Slashdot Mirror


Everything You Know About Password-Stealing Is Wrong

isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."

8 of 195 comments

  1. I think the article misses the point by Chrisq · · Score: 4, Insightful

    The gist of TFA is that since the transfer from the person with the compromised password to the mule is reversed it is the mule that loses out, so the password isn't the bottleneck. (Evidently the bottleneck is mule-recruitment and back-end fraud detection.) This rather misses the point that it is a potential stopping point. If the account can't transfer money to the mule then the mule can't be persuaded to take commission and send the rest on by Western Union.

    Maybe I'm cynical, but it seems to me that this analysis is a big "not my problem" statement by Microsoft. The client-end OS and browser security, which Microsoft has a big share of, are not the "real problem" - that lies at mule recruitment and backend fraud detection systems, both areas where Microsoft has little investment.

    1. Re:I think the article misses the point by Lehk228 · · Score: 4, Insightful

      The bank reimburses the individual customers who lose money (costs go up for everyone but the specific losses are socialized). The cost to improve the password security of every account would exceed the reduction in fraud costs, therefore it is in nobody's interest to spend money on that aspect of security.

      --
      Snowden and Manning are heroes.
    2. Re:I think the article misses the point by MozeeToby · · Score: 5, Insightful

      I think what they are getting at is that criminals have access to X passwords and Y mules, where Y is significantly less than X. Let's say they have 10,000 passwords for every mule that they have, and each mule will perform 10 transactions before they are caught out (or catch on, depending). That means you could reduce the number of leaked/grabbed/cracked passwords by 99% and still have the exact same amount of financial crime; and none of those numbers seem all that far outside of the realm of possibility to me.

      But that is about overall crime and statistics. You can still lower your risk of being a victim by choosing strong passwords, keeping a clean PC, etc.

  2. Re:The hell it doesn't cost consumers! by Culture20 · · Score: 5, Insightful

    Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.

  3. Re:The hell it doesn't cost consumers! by SilverJets · · Score: 5, Insightful

    Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.

    THIS.

    As well as increased insurance costs. The authors of the article are rather dense if they honestly think that the costs of reimbursement are not passed down to consumers.

  4. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Insightful

    That's exactly what TFA says. Banks like the fear of lost passwords, because they can use that fear to their (profitable) advantage:

    "When perceived risk is greater than actual risk it can be profitable to absorb the risk and charge for it. Rental car companies are not merely willing, but anxious to accept liability for any damage to the car for $35 a day; various companies aggressively market identity theft protection for $12 a month. Banks enjoy a huge information advantage over consumers: they know how much fraud costs them, while consumers merely hear horror stories of cyber-crime losses. Passing liability to consumers...would seem to be wasting a profitable opportunity."

  5. Re:The hell it doesn't cost consumers! by thePowerOfGrayskull · · Score: 5, Insightful

    I've disputed several inaccuracies on my credit report, and had most of them removed without further fight.

    I'm not saying 60 Minutes is full of shit, but ...

    60 Minutes is in the business of selling scare stories. A little bit of cherry picking goes a long way.

  6. Re:Dump the Visa/MC-debit! by whoever57 · · Score: 4, Insightful

    Visa/MC Debit cards serve no use other than to enrich the bank

    There is another reason for these cards: to avoid the legally-mandated consumer protection that exists for credit cards.

    --
    The real "Libtards" are the Libertarians!