Security

Fishing for Phishers 152

mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
  • by Anonymous Coward on Sunday November 07, 2004 @11:40AM (#10746461)
    why not give consumers one time access (through pads)?
    This is done in Japan and works well there. Maybe consumers here would lose their card? The card isn't electronic; it's just a card with PIN numbers that you scratch off each time you use the PIN number.

    Banks should STRONGLY educate consumers to never expect emails from the bank that contain links.

  • by ScooterBill ( 599835 ) * on Sunday November 07, 2004 @11:42AM (#10746470)
    The EBay request to verify account information. I've received this several times. Perhaps the financial institutions don't do much because a small country in Africa isn't going to let U.S. law enforcement take care of the problem. Too much corruption is usually the case.

    The maxim I always use is: The company that holds your account never needs to ask you for your password since they already have it.

    Something many probably don't know is that your local police dept. probably has a high tech crimes unit. They will investigate and prosecute illegal activities like snooping around your company network. They can be very helpful.
  • Enough Already. (Score:5, Insightful)

    by xanadu-xtroot.com ( 450073 ) * <xanaduNO@SPAMinorbit.com> on Sunday November 07, 2004 @11:43AM (#10746471)
    Enough already with this "a blog entry says" stuff. Can we please get some ACTUAL news on this site and not just someone's rantings on a BB? Is that too much to ask?
  • by legirons ( 809082 ) on Sunday November 07, 2004 @12:21PM (#10746614)
    "When you sign up, the bank asks you for your 'personalised code', and that will be displayed in every email you receive from the bank. If you don't see that code in your email, or it's wrong, you know it's fraudulent."

    And this code would be sent through which secure email-delivery system exactly? Plaintext SMTP on the internet, like all the other emails from your bank?

    Hell, banks don't even sign their emails. Many of them don't even know what PGP is. How many of us have had conversations with our banks along the lines of:

    You: I just got an email purporting to be from you

    Bank: Yes, that's right

    You: So how do I know it's real without phoning you

    Bank: Because it's got our name in the From field

    You: Did you ever consider signing your emails

    Bank: OUR INTERNET IS SECURE, WE USE HTTPS WEBSITE!!!

  • by npross ( 564046 ) on Sunday November 07, 2004 @12:29PM (#10746669)
    What monetary transaction can you make on an account that leaves no trace?

    In every case getting cash out of my account involves paying a bill (to an authorized agent like VISA), or emailing money or transferring money to a 3rd party acct. All of these leave a trail that banks can recognize and plug.

    I once changed my buying habits with my VISA card and had to confirm my identity before the transaction could be authorized. Since fraudulent VISA transactions cost VISA, it appears that when it affects the bottom line, banks can and do put checks in to stop fraud, but there is no incentive for banks to stop fraudulent behaviour on behalf of their customers. (Of course we are no longer the bank's customers; shareholders are the real customers.)

    Pressure needs to be applied to the banking industry to minimize the average person's exposure to fraud! It is easy to do; for example, I should be able to lock transactions from my online banking account to a specific set of recipients and require a face-to-face visit with a banking representative to change this... Would-be fraudsters that obtained access to my account might be able to overpay my utility bill, but that would be about it.

  • countermeasures? (Score:2, Insightful)

    by doginthewoods ( 668559 ) on Sunday November 07, 2004 @12:29PM (#10746670)
    Just like spam, can we @ /. take any countermeasures? I'm not up on this stuff, so if I make a few silly suggestions, please give me a break. Pick a phisher / spammer and:

    - /. them
    - Send a reply with the name of a pop tune or movie in the title.
    - Send a reply with a big attachment
    - Send a reply with a virus attached

    If it's possible, think of all of us, on one day, sending an email with "White Houses" in the title and a 4 Mb attachment to a spammer / phisher. A toasted server, maybe?
  • by sonicattack ( 554038 ) on Sunday November 07, 2004 @12:34PM (#10746711)
    Enter a well-formed but bogus account / credit number,

    Today I got one of these fraudulent "the bank needs your information" E-mails. So, I thought, let's give them some noise to fill their log.

    But the credit card number I made up was detected as non-existent - or at least the fake website said so.

    Now, is there any way to:

    1) Generate fake credit card numbers that pass as "valid"
    2) Do this, and be certain that no-one actually owns that particular number, and if so, still not get into trouble?
  • by stoborrobots ( 577882 ) on Sunday November 07, 2004 @12:43PM (#10746794)
    The only actions allowed are transferring money from one account to another

    Like from your account to mine...
  • by legirons ( 809082 ) on Sunday November 07, 2004 @12:51PM (#10746851)
    "What the hell has secure-email delivery got to do with it? Unless the phishers have somehow gotten hold of an email from your bank to you, they wont know your phrase, simple as that."

    Okay, and how do the spammers get somebody's email address to start with? Oh yes, a virus emails the contents of their inbox to a Russian server.

    Along with your special code.

    And don't pretend that you can just secure your computer -- there have been 5 major Windows viruses already this year, and as far as I can tell, nearly every Windows user I know has been infected.

    As to secure delivery, have you noticed the number of people buying wireless networking kit? Most of those people are transmitting their POP and IMAP connections in cleartext to anyone within range. Dumpster-diving doesn't even require getting dirty any more.

    A code could work well, I admit. But it might need some small changes, such as sending a numbered list of codes in the mail, and writing something like "this is email #403 from us and code 403 is blah" in each email. But anything which relies on computers, inboxes, and emails being perfectly secure starts to sound like a bad idea when you mix it with banking.
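The scratch-off PIN card in the first comment and the "this is email #403 and code 403 is blah" list in the comment just above describe the same mechanism: an indexed list of one-time codes shared between bank and customer, where each index is accepted once. The block below is an added example written for this page, not code from the thread or from any bank; the HMAC-SHA256 derivation, the six-digit code format, the constructed per-customer secret and the exact wording of the stamp line are all assumptions. It shows the server-side verifier consuming card codes (so a phished code cannot be replayed) and the recipient-side check of a numbered code stamped into an email (so a stamp copied from an older email fails on the sequence number).

```python
import hashlib
import hmac
import re

# Constructed example, not code from the thread or from any bank: an indexed
# one-time-code list of the kind the comments describe (a scratch-off card of
# PINs, or a numbered list of codes the bank stamps into each email).  Code
# number i is derived from a per-customer secret with HMAC-SHA256, so the issuer
# stores only the secret, and a verifier accepts each index at most once.

CODE_DIGITS = 6  # assumed code length


def derive_code(secret: bytes, index: int) -> str:
    """Code number `index` on the card: HMAC-SHA256(secret, index) reduced to
    CODE_DIGITS decimal digits."""
    mac = hmac.new(secret, index.to_bytes(4, "big"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"


def print_card(secret: bytes, count: int) -> dict[int, str]:
    """The card handed to the customer: index -> code, for indices 1..count."""
    return {i: derive_code(secret, i) for i in range(1, count + 1)}


class CodeVerifier:
    """Server side of the scratch card: a code is valid once.  A code that is
    phished or read out of an intercepted email cannot be replayed."""

    def __init__(self, secret: bytes, count: int):
        self.secret = secret
        self.count = count
        self.used: set[int] = set()

    def verify(self, index: int, code: str) -> bool:
        if not 1 <= index <= self.count or index in self.used:
            return False
        ok = hmac.compare_digest(derive_code(self.secret, index), code)
        if ok:
            self.used.add(index)  # scratched off; never accepted again
        return ok


# Assumed stamp-line format for the numbered-code idea.
STAMP = re.compile(r"This is email #(\d+) from us and code \1 is (\d+)\.")


def stamp_email(secret: bytes, index: int, body: str) -> str:
    """Issuer side: the first line carries the sequence number and the
    matching code from the customer's card."""
    code = derive_code(secret, index)
    return f"This is email #{index} from us and code {index} is {code}.\n\n{body}"


def check_email(card: dict[int, str], email_text: str, expected_index: int) -> bool:
    """Recipient side: the stamp must parse, the sequence number must be the
    one the recipient expects next, and the code must match the printed card.
    A stamp copied from an earlier email therefore fails on the sequence check."""
    match = STAMP.match(email_text.split("\n", 1)[0])
    if match is None:
        return False
    index, code = int(match.group(1)), match.group(2)
    if index != expected_index:
        return False
    return hmac.compare_digest(card.get(index, ""), code)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # per-customer secret, constructed
    card = print_card(secret, 5)
    verifier = CodeVerifier(secret, 5)
    print("login with code 3:", verifier.verify(3, card[3]))
    print("replay of code 3:", verifier.verify(3, card[3]))
    mail = stamp_email(secret, 2, "Your statement is ready.")
    print("genuine email #2:", check_email(card, mail, expected_index=2))
    print("same stamp presented as #3:", check_email(card, mail, expected_index=3))
```

The design point is the one the comment makes: the list only helps if a leaked code is worthless afterwards, which is why the verifier records consumed indices and the email check ties each code to a sequence number the recipient tracks. Whether the card itself reaches the customer over a channel the phisher cannot read is a separate problem that this code does not solve.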
  • by gelfling ( 6534 ) on Sunday November 07, 2004 @01:37PM (#10747155)
    Nonsense. Before there were computers there were credit card companies and banks. If they called you up asking you to verify information they're supposed to have you'd be an idiot to give them that info.

    There is little new under the sun. Just because we give it an incredibly lame 1337 name, "phishing", doesn't mean it's not a hundred-year-old con game.
