Slashdot Mirror


Everything You Know About Password-Stealing Is Wrong

isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."

195 comments

  1. The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Informative

    When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss.

    I had my identity stolen years ago by a guy who managed to run up a bunch of charges on my bank credit card (still don't know how he got the numbers). And, while the bank did reimburse me for the stolen money, they most certainly DIDN'T reimburse me for over $200 in bounced check charges that came after he cleaned out my account, or the hit that my credit rating took after a bunch of companies reported me as a deadbeat for passing bad checks and missing automated billing deadlines. Yeah, just TRY repairing your credit rating after something like that and tell me that consumers don't take a hit for identity theft.

    1. Re:The hell it doesn't cost consumers! by gl4ss · · Score: 3, Insightful

I bet he ran it up way more than $200.

Now if you were a money mule you'd be hit with paying for the $4950 you transferred for some guy in Ghana.

      --
      world was created 5 seconds before this post as it is.
    2. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Informative

      They also don't reimburse the cost retailers have to pay for each fraudulent transaction.

    3. Re:The hell it doesn't cost consumers! by Culture20 · · Score: 5, Insightful

      Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.

    4. Re:The hell it doesn't cost consumers! by SilverJets · · Score: 5, Insightful

      Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.

      THIS.

      As well as increased insurance costs. The authors of the article are rather dense if they honestly think that the costs of reimbursement are not passed down to consumers.

    5. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Informative

      Yes, you do have to fight those things, because among other reasons, the banks deliberately do choose to keep the bounced check charging people out of the fraud reporting loop, so you have to find somebody to knock the heads together and get the information shared. And even then, your liability is controlled by state law, so that limit is up to them anyway.

      Your credit rating, however, you can repair, by disputing those false charges. And if the credit rating company mishandles that, you can get some serious money out of them.

    6. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 4, Informative

      From TFA: "This does not mean, however, that password-stealing is a minor problem. The indirect costs of cyber-crime almost certainly dwarf the direct losses by orders of magnitude. While password-stealing victims are spared direct losses, they may spend considerable time and energy resolving the mess."

    7. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Insightful

      That's exactly what TFA says. Banks like the fear of lost passwords, because they can use that fear to their (profitable) advantage:

      "When perceived risk is greater than actual risk it can be protable to absorb the risk and charge for it. Rental car companies are not merely willing, but anxious to accept liability for any damage to the car for $35 a day; various companies aggressively market identity theft protection for $12 a month. Banks enjoy a huge information advantage over consumers: they know how much fraud costs them, while consumers merely hear horror stories of cyber-crime losses. Passing liability to consumers...would seem to be wasting a protable opportunity."

    8. Re:The hell it doesn't cost consumers! by blueg3 · · Score: 3, Interesting

      That's addressed right in the summary. The banks generally manage to get their money back from one of the intermediates used to transfer the money out in the first place. It's those suckers that eat the majority of the loss.

    9. Re:The hell it doesn't cost consumers! by blueg3 · · Score: 5, Informative

      Either your bank sucks or you didn't browbeat them enough. They should reverse the bounced-check charges resulting from the stolen money.

      You need to dispute the results of identity theft on your credit rating. If the rating agencies refuse to fix it, you can sue the pants off them.

      Of course, this is a lot of trouble and it sucks pretty hard. TFA actually agrees with you on this.

    10. Re:The hell it doesn't cost consumers! by Intropy · · Score: 5, Informative

      FTA:

      "Thus, in the US, individual consumers are largely insulated from the direct financial consequences of credential theft..." (emphasis in original)

      "While 'we all pay for cyber-crime' is true in a general sense, it is not the case that individual users face grave financial risk."

      They're pretty clear that they are discussing risk of catastrophic loss to a single individual rather than increased shared costs.

    11. Re:The hell it doesn't cost consumers! by ragefan · · Score: 5, Informative

      Clearly, you missed the 60 Minutes report this week about Credit Rating companies and their dispute process (source).

In a nutshell, your dispute is never sent to someone who will approve it, and you basically have to sue them to fix it. It's a multi-year case and you better be well documented.

    12. Re:The hell it doesn't cost consumers! by thePowerOfGrayskull · · Score: 5, Insightful

      I've disputed several inaccuracies on my credit report, and had most of them removed without further fight.

      I'm not saying 60 minutes is full of shit, but ...

      60 minutes is in the business of selling scare stories. A little bit of cherry picking goes a long way.

    13. Re:The hell it doesn't cost consumers! by S.O.B. · · Score: 2, Funny

      That's exactly what TFA says. Banks like the fear of lost passwords, because they can use that fear to their (profitable) advantage:

      "When perceived risk is greater than actual risk it can be protable to absorb the risk and charge for it. Rental car companies are not merely willing, but anxious to accept liability for any damage to the car for $35 a day; various companies aggressively market identity theft protection for $12 a month. Banks enjoy a huge information advantage over consumers: they know how much fraud costs them, while consumers merely hear horror stories of cyber-crime losses. Passing liability to consumers...would seem to be wasting a protable opportunity."

      Protable? WTF is protable?

      How can you possibly introduce a spelling mistake...TWICE...with a cut/paste?

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    14. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 2, Interesting

      Come now, it doesn't take much brain power to figre out that it's a typo of "profitable." You know, supposedly what separates us from animals and machines is this thng called intelligence which you can use to apply context to a situation and derive the correct meaning of a mistyped word.

      What you might not know: he probably copied the quote from the PDF document where 2-letter sequences such as "fi" and "ti" are encoded differently (I believe it's called kerning but I could be wrong) and when you copy/paste the text that sequence is not recognised by the target program and gets dropped completely.

      *All typos in first paragraph are intentional to make a point. Typos in rest up to you to figure out.

    15. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 1

      Yeah, just TRY repairing your credit rating after something like that and tell me that consumers don't take a hit for identity theft.

      Good thing I use cash and don't give two hoots about the arbitrary number assigned to me by the global banking cartels to determine my worth to them. I only need one number to determine their worth to me: 0.

    16. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

      Except that he did correctly spell profitable in the first sentence of his post, but misspelled it twice after that.

    17. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

      Same here. This is one of those cases where the law favors the consumer, the Fair Credit Reporting Act <sp?> of 1970.

      It really is a simple process, but tedious. It does take a little time to clear things up, but it does work.

    18. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

      60 minutes is in the business of selling scare stories.

Maybe you should actually click on the link and listen to what "60 minutes" had to say before bashing them? It will not take any longer than 103 of your seconds.

    19. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 2, Informative

      (I believe it's called kerning but I could be wrong)

      You are wrong. It's called ligature. Kerning refers to adapting the spacing of adjacent characters depending on their shape, e.g. moving the letters in "AV" closer together.

    20. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

      I think that you missed the point of the article. It clearly states that the paper only deals with bank transactions and that the overall impact certainly extends beyond the bank account being drained, but that it's in banks' interest to fully reimburse customers.

    21. Re:The hell it doesn't cost consumers! by HiThere · · Score: 1

      That it's a misspelling of profitable is a reasonable hypothesis. But it's also reasonable to guess that it might be some "term of art" specific to the financial community. (I haven't checked.)

      OK, now I've checked, and Google doesn't recognize it, so your hypothesis gains strength.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    22. Re:The hell it doesn't cost consumers! by PRMan · · Score: 2

      Having worked in the mortgage industry for several years, most people were able to easily remove mistakes from their credit and get a loan. At most, it took an extra 30 days. While nothing that 60 Minutes said was untrue, it was certainly cherry-picking. I had mortgage agents that would tell their customers to get a lawyer to send a sternly-worded letter in the stubborn cases. That usually took care of it.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    23. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

Special Note: Businesses are not counted as consumers and the banks do not have to reimburse them and often don't.

    24. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

      Or you could OPEN the linked PDF, SEARCH for a phrase near the mistyped word, and SEE that it is in fact supposed to be PROFITABLE.

      Sorry I'm new here, is it a slashdot tradition to skip the entirely obvious and use the most convoluted way to answer a question?

    25. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

      The "fi" in the PDF is a ligature and doesn't paste when copied.

    26. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

      The PDF looks like it was created by LaTeX, which automatically inserts fancy "fi" ligatures. LaTeX is quite a bit older than Unicode so some of its niceties may not survive a cut and paste.

    27. Re:The hell it doesn't cost consumers! by s.petry · · Score: 1

      There is a similar point in the article, but it's using a bit of fuzzy logic. (they use 9K, I'm using 10 since I like even numbers). Mule steals 10K from you, takes 1K and passes 9K to the "thief" and you are at -10K. Magically the transaction gets reversed, and the thief is at 0, mule is at 0, and you are at 0 instead of -10K. But what mule and thief keep the money in their accounts after snatching money? Many of these are cashed out frequently enough that they become hard to track and very hard to reverse. It also makes you at "-10K" until they feel the time is right to replace the funds in your account.

      That last part seems to be what screws the consumers. I'm lucky, but know people that have waited nearly a year to get funds put back that were stolen. This means bills can't be paid at best, and if that was the rainy day fund and an emergency happens you are screwed.

      I agree with the article in the fact that security gets overblown. I'm not sure they did a great job of representing that.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    28. Re:The hell it doesn't cost consumers! by able1234au · · Score: 1

      Clearly you are new.

    29. Re:The hell it doesn't cost consumers! by chrismcb · · Score: 1

I think it said "consumers are reimbursed for stolen funds", which you say you were. It doesn't talk about being reimbursed for side effects. In addition this was mostly about passwords. Did they steal your credit cards because of weak passwords?
Sounds to me like your anecdote confirms the research.

    30. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 0

      Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.

      It actually depends on the economics of the market. In different markets, you have more flexibility to increase prices. I don't know about the banking market, but plain old checking accounts, by themselves, are commodities. There's not much to differentiate them, so I would guess that it's difficult to increase prices: If you do, people just go someplace else.

      There's a fundamental assumption behind what you are saying, that businesses charge you 'cost-plus' -- their costs plus a reasonable profit -- and if their costs increase then so does your price. Really, smart businesses charge as much as they possibly can -- that's how supply and demand work.

    31. Re:The hell it doesn't cost consumers! by jonadab · · Score: 1

      > it is not the case that individual users face grave financial risk.

      Note the word "financial" there.

      You as an individual do face a grave risk, albeit perhaps of a non-financial nature. If your financial identity is stolen and abused, the money may eventually be refunded to you, but the hours you have to spend getting the whole thing straightened out will NOT be refunded, and most victims find it to be a significantly unpleasant experience. In extreme cases you can end up spending hundreds of (sometimes very frustrating) hours restoring everything to the way it should be.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  2. Banking passwords are overrated by damn_registrars · · Score: 4, Interesting

    It puzzles me when I see that people work really hard to come up with difficult passwords for their bank accounts, but not for their personal accounts on their own computers. They really need to think about what value those passwords have to other people - in particular what could someone else do with those passwords if they had them?

    I have used a fair number of different banks over the past couple decades and seen a lot of different online banking systems. Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts. I have seen some where you can set up bill payments, but that was a chore and would not be useful for trying to pull money out quickly. Most online banking systems intentionally do not even give full account or routing numbers to logged in users, and I've never seen one give out SSN or DOB either.

    On the other hand, people keep a lot of personal information on their PCs. If you can get their personal user names and passwords you could get a lot more useful information on them. A lot of users likely have their SSN and DOB in their browser cache somewhere, and almost everyone has their address somewhere in there.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Banking passwords are overrated by way2trivial · · Score: 5, Informative

      online banking- mine pulls up full images of check faces... which does include routing & account #'s

      --
      every day http://en.wikipedia.org/wiki/Special:Random
    2. Re:Banking passwords are overrated by interkin3tic · · Score: 3, Funny

      It puzzles me when I see that people work really hard to come up with difficult passwords for their bank accounts

      And do you see people coming up with such passwords often?

      Most online banking systems intentionally do not even give full account or routing numbers to logged in users, and I've never seen one give out SSN or DOB either.

      Hmm... you're familiar with most banking online systems?

      You almost had me convinced to make a super easy bank password. Nice try, identity thief!

    3. Re:Banking passwords are overrated by SJHillman · · Score: 5, Informative

      I have accounts with First Niagara (they acquired my HSBC account), ING Direct (recently acquired by CapitalOne) and Ally Banks. I frequently move money between them through the web interface - real easy to set up, you just need to be able to log in to both accounts you're transferring between. Furthermore, my girlfriend has an account with Keybank and we transfer money from her account to mine about once a month to cover living expenses (I pay for almost everything up front, she pays me her share monthly). All I needed from her to set it up was her password.

      If I get your banking login info, I can probably get a good chunk of your money before you realize it. Fortunately, many banks offer email alerts for transfers over X amount or if another account has been added. However, if you target someone who doesn't check their balance or email more than once or twice a week, you can probably get away with it before they know it's happening.
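
The e-mail alerts mentioned above ("transfers over X amount or if another account has been added") are easy to state as rules. The following is an added example, not code from the thread or from any bank: a small rule engine run over a constructed account-activity log. It goes one step beyond the comment by also flagging a transfer to a payee that was added only recently, since the new-payee-then-transfer sequence is the one the comment describes. The thresholds, event names and sample events are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LARGE_TRANSFER = 500.00                  # assumed "over X amount" threshold
NEW_PAYEE_WINDOW = timedelta(hours=48)   # assumed: a payee counts as "new" this long


@dataclass
class Event:
    """One line of a constructed account-activity log."""
    ts: datetime
    kind: str          # "add_payee" or "transfer"
    payee: str
    amount: float = 0.0


def detect_alerts(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, rule, message) for every event that should trigger
    an alert to the account holder.  Rules:
      new_payee       - an external account was added
      large_transfer  - a single transfer above LARGE_TRANSFER
      recent_payee    - a transfer to a payee added less than NEW_PAYEE_WINDOW ago
    """
    added_at: Dict[str, datetime] = {}
    alerts: List[Tuple[datetime, str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "add_payee":
            added_at[ev.payee] = ev.ts
            alerts.append((ev.ts, "new_payee", f"payee added: {ev.payee}"))
        elif ev.kind == "transfer":
            if ev.amount > LARGE_TRANSFER:
                alerts.append((ev.ts, "large_transfer",
                               f"{ev.amount:.2f} to {ev.payee} exceeds {LARGE_TRANSFER:.2f}"))
            added = added_at.get(ev.payee)
            if added is not None and ev.ts - added < NEW_PAYEE_WINDOW:
                alerts.append((ev.ts, "recent_payee",
                               f"{ev.amount:.2f} to {ev.payee}, added {ev.ts - added} ago"))
    return alerts


# Constructed activity log (not real data): a normal rent payment, a small
# utility bill, then a payee added at 3 a.m. and paid fifteen minutes later.
SAMPLE_EVENTS = [
    Event(datetime(2013, 2, 1, 9, 0), "add_payee", "landlord"),
    Event(datetime(2013, 2, 5, 8, 0), "transfer", "landlord", 1200.00),
    Event(datetime(2013, 2, 6, 12, 0), "transfer", "electric-utility", 85.20),
    Event(datetime(2013, 2, 9, 3, 10), "add_payee", "acct-9981-external"),
    Event(datetime(2013, 2, 9, 3, 25), "transfer", "acct-9981-external", 450.00),
]


def sample_alerts() -> List[Tuple[datetime, str, str]]:
    """Run the rules over the constructed log."""
    return detect_alerts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ts, rule, msg in sample_alerts():
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:<15} {msg}")
```

On the sample log this produces four alerts: two for the payee additions, one for the 1200.00 rent transfer (over the threshold, but to a payee added days earlier), and one for the 450.00 transfer, which is under the threshold and would be missed by an amount-only rule but is caught because the payee is fifteen minutes old.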

    4. Re:Banking passwords are overrated by thue · · Score: 3, Informative

      > Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts.

      Huh? Just go to "transfer money", write the account number of the receiver and the amount, and off the money goes.

      At least that is how it works here in Denmark. Very handy, too. Is the US still using personal paper checks?

    5. Re:Banking passwords are overrated by SJHillman · · Score: 1

      Some banks, like ING Direct, even allow you to transfer money between two phones if you have their app installed. Steal someone's phone, find they have their passwords saved, install the app on your phone and transfer away.

    6. Re:Banking passwords are overrated by Lehk228 · · Score: 1

Bank of America has the routing numbers available in online banking and bill pay can be set to send a check to an arbitrary name/address

      --
      Snowden and Manning are heroes.
    7. Re:Banking passwords are overrated by Anonymous Coward · · Score: 2, Interesting

      I have used a fair number of different banks over the past couple decades and seen a lot of different online banking systems. Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts. I have seen some where you can set up bill payments, but that was a chore and would not be useful for trying to pull money out quickly.

      I was curious, so I checked the services offered by Wells Fargo Bank, NA. Through their online banking system one can:

              Transfer Money & Make Payments
              Transfer to/from a non-Wells Fargo Account
              Add a non-Wells Fargo Account
              Send & Receive Money
              Transfer to Another Country
              Set Up Recurring Transfer
              Set Up Recurring Payment

      I'm feeling a strong urge to go back to my credit union.

    8. Re:Banking passwords are overrated by Chrisq · · Score: 4, Informative

      I have accounts with First Niagara (they acquired my HSBC account), ING Direct (recently acquired by CapitalOne) and Ally Banks. I frequently move money between them through the web interface - real easy to set up, you just need to be able to log in to both accounts you're transferring between. Furthermore, my girlfriend has an account with Keybank and we transfer money from her account to mine about once a month to cover living expenses (I pay for almost everything up front, she pays me her share monthly). All I needed from her to set it up was her password.

      If I get your banking login info, I can probably get a good chunk of your money before you realize it. Fortunately, many banks offer email alerts for transfers over X amount or if another account has been added. However, if you target someone who doesn't check their balance or email more than once or twice a week, you can probably get away with it before they know it's happening.

Same here in the UK. With FasterPayments I can transfer money from a NationWide account to a Barclays or a Coop within minutes. My brother-in-law used this recently when his daughter didn't have enough money to buy a train ticket home from uni; she was in the station, called, he transferred the money and she withdrew it from the CashPoint (ATM) a minute later.

    9. Re:Banking passwords are overrated by Neil+Boekend · · Score: 3, Interesting

With mine I can transfer money. However, it's protected way beyond a simple password. I need a "random reader": a simple device that accepts my debit card, requires my PIN and gives me back the one-time key to even see my details. When signing a transaction I need to give the PIN, a one-time key from the webpage and the amount of money before the comma (probably to prevent hijacking).
      I feel quite safe with that.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
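
The reader described in the comment above is a challenge/response device that, for a transfer, also binds the amount into the response. The following is an added example, not code from the thread or from any bank: a simplified model of both sides of that exchange, written to show why a captured password alone is not enough and why a hijacked transfer with a changed amount is rejected. The shared card secret, the PIN, the 6-digit HMAC-derived code and the message formats are assumptions; real readers work from EMV card cryptograms and differ in detail.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed values for the demo: the long-term secret assumed to be shared
# by the bank and the chip on the debit card, and the card's PIN.
CARD_SECRET = b"constructed-demo-card-secret"
CARD_PIN = "4821"


def response_code(secret: bytes, challenge: str, amount_whole: Optional[int] = None) -> str:
    """6-digit code over the challenge alone (login) or over the challenge plus
    the whole-unit amount (transaction signing).  Truncated HMAC-SHA256 stands
    in for the card's own cryptogram (an assumption of this model)."""
    msg = challenge.encode()
    if amount_whole is not None:
        msg += b"|" + str(amount_whole).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def reader(entered_pin: str, challenge: str, amount_whole: Optional[int] = None) -> Optional[str]:
    """The hand-held reader: the card checks the PIN first and only then
    computes a code, so knowing the online password yields nothing here."""
    if not hmac.compare_digest(entered_pin.encode(), CARD_PIN.encode()):
        return None
    return response_code(CARD_SECRET, challenge, amount_whole)


class Bank:
    """Server side: issues random challenges and checks each returned code
    against the transaction the bank itself intends to execute."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: Dict[str, int] = {}   # challenge -> amount awaiting a code

    def _challenge(self) -> str:
        return f"{secrets.randbelow(10**8):08d}"

    def login_challenge(self) -> str:
        return self._challenge()

    def verify_login(self, challenge: str, code: Optional[str]) -> bool:
        return code is not None and hmac.compare_digest(
            code, response_code(self.secret, challenge))

    def begin_transfer(self, amount: float) -> str:
        challenge = self._challenge()
        self.pending[challenge] = int(amount)   # "the amount before the comma"
        return challenge

    def confirm_transfer(self, challenge: str, code: Optional[str]) -> bool:
        amount_whole = self.pending.pop(challenge, None)   # each challenge is single-use
        if amount_whole is None or code is None:
            return False
        return hmac.compare_digest(
            code, response_code(self.secret, challenge, amount_whole))


def run_scenarios() -> Dict[str, bool]:
    """Walk through login, an honest transfer, a tampered transfer and a replay."""
    bank = Bank(CARD_SECRET)
    results: Dict[str, bool] = {}

    # Login: correct PIN yields a valid code; a wrong PIN yields no code at all.
    c = bank.login_challenge()
    results["login_ok"] = bank.verify_login(c, reader(CARD_PIN, c))
    results["login_wrong_pin"] = bank.verify_login(c, reader("0000", c))

    # Honest transfer: the user keys in the challenge and the amount on screen.
    c = bank.begin_transfer(123.45)
    results["transfer_ok"] = bank.confirm_transfer(c, reader(CARD_PIN, c, 123))

    # Hijacked session: the user still believes the transfer is 123.45 and signs
    # "123", but the request the bank received says 9000.00.  The code does not
    # match the amount the bank would execute, so the transfer is refused.
    c = bank.begin_transfer(9000.00)
    results["transfer_tampered"] = bank.confirm_transfer(c, reader(CARD_PIN, c, 123))

    # Replay: a code whose challenge has already been consumed is useless.
    c = bank.begin_transfer(50.00)
    code = reader(CARD_PIN, c, 50)
    bank.confirm_transfer(c, code)
    results["replay"] = bank.confirm_transfer(c, code)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:<18} {'accepted' if ok else 'rejected'}")
```

Two design points follow from the model. Because the code depends on the amount the bank has on file, the check happens on the server against the bank's own view of the transaction, not against anything the browser reports. And because the comment's reader signs only the amount, the destination account is not covered by the code; a reader that also asks for (part of) the payee account number binds that too.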
    10. Re:Banking passwords are overrated by vlm · · Score: 1

      and off the money goes.

off the money goes really Fing slowly. There is no technical reason why a credit card payment can't be posted as fast as a charge, for example, in minutes at most. I get an alert when I make a credit card charge and the alerts usually arrive in minutes at most. However, intentionally... probably... my bank's bill pay system takes an absolute minimum of one business day to process a bill pay (sometimes more) and they send email alerts to me both when it's set up and on the morning of the actual day of the transfer (at least one day in the future) when it could still be reversed. So if someone broke in and tried to send my whole account to dice.com or whatever, I would have instant warning someone is screwing around and at least 24 hours to prevent the transfer.

I use the word "bank" but it's actually a local credit union. Maybe some weird credit union reg paid for by banks that CUs must not do instant payments, who knows.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    11. Re:Banking passwords are overrated by balsy2001 · · Score: 1

      This is how it works in the US too. The poster just hasn't seen or noticed it (I would go with noticed it). But there is a difference between transferring funds and wiring funds. I can do as you describe and it will take a few days for the money to get from one account to the other. If you wire funds it is basically immediate and the money is gone.

      --
      GENERATION 27: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    12. Re:Banking passwords are overrated by Lumpy · · Score: 1

We are safer here in the USA. Our banks REFUSE to do that. Unless you pay them $50.00 as a fee to do it.

      --
      Do not look at laser with remaining good eye.
    13. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      I have used a fair number of different banks over the past couple decades and seen a lot of different online banking systems. Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts.

      My bank does. All I need is someone's check routing info and I can send them money. It can be very handy at times, even though it does increase the potential for fraud...

    14. Re:Banking passwords are overrated by SJHillman · · Score: 3, Interesting

      Most financial institutions do batch processing, not real-time processing. Your average bank will do all of the deposits first, around 3pm each business day, and then do all withdrawals. That's the main reason most transactions take a minimum of one business day.

    15. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

Isn't this protected with a security device? Every bank I have or had an online account with sent me such a device. Insert bankcard, insert challenge number from webby, give card PIN and then you get the number to unlock your account.
Every transaction you need to auth again.

If banks don't supply these I'd say it's their own responsibility if customers' accounts get plundered.

    16. Re:Banking passwords are overrated by operagost · · Score: 1

      Yes we are, but we also have systems like you describe.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    17. Re:Banking passwords are overrated by pixelpusher220 · · Score: 3, Funny

      yeah, the guy stealing your money would totally balk at spending $50 bucks of your money to do that ;-)

      --
      People in cars cause accidents....accidents in cars cause people :-D
    18. Re:Banking passwords are overrated by Anonymous Coward · · Score: 1

      yah, and all that is completely reversible. at worst, they'd know where the moneh went (assuming destination immediately took all the cash out).

    19. Re:Banking passwords are overrated by blueg3 · · Score: 1

      It puzzles me when I see that people work really hard to come up with difficult passwords for their bank accounts, but not for their personal accounts on their own computers. They really need to think about what value those passwords have to other people - in particular what could someone else do with those passwords if they had them?

      The attack scenarios are very different. Most home PCs do not have any remote access service enabled. So your password is safeguarding your computer from someone who is physically present but has neither the time nor the technical skill to bypass it. That's often, but not always, a very rare occurrence. (If it's a laptop and you were prudent enough to use full-disk encryption, that password is actually being useful.) Your banking password is protecting you from anyone who is (a) on the Internet and (b) discovers that your (bank, username) pair is valid.

    20. Re:Banking passwords are overrated by SJHillman · · Score: 1

      I just have to put in my username, password and some sort of online PIN or security question for each account. As far as I'm aware, only one of my banks even offers any sort of additional security like you describe.

    21. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      A lot of users likely have their SSN and DOB in their browser cache somewhere, and almost everyone has their address somewhere in there.

      If you already have physical access to their PC, presumably you know their address--you're there!

    22. Re:Banking passwords are overrated by s7uar7 · · Score: 1

With NatWest I have to use a card reader and my PIN to set up a new payee online. Someone who broke into my account could pay my credit card bill or transfer money to my brother but would find it hard to actually get their hands on my cash.

    23. Re:Banking passwords are overrated by ZiakII · · Score: 1

      Just to add to this I have Navy Federal (NavyFCU) and I can transfer money to accounts with no problem. In fact when ever I need to send a out of state friend money this is usually how I do it. As it beats PayPal as there are no transfer costs for me or for them.

    24. Re:Banking passwords are overrated by Chrisq · · Score: 2

With NatWest I have to use a card reader and my PIN to set up a new payee online. Someone who broke into my account could pay my credit card bill or transfer money to my brother but would find it hard to actually get their hands on my cash.

It's the same with Nationwide and Coop. YBS uses a confirmation-by-phone system, where an automated call tells you a number that you need to enter on their site.

    25. Re:Banking passwords are overrated by ub3r+n3u7r4l1st · · Score: 1

It is a pseudo-random number generator device. In the U.S., I have seen two financial companies doing it: E*TRADE and Blizzard Entertainment.

    26. Re:Banking passwords are overrated by Gorobei · · Score: 2

      This is how it works in the US too. The poster just hasn't seen or noticed it (I would go with noticed it). But there is a difference between transferring funds and wiring funds. I can do as you describe and it will take a few days for the money to get from one account to the other. If you wire funds it is basically immediate and the money is gone.

Note that there is a difference between "making funds available to an account," and "actually having money in an account." Checks vs wire transfers have different speeds at which funds become available, but the actual "having the money for sure" can take an open-ended amount of time (60 days or more, worst case.) So even if $100K is wired into your account, you can spend it, and next week find you owe the bank $100K because the wire transfer was later rejected.

      The "funds on hold" time period for checks is the result of two banks needing to agree money is to be transferred between them (I present check from bank A to bank B, bank B needs to assert bank A will honor the check.) This ensures the amount of bank deposits in the system reflects reality rather than people kiting checks for ever larger amounts to each other.

      This is orthogonal to your ability to withdraw money from your account because it has a positive balance. That's a convenience your retail bank affords you. You're on the hook if the funds you relied on don't materialize on time.

    27. Re:Banking passwords are overrated by Geoffrey.landis · · Score: 5, Informative

      Huh? Just go to "transfer money", write the account number of the receiver and the amount, and off the money goes.
      At least that is how it works here in Denmark. Very handy, too. Is the US still using personal paper checks?

      The article is talking about irreversible and untraceable money transfer. If the bank has been given "the account number of the receiver and the amount", it is neither irreversible nor untraceable. When the person defrauded complains to the bank, they reverse the transfer.

      Thus, the thief needs a mule, a person with an account that can be used to accept the transferred money and turn it (somehow) into untraceable cash.

      Some banks, like ING Direct, even allow you to transfer money between two phones if you have their app installed. Steal someone's phone, find they have their passwords saved, install the app on your phone and transfer away.

      Transfer to whom? To steal money by such a transfer you need to make an irreversible transfer to an untraceable account. (If it's not irreversible, they just take the money back; if it's not untraceable, they come after you and put you in jail.) The whole point of the article is that this process, making a transfer that the bank can't reverse and sending the money to an account that the law can't trace, is much more difficult than the process of stealing passwords.

      --
      http://www.geoffreylandis.com
    28. Re:Banking passwords are overrated by krinderlin · · Score: 1

      Are you in the US? Because I think we're talking Chip & Pin here, and we Americans decided that was just stupid. Mostly because Europe could never come up with something so innovative.</sarcasm>

    29. Re:Banking passwords are overrated by AvitarX · · Score: 1

      Do some banks blur our cancelled checks?

      Mine hides the number in the HTML interface, but I can pull up checks.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    30. Re:Banking passwords are overrated by LQ · · Score: 2

      With mine I can transfer money. However, it's protected way beyond a simple password. I need a "random reader": a simple device that accepts my debit card, requires my PIN and gives me back the one-time key to even see my details. When signing a transaction I need to give the PIN, a one-time key from the webpage and the amount of money before the comma (probably to prevent hijacking). I feel quite safe with that.

      When setting up a new payee, my UK bank sends a one-time code to my mobile phone that I need to enter via the web. I sort of feel safe with that.

    31. Re:Banking passwords are overrated by SJHillman · · Score: 1

      This would be Step 1 - getting control of the money. Once you have control of the money, then you can worry about moving it to an untraceable, irreversible account or withdrawing it as cash. Step 1 is merely the most difficult to do.

    32. Re:Banking passwords are overrated by balsy2001 · · Score: 1

      The non-transfers I was talking about are not checks, just electronic transfers between accounts at different banks (but I guess they may be treated that way and pass through the ACH, I am not a banker so I'll trust you if you say it is the same). I really thought when I wired funds they were gone. The last time I closed on a mortgage my bank asked me like 10 times if I was sure the account was correct and if I really wanted to wire 22K to them because it couldn't be reversed.

      --
      GENERATION 27: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    33. Re:Banking passwords are overrated by SuperHighImpact · · Score: 1

      If I understand the article correctly, banks are not worried about these transactions because it's traceable and can easily be reversed. If your girlfriend said the transfer was fraudulent, then the bank would simply take the money back from your account (yes, they can still do that even though it's with a different bank). If you had already withdrawn the money from your account, then you'd be looking at a negative balance and probably lots of fees and charges on top of that.

      Now, if you could initiate a Western Union transfer from your girlfriend's account, then it would become a serious risk.

      --
      sHi
    34. Re:Banking passwords are overrated by Gorobei · · Score: 2

      The non-transfers I was talking about are not checks, just electronic transfers between accounts at different banks (but I guess they may be treated that way and pass through the ACH, I am not a banker so I'll trust you if you say it is the same). I really thought when I wired funds they were gone. The last time I closed on a mortgage my bank asked me like 10 times if I was sure the account was correct and if I really wanted to wire 22K to them because it couldn't be reversed.

      It can still be reversed, but typically not by you on a whim :) So, they want you to be really sure you are sending the right amount of money to the right counterparty: it makes their job a lot easier.

      Thousands of wire transfers are reversed every day: software problems, miskeyed data, obsolete routing info, various post facto triggers (fraud alerts, money-laundering alerts, terrorist alerts, etc.)

    35. Re:Banking passwords are overrated by gorzek · · Score: 1

      The encryption key fobs you describe are not generally used by consumers as part of their typical banking practices. I don't know if they are even available to most people for that purpose.

      But yes, I've seen them used internally within firms that highly value the security of their data/money.

    36. Re:Banking passwords are overrated by Anonymous Coward · · Score: 2, Insightful

      It's amazing how different financial infrastructure is between countries. SWIFT (wire transfers) and Visa/MC/Amex are probably the most universal funds transfer systems worldwide.

      Interesting side note (I work in the credit card industry), the reasons cited for the U.S. being slow to move to Chip & PIN include: 1) U.S. merchants were on the mag-stripe bandwagon (or simply started accepting cards) sooner and hence have a much larger installed base to convert, 2) U.S. banks moved to 100% fraud protection so consumers were fairly insulated anyway, 3) the fraud rates in the U.S. are much lower (1-3% of overall spend volume) than the rest of the world.

      There is a small percentage of international travelers that now demand chip & PIN for their U.S. issued cards, and they ARE available, but they are not without difficulty. Especially when it comes to changing PINs, since the U.S. doesn't have a big installed base of ATMs and card readers that accept a PIN and enable a user to update one. However Visa and MC HAVE published a change to their rules that will take effect in 2-3 years that will shift fraud liability OFF the merchant if they process a chip & PIN transaction, so there is definitely the incentive now to move that direction. Also, several banks are experimenting with NFC microSD cards or SIM chips that tie in to phone apps and the Visa/MC networks. Don't be surprised if U.S. moves to chip & PIN plus some combination of other solutions.

    37. Re:Banking passwords are overrated by Dan+East · · Score: 1

      And when they batch process the withdrawals they are sorted from the largest transactions to the smallest, that way if you overdraw, there are many more individual transactions affected, and thus many more overdraft fees.

      Imagine if you have $500 in your account, and a $500 check for a car payment went through that day, and earlier in the day you used your debit card all over the place - a $1 drink from Sonic, got some gas, bought a few groceries, etc. If all the small transactions were processed first then only the car payment (you assumed wouldn't clear for another day or two) would have overdrawn, but instead, you get charged $35 for that $1 drink purchase, and your gas purchase, etc, etc.

      --
      Better known as 318230.
    38. Re:Banking passwords are overrated by EvanED · · Score: 1

      I have some kind of account with three different banks (a local credit union for checking & savings, an online "high yield" (not so much any more) savings, and a credit card); to my knowledge, none of the three offer those dongles.

      I get the impression they're common in Europe, but I think they're pretty unheard of in the US.

    39. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      Bank of America has this information blacked out in plain view. If you click show routing number or account numbers it just shows up. No password needed.

      I can also transfer out of the bank from their bill pay system. Used to do it all the time when ING Direct had such a great interest rate on their savings accounts.

    40. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      It is a pseudo-random number generator device. In the U.S., I have seen two financial companies doing it: E*TRADE and Blizzard Entertainment.

      Fidelity also offers it ... but only to "Institutional" investors. For us peon individual investors Fidelity has proudly announced that they're going to start asking you to confirm biographic data reports from Acxiom and Lexis/Nexis instead. F that

    41. Re:Banking passwords are overrated by SJHillman · · Score: 1

      What if I transferred it to my account and then withdrew it as cash or wired it as soon as it was under my control? I see bank-to-bank transfer as the first step of a chain where the thief first has control over the money.

    42. Re:Banking passwords are overrated by filthpickle · · Score: 2

      I outsmarted myself when I was young and ran into this. Maybe the angriest I have ever been with another person. She thought so too, because the cops showed up very quickly to escort me out. I thought I heard something about a bank(s) getting into trouble over this a while back (several years)?

    43. Re:Banking passwords are overrated by rudy_wayne · · Score: 2

      This would be Step 1 - getting control of the money. Once you have control of the money, then you can worry about moving it to an untraceable, irreversible account or withdrawing it as cash. Step 1 is merely the most difficult to do.

      No, you have got it exactly backwards. And that's the main point of the article. Getting control of the money is easy. You steal someone's password and you now have control of the money. Happens millions of times a year.

      But then you have to transfer that money somewhere else in such a way that it is not reversible (the bank can't take the money back) and not traceable (they can't identify you and come arrest you). THAT is the hard part.

    44. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      Fortunately, many banks offer email alerts for transfers over X amount or if another account has been added.

      Yup, I've got email alerts on all transfers going straight through an SMS bridge. I know immediately if there's any activity on any accounts. There's no other way to go, really.

    45. Re:Banking passwords are overrated by davidshewitt · · Score: 1

      Setting a good password on your PC to protect the personal information on it is useless unless you also have full disk encryption. Unless you've enabled some form of remote access, the password to your home PC is useless to a remote hacker. The best practice for securing the personal info on your PC is to keep it in a secure location (i.e. your house). If the PC leaves your house, encrypt it. If someone's physically broken in, you have bigger issues to worry about.

    46. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts.

      USAA lets you set up external accounts to receive electronic transfers. As long as you have a routing number and account number, you can electronically move your money out of USAA and into one of these accounts. Good thing too. I like being able to pay my friend for gas by literally transferring money into his account from my cell phone while he's pumping gas.

    47. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      It keeps amazing me that this is exceptional in the US. As far as I'm aware in the Netherlands only one of the major banks (ING) allows access without such a device, and many consider them to be backward.

    48. Re:Banking passwords are overrated by alexander_686 · · Score: 1

      Consumer Protection groups kicked up a fuss a few years ago but I don’t think it went anywhere.

      FYI, the bank position is that the larger checks are more important – if you are going to bounce a check you would rather have the smaller check to the grocery store bounce rather than your large rent check.

      And, they also call “Free Checking” “Fee checking” – because the way they make money is off the fees.

    49. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      My online bank allows online transfers to any other account, including in another country. You do need a two-factor authentication, so just the password alone won't give that ability.

    50. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      Um, what's so hard about making an account with an online bank under a fake name? Yeah, you need an address so they can send you your card, but that's easy to arrange: rent a place for a month or two (using a fake name, paying cash), apply for every online bank you can, have them send all your cards there, then stop renting.

      Get people's banking passwords, transfer to one of your accounts. Go to ATM, withdraw cash. After a while throw that card away and use the next account.

      Lather, rinse, repeat.

    51. Re:Banking passwords are overrated by LO0G · · Score: 1

      How do you do that transfer without leaving an audit trail? That's the whole point of the article - the transfer is only interesting if they can somehow break the audit trail between your bank account and their bank account.

      The common method for this is to use a money mule - the money mule wires the money from your bank account to the mule's bank account. The mule then sends a money wire to the bad guy keeping 10% for themselves.
      Fast forward a couple of days when you find the theft. You report it to the bank, they trace the transfer to the mule's account and remove the money from the mule's account. Now the bank's reimbursed you for your money (which the federal government requires them to do), the mule's out the money they stole and the bad guy's got the money. Effectively the bad guy has stolen from the mule, not from you.

    52. Re:Banking passwords are overrated by LO0G · · Score: 1

      According to the article, at least in the US you're required to show up at a bank in-person to create the account, which means they have a picture of you from the security cameras creating the account. Oh and you need a bunch of forms of ID to create the account.

      One of the key pieces of evidence they use is that banking passwords go for pennies - if it was as easy to get the money as you say it is, the account passwords would be worth more money.

    53. Re:Banking passwords are overrated by Lumpy · · Score: 1

      My point is that US banks are ...

      1 - run by morons.
      2 - about 60 years behind the rest of the world.
      3 - really don't care about customers.

      Being able to transfer funds like Europeans have been able to do for over a decade is still impossible here. Mostly because our banks are deregulated and they refuse to do anything other than just raise fees.

      --
      Do not look at laser with remaining good eye.
    54. Re:Banking passwords are overrated by Randle_Revar · · Score: 1

      I talked to a European once about that stuff. I didn't fully get all the details, but I do know the US has nothing like it.

    55. Re:Banking passwords are overrated by rocket+rancher · · Score: 1

      > Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts.

      Huh? Just go to "transfer money", write the account number of the receiver and the amount, and off the money goes.

      At least that is how it works here in Denmark. Very handy, too. Is the US still using personal paper checks?

      Out of curiosity, what is the fee structure? I have on- and off-shore US, Mexican, and Costa Rican accounts, and can do EFT from the bank's web interface to any financial institution that supports EFT from any of them. They just charge me an arm and a leg to do it, but the convenience definitely outweighs the expense for me. Btw, I've never done any business with an entity that didn't have access to EFT, so I'm skeptical of the GP's claim.

    56. Re:Banking passwords are overrated by Anonymous Coward · · Score: 0

      According to the article, at least in the US you're required to show up at a bank in-person to create the account,

      Bullshit. I myself have an online bank account. I was 'supposed' to send in some notarized copies of my ID, but never did, and the account is still open.

    57. Re:Banking passwords are overrated by thue · · Score: 1

      For transfers between Danish banks it is free. Don't know about international transfers.

  3. Not password stealing. by Anonymous Coward · · Score: 2, Interesting

    First of all, it's not theft if you still have your password. Secondly, if you leave your car unlocked with the engine running and go shopping, will the insurance company pay you back for your loss or call gross negligence? There's a difference between having a reasonable password for banking that's not the same one you use everywhere, and between using "hunter2" for every single place you have an account. And finally, I'm pretty sure banks don't reimburse money stolen from shops. Same goes on here. If someone breaks into the bank, you get your money anyway. If someone breaks into your home, the bank doesn't care.

  4. I dunno... how much is a good fake ID? by way2trivial · · Score: 2

    if you got my bank password... you could use online billpay to mail a check and cash it... if it was under a thousand, my bank wouldn't blink.

    so scenario.. I get a good set of identity papers, even just a license together for a lady who works all day

    I have, 10 account passwords at different banks and use online billpay to mail out 10 checks for $900 + odd amount checks.

    I swipe them from the mailbox of the lady who works all day....
    I cash them all on the same day- visiting 10 issuing banks...
    burn the ID

    yes, I see where that could fall apart in a few spots, but I'm not a professional grifter, a variation of it should be achievable.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  5. Ummm.... by wisnoskij · · Score: 1

    OK, so say someone steals money from your account.

    the thief has made money.
    If someone notices the theft I guess you get your money back, at least that is what the article claims.
    I guess banks have insurance for this sort of thing, but even if they do they would pay more in insurance payments than they would in actual dollars lost over time; That is how insurance works. So they do lose money, unless they are allowed to make new money when some is stolen. This loss is passed onto you the customer.

    --
    Troll is not a replacement for I disagree.
    1. Re:Ummm.... by gl4ss · · Score: 3, Insightful

      because there was talk about mules I'm assuming it's usual that it's moved to some gullible idiot's account, who takes a fee and forwards the money (nigeria scam sort of) via untraceable method.

      so that guy ends up paying the damages.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Ummm.... by Anonymous Coward · · Score: 0

      You can see multiple jobs listed for "mules" on craigslist.

    3. Re:Ummm.... by Eskarel · · Score: 1

      Yes, the cost is passed on to you the customer. The whole point of the exercise is that the cost of actually doing something about it (which will also be passed onto the customer) is orders of magnitude higher than the cost of the fraud. They don't actually have insurance for this, it's just cheaper to write it off than it is to fix it.

    4. Re:Ummm.... by gorzek · · Score: 3, Interesting

      I had a friend who unwittingly served as a mule for dirty money to be laundered through his account. He was approached, asked if he'd be willing to deposit some checks, wait a few days, then transfer them (minus a small percentage for himself) to another account. He didn't see a problem with that, and hey, it was easy money! So he agreed.

      When the feds came a-knockin', he was lucky all he had to do was pay the money back, rather than go to prison.

  6. I think the article misses the point by Chrisq · · Score: 4, Insightful

    The gist of TFA is that since the transfer from the person with the compromised password to the mule is reversed it is the mule that loses out, so the password isn't the bottleneck. (evidently the bottleneck is mule-recruitment and back-end fraud detection). This rather misses the point that it is a potential stopping point. If the account can't transfer money to the mule then the mule can't be persuaded to take commission and send the rest on by Western Union.

    Maybe I'm cynical, but it seems to me that this analysis is a big "not my problem" statement by Microsoft. The client-end OS and browser security, which Microsoft has a big share of are not the "real problem" - that lies at mule recruitment and backend fraud detection systems, both areas where Microsoft has little investment.

    1. Re:I think the article misses the point by Lehk228 · · Score: 4, Insightful

      The bank reimburses the individual customers who lose money, (costs go up for everyone but the specific losses are socialized). The cost to improve the password security of every account would exceed the reduction in fraud costs, therefore it is in nobody's interest to spend money on that aspect of security.

      --
      Snowden and Manning are heroes.
    2. Re:I think the article misses the point by Anonymous Coward · · Score: 3, Insightful

      I think the article is spot-on. Their point is that anti-fraud resources could be better directed. There is so much hemming and hawing about how insecure passwords are and how they get lost and how they can be cracked when the PW is only the first hoop a would-be thief would have to jump through and a low one at that. The defense has to be the whole system. The article speaks to that briefly:

      "If a large lake of credentials is drained by a narrow pipe of mules then reducing the inflow to the lake might have no effect on the net harm done. Enormous energy has been devoted to the task of replacing passwords with something more secure. Yet, there is no clear picture of how much harm this would eliminate."

    3. Re:I think the article misses the point by MozeeToby · · Score: 5, Insightful

      I think what they are getting at is that criminals have access to X passwords and Y mules, where Y is significantly less than X. Let's say they have 10,000 passwords for every mule that they have, and each mule will perform 10 transactions before they are caught out (or catch on, depending). That means you could reduce the number of leaked/grabbed/cracked passwords by 99% and still have the exact same amount of financial crime; and none of those numbers seem all that far outside of the realm of possibility to me.

      But that is about overall crime and statistics. You can still lower your risk of being a victim by choosing strong passwords, keeping a clean pc, etc.

  7. Men and women are the same sex? by Ol+Biscuitbarrel · · Score: 0

    Remember: there's a seeker born every minute!

    Avoid eye contact. If there are no eyes, avoid all contact.

  8. No it's not.... by mseeger · · Score: 2

    Another headline that may mislead people. Password stealing is not just a banking problem. Attackers may do a lot of damage to a person without needing to extract the money directly.

    The most important lessons for passwords are:

    1. One password, one service. Do not re-use passwords.

    2. Prefer long to complex passwords.

    Use a sentence that is important to you and modify it per service.

    E.g. "may the face be with you" for Facebook or "may the search be with you" for Google.

    If the service allows such, you are beyond any rainbow table and those passwords are easy to remember and customize per service.

    1. Re:No it's not.... by Bigby · · Score: 1

      When most people use more than 2 passwords across all sites, they need to write them down. I know there are tools out there, like hashing for specific sites, but is my 65 yr old mother going to use it? Or are they going to put it in Excel, print it out, and put it in their top drawer?

    2. Re:No it's not.... by mseeger · · Score: 1

      When the question is whether to use a single password on multiple sites or writing all the passwords down, I vote for the second option.

      Usually such things can be avoided, if the person is taught a password generating algorithm which modifies the password per site.

      But writing them down (the safer with tools the better) is a lot better than re-using passwords all the time.

    3. Re:No it's not.... by s0nicfreak · · Score: 1

      Use a sentence that is important to you and modify it per service. E.g. "may the face be with you" for Facebook or "may the search be with you" for Google.

      But then someone only has to get maybe 2 passwords to figure out your system. Then they have access to EVERYTHING.
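      The per-service scheme mseeger proposes (comment 8 and reply 2), the "hashing for specific sites" Bigby mentions, and s0nicfreak's objection above, put side by side as an added example. This is not code from the thread or from any product named in it; the master sentence, the service labels and all function names are my own assumptions. The plain scheme swaps one word per service; the hashed variant feeds the same master sentence and the service name through PBKDF2-HMAC-SHA256, so two leaked per-service passwords share no visible pattern.

```python
"""Per-service passwords: the readable substitution scheme beside a hashed one.
Added example for the Slashdot thread; not from any post or product in it."""
import base64
import hashlib

# Constructed master passphrase for the demo (assumption); pick your own.
MASTER = "may the force be with you"
ITERATIONS = 100_000   # PBKDF2 work factor; raise it on fast hardware


def plain_variant(master: str, service_word: str) -> str:
    """The substitution scheme from the thread: swap one word per service.
    Easy to remember, but two leaked passwords expose the shared sentence."""
    return master.replace("force", service_word)


def derived_variant(master: str, service: str, length: int = 20) -> str:
    """Hashed scheme: PBKDF2-HMAC-SHA256 keyed on the master sentence, with the
    normalised service name as salt. Deterministic per service, and one
    leaked output reveals nothing about the master or about other services."""
    salt = service.strip().lower().encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=30)
    # URL-safe base64 yields letters, digits, '-' and '_' only, which most
    # password policies accept; 30 bytes -> 40 chars, so no '=' padding.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def longest_common_substring(a: str, b: str) -> str:
    """Plain dynamic-programming LCS; measures how much two passwords share."""
    best_end, best_len = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def compare_schemes(master: str = MASTER) -> dict:
    """Build the two Facebook/Google passwords under each scheme and report
    the longest substring the pair has in common (what a thief holding both
    would see)."""
    plain = [plain_variant(master, w) for w in ("face", "search")]
    derived = [derived_variant(master, s)
               for s in ("facebook.com", "google.com")]
    return {
        "plain": plain,
        "plain_shared": longest_common_substring(*plain),
        "derived": derived,
        "derived_shared": longest_common_substring(*derived),
    }


if __name__ == "__main__":
    report = compare_schemes()
    for scheme in ("plain", "derived"):
        print(scheme, report[scheme],
              "shared:", repr(report[scheme + "_shared"]))
```

      The trade-off the thread argues about is visible in the output: the plain pair shares the whole tail " be with you", while the derived pair shares at most a few characters by chance. The cost is that the derived password cannot be typed from memory; it has to be regenerated by the same routine, which is exactly the niche a password manager fills.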

    4. Re:No it's not.... by s0nicfreak · · Score: 1

      If someone looking to steal from her has access to her top drawer, she's already screwed.

    5. Re:No it's not.... by mseeger · · Score: 1

      There are two typical cases:

      1. The attacker got your password at a hacked site.

      2. The attacker got your password by being on your PC.

      In case 1 he has one password, in case 2 he has all passwords. In both cases the weakness you mentioned is not relevant.

      It is a weakness, but a rather small one compared to re-using the same password everywhere.

      Also it makes it hard for an attacker to decrypt your stored password. To succeed he has to hack two sites which both store the password in plain text. I think we can ignore that probability ;-).

    6. Re:No it's not.... by Anonymous Coward · · Score: 0

      E.g. "may the face be with you" for Facebook or "may the search be with you" for Google.

      "Why are you wearing that stupid human suit?" was my wifi password for a couple of years.

      I figured if it was ever somehow cracked they would leave it alone out of respect or fear.

    7. Re:No it's not.... by Anonymous Coward · · Score: 0

      Passwords need security levels. Many sites want strong passwords which do not matter. 1 password for everything unimportant, 1 password for things that impact your reputation, 1 password for finance. Forgotten password button for any site which has some stupid restrictive password policy that forces you to diverge from your commonly used ones.

    8. Re:No it's not.... by Anonymous Coward · · Score: 0

      Completely agree.

      The safety returns to time invested has probably the best point where you use one password but modify it for different sites.

      As you say, if they have a keylogger, it doesn't matter how many you have. Hacking multiple sites and correlating the passwords is a manual operation. These people don't do "manual", they do bulk. Unless you are rolling in cash and should probably do something more.

    9. Re:No it's not.... by CCarrot · · Score: 1

      When the question is whether to use a single password on multiple sites or writing all the passwords down, I vote for the second option.

      Usually such things can be avoided, if the person is taught a password generating algorithm which modifies the password per site.

      But writing them down (the safer with tools the better) is a lot better than re-using passwords all the time.

      This is where password manager programs like Keepass are useful. Remember one password => access to rest of passwords.

      For wider usability, you can 'dual' encrypt the database (so it requires both a passfile and a password) then store it on the cloud service provider of your choice...

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    10. Re:No it's not.... by s0nicfreak · · Score: 1

      Except there's another typical case

      3. The attacker trades/buys passwords from several hacked sites of the same genre, or several sites of the same genre have had their passwords compromised and posted on thepiratebay, given out willy-nilly through irc, etc., and you use the same screen name on those sites.

      Though okay, I don't know how typical this is with other sites, but it's typical with video game related sites and services.

    11. Re:No it's not.... by mseeger · · Score: 1

      Of course:

      - Memorize passwords >> Stored passwords
      - Cryptographic Storage >> Written down passwords
      - Written down passwords >> Same passwords on multiples sites

      With ">>" as "better than".

    12. Re:No it's not.... by mseeger · · Score: 1

      Less than 1:1000

      That assumes that you actually change your passwords once a site tells you it has been compromised. But even in worst case scenarios the chances are 1:100 compared to single/all passwords stolen.

      Overall I would summarize:

      - Memorized passwords >> Stored passwords
      - Cryptographic Storage >> Written down passwords
      - Written down passwords >> Identical passwords
      - Individual passwords >> Generic passwords
      - Generic passwords >> Identical passwords

      With ">>" as "better than". Special cases always apply, but I think those are good rules of thumb.

    13. Re:No it's not.... by Anonymous Coward · · Score: 0

      Ahem. If you believe that evildoers only run or hack one site, then your picture should appear in the dictionary by the word gullible.

    14. Re:No it's not.... by CrimsonAvenger · · Score: 1

      1. One password, one service. Do not re-use passwords.

      2. Prefer long to complex passwords.

      Use a sentence that is important to you and modify it per service.

      Better yet, get PasswordSafe, come up with one good password (for your password safe), let PasswordSafe generate all the rest of your passwords for you.

      --
      "I do not agree with what you say, but I will defend to the death your right to say it"
  9. Microsofties? by slackware+3.6 · · Score: 1

    Really?

    1. Re:Microsofties? by Anonymous Coward · · Score: 0

      or vagina.

  10. Pretentious titles by Synarus · · Score: 1, Informative

    Pretentious titles like this are ridiculous. This story did not prove any of my notions wrong.

  11. Web security is no substitute for Crypto-Auth by dw · · Score: 2

    So the argument is someone steals my password, steals my money, gives it to a money mule... then I get my money back from the bank, and somehow that doesn't cost me in the end? Even disregarding the fact that those costs are going to get passed on to me somehow... The inconvenience of having to deal with identity theft is not always minor (and there's probably collateral damage here as well).

    My biggest beef with banking is that I don't, but should, have the ability to send money with end-to-end authorization, by way of public key crypto. If, say, Amazon could verify that I authorized a purchase using my public key, then network security, and banking security, is irrelevant. Bitcoins have offered a very secure example of how this could work, assuming that you have good local security (your private keys are safe).

    1. Re:Web security is no substitute for Crypto-Auth by balsy2001 · · Score: 2

      A lot of this is a US problem because the banks refuse to update their systems. I live in China and they have an interesting system set up for online purchases (in store is not as rigorous). When you get your card they give you a token (appears kind of like an RSA token, but I don't know the security behind it). To buy something online with that card you have to use your pin, token number, and enter a separate code that they text to your phone at the time of checkout. If set up right this form of on-line purchasing would put a serious dent in fraudulent purchases. Even if they have my card number and access to my account to change the phone number for the text, they don't have the token, unless they also broke into my house. Another example where the US misses the boat is the credit cards with chip and pins. In the states if you have the card you can basically max it out. At least with chip and pin you have to have the pin number for the card to work. The banks just don't care because they pass the losses back to the customers and merchants.

      --
      GENERATION 27: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    2. Re:Web security is no substitute for Crypto-Auth by Sique · · Score: 2

      You overlook one of the most important aspects of TFA:
      Many transactions can be reversed, and it's especially simple to reverse easy to repudiate transfers.
      So yes, all customers of the bank will pay their share for the increased security, fraud detection and the cost associated with reversing repudiated transaction, but the money actually retransferred does not come from the bank or the bank's customers.
      Thus, what an account password thief has to do to empty a bank account is to initiate an untraceable and thus non-reversible transfer. One often used way is the use of a money-mule: An easily repudiatable transfer comes from the original victim's account, the money-mule withdraws the money (minus the "commission") and then initiates a second, non-repudiatable and non-reversible money transfer, e.g. via Money Transfer or handing the physical money bills to someone else.
      If the original victim notices the theft, the first transfer is repudiated, and the money is retransferred from the money-mule's account, while the money-mule has no chance to reverse the second transaction, because this one is non-repudiatable. Thus the money-mule bears the actual cost of the fraudulent money transfer, the original victim gets the money back.
      Fraudulent money transfers with stolen passwords don't actually steal from the person whose password was stolen (except if this person for some reason doesn't reverse the transfer), they steal from the persons who are hired to play money-mules. And they are the actual bottlenecks here. There is no point in having the passwords to accounts amounting to several million dollars, if you have only a single money-mule, and this one will transfer less than $10,000 at once. It probably won't transfer the money a second time because of being already bankrupted by the first transfer going bad.

      --
      .sig: Sique *sigh*
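The loss attribution the comment above walks through, replayed on a toy ledger so the reversible/irreversible distinction is explicit. This is an added example, not code from the thread or from the paper it discusses; account names, amounts and the per-mule limit are constructed.

```python
"""Toy ledger: who is left holding the loss once a transfer made with a
stolen password is repudiated. Added example with constructed values."""

from dataclasses import dataclass, field


@dataclass
class Transfer:
    tid: int
    src: str
    dst: str
    amount: int
    reversible: bool        # bank-to-bank credit: can be repudiated later
    reversed: bool = False


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def transfer(self, src, dst, amount, reversible):
        """Move funds. Balances may go negative: that is the clawback."""
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        t = Transfer(len(self.log) + 1, src, dst, amount, reversible)
        self.log.append(t)
        return t

    def repudiate(self, tid):
        """Reverse a transfer; refuses irreversible or already-reversed ones."""
        t = self.log[tid - 1]
        if not t.reversible or t.reversed:
            return False
        self.balances[t.dst] -= t.amount
        self.balances[t.src] += t.amount
        t.reversed = True
        return True


def mule_scenario(victim_balance=5000, stolen=4000, commission=200):
    """Replay the chain from the comment: reversible victim->mule credit,
    irreversible mule->fraudster cash transfer, then the victim repudiates."""
    ledger = Ledger({"victim": victim_balance, "mule": 0, "fraudster": 0})
    first = ledger.transfer("victim", "mule", stolen, reversible=True)
    second = ledger.transfer("mule", "fraudster", stolen - commission,
                             reversible=False)
    ledger.repudiate(first.tid)          # victim is made whole
    assert ledger.repudiate(second.tid) is False   # mule cannot undo the cash-out
    return dict(ledger.balances)         # mule ends up negative


def cash_out_capacity(n_passwords, n_mules, per_mule_limit):
    """Why mules, not passwords, are the bottleneck: each mule is good for
    one transfer under the limit, so extra passwords add nothing."""
    return min(n_passwords, n_mules) * per_mule_limit
```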
    3. Re:Web security is no substitute for Crypto-Auth by BasilBrush · · Score: 1

      Who are these "mules"?

      They're either criminals or objectivists. Criminal if they believe the money originates from a crime. Objectivists if they believe the origin of the money is merely immoral, but not criminal.

      Either way, I'm not losing any sleep over their losses.

    4. Re:Web security is no substitute for Crypto-Auth by Sique · · Score: 1

      Those are the people who fall for "work from home, no education required" scams. They are the real victims of this fraud. From an objective point of view, stealing passwords is just a way to trick those people into withdrawing large sums from their account and give it to the perpetrator without a chance to get it back, just by temporarily placing a large sum in their account. Password stealing is thus akin to getting hold of a carrot you can later place in front of the victim's nose.

      --
      .sig: Sique *sigh*
  12. It's really even worse than that by Anonymous Coward · · Score: 5, Interesting

    About a year ago, I had my debit card stolen by a bartender, who used it to buy plane tickets for a vacation. Even though I *paid* for the tickets, the airline (*cough* Jet Blue *cough*) refused to give me the name of the passengers listed on the ticket. That in itself stunned me. Then it got worse.

    I went through the bank, saying I could ID the person with 99% certainty (since the bartender was talking about not being able to pay for tickets at the bar that night). They of course referred me to the fraud department. The fraud department then of course referred me to File 13. Not one care was given to the matter. When I pushed on the issue, they asked why I cared, my account had been reimbursed. When I said it was the principle of the matter, they laughed and said the bank would simply write-off the loss and everybody wins.

    It was then I realized the banks may actually *want* the fraud.

    And I now trust my mattress more than any bank these days.

    1. Re:It's really even worse than that by Eskarel · · Score: 3, Informative

      They don't want the fraud. It's simply more expensive to fix it than it is to lose the money and given that it's only money being lost for the most part(identity theft is a very different sort of issue with much broader consequences), no one gives a flying fuck. Sure there's a principle involved, but in the end is it righteous to spend tens of thousands of dollars chasing down a guy who stole a few hundred? Especially when you had dick all when it came to evidence. You hearing the guy whinging about not being able to afford a plane ticket shouldn't even be enough to get a warrant let alone an arrest and proving that the guy the tickets were bought for is the guy who bought the tickets isn't really all that cut and dry either.

    2. Re:It's really even worse than that by mlts · · Score: 3, Funny

      Mattresses seem to be the banking instrument of the future:

      1: No overdraft fees.
      2: No fees on withdrawals.
      3: No fees due to having a balance under x amount.
      4: Accessible 24/7, not just "banker's hours".
      5: No need to worry about a username/password.
      6: No ID theft can slurp your balance dry.
      7: Assets can only be frozen if your heater fails.
      8: Interest rate is about the same as most CDs.
      9: Computer glitches won't make the balance disappear.
      10: No need to give all your personal info when starting a new account.

    3. Re:It's really even worse than that by ub3r+n3u7r4l1st · · Score: 2

      11. No protection against physical burglary
      12. No protection against devaluation
      13. No protection against overnight invalidation of your currency (which can happen under martial law)
      14. Paper burns
      15. Family replace mattresses without you knowing it, throwing everything
      16. Family inside job / theft

    4. Re:It's really even worse than that by PPH · · Score: 1

      11. You can have multiple mattresses in various countries and keep the IRS from sniffing around in them.

      --
      Have gnu, will travel.
    5. Re:It's really even worse than that by Anonymous Coward · · Score: 0

      Few hundred dollars in loss for the bank.
      Compare this to having to spend x hours of their employees' time tracking it down, gathering all the dates, times, numbers, having to coordinate with police, etc. Also, it is a loss, which can be deducted from their profits to lower their taxes. Which is easier and/or more cost effective?

    6. Re:It's really even worse than that by Anonymous Coward · · Score: 0

      ... You can have multiple mattresses ...

      Once you've paid the overhead of multiple mistresses, I doubt you have gained anything over a single account and taxes.

    7. Re:It's really even worse than that by T-Bucket · · Score: 2

      The police definitely would have been interested. I've had (on at least three separate occasions) flights that I was flying held at the gate at departure time so the cops could board and remove people who purchased their tickets with stolen credit cards.

      That's got to be one of the DUMBEST things to buy dishonestly. I mean, purchasing something that guarantees you will be at a certain place at a certain time? Duh?

    8. Re:It's really even worse than that by Anonymous Coward · · Score: 0

      Jet Blue probably had ironclad evidence.
      And yes, going after bad people may cost money and/or effort. But I think you've got to at least try to do what's right, not just what's profitable.

    9. Re:It's really even worse than that by Cro+Magnon · · Score: 1

      11. No protection against physical burglary
      12. No protection against devaluation
      13. No protection against overnight invalidation of your currency (which can happen under martial law)
      14. Paper burns
      15. Family replace mattresses without you knowing it, throwing everything
      16. Family inside job / theft

      12. An interest rate of 00000.7 percent isn't much more protection than my mattress, and maybe better, with the lack of fees.
      13. Can't that happen with bank funds too?
      16. My brother has a decent chance of getting into my bank account too. After all, he knows my mom's maiden name, my favorite color, and my first pet.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  13. Everything you know is wrong by Meneth · · Score: 1
  14. r00t by Anonymous Coward · · Score: 0

    Thanks for the info...

  15. too hard by nten · · Score: 2

    Using their numbers, we would have to introduce security measures that made passwords 1000000% more difficult to obtain, than they currently are, in order to put credentials on par with mules in terms of value. Having N mules available and N+1 passwords available, the amount of crime would be no less than if we had N*10^6 passwords available. They do not mention why we cannot remove the ability for a money owner (mule) to initiate large unrepudiable transactions. They indicated this was usually via western union or moneygram. What harm would we do society by removing those methods? Security is very hard. I don't believe we can make credentials even close to 1000000% more secure, and if we do not, we will only drive up the price of those credentials by an insignificant amount.

    --
    refactor the law, its bloated, confusing and unmaintainable.
    1. Re:too hard by Eskarel · · Score: 1

      Well essentially every libertarian on Slashdot and a whole mess of criminals would complain that you've made it very difficult to move untraceable cash around(which is sort of the point). To be honest I'm not sure this is a particularly big deal since you can still drive around with a big old briefcase full of cash.

      Fundamentally though you'd make life harder for people who don't have access to computers and the modern world. In particular you'd make it difficult for immigrants to send money back to their families in whatever third world shit hole they came from. You can make the judgement about whether this is actually a tremendously bad thing(transferring cash from the US economy to somewhere else isn't necessarily great for the US economy, but it's pretty great for the people receiving the money and the people sending it), but the impact would be pretty massive. Not quite as massive as the impact of banning third party check cashing(apparently there are people who are sufficiently poor that having a bank account is a waste of money), but the old school economy is a pretty big thing(isn't it interesting that with all this crying about electronic banking and stolen passwords, most fraud works through mechanisms which have been in place for centuries(western union is basically a telegraphic letter of credit).

    2. Re:too hard by krinderlin · · Score: 3, Interesting

      I so wish for mod points. Western Union/Moneygram are the "Banks" for people without the ability to now meet new Federal Standards for State Issued ID. The paperwork required today in many states just to get a new "Secure ID" is ridiculously bad if you've done anything other than be born in the last 60 or so years, gotten married, receive physical bills & bank statements, and had those items delivered to your physical address (which assumes you can receive mail at your physical address).

      So it isn't just "illegal" immigrants using these services, anymore. It's a large segment of the lower end of society that is being forced to utilize these services so they can pay utility bills with cash, money orders, and move money about to relatives. You're actually causing severe harm getting rid of the cash-based services.

      Off topic: Lucky me, I've bypassed the "chain of name changes" requirement by having a Passport. My adoption papers don't even exist anymore thanks to a house fire and a flooded court house basement. I'd be so screwed if it weren't for the fact my employer required me to get a passport 3 years ago.

    3. Re:too hard by pnutjam · · Score: 1

      These well off members of society who have never dealt with real adversity who are commenting on slashdot, are the same ones proposing laws and voting.

      Thank you for attempting to educate.

    4. Re: too hard by Eskarel · · Score: 1

      Your case should actually be solved by dealing with the stupid id laws, realistically no one living in the US should actually need these services unless they are sending money overseas, but this is how such systems go.

  16. Online security for banks is a joke. by 140Mandak262Jamuna · · Score: 5, Informative
    I have made many posts asking for two level access. First level password is good for looking at balances and bills etc. And you need the second level password to actually move money or cash it out. But each financial institution does it its own way. The final decision seems to be made by some old coot who gets mortally afraid of computers, who has a bevy of secretaries who print their emails and put them in folders, whose on line skills match that of Donald "I save classified docs in my unsecured personal laptop" Rumsfeld or David "gee I will exchange mail using drafts folder, no one will think of it ha ha ha" Petraeus.

    Fidelity. Made me choose all numeric password because alphabets would confuse their old retirees who use phone based transactions. I was shocked and wanted to disable phone based transactions on my account immediately. Was told to take a hike. They can't disable it without disabling on-line access as well. Was forced to continue the account because our company 401K is with these morons. Have not checked recently if it has changed.

    ETrade They used to be good. They had the concept of a "trading password" on top of a regular password. Exactly what I wanted. You need to provide the trading password to actually do trade or cash out money or transfer funds. They took it away! I called to complain. They gave me a free RSA dongle. These jokers imagine their customers having an RSA key fob for each account. Can't ditch them. Our company stock purchase plan is with them.

    Schwab would give a RSA fob if I asked. But don't know how it works with Quicken. Will upgrade to latest quicken and see if it is supported. Even then I don't fancy dangling around with key fobs.

    PNC Bank if you setup an all numeric username it would also serve as your phone banking user id. But you need all numeric password to use it with phones. Thank you PNC! I set up an all numeric username and an alphanumeric password. So phone transactions are not possible. With VOIP and caller-id spoofing phone banking is as vulnerable as on line banking. At least let me cut down one attack surface.

    Why can't they give me two level passwords? Why can't they implement a two factor authentication like google does with cell phones? Why can't they send a text message on every transaction so that I would be alerted by any fraudulent activity?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Online security for banks is a joke. by Anonymous Coward · · Score: 0

      My bank calls/texts me with a one-time use password if I want to log in from an unverified computer. Customer Bank. It always struck me as overkill.

    2. Re:Online security for banks is a joke. by Chriscypher · · Score: 2

      ETrade They used to be good. They had the concept of a "trading password" on top of a regular password. Exactly what I wanted. You need to provide the trading password to actually do trade or cash out money or transfer funds. They took it away! I called to complain. They gave me a free RSA dongle. These jokers imagine their customers having an RSA key fob for each account. Can't ditch them. Our company stock purchase plan is with them.

      So what's the problem with Etrade having a RSA dongle? Seems to me it's way more secure to prevent credential capture, as the account login password is 'new' every minute and they timeout active logins fairly quickly.

      --
      "You have liberated me from thought."
    3. Re:Online security for banks is a joke. by firewrought · · Score: 1

      Even then I don't fancy dangling around with key fobs.

      Hunh? Really? I wish all of my online institutions supported key fobs, but none of them do. Or rather, none of them have volunteered the option to me... I guess I really should start asking, because this "just a password" thing seems very, very silly. Heck, I'd probably setup a dedicated PC for banking in my house, but that one would be hard to get past my spouse. :O

      --
      -1, Too Many Layers Of Abstraction
    4. Re:Online security for banks is a joke. by Anonymous Coward · · Score: 0

      Fidelity. Made me choose all numeric password because alphabets would confuse their old retirees who use phone based transactions. I was shocked and wanted to disable phone based transactions on my account immediately. Was told to take a hike. They can't disable it without disabling on-line access as well. Was forced to continue the account because our company 401K is with these morons. Have not checked recently if it has changed.

      From the Fidelity website:
      Password Standards
      - Use 6 to 12 letters and/or numbers
      - Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)
      - Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g., 12345 or 11111)
      - Do not use symbols, punctuation marks, or spaces (e.g., #,@, /, *, -.)

    5. Re:Online security for banks is a joke. by Anonymous Coward · · Score: 0

      I've had some questions about eTrade too.
      Forgot my password, called their hotline (clearly in India), gave my name, account number and company name; that was basically all!
      They just reset the password and gave it to me on the phone ?!
      I would have expected at least a system where they generate a password and send it your registered e-mail address. Not just a plain: your password is now 'bunny5', have a nice day!
      I was happy about the quick service (and being able to log into my account again), but really, I had some serious questions about social engineering risks here.

    6. Re:Online security for banks is a joke. by 140Mandak262Jamuna · · Score: 1

      How many key fobs should I be carrying around? Both E-Trade and Schwab give away RSA key fobs for account holders with a certain minimum. 401k, IRA, everything counts to the balance, even the market value of the unexercised stock options count towards balance. So if you don't mind jingling around a whole bunch of key fobs, I suppose you could find institutions.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    7. Re:Online security for banks is a joke. by 140Mandak262Jamuna · · Score: 1

      That is regular Fidelity. Mine was netbenefits, the 401K arm of fidelity. For some reason their authentication server seems to be different and uses a different protocol. But it starts with a PIN number assigned by the employer to even start an on line access user id.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    8. Re:Online security for banks is a joke. by ruir · · Score: 1

      Easy answer. Plausible deniability. They don't want the system to be too perfect, so when it fails, they can blame someone or something else.

    9. Re:Online security for banks is a joke. by Zymophideth · · Score: 1

      I have fidelity and it's strictly alphanumeric for the password and if I call I use the keypad to input my password. So yeah, they took my lame alphanumeric only password and then created an even simpler numeric only password for phone authentication. I'm pretty sure anyone that knows my social and DOB could reset my password anyways as well. So basically, where I have all my savings (employee 401k) I have the least amount of security compared to any other website I use.

  17. No, STEALING, is wrong. by VortexCortex · · Score: 5, Funny

    That's wrong terminology! Passwords are not Stolen!

    Look, if you have a car and I steal that car then you don't have a car anymore.
    If you have a password, and I get a copy of it, then you still have your password! We can both use the password, IT'S NOT STEALING.

    1. Re:No, STEALING, is wrong. by canadiannomad · · Score: 1

      If you have a password, and I get a copy of it, then you still have your password! We can both use the password, IT'S NOT STEALING.

      Haha, I love it!

      So I suppose copying passwords should be legal... Just transferring funds and identity theft need to be covered...

      --
      Hmm, the humour and sarcasm seem to have been lost on you.
    2. Re:No, STEALING, is wrong. by Luyseyal · · Score: 1

      So long as it's less than 6 seconds of password, right? :)

      Thanks for posting. I LOL'd.
      -l

      --
      Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
    3. Re:No, STEALING, is wrong. by hicksw · · Score: 1

      The answer is obvious -- COPYRIGHT your password.
      --
      It was a dark and drunken night. Four shots called out -- drink me.

  18. Summary: by 140Mandak262Jamuna · · Score: 1

    Cashing out using stolen passwords is very difficult. If it was easy, customers themselves would transfer money in an untraceable manner and falsely claim fraud. The thief steals from the money mule, not the bank customer. Customers do not suffer direct harm, the indirect costs are not noticed.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Summary: by Anonymous Coward · · Score: 0

      Cashing out using compromised passwords.

      1) Open an account on a Bitcoin trading platform.
      2) Send money from the compromised account to said platform.
      3) Buy bitcoins.
      4) Withdraw bitcoins.

    2. Re:Summary: by OneAhead · · Score: 1

      You're violating the format, buddy:
      5) ???
      6) Profit!

  19. Re:I dunno... how much is a good fake ID? by s0nicfreak · · Score: 1

    Or you could just use online bill pay to transfer money to a prepaid credit card.

  20. Banks always benefit from CC fraud by ub3r+n3u7r4l1st · · Score: 1

    Each fraudulent charge comes with a chargeback fee against the merchant when it is discovered, no matter the amount, and that's profit for the bank and the processing network.

  21. Fake Mules Make Passwords Important by Anonymous Coward · · Score: 0

    The article presumes that mules are recruited instead of created and thereby shoulder the risk. However, if the mules' accounts are fabricated through a fraudulent account creation (using stolen SSANs, identity theft, etc.), then the mule and the thief can be one and the same.

    When the thief is the mule, then the risk is foisted back on the bank(s) and passwords absolutely matter.

  22. Horseshit by Anonymous Coward · · Score: 0

    "The article concludes that banks have no interest in shifting liability to consumers"

    Chip-and-pin was supposed to be a security upgrade that they could use to justify shifting liability. Someone needs to provide more than an MS paper conclusion to convince me that this isn't the case.

  23. Real problem is lack of notice by gurps_npc · · Score: 1

    The real problem with password stealing is that they don't tell you when it happens - and they CAN. Just list the last 3 times you logged in, with IP addresses. You can even add in the word (new) to an IP address that has not shown up before.

    --
    excitingthingstodo.blogspot.com
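The notice proposed above, as an added example (not code from the thread or from any bank): the last three logins with their source IP, where an address is flagged (new) only if it never appeared in the account's earlier history, so a regular address that happens to fall outside the three-login window is not mislabelled. The login records are constructed sample data.

```python
"""Added example: 'last N logins, with IP, unseen ones marked (new)'.
The history below is constructed, oldest entry first."""

from ipaddress import ip_address

SAMPLE_HISTORY = [
    ("2012-11-01 08:05", "203.0.113.7"),
    ("2012-11-03 19:42", "203.0.113.7"),
    ("2012-11-05 07:58", "198.51.100.23"),
    ("2012-11-06 22:11", "203.0.113.7"),
    ("2012-11-07 03:27", "192.0.2.99"),
]


def annotate_recent_logins(history, n=3):
    """Return the last n logins as (timestamp, ip, is_new).

    'new' is judged against every earlier login, not just the last n, so
    the flag really means 'this address has never been seen on this
    account', which is what lets the holder spot a session they did not
    start."""
    seen = set()
    annotated = []
    for ts, ip in history:
        addr = ip_address(ip)      # normalises and rejects malformed input
        annotated.append((ts, str(addr), addr not in seen))
        seen.add(addr)
    return annotated[-n:]


def has_unfamiliar_login(history, n=3):
    """True if any of the last n logins came from a never-seen address;
    a cheap trigger for an e-mail or text alert."""
    return any(is_new for _, _, is_new in annotate_recent_logins(history, n))


def format_notice(history, n=3):
    """Render the notice as it would appear on the post-login page."""
    lines = ["Your last %d logins:" % n]
    for ts, ip, is_new in annotate_recent_logins(history, n):
        lines.append("  %s from %s%s" % (ts, ip, " (new)" if is_new else ""))
    return "\n".join(lines)
```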
  24. Dump the Visa/MC-debit! by sirwired · · Score: 3, Interesting

    It sounds like you had a Visa-branded debit card, not a credit card. Visa/MC Debit cards serve no use other than to enrich the bank, the merchant fees are much higher than PIN-debit. And, as you have learned, if a thief gets a hold of your number, your bank account is empty and your bills bouncing while you argue with the bank.

    It's far better to get a credit card and simply pay off the bill every month. That way, if it gets emptied, you argue with the bank about THEIR money. (With a Visa/MC Debit, you argue with the bank about YOUR money. Guess which dispute gets more attention?

    And yes, the bank should have paid up the bounced check fees... might as well dump this loser of a bank entirely and sign up with a Credit Union.

    1. Re:Dump the Visa/MC-debit! by whoever57 · · Score: 4, Insightful

      Visa/MC Debit cards serve no use other than to enrich the bank

      There is another reason for these cards: to avoid the legally-mandated consumer protection that exists for credit cards.

      --
      The real "Libtards" are the Libertarians!
    2. Re: Dump the Visa/MC-debit! by Octorian · · Score: 3, Informative

      This is a big reason why I outright refuse to carry a debit card, even to the point of insisting to the bank that they give me a plain old ATM card for my account.

      I just feel more comfortable having a buffer between my transactions and my actual accounts, where I have to take active action for so much as a dime to go from one to the other.

      And as said above, the fraud argument happens with their money, not mine.

    3. Re:Dump the Visa/MC-debit! by Anonymous Coward · · Score: 1

      Absolutely correct, that is their only purpose.

      What the man said about having a CC and paying it off every month - best advice ever.

    4. Re:Dump the Visa/MC-debit! by PRMan · · Score: 1

      This is exactly why I disagree with Dave Ramsey's otherwise great financial advice. You simply don't want to use a Visa/MC debit card, especially for online purchases.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    5. Re: Dump the Visa/MC-debit! by Pope · · Score: 1

      I always find this a funny part about talking to Americans about these separate debit cards: in Canada, your ATM card is a debit card & has been for years.

      --
      It doesn't mean much now, it's built for the future.
    6. Re:Dump the Visa/MC-debit! by AlphaWolf_HK · · Score: 2

      Visa and mastercard give all kinds of consumer protection benefits just for using the card, though I don't know whether they apply to both debit and credit. For example, my card includes a free extra year of warranty on anything I buy, free insurance on rental cars, guaranteed 30 day money back on anything I buy as well as accidental damage.

      I use a credit card though, supposedly their top tier (they call it world mastercard). I qualify for it in spite of paying zero interest (and so many people keep insisting that I should never pay the bill in full every month because it doesn't help my credit - they're as wrong as wrong can be.)

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    7. Re:Dump the Visa/MC-debit! by mjwx · · Score: 1

      It sounds like you had a Visa-branded debit card, not a credit card. Visa/MC Debit cards serve no use other than to enrich the bank, the merchant fees are much higher than PIN-debit. And, as you have learned, if a thief gets a hold of your number, your bank account is empty and your bills bouncing while you argue with the bank.

      Merchant service fees are based on the service the customer chooses to pay with.

      In Australia you have Savings, Cheque or Credit. Choosing Savings or Cheque (mainly redundant these days as checking accounts have gone the way of the dodo or common sense) the merchant pays the lower fee even if using a Visa/MC branded card. With Credit, even when paying with your own money the merchant pays the higher fee.

      It's far better to get a credit card and simply pay off the bill every month

      If you're looking to cut down on fees, this is the stupidest bit of advice you could possibly give.

      Merchant service fees for paying via credit are higher than paying via debit.

      If you want to reduce merchant service fees, pay cash.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    8. Re: Dump the Visa/MC-debit! by Octorian · · Score: 1

      It is the same card in the US too, at least by default. But if you're like me, you can explicitly request that it just be a normal ATM card with no debit card capabilities.

  25. Re:I dunno... how much is a good fake ID? by frinkster · · Score: 3, Informative

    yes, I see where that could fall apart in a few spots, but I'm not a professional grifter, a variation of it should be achievable.

    My brother-in-law IS a professional grifter, and he has spent more of his adult life in prison than as a free man. I assure you that the scheme you described will not last for very long at all (in the US).

    TFA described exactly why you need some idiot "mule" to act as your middleman, and described exactly why that idiot "mule" is the one that ends up losing all the money (the original victim is always made whole). And TFA described why the real bottleneck in financial fraud is in recruiting idiot "mules" and not stealing passwords.

    It stands to reason that making it harder to recruit idiot "mules" would have a far greater benefit than making it hard to compromise banking passwords.

  26. Assertion is wrong. by Anonymous Coward · · Score: 0

    "article concludes that banks have no interest in shifting liability to consumers"

    Article is completely wrong.

    Chip and Pin is entirely to make it the customer's fault.

    They have no interest in making THEMSELVES liable.

  27. Cyber gangs and banking passwords? by dgharmon · · Score: 1

    A more relevant subject for discussion is how the thieves got hold of your 'banking passwords' in the first place.

    --
    AccountKiller
  28. Passwords are only one part of security by Drewdad · · Score: 1

    Relying on just a password is not secure, IMO. Just as my house has a door lock AND a security system, my bank account has a password AND monitoring. I get alerts for transactions over a certain amount, and I get daily balance updates so that I can catch any unusual activity. Sure, set up a good password. But then monitor your account, and possibly your credit rating.

  29. Not worth it [Re:I dunno... how much is a good...] by Geoffrey.landis · · Score: 3, Insightful

    if you got my bank password... you could use online billpay to mail a check and cash it... if it was under a thousand, my bank wouldn't blink.
    so scenario.. I get a good set of identity papers, even just a license together for a lady who works all day

    Identity papers good enough to fool a bank cost money.

    I have 10 account passwords at different banks and use online billpay to mail out 10 checks for $900 + odd amount checks. I swipe them from the mailbox of the lady who works all day....
    I cash them all on the same day- visiting 10 issuing banks...
    burn the ID

    yes, I see where that could fall apart in a few spots

    It sure does. For a profit of $9000 (minus the cost of forged identity papers), you have left your image and paper trail in the security camera of the bank you used to transfer the money, plus ten other banks; plus stealing from the U.S. mail probably over four or five days and hoping that the nosy neighbors weren't watching. You're hoping that none of the ten got their bank statement and noticed the check payment in the three days it takes the check to be mailed. And once the first person complains, the warning about your forged identity is going to go out to all the other banks, and so when you cash check number n, you're hoping that the account holders of checks 1 through n-1 haven't complained yet. And banks in the US have a three-day hold on availability of funds from checks; so you are going to have to wait and hope not one of ten people noticed the withdrawal.

    Suppose it is a 5% probability of getting caught on any one transaction. On the average, you'll make $18,000 before being caught. That is so not worth it.

    Or you could just use online bill pay to transfer money to a prepaid credit card.

    Except that banks do know that trick and protect against it. It's not hard to put $50 on a prepaid credit card without leaving tracks. Try putting $9000 on a credit card, and they start keeping records of who you are.

    --
    http://www.geoffreylandis.com
  30. Rate limiting factor [Re:Web security is no su...] by Geoffrey.landis · · Score: 1

    So the argument is someone steals my password, steals my money, gives it to a money mule... then I get my money back from the bank, and somehow that doesn't cost me in the end?

    No.

    The argument is that convincing everybody in the U.S. to make their passwords harder to crack won't reduce the number of thefts from bank accounts using stolen passwords, because the rate at which passwords are stolen isn't the factor that controls how many accounts are stolen from.

    --
    http://www.geoffreylandis.com
  31. Transaction Records by jd.schmidt · · Score: 2

    For a while I have thought that with all the data and transaction records, simply stealing money by transferring it ought to be very hard.

    Sadly many of these so called "mules" are small businessmen who ship goods thinking they got real money. Still a verification system might be able to help even them.

  32. Lucky US: We have to use smartcards by Anonymous Coward · · Score: 0

    In Sweden we're forced to use smartcards to validate every single frickin' banking transaction. Yes, cryptographically signing every money transfer and bill payment with a physical device. Of course this eliminates a lot of fraud in Sweden, but the banks still accept unauthenticated transactions from outside of Sweden, so what's the point?
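    What the Swedish scheme buys, and where the gap the comment points at sits, is easiest to see in code. The block below is an added example, not the banks' actual protocol: the card's per-transaction signature is modelled with an HMAC over a canonical serialisation of the transfer (a stdlib-only stand-in; a real smartcard would hold an asymmetric key that never leaves the chip), the bank checks the signature and a nonce, and an `accept_unsigned` flag models a bank that still takes unauthenticated transfers from abroad. Account numbers and keys are constructed.

```python
"""Added example (not the Swedish banks' real protocol): why signing every
transfer with a physical device defeats a stolen password.  The card key is
modelled with an HMAC shared secret purely to stay within the stdlib; a real
card would sign with an asymmetric key.  All identifiers are constructed."""
import hashlib
import hmac
import json
import secrets


def canonical(txn):
    """Deterministic bytes so signer and verifier hash exactly the same thing."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


class SigningDevice:
    """Models the customer's card: holds the key, signs what it is shown."""
    def __init__(self, key):
        self._key = key

    def sign(self, txn):
        return hmac.new(self._key, canonical(txn), hashlib.sha256).hexdigest()


class Bank:
    def __init__(self, device_keys, accept_unsigned=False):
        self._keys = device_keys              # account -> device key (constructed)
        self._seen_nonces = set()             # replay protection
        self.accept_unsigned = accept_unsigned  # the gap the comment describes
        self.ledger = []

    def submit(self, txn, signature=None):
        """Return 'accepted' or a rejection reason."""
        if signature is None:
            if not self.accept_unsigned:
                return "rejected: signature required"
        else:
            key = self._keys.get(txn["from"])
            if key is None:
                return "rejected: unknown account"
            expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, signature):
                return "rejected: bad signature"   # amount/recipient tampered
            if txn["nonce"] in self._seen_nonces:
                return "rejected: replay"
            self._seen_nonces.add(txn["nonce"])
        self.ledger.append(txn)
        return "accepted"


def demo():
    """Exercise the four cases a password thief runs into, plus the gap."""
    key = secrets.token_bytes(32)
    card = SigningDevice(key)
    bank = Bank({"ACC-1": key})
    txn = {"from": "ACC-1", "to": "ACC-9", "amount": 900,
           "nonce": secrets.token_hex(8)}
    sig = card.sign(txn)
    results = {"genuine": bank.submit(txn, sig)}
    # Knows the password, has no card: cannot produce any signature.
    results["password_only"] = bank.submit({**txn, "nonce": secrets.token_hex(8)})
    # Changes the amount after the customer signed.
    results["tampered"] = bank.submit({**txn, "amount": 9000}, sig)
    # Resubmits the intercepted signed transfer.
    results["replay"] = bank.submit(txn, sig)
    # A bank that still honours unsigned (e.g. foreign) transfers.
    lax = Bank({"ACC-1": key}, accept_unsigned=True)
    results["unsigned_accepted"] = lax.submit({**txn, "nonce": "constructed"})
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

    The signature binds amount, recipient and nonce together, so the password alone authorises nothing and a signed transfer cannot be edited or replayed. The last case is the comment's complaint in one line: a verifier that is allowed to skip the check for some class of transactions does not protect the account against that class.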

  33. Banking passwords suck! by phorm · · Score: 1

    Unfortunately, I've found that most banking sites have horrible password policies, basically requiring an 8-character alphanumeric password (no special characters, spaces, or anything more than 8 chars).

    My Mastercard provider allows (and requires) that I use special characters in my password. The last several banks I've used... don't even allow them.

    1. Re:Banking passwords suck! by mseeger · · Score: 1

      100% agreement. 60+% of all password policies (of those I see) are bad.

    2. Re:Banking passwords suck! by lgw · · Score: 1

      That's not random. Most banks expect you to be able to enter the same password over the phone, so only alphanumerics, * and #. Keeping it too short is just silly though.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  34. Honeypot by Msdose · · Score: 0

    So the crackers are being hoodwinked into wasting their talents trying to beat a system with defenses in depth so they won't destroy the communist political correctness eugenic machine governing their country. Bazinga!

  35. hard to read multi page format by Skapare · · Score: 1

    You'd think those guys should know at least something about usability design. But nooooo.

    --
    now we need to go OSS in diesel cars
  36. Good article if it did not come from Microsoft by Shompol · · Score: 1

    This would be a good and interesting article if only it did not come from Microsoft, a company whose only business is to make sure passwords are not stolen in the first place. To illustrate:

    • Microsoft: we cannot secure our system, but don't you worry, Banks will take care of password theft and clean up our mess.
    • Railroad maintainer: sometimes I make mistakes, but don't worry -- should a train derail the nearest hospital will take good care of you.

  37. Not quite everything... by Anonymous Coward · · Score: 0

    Apparently, everything I know about passwords is limited to online banking, because TFA doesn't seem to address anything else.

  38. Re:Not worth it [Re:I dunno... how much is a good. by s0nicfreak · · Score: 1

    This could be simple if you just get a few druggies to help you out.

    Have the checks put in the name of 5 - 10 druggies, using their real names. Make it seem like you have a bunch of freelancers renovating a house or something. Mail it to a neighborhood where the neighbors don't give a fuck.

    Have the druggies cash the checks, at places away from their homes/areas they hang out in (i.e. where the bank tellers don't know them). They won't care if their ID and picture is seen in the bank, because they're getting drugs out of the deal.

    Cost = a couple hundred dollars on drugs and maybe using a van, profit = $8000+?

    Something similar actually happened to my parents - just with 1 person and less money - with the only thing stopping the person from cashing the check being that the bank teller knew my parents. The crook was dumb enough to go to their local bank (though he was smart enough to not use his own name - he used the name & ID of his cousin who looked similar enough for him to pass), and had made things out like my parents were paying him for roof repairs, but the teller knew my parents get their roof repairs done by my cousin, and that they had just gotten it totally replaced a couple of years before that and would not need such a pricey repair that soon. If not for that coincidence (if he had, for example, gotten a different teller) it could have worked out; my parents' neighbors don't give a fuck about strangers poking around. My parents don't use email and etc. (so no notifications that a check was cashed, no online balance etc.); if the teller hadn't known them and therefore refused to cash the checks, he could have been long gone before my parents noticed their account was empty.

  39. New plan... not so good [Re:Not worth it ] by Geoffrey.landis · · Score: 2

    This could be simple if you just get a few druggies to help you out.
    Have the checks put in the name of 5 - 10 druggies, using their real names. Make it seem like you have a bunch of freelancers renovating a house or something. Mail it to a neighborhood where the neighbors don't give a fuck.
    Have the druggies cash the checks, at places away from their homes/areas they hang out in (i.e. where the bank tellers don't know them). They won't care if their ID and picture is seen in the bank, because they're getting drugs out of the deal.

    So, let's see, the druggies cash the checks, and promptly snort the money up their noses ("see, like, we was planning on giving you a cut a the money and everything, uh, cause you was helping us out and all, you know, but my dealer was there and I already owed him ten grand, and plus I really really needed a fix..."), and you get nothing.

    Then, when they get picked up (because they did use their own names...), all 5 - 10 of them finger you as part of the plea bargain.

    So, your profit is zero, and you have five to ten witnesses testifying against you, so you go to jail for wire fraud, bank fraud, utterance, and conspiracy. Not such a great plan.

    --
    http://www.geoffreylandis.com
    1. Re:New plan... not so good [Re:Not worth it ] by s0nicfreak · · Score: 1

      I've found that druggies are generally a loyal bunch, unless/until you stand between them and their drugs.

      You don't give them an opportunity to snort the money up their noses, because you've taken them to an area where people don't know them, and therefore they either don't know who to buy drugs from, or the seller is too paranoid to sell to them. But you're waiting close by in that borrowed van, to give them their drugs and a ride back to an area they're familiar with. Then they are unlikely to be picked up, because you've used people that are off the radar for the most part (so the cops know their name, don't really know where they are once they leave the bank). And if they ARE caught? Well, you never told them YOUR name nor any traceable information. They may be able to describe you, but unless you're unique looking enough for it to be an issue (Personally, if I remove my piercings and cover my tattoos, all they've got to describe me is "asian woman in a van, black hair, brown eyes"), and/or unless you show your own face doing something similar, odds you will get caught are pretty low.

      Really your greatest risk is that you put too many of the druggies in the van at once, one of them decides to beat you up, others join in and they overpower you, and take all the drugs and money.

  40. I'll call bulls**t on this by aklinux · · Score: 1

    A friend of mine, now retired, used to be one of the 'webmasters' for a local credit union.

    They took a very lax attitude for passwords and site security in general, their attitude being that it simply wasn't worth the time and trouble to worry about security. That's what the Insurance Company was for.

    People like to think of the insurance companies as fair game, but when they take a hit, they pass the costs back to their customers in the form of higher rates. The financial institutions pass those higher rates on to their customers.

    It's no different than when stores take a hit from shoplifters. The costs pass back to the customers in the form of higher prices.

    Don't tell me we don't pay for this!

  41. Wait. What? by Anonymous Coward · · Score: 0

    > The article concludes that banks have no interest in shifting liability to consumers,

    Banks can't shift liability to consumers because it's ILLEGAL. They would do it in a heartbeat, as the huge scandals surrounding the financial crisis proved.

  42. Are the Microsofties clueless? by Anonymous Coward · · Score: 0

    Page 6 of their PDF includes this little gem on email passwords, definitely outside the scope of the paper:

    Those who have had an email password stolen to send spam know what a miserable experience that is, and it is little consolation to hear that the hacker probably earned very little.

    Anyone who knows anything about email knows that you don't need someone's password to falsify mail from them (e.g. spam or UCE). A number of failed initiatives like SPF try to address this, but will never succeed because not enough companies/domains/people implement them CORRECTLY. At the end of the day SMTP is a great solution to deliver mail but is fundamentally broken from a security point of view.
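    The SPF check the comment refers to is small enough to show end to end. The block below is an added example, not code from the thread or from any mail server: a minimal RFC 7208 evaluator for the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms with the four qualifiers and the ten-lookup limit, run against a constructed in-memory DNS table (the domains and addresses are documentation ranges, not real hosts). It also includes the kind of record the comment has in mind when it says "implement them CORRECTLY": a policy ending in `+all`, which authorises every sender and so rejects nothing.

```python
"""Added example (not from the thread): a minimal SPF (RFC 7208) evaluator run
against a constructed DNS table.  Domains and addresses below are constructed
from documentation ranges; the code is not any real MTA's implementation."""
import ipaddress

# Constructed DNS data.  lax.example shows the common misconfiguration: "+all".
DNS = {
    "good.example": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
        "A": ["192.0.2.10"], "MX": ["mx.good.example"],
    },
    "mx.good.example": {"A": ["192.0.2.20"]},
    "mailer.example": {"TXT": "v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 ~all"},
    "lax.example": {"TXT": "v=spf1 a mx +all",
                    "A": ["203.0.113.1"], "MX": ["mx.lax.example"]},
    "mx.lax.example": {"A": ["203.0.113.2"]},
    "nospf.example": {},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per check


def _addrs(name, rrtype, state):
    """Resolve an 'a' or 'mx' target to networks via the table, counting lookups."""
    state["lookups"] += 1
    rec = DNS.get(name, {})
    if rrtype == "mx":
        ips = [ip for mx in rec.get("MX", []) for ip in DNS.get(mx, {}).get("A", [])]
    else:
        ips = rec.get("A", [])
    return [ipaddress.ip_network(ip) for ip in ips]


def check_spf(ip, domain, state=None):
    """Return pass/fail/softfail/neutral/none/permerror for sender ip and
    the domain in MAIL FROM (or HELO)."""
    state = state if state is not None else {"lookups": 0}
    ip = ipaddress.ip_address(ip)
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.lower().startswith("v=spf1 "):
        return "none"
    for term in record.split()[1:]:
        qual, mech = "+", term                  # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name in ("a", "mx"):
            matched = any(ip in n for n in _addrs(arg or domain, name, state))
        elif name == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"
            matched = check_spf(ip, arg, state) == "pass"
        else:
            return "permerror"                  # unknown mechanism
        if state["lookups"] > MAX_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for sender, dom in [("192.0.2.77", "good.example"), ("203.0.113.99", "good.example"),
                        ("203.0.113.99", "lax.example"), ("192.0.2.1", "nospf.example")]:
        print(f"{sender:>14} {dom:14} -> {check_spf(sender, dom)}")
```

    A receiving server acts on the result: `fail` under `good.example` lets it reject a forged sender outright, `softfail` from the included record only marks the message, and `lax.example` returns `pass` for any address on the Internet, which is exactly the kind of deployment that makes SPF look useless. Note that SPF only covers the envelope sender; the header `From:` the user sees is left to DMARC alignment, which this example does not implement.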

  43. No interest? by Anonymous Coward · · Score: 0

    Banks have every interest in shifting the liability. In fact here in Holland banks have started to deny reimbursements to customers, including those who don't properly cover the keypad when they enter their pin.

    Banks would murder customers who were no longer depositing money if they could get away with it.