Everything You Know About Password-Stealing Is Wrong
isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."
It puzzles me when I see that people work really hard to come up with difficult passwords for their bank accounts, but not for their personal accounts on their own computers. They really need to think about what value those passwords have to other people - in particular what could someone else do with those passwords if they had them?
I have used a fair number of different banks over the past couple decades and seen a lot of different online banking systems. Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts. I have seen some where you can set up bill payments, but that was a chore and would not be useful for trying to pull money out quickly. Most online banking systems intentionally do not even give full account or routing numbers to logged-in users, and I've never seen one give out SSN or DOB either.
On the other hand, people keep a lot of personal information on their PCs. If you can get their personal user names and passwords you could get a lot more useful information on them. A lot of users likely have their SSN and DOB in their browser cache somewhere, and almost everyone has their address somewhere in there.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
About a year ago, I had my debit card stolen by a bartender, who used it to buy plane tickets for a vacation. Even though I *paid* for the tickets, the airline (*cough* Jet Blue *cough*) refused to give me the names of the passengers listed on the ticket. That in itself stunned me. Then it got worse.
I went through the bank, saying I could ID the person with 99% certainty (since the bartender was talking about not being able to pay for tickets at the bar that night). They of course referred me to the fraud department. The fraud department then of course referred me to File 13. Not one care was given to the matter. When I pushed on the issue, they asked why I cared; my account had been reimbursed. When I said it was the principle of the matter, they laughed and said the bank would simply write off the loss and everybody wins.
It was then I realized the banks may actually *want* the fraud.
And I now trust my mattress more than any bank these days.