Slashdot Mirror
Everything You Know About Password-Stealing Is Wrong
isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."
When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss.
I had my identity stolen years ago by a guy who managed to run up a bunch of charges on my bank credit card (still don't know how he got the numbers). And, while the bank did reimburse me for the stolen money, they most certainly DIDN'T reimburse me for over $200 in bounced check charges that came after he cleaned out my account, or the hit that my credit rating took after a bunch of companies reported me as a deadbeat for passing bad checks and missing automated billing deadlines. Yeah, just TRY repairing your credit rating after something like that and tell me that consumers don't take a hit for identity theft.
It puzzles me when I see that people work really hard to come up with difficult passwords for their bank accounts, but not for their personal accounts on their own computers. They really need to think about what value those passwords have to other people - in particular what could someone else do with those passwords if they had them?
I have used a fair number of different banks over the past couple decades and seen a lot of different online banking systems. Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts. I have seen some where you can set up bill payments, but that was a chore and would not be useful for trying to pull money out quickly. Most online banking systems intentionally do not even give full account or routing numbers to logged in users, and I've never seen one give out SSN or DOB either.
On the other hand, people keep a lot of personal information on their PCs. If you can get their personal user names and passwords you could get a lot more useful information on them. A lot of users likely have their SSN and DOB in their browser cache somewhere, and almost everyone has their address somewhere in there.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
The gist of TFA is that since the transfer from the person with the compromised password to the mule is reversed it is the mule that loses out, so the password isn't the bottleneck. (evidently the bottleneck is mule-recruitment and back-end fraud detection). This rather misses the point that it is a potential stopping point. If the account cant transfer money to the mule then the mule can't be persuaded to take commission and send the rest on by Western Union.
Maybe I'm cynical, but it seems to me that this analysis is a big "not my problem" statement by Microsoft. The client-end OS and browser security, which Microsoft has a big share of are not the "real problem" - that lies at mule recruitment and backend fraud detection systems, both areas where Microsoft has little investment.
because there was talk about moles I'm assuming it's usual that it's moved to some gullible idiots account, who takes a fee and forwards the money(nigeria scam sort of) via untraceable method.
so that guy ends up paying the damages.
world was created 5 seconds before this post as it is.
About a year ago, I had my debit card stolen by a bartender, who used it to buy plane tickets for a vacation. Even though I *paid* for the tickets, the airline (*cough* Jet Blue *cough*) refused to give me the name of the passengers listed on the ticket. That in itself stunned me. Then it got worse.
I went through the bank, saying I could ID the person with 99% certainty (since the bartender was talking about not being able to pay for tickets at the bar that night). They of course referred me to the fraud department. The fraud department then of course referred me to File 13. Not one care was given to the matter. When I pushed on the issue, they asked why I cared, my account had been reimbursed. When I said it was the principle of the matter, they laughed and said the bank would simply write-off the loss and everybody wins.
It was then I realized the banks may actually *want* the fraud.
And I now trust my mattress more than any bank these days.
Fidelity. Made me choose all numeric password because alphabets would confuse their old retirees who use phone based transactions. I was shocked and wanted to disable phone based transactions on my account immediately. Was told to take a hike. They can't disable it without disabling on-line access as well. Was forced to continue the account because our company 401K is with these morons. Have not checked recently if it has changed.
ETrade They used to be good. They had the concept of a "trading password" on top of a regular password. Exactly what I wanted. You need to provide the trading password to actually do trade or cash out money or transfer funds. They took it away! I called to complain. They gave me a free RSA dongle. These jokers imagine their customers having an RSA key fob for each account. Cant ditch them. Our company stock purchase plan is with them.
Schwab would give a RSA fob if I asked. But don't know how it works with Quicken. Will upgrade to latest quicken and see if it is supported. Even then I don't fancy dangling around with key fobs.
PNC Bank if you setup an all numeric username it would also serve as your phone banking user id. But you need all numeric password to use it with phones. Thank you PNC! I set up an all numeric username and a alphanumeric password. So phone transactions are not possible. With VOIP and caller-id spoofing phone banking is as vulnerable as on line banking. At least let me cut down one attack surface.
Why cant they give me two level passwords? Why cant they implement a two factor authentication like google does with cell phones? Why cant they send a text message on every transaction so that I would be alerted by any fraudulent activity?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
That's wrong terminology! Passwords are not Stolen!
