Slashdot Mirror

← Back to Stories (view on slashdot.org)

Everything You Know About Password-Stealing Is Wrong

Posted by timothy on from the but-password-stealing-is-wrong dept.

isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."

23 of 195 comments (clear)

  1. The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Informative

    When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss.

    I had my identity stolen years ago by a guy who managed to run up a bunch of charges on my bank credit card (still don't know how he got the numbers). And, while the bank did reimburse me for the stolen money, they most certainly DIDN'T reimburse me for over $200 in bounced check charges that came after he cleaned out my account, or the hit that my credit rating took after a bunch of companies reported me as a deadbeat for passing bad checks and missing automated billing deadlines. Yeah, just TRY repairing your credit rating after something like that and tell me that consumers don't take a hit for identity theft.

    1. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Informative

      They also don't reimburse the cost retailers have to pay for each fraudulent transaction.

    2. Re:The hell it doesn't cost consumers! by Culture20 · · Score: 5, Insightful

      Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.

    3. Re:The hell it doesn't cost consumers! by SilverJets · · Score: 5, Insightful

      Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.

      THIS.

      As well as increased insurance costs. The authors of the article are rather dense if they honestly think that the costs of reimbursement are not passed down to consumers.

    4. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Informative

      Yes, you do have to fight those things, because among other reasons, the banks deliberately do choose to keep the bounced check charging people out of the fraud reporting loop, so you have to find somebody to knock the heads together and get the information shared. And even then, your liability is controlled by state law, so that limit is up to them anyway.

      Your credit rating, however, you can repair, by disputing those false charges. And if the credit rating company mishandles that, you can get some serious money out of them.

    5. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 4, Informative

      From TFA: "This does not mean, however, that password-stealing is a minor problem. The indirect costs of cyber-crime almost certainly dwarf the direct losses by orders of magnitude. While password-stealing victims are spared direct losses, they may spend considerable time and energy resolving the mess."

    6. Re:The hell it doesn't cost consumers! by Anonymous Coward · · Score: 5, Insightful

      That's exactly what TFA says. Banks like the fear of lost passwords, because they can use that fear to their (profitable) advantage:

      "When perceived risk is greater than actual risk it can be protable to absorb the risk and charge for it. Rental car companies are not merely willing, but anxious to accept liability for any damage to the car for $35 a day; various companies aggressively market identity theft protection for $12 a month. Banks enjoy a huge information advantage over consumers: they know how much fraud costs them, while consumers merely hear horror stories of cyber-crime losses. Passing liability to consumers...would seem to be wasting a protable opportunity."

    7. Re:The hell it doesn't cost consumers! by blueg3 · · Score: 5, Informative

      Either your bank sucks or you didn't browbeat them enough. They should reverse the bounced-check charges resulting from the stolen money.

      You need to dispute the results of identity theft on your credit rating. If the rating agencies refuse to fix it, you can sue the pants off them.

      Of course, this is a lot of trouble and it sucks pretty hard. TFA actually agrees with you on this.

    8. Re:The hell it doesn't cost consumers! by Intropy · · Score: 5, Informative

      FTA:

      "Thus, in the US, individual consumers are largely insulated from the direct financial consequences of credential theft..." (emphasis in original)

      "While 'we all pay for cyber-crime' is true in a general sense, it is not the case that individual users face grave financial risk."

      They're pretty clear that they are discussing risk of catastrophic loss to a single individual rather than increased shared costs.

    9. Re:The hell it doesn't cost consumers! by ragefan · · Score: 5, Informative

      Clearly, you missed the 60 Minutes report this week about Credit Rating companies and their dispute process (source).

      In a nutshell, your dispute is never sent to someone who will approve it, and you basically have to sue them to fix it. Its a multi-year case and you better be well documented.

    10. Re:The hell it doesn't cost consumers! by thePowerOfGrayskull · · Score: 5, Insightful

      I've disputed several inaccuracies on my credit report, and had most of them removed without further fight.

      I'm not saying 60 minutes is full of shit, but ...

      60 minutes is in the business of selling scare stories. A little bit of cherry picking goes a long way.

  2. Banking passwords are overrated by damn_registrars · · Score: 4, Interesting

    It puzzles me when I see that people work really hard to come up with difficult passwords for their bank accounts, but not for their personal accounts on their own computers. They really need to think about what value those passwords have to other people - in particular what could someone else do with those passwords if they had them?

