Everything You Know About Password-Stealing Is Wrong
isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."
I bet he ran it up way more than 200$.
Now if you were a money mule you'd be hit with paying for 4950$ you transferred for some guy in Ghana.
world was created 5 seconds before this post as it is.
The gist of TFA is that since the transfer from the person with the compromised password to the mule is reversed, it is the mule that loses out, so the password isn't the bottleneck (evidently the bottleneck is mule recruitment and back-end fraud detection). This rather misses the point that it is a potential stopping point. If the account can't transfer money to the mule, then the mule can't be persuaded to take commission and send the rest on by Western Union.
Maybe I'm cynical, but it seems to me that this analysis is a big "not my problem" statement by Microsoft. The client-end OS and browser security, which Microsoft has a big share of, are not the "real problem" - that lies at mule recruitment and backend fraud detection systems, both areas where Microsoft has little investment.
Because there was talk about mules, I'm assuming it's usual that it's moved to some gullible idiot's account, who takes a fee and forwards the money (Nigeria scam sort of) via an untraceable method.
So that guy ends up paying the damages.
Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.
THIS.
As well as increased insurance costs. The authors of the article are rather dense if they honestly think that the costs of reimbursement are not passed down to consumers.
That's exactly what TFA says. Banks like the fear of lost passwords, because they can use that fear to their (profitable) advantage:
"When perceived risk is greater than actual risk it can be profitable to absorb the risk and charge for it. Rental car companies are not merely willing, but anxious to accept liability for any damage to the car for $35 a day; various companies aggressively market identity theft protection for $12 a month. Banks enjoy a huge information advantage over consumers: they know how much fraud costs them, while consumers merely hear horror stories of cyber-crime losses. Passing liability to consumers...would seem to be wasting a profitable opportunity."
I've disputed several inaccuracies on my credit report, and had most of them removed without further fight.
I'm not saying 60 minutes is full of shit, but ...
60 minutes is in the business of selling scare stories. A little bit of cherry picking goes a long way.
There is another reason for these cards: to avoid the legally-mandated consumer protection that exists for credit cards.
The real "Libtards" are the Libertarians!
if you got my bank password... you could use online billpay to mail a check and cash it... if it was under a thousand, my bank wouldn't blink.
so scenario.. I get a good set of identity papers, even just a license together for a lady who works all day
Identity papers good enough to fool a bank cost money.
I have, 10 account passwords at different banks and use online billpay to mail out 10 checks for $900 + odd amount checks. I swipe them from the mailbox of the lady who works all day....
I cash them all on the same day- visiting 10 issuing banks...
burn the ID
yes, I see where that could fall apart in a few spots
It sure does. For a profit of $9000 (minus the cost of forged identity papers), you have left your image and paper trail in the security camera of the bank you used to transfer the money, plus ten other banks; plus stealing from the U.S. mail probably over four or five days and hoping that the nosy neighbors weren't watching. You're hoping that none of the ten got their bank statement and noticed the check payment in the three days it takes the check to be mailed. And once the first person complains, the warning about your forged identity is going to go out to all the other banks, and so when you cash check number n, you're hoping that the account holders of checks 1 through n-1 haven't complained yet. And banks in the US have a three-day hold on availability of funds from checks; so you are going to have to wait and hope not one of ten people noticed the withdrawal.
Suppose it is a 5% probability of getting caught on any one transaction. On the average, you'll make $18,000 before being caught. That is so not worth it.
Or you could just use online bill pay to transfer money to a prepaid credit card.
Except that banks do know that trick and protect against it. It's not hard to put $50 on a prepaid credit card without leaving tracks. Try putting $9000 on a credit card, and they start keeping records of who you are.
http://www.geoffreylandis.com
It's amazing how different financial infrastructure is between countries. SWIFT (wire transfers) and Visa/MC/Amex are probably the most universal funds transfer systems worldwide.
Interesting side note (I work in the credit card industry), the reasons cited for the U.S. being slow to move to Chip & PIN include: 1) U.S. merchants were on the mag-stripe bandwagon (or simply started accepting cards) sooner and hence have a much larger installed base to convert, 2) U.S. banks moved to 100% fraud protection so consumers were fairly insulated anyway, 3) the fraud rates in the U.S. are much lower (1-3% of overall spend volume) than the rest of the world.
There is a small percentage of international travelers that now demand chip & PIN for their U.S. issued cards, and they ARE available, but they are not without difficulty. Especially when it comes to changing PINs, since the U.S. doesn't have a big installed base of ATMs and card readers that accept a PIN and enable a user to update one. However, Visa and MC HAVE published a change to their rules that will take effect in 2-3 years that will shift fraud liability OFF the merchant if they process a chip & PIN transaction, so there is definitely the incentive now to move that direction. Also, several banks are experimenting with NFC microSD cards or SIM chips that tie in to phone apps and the Visa/MC networks. Don't be surprised if the U.S. moves to chip & PIN plus some combination of other solutions.