Look, if you have a car and I steal that car then you don't have a car anymore.
If you have a password, and I get a copy of it, then you still have your password! We can both use the password, IT'S NOT STEALING.
It sounds like you had a Visa-branded debit card, not a credit card. Visa/MC Debit cards serve no use other than to enrich the bank, the merchant fees are much higher than PIN-debit. And, as you have learned, if a thief gets a hold of your number, your bank account is empty and your bills bouncing while you argue with the bank.
It's far better to get a credit card and simply pay off the bill every month. That way, if it gets emptied, you argue with the bank about THEIR money. (With a Visa/MC Debit, you argue with the bank about YOUR money. Guess which dispute gets more attention?
And yes, the bank should have paid up the bounced check fees... might as well dump this loser of a bank entirely and sign up with a Credit Union.
yes, I see where that could fall apart in a few spots, but I'm not a professional grifter, a variation of it should be achievable.
My brother-in-law IS a professional grifter, and he has spent more of his adult life in prison than as a free man. I assure you that the scheme you described will not last for very long at all (in the US).
TFA described exactly why you need some idiot "mule" to act as your middleman, and described exactly why that idiot "mule" is the one that ends up losing all the money (the original victim is always made whole). And TFA described why the real bottleneck in financial fraud is in recruiting idiot "mules" and not stealing passwords.
It stands to reason that making it harder to recruit idiot "mules" would have a far greater benefit than making it hard to compromise banking passwords.
I so wish for mod points. Western Union/Moneygram are the "Banks" for people without the ability to now meet new Federal Standards for State Issued ID. The paperwork required today in many states just to get a new "Secure ID" are ridiculously bad if you've done anything other than be born in the last 60 or so years, gotten married, receive physical bills & bank statements, and had those items delivered to your physical address (which assumes you can receive mail at your physical address).
So it isn't just "illegal" immigrants using these services, anymore. It's a large segment of the lower end of society that is being forced to utilize these services so they can pay utility bills with cash, money orders, and move money about to relatives. You're actually causing severe harm getting rid of the cash-based services.
Off topic: Lucky me, I've bypassed the "chain of name changes" requirement by having a Passport. My adoption papers don't even exist anymore thanks to a house fire and an flooded court house basement. I'd be so screwed if it weren't for the fact my employer required me to get a passport 3 years ago.
if you got my bank password... you could use online billpay to mail a check and cash it... if it was under a thousand, my bank wouldn't blink.
so scenario.. I get a good set of identity papers, even just a license together for a lady who works all day
Identity papers good enough to fool a bank cost money.
I have, 10 account passwords at different banks and use online billpay to mail out 10 checks for $900 + odd amount checks. I swipe them from the mailbox of the lady who works all day....
I cash them all on the same day- visiting 10 issuing banks...
burn the ID
yes, I see where that could fall apart in a few spots
It sure does. For a profit of $9000 (minus the cost of forged identity papers), you have left your image and paper trail in the security camera of the bank you used to transfer the money, plus ten other banks; plus stealing from the U.S. mail probably over four or five days and hoping that the nosy neighbors weren't watching. You're hoping that none of the ten got their bank statement and noticed the check payment in the three days it takes the check to be mailed. And once the first person complains, the warning about your forged identity is going to go out to all the other banks, and so when you cash check number n, you're hoping that the account holders of checks 1 through n-1 haven't been complained yet. And banks in the US have a three-day hold on availability of funds from checks; so you are going to have to wait and hope not one of ten people noticed the withdrawal.
Suppose it is a 5% probability of getting caught on any one transaction. On the average, you'll make $18,000 before being caught. That is so not worth it.
Or you could just use online bill pay to transfer money to a prepaid credit card.
Except that banks do know that trick and protect against it. It's not hard to put $50 on a prepaid credit card without leaving tracks. Try putting $9000 on a credit card, and they start keeping records of who you are.
http://www.geoffreylandis.com
I had a friend who unwittingly served as a mule for dirty money to be laundered through his account. He was approached, asked if he'd be willing to deposit some checks, wait a few days, then transfer them (minus a small percentage for himself) to another account. He didn't see a problem with that, and hey, it was easy money! So he agreed.
When the feds came a-knockin', he was lucky all he had to do was pay the money back, rather than go to prison.
Check out my world simulator thingy.