    I have used a fair number of different banks over the past couple decades and seen a lot of different online banking systems. Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts. I have seen some where you can set up bill payments, but that was a chore and would not be useful for trying to pull money out quickly. Most online banking systems intentionally do not even give full account or routing numbers to logged in users, and I've never seen one give out SSN or DOB either.

    On the other hand, people keep a lot of personal information on their PCs. If you can get their personal user names and passwords you could get a lot more useful information on them. A lot of users likely have their SSN and DOB in their browser cache somewhere, and almost everyone has their address somewhere in there.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Banking passwords are overrated by way2trivial · · Score: 5, Informative

      online banking- mine pulls up full images of check faces... which does include routing & account #'s

      --
      every day http://en.wikipedia.org/wiki/Special:Random
    2. Re:Banking passwords are overrated by SJHillman · · Score: 5, Informative

      I have accounts with First Niagara (they acquired my HSBC account), ING Direct (recently acquired by CapitalOne) and Ally Banks. I frequently move money between them through the web interface - real easy to set up, you just need to be able to log in to both accounts you're transferring between. Furthermore, my girlfriend has an account with Keybank and we transfer money from her account to mine about once a month to cover living expenses (I pay for almost everything up front, she pays me her share monthly). All I needed from her to set it up was her password.

      If I get your banking login info, I can probably get a good chunk of your money before you realize it. Fortunately, many banks offer email alerts for transfers over X amount or if another account has been added. However, if you target someone who doesn't check their balance or email more than once or twice a week, you can probably get away with it before they know it's happening.

    3. Re:Banking passwords are overrated by Chrisq · · Score: 4, Informative

      I have accounts with First Niagara (they acquired my HSBC account), ING Direct (recently acquired by CapitalOne) and Ally Banks. I frequently move money between them through the web interface - real easy to set up, you just need to be able to log in to both accounts you're transferring between. Furthermore, my girlfriend has an account with Keybank and we transfer money from her account to mine about once a month to cover living expenses (I pay for almost everything up front, she pays me her share monthly). All I needed from her to set it up was her password.

      If I get your banking login info, I can probably get a good chunk of your money before you realize it. Fortunately, many banks offer email alerts for transfers over X amount or if another account has been added. However, if you target someone who doesn't check their balance or email more than once or twice a week, you can probably get away with it before they know it's happening.

      Same here in the UK. With FasterPayments I can transfer money from a NationWide account to a Braclays or a Coop within minutes. My Brother in Law used this recently when his daughter didn't have enough money to buy a train ticket home from uni, she was in the station, called, he transferred the money and she withdrew it from the CashPoint (ATM) a minute later.

    4. Re:Banking passwords are overrated by Geoffrey.landis · · Score: 5, Informative

      Huh? Just go to "transfer money", write the account number of the receiver and the amount, and off the money goes.
      At least that is how it works here in Denmark. Very handy, too. Is the US still using personal paper checks?

      The article is talking about irreversible and untraceable money transfer. If the bank has been given "the account number of the receiver and the amount", it is neither irreversible nor untraceable. When the person defrauded complains to the bank, they reverse the transfer.

      Thus, the thief needs a mule, a person with an account that can be used to accept the transferred money and turn it (somehow) into untraceable cash.

      Some banks, like ING Direct, even allow you to transfer money between two phones if you have their app installed. Steal someone's phone, find they have their passwords saved, install the app on your phone and transfer away.

      Transfer to whom? To steal money by such a transfer you need to make an irreversible transfer to an untraceable account. (If it's not irreversible, they just take the money back; if it's not untraceable, they come after you and put you in jail.) The whole point of the article is that this process, making a transfer that the bank can't reverse and sending the money to an account that the law can't trace, is much more difficult than the process of stealing passwords.

      --
      http://www.geoffreylandis.com
  3. I think the article misses the point by Chrisq · · Score: 4, Insightful

    The gist of TFA is that since the transfer from the person with the compromised password to the mule is reversed it is the mule that loses out, so the password isn't the bottleneck. (evidently the bottleneck is mule-recruitment and back-end fraud detection). This rather misses the point that it is a potential stopping point. If the account cant transfer money to the mule then the mule can't be persuaded to take commission and send the rest on by Western Union.

    Maybe I'm cynical, but it seems to me that this analysis is a big "not my problem" statement by Microsoft. The client-end OS and browser security, which Microsoft has a big share of are not the "real problem" - that lies at mule recruitment and backend fraud detection systems, both areas where Microsoft has little investment.

