways of deceit (the appeal to one's greed makes it very obvious).

      Phishing involves a forged e-mail (which means one needs to be aware that e-mails can be forged) demanding nothing of value from the recipient (just some time to check and correct a "problem") and providing a helpful link to the relevant site (said link looking OK to a non-technical person). The helpful link to the site is a common feature in e-mails from many companies (for example MySpace), and thus an e-mail with a link fits one's mental pattern of "how these things usually work" and triggers no mental alarms if you're not aware of how phishing works.

      Thus I'm not at all surprised that a non-technical member of the intelligence/law community could fall for a phishing e-mail.

    7. Re:After receiving an e-mail that appeared... by ArsenneLupin · · Score: 5, Informative

      checked the links

      You don't check the links, you don't use them at all. Instead, you access the site through a bookmark, or via typing in the URL manually if you no longer have a bookmark. It's all too easy to confuse an l with an I or a 1. Or rn and m depending on what font you have. Or the attacker might play similar tricks using exotic characters that you do not even know to exist (How similar is a greek capital Rho to a capital P?).
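
The checks ArsenneLupin and Aceticon describe above (a link that "looks OK" to a non-technical reader, look-alike glyphs such as Greek rho for P or Cyrillic р for p), written out as an added example that is not code from the thread or from Slashdot. It pulls every anchor out of an HTML e-mail body and reports the tells: the visible text names one host while the href goes to another, a bank's name is buried as a subdomain or path of some other domain, the hostname contains non-ASCII characters whose ASCII twins spell a real bank, or the link is plain http. The sample message, the LEGIT_HOSTS allow-list and the small CONFUSABLES table are constructed for illustration; the real Unicode confusables list is far larger.

```python
"""Added example, not code from the thread: flag e-mail links that merely
look like they point at the bank.  LEGIT_HOSTS, CONFUSABLES and the sample
message are constructed for illustration."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list of the banks the reader actually uses.
LEGIT_HOSTS = {"bankofamerica.com", "chase.com", "paypal.com"}

# A few glyphs that render like ASCII letters; the real Unicode confusables
# table is far larger, this subset only illustrates the check.
CONFUSABLES = {
    "\u03c1": "p",  # Greek small rho (capital Rho, U+03A1, lowercases to this)
    "\u0440": "p",  # Cyrillic small er
    "\u0430": "a",  # Cyrillic small a
    "\u043e": "o",  # Cyrillic small o
    "\u0435": "e",  # Cyrillic small ie
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0441": "c",  # Cyrillic small es
}

# A hostname-looking token in the visible anchor text, e.g. "www.chase.com".
HOST_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered(host):
    """Crude registrable domain: last two labels (ignores suffixes like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(host):
    """Replace known look-alike glyphs so that 'рaypal' reads 'paypal'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", host))


def analyse_link(href, text, legit=LEGIT_HOSTS):
    """Return (host, reasons); an empty reasons list means the link checks out."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("plain_http")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode_host")          # IDN label: inspect the decoded form
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non_ascii_host")
        twin = registered(skeleton(host))
        if twin in legit:
            reasons.append("confusable_of:" + twin)
    shown = HOST_IN_TEXT.search(text)
    if shown and registered(shown.group(0).lower()) != registered(host):
        reasons.append("text_host_mismatch")     # says one host, goes to another
    if registered(host) not in legit:
        brands = {h.split(".")[0] for h in legit}
        if any(b in host or b in parts.path.lower() for b in brands):
            reasons.append("brand_in_other_domain")  # bankofamerica.com.evil.example
    return host, reasons


def analyse_email(html, legit=LEGIT_HOSTS):
    """Run analyse_link over every anchor in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(href, *analyse_link(href, text, legit)) for href, text in parser.links]


# Constructed phishing-style message: one spoofed subdomain, one Cyrillic
# look-alike, and one genuine link for contrast.
SAMPLE_EMAIL = """<p>Dear customer, unusual activity was detected on your account.</p>
<a href="http://www.bankofamerica.com.account-verify.example/login">www.bankofamerica.com</a>
<a href="http://www.\u0440aypal.com/">Secure sign-in</a>
<a href="https://www.chase.com/">chase.com</a>"""

if __name__ == "__main__":
    for href, host, reasons in analyse_email(SAMPLE_EMAIL):
        print(host, "->", reasons or "ok")
```

The brand check is deliberately coarse ("chase" also matches "purchase.example"), which is acceptable for a tool whose only job is to tell you to type the address yourself rather than click; the two-label "registered domain" split would need a public-suffix list for hosts under co.uk and the like.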

    8. Re:After receiving an e-mail that appeared... by cetialphav · · Score: 4, Insightful

      The question is, why is someone that "non-technical" in charge of cybercrime for the FBI?

      He is not in charge of cybercrime. He is the director of the entire FBI. I imagine that he has a huge amount of knowledge of things you and I know nothing about so I am willing to cut him some slack. We engineers have built a communication system that looks simple and secure to average folk and yet actually requires the detailed knowledge of how it all works to use it securely.

      Every time one of these stories comes up, I am troubled by the attitude that is taken in so many Slashdot comments that the victim (or near victim) must be a complete idiot. We make a system that makes it far too easy to deceive people and then ridicule the victim for being tricked. We will never be able to improve the situation with this attitude.

      It is right to be suspicious of any email claiming to be from your bank, but the fact is that my banks have sent me legitimate emails from them. Those emails have never been digitally signed so verifying their authenticity is tough. So the banks have some responsibility for using email in an unsafe way. But what if they did sign their emails? Well, it still wouldn't matter because Gmail and Yahoo and Hotmail have no provision for verifying digital signatures so the tools used by millions lack a fundamental security feature.

  2. A novel concept... by laughingcoyote · · Score: 4, Insightful

    Unfortunately, this does seem like a novel concept: If you can't use it properly, and are unwilling to take the time to learn, don't use it at all!

    Of course, it's a bit disturbing that the head of a major law enforcement agency can be scammed that easily. I know plenty of people (who aren't in any type of computer/tech field) who know very well that you never, under any circumstances, ever, go to a sensitive website from an email link, and you most certainly never enter any login details unless you've gone directly there. That's pretty common knowledge anymore, and this is a guy you'd expect to know better. Leads you to wonder what other simple concepts he can't get straight.

    --
    To fight the war on terror, stop being afraid.
    1. Re:A novel concept... by donaggie03 · · Score: 4, Insightful

      He wasn't scammed. He was almost scammed. Everyone who uses the internet has "almost" been scammed, for varying degrees of "almost."

      --
      Three days from now?? Thats tomorrow!! ~Peter Griffin
    2. Re:A novel concept... by kalirion · · Score: 3, Interesting

      At my university back in 2003, several professors in the Computer Science Department fell for those "Windows Security Patch" attachments sent by email from the "Microsoft Security Department."

      I'm ashamed to admit that I almost double-clicked the exe file myself before thinking better of it...

  3. Wait wha...? by alexandre · · Score: 4, Insightful

    The FBI Director doesn't know never to click on a link from "his bank" in his email?
    So I guess I can call him as his bank and ask him for his password too, without him actually calling back the real number?

    No wonder security is broken ...

  4. There's your problem. by headhot · · Score: 4, Insightful

    All emails from my "bank" get filtered right into the trash. If it's important, they will call or send a letter.

    1. Re:There's your problem. by D+Ninja · · Score: 4, Insightful

      ...except, they won't. Many people do everything through online banking. A number of banks have complete "opt-out-of-paper" programs, so you won't see another letter in your life (except maybe major documents that need to be signed). The real trick here is: when you get an e-mail, don't click on the links. If your bank says you need to take care of something, visit their site by manually typing in the address and then take care of whatever it is.

  5. Yes Dear! by muckracer · · Score: 4, Funny

    Fortunately his wife will continue to use online banking...

  6. My bank does NOT know my email address by Anonymous Coward · · Score: 5, Insightful

    I bank online about once a week. Every time I connect, I check the HTTPS certificate. Also, my bank does not know my email address. If I get email from my bank, I KNOW it's a fake. Period.

  7. Re:Baby with the bath water? by MollyB · · Score: 4, Insightful

    He has more to worry about from targeted attacks than phishing attempts.

    Unfortunately, this quote from him doesn't inspire confidence:

    "Far too little attention has been paid to cyber threats and their consequences," Mueller said. "Intruders are reaching into our networks every day looking for valuable information. Unfortunately they're finding it. "

    It would seem that he is resigned to the situation rather than seeking a remedy for it...

  8. This is good by hairykrishna · · Score: 4, Insightful

    While being an idiot, he's obviously not so stupid that he doesn't realise that he's an idiot. Hence the self-restriction. If more of the world's idiots followed his example the internet would be a better place.

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
  9. A few clicks away? by njen · · Score: 4, Insightful

    Everyone is always just a few clicks away from being caught in a phishing scam. In fact, wouldn't it be closer to say that everyone is just one click away (the link from their email)?

    It's like saying, I am a few steps away from a cash register at the supermarket... I came this close to being tempted to steal it. But I've solved the problem: I won't enter any supermarkets ever again. Or that everyone is just a few steps away from death by standing by the side of the road, so to avoid being hit by a car, I will never go near a road ever again.

    Sure there are dangers everywhere; one just needs some education, like: never ever ever click on a link in an email claiming to be from your bank. Just like: you should always look both ways when crossing the street. Seriously, my 16-year-old brother knows both of those...

  10. Not a surprise by AndGodSed · · Score: 3, Insightful

    I am not surprised.

    The director of any agency does not necessarily deal with all the scams and most likely not with IT. He runs the business/admin side of things, and he has people working under him to take care of things like security etc.

    What seems to be missed is that phishers have the e-mail address of the director of the FBI. Either it is a personal e-mail address, and I am not even sure people in that position are allowed to have personal/web e-mails, OR it is his FBI address, and that is more worrying than that he almost fell for a scam.

    Another thing that worries me is that he takes nothing away from this experience - almost got caught, so I won't bank online anymore. Heck I would expect someone of his stature to go - Almost got caught, yikes better make sure that does not happen again.

    The direct effect of this is that the director of the FBI is now going to either bank by phone (and that is a security hole right there) or going to wait in the queue at the bank, exposing him to other risks.

    I would've thought that higher-up officials such as him had access to alternative, more secure methods of doing things like banking. How does the President of the USA do it, for instance?

  11. Re:Baby with the bath water? by DarthBart · · Score: 4, Insightful

    Bull. There's one simple way to avoid phishing scams. Open up the browser yourself and type in the address yourself.

    Any time I access financial information, I enter the address manually. If you can't remember something simple like "paypal.com" or "chasebank.com", you don't need a computer.

    A former coworker of mine accessed his bank this way:

    1) Open IE
    2) Go up to the file menu, select "Open Location"
    3) Enter "http://www.google.com/" (The full URL, not just google.com)
    4) search for "Bank Of America"
    5) Click on the first result, which thankfully was the right BoA site.

  12. Re:Disease: Gullibility - Cure: None Known by D+Ninja · · Score: 3, Funny

    It is rare that people recover from gullibility.

    I don't believe you.

  13. Re:Baby with the bath water? by TheGratefulNet · · Score: 5, Interesting

    Mueller said. "Intruders are reaching into our networks every day looking for valuable information. Unfortunately they're finding it. "

    wait; who, again, are the bad guys?

    given their MO, I consider the feds and police to be 'bad guys' when it comes to their perceived right to 'sneak and peek' any damned place they want for any reason at all. attach a gps to your car? no problem. and on and on it goes.

    the government is THE WORST INTRUDER in our personal lives, these days.

    I worry much less about criminals. they have a lot less power over me and once they do their deed, they're gone from my life.

    --
    "It is now safe to switch off your computer."
  14. Re:Baby with the bath water? by Zebedeu · · Score: 4, Insightful

    Of course, otherwise you risk one day mistyping bankofamerica.com and ending up in a phishing site which looks just like the real thing.

    If you can't trust your bookmarks, you can't trust your computer. If you can't trust your computer, you shouldn't be accessing your online bank on it in any case.
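
Zebedeu's point about mistyping bankofamerica.com, as an added example that is not code from the thread or from Slashdot: a typo-squat check that compares a hostname's registrable part against a short allow-list using optimal-string-alignment distance (one insertion, deletion, substitution or swap of adjacent characters, which is what a slip of the fingers usually produces) and separately catches the right name under the wrong TLD. LEGIT_HOSTS and the hostnames tried at the bottom are constructed; the two-label "registered domain" split is a simplification that ignores multi-label suffixes such as co.uk.

```python
"""Added example, not code from the thread: catch a mistyped or typo-squatted
bank hostname before the browser loads it.  LEGIT_HOSTS and the hosts checked
below are constructed for illustration."""

# Assumed allow-list: the domains the reader actually banks with.
LEGIT_HOSTS = {"bankofamerica.com", "chase.com", "paypal.com"}


def osa_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each costs 1 (a typo is usually one)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute (or match)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def registered(host):
    """Crude registrable domain: last two labels (ignores suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_host(host, legit=LEGIT_HOSTS, max_distance=1):
    """Return (verdict, closest_legit_domain, distance).

    verdict is one of: legit, wrong_tld (right name, other suffix),
    typosquat (within max_distance edits of a legit domain), unknown."""
    reg = registered(host)
    if reg in legit:
        return "legit", reg, 0
    sld, _, tld = reg.rpartition(".")
    # Same second-level name under another suffix: bankofamerica.net, .co ...
    for good in legit:
        gsld, _, gtld = good.rpartition(".")
        if sld and sld == gsld and tld != gtld:
            return "wrong_tld", good, osa_distance(reg, good)
    closest = min(legit, key=lambda good: osa_distance(reg, good))
    dist = osa_distance(reg, closest)
    if dist <= max_distance:
        return "typosquat", closest, dist
    return "unknown", closest, dist


if __name__ == "__main__":
    # Constructed hostnames: one genuine, then the kinds of slip a typist makes.
    for h in ["www.bankofamerica.com", "bankofamerca.com", "bnakofamerica.com",
              "www.chose.com", "bankofamerica.net", "bankofamerica.co",
              "example.org"]:
        print(h, "->", classify_host(h))
```

A distance threshold of 1 keeps false positives down; raising it to 2 starts matching unrelated short names, so in practice the check is paired with an allow-list of the exact hosts you use, which is what a bookmark already is.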