Fishing for Phishers
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
ways to prevent online fraud? (Score:5, Insightful)
This is done in Japan and works well there. Maybe consumers here would lose their card? The card isn't electronic; it's just a card with PIN numbers that you scratch off each time you use the PIN number.
Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.
The worst ones are... (Score:5, Insightful)
The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.
Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activities like snooping around your company network. They can be very helpful.
Enough Already. (Score:5, Insightful)
Re:Solution: You authorise the bank first (Score:5, Insightful)
And this code would be sent through which secure email-delivery system exactly? Plaintext SMTP on the internet, like all the other emails from your bank?
Hell, banks don't even sign their emails. Many of them don't even know what PGP is. How many of us have had conversations with our banks along the lines of:
You: I just got an email purporting to be from you
Bank: Yes, that's right
You: So how do I know it's real without phoning you
Bank: Because it's got our name in the From field
You: Did you ever consider signing your emails
Bank: OUR INTERNET IS SECURE, WE USE HTTPS WEBSITE!!!
How do you drain an account without a trace? (Score:2, Insightful)
In every case getting cash out of my account involves paying a bill (to an authorized agent like VISA), or emailing money or transferring money to a 3rd party acct. All of these leave a trail that banks can recognize and plug.
I once changed my buying habits with my VISA card and had to confirm my identity before the transaction could be authorized. Since fraudulent VISA transactions cost VISA, it appears that when it affects the bottom line, banks can and do put checks in to stop fraud, but there is no incentive for banks to stop fraudulent behaviour on behalf of their customers. (Of course we are no longer the bank's customers; shareholders are the real customers.)
Pressure needs to be applied to the banking industry to minimize the average person's exposure to fraud! It is easy to do. For example, I should be able to lock transactions from my online banking account to a specific set of recipients and require a face-to-face visit with a banking representative to change this... Would-be fraudsters that obtained access to my account might be able to overpay my utility bill, but that would be about it.
countermeasures? (Score:2, Insightful)
Re:How to annoy phishers (Score:2, Insightful)
Today I got one of these fraudulent "the bank needs your information" E-mails. So, I thought, let's give them some noise to fill their log.
But the credit card number I made up was detected as non-existent - or at least the fake website said so.
Now, is there any way to:
1) Generate fake credit card numbers that pass as "valid"
2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
Re:How is it possible to make money? (Score:3, Insightful)
Like from your account to mine...
Re:Solution: You authorise the bank first (Score:2, Insightful)
Okay, and how do the spammers get somebody's email address to start with? Oh yes, a virus emails the contents of their inbox to a Russian server.
Along with your special code.
And don't pretend that you can just secure your computer -- there have been 5 major Windows viruses already this year, and as far as I can tell, nearly every Windows user I know has been infected.
As to secure delivery, have you noticed the number of people buying wireless networking kit? Most of those people are transmitting their POP and IMAP connections in cleartext to anyone within range. Dumpster-diving doesn't even require getting dirty any more.
A code could work well, I admit. But it might need some small changes, such as sending a numbered list of codes in the mail, and writing something like "this is email #403 from us and code 403 is blah" in each email. But anything which relies on computers, inboxes, and emails being perfectly secure starts to sound like a bad idea when you mix it with banking.
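The numbered-code scheme sketched in the comment above, worked through as an added example (this is not code from the post or from any bank). It assumes a bank posts a printed sheet of indexed random codes, each email says "this is email #N from us and code N is X" in the wording the comment suggests, and the customer's mail client checks the email against the paper sheet; the class and function names are hypothetical. The point the comment raises, that an inbox-stealing virus also steals the codes, is why every code is burned after one use: a replay of an email already in the inbox fails.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Wording the post suggests; the backreference \1 forces both numbers to agree.
EMAIL_RE = re.compile(r"this is email #(\d+) from us and code \1 is ([0-9a-f]+)", re.I)


def issue_code_list(n: int) -> dict[int, str]:
    """Bank side: draw n random codes to print on the sheet sent by post."""
    return {i: secrets.token_hex(4) for i in range(1, n + 1)}


@dataclass
class PaperCodeList:
    """Customer side: the printed sheet plus a record of which codes were spent."""
    codes: dict[int, str]                       # index -> code, as printed
    used: set[int] = field(default_factory=set)

    def verify_email(self, index: int, code: str) -> bool:
        """True only if the email carries the correct, not-yet-used code for its index."""
        expected = self.codes.get(index)
        if expected is None:
            return False                        # index is not on the sheet
        if index in self.used:
            return False                        # replay of a message already received
        # Constant-time compare, so a wrong code leaks nothing through timing.
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        self.used.add(index)                    # burn the code once accepted
        return True

    def check_email_body(self, body: str) -> bool:
        """Extract '#N ... code N is X' from the body and verify it against the sheet."""
        m = EMAIL_RE.search(body)
        return bool(m) and self.verify_email(int(m.group(1)), m.group(2))


if __name__ == "__main__":
    # Constructed sheet with two codes, standing in for the posted list.
    sheet = PaperCodeList(codes={403: "a1b2c3d4", 404: "5e6f7a8b"})
    genuine = "This is email #403 from us and code 403 is a1b2c3d4. Please log in."
    print(sheet.check_email_body(genuine))      # True
    print(sheet.check_email_body(genuine))      # False: replayed from the inbox
    print(sheet.check_email_body("This is email #404 from us and code 404 is 00000000"))  # False
```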
Re:Here is a good rule of thumb: ignore them 100% (Score:4, Insightful)
There is little new under the sun. Just because we give it an incredibly lame 1337 name, "phishing", doesn't mean it's not a hundred-year-old con game.