    1. Re:I think the article misses the point by Lehk228 · · Score: 4, Insightful

      The bank reimburses the individual customers who lose money, (costs go up for everyone but the specific losses are socialized). The cost to improve the password security of every account would exceed the reduction in fraud costs, therefore it is in nobody's interest to spend money on that aspect of security.

      --
      Snowden and Manning are heroes.
    2. Re:I think the article misses the point by MozeeToby · · Score: 5, Insightful

      I think what they are getting at is that criminals have access to X passwords and Y mules, where Y is significantly less than X. Lets say they have 10,000 passwords for every mule that they have, and each mule will perform 10 transactions before they are caught out (or catch on, depending). That means you could reduce the number of leaked/grabbed/cracked passwords by 99% and still have the exact same amount of financial crime; and none of those numbers seem all that far outside of the realm of possibility to me.

      But that is about overall crime and statistics. You can still lower your risk of being a victim by choosing strong passwords, keeping a clean pc, etc.

  4. It's really even worse than that by Anonymous Coward · · Score: 5, Interesting

    About a year ago, I had my debit card stolen by a bartender, who used it to buy plane tickets for a vacation. Even though I *paid* for the tickets, the airline (*cough* Jet Blue *cough*) refused to give me the name of the passengers listed on the ticket. That in itself stunned me. Then it got worse.

    I went through the bank, saying I could ID the person with 99% certainty (since the bartender was talking about not being able to pay for tickets at the bar that night). They of course referred me to the fraud department. The fraud department then of course referred me to File 13. Not one care was given to the matter. When I pushed on the issue, they asked why I cared, my account had been reimbursed. When I said it was the principle of the matter, they laughed and said the bank would simply write-off the loss and everybody wins.

    It was then I realized the banks may actually *want* the fraud.

    And I now trust my mattress more than any bank these days.

  5. Online security for banks is a joke. by 140Mandak262Jamuna · · Score: 5, Informative
    I have made many posts asking for two level access. First level password is good for looking at balances and bills etc. And you need the second level password to actually move money or cash it out. But each financial institution does it its own way. The final decision seems to be made by some old coot who gets mortally afraid of computers, who has a bevy of secretaries who print their emails and put them in folders, whose on line skills match that of Donald "I save classified docs in my unsecured personal laptop" Rumsfeld or David "gee I will exchange mail using drafts folder, no one will think of it ha ha ha" Petraeus.

    Fidelity. Made me choose all numeric password because alphabets would confuse their old retirees who use phone based transactions. I was shocked and wanted to disable phone based transactions on my account immediately. Was told to take a hike. They can't disable it without disabling on-line access as well. Was forced to continue the account because our company 401K is with these morons. Have not checked recently if it has changed.

    ETrade They used to be good. They had the concept of a "trading password" on top of a regular password. Exactly what I wanted. You need to provide the trading password to actually do trade or cash out money or transfer funds. They took it away! I called to complain. They gave me a free RSA dongle. These jokers imagine their customers having an RSA key fob for each account. Cant ditch them. Our company stock purchase plan is with them.

    Schwab would give a RSA fob if I asked. But don't know how it works with Quicken. Will upgrade to latest quicken and see if it is supported. Even then I don't fancy dangling around with key fobs.

    PNC Bank if you setup an all numeric username it would also serve as your phone banking user id. But you need all numeric password to use it with phones. Thank you PNC! I set up an all numeric username and a alphanumeric password. So phone transactions are not possible. With VOIP and caller-id spoofing phone banking is as vulnerable as on line banking. At least let me cut down one attack surface.

    Why cant they give me two level passwords? Why cant they implement a two factor authentication like google does with cell phones? Why cant they send a text message on every transaction so that I would be alerted by any fraudulent activity?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. No, STEALING, is wrong. by VortexCortex · · Score: 5, Funny

    That's wrong terminology! Passwords are not Stolen!

    Look, if you have a car and I steal that car then you don't have a car anymore.
    If you have a password, and I get a copy of it, then you still have your password! We can both use the password, IT'S NOT STEALING.

  7. Re:Dump the Visa/MC-debit! by whoever57 · · Score: 4, Insightful

    Visa/MC Debit cards serve no use other than to enrich the bank

    There is another reason for these cards: to avoid the legally-mandated consumer protection that exists for credit cards.

    --
    The real "Libtards" are the Libertarians!