Fishing for Phishers
mleachpdx writes "This blog entry probes into the details of an online banking phishing scam and suggests some fraud deterrence and detection measures."
Solution: You authorise the bank first (Score:5, Interesting)
If you don't see that code in your email, or it's wrong, you know it's fraudulent.
Re:Nothing to see here... (Score:3, Interesting)
Customer details (Score:5, Interesting)
Well, I've received several of these mails, but I do not really think they go by any kinda cue -- I've received mails from various banks from around the US, so I think these guys randomly see where you are, make a wild guess at the likely bank and send you one.
For instance, several students at GTech (where I study) have their bank accounts in a certain bank (which we shall call W) -- and a lot of these scams are directed at GT students pretending to be from W.
However, that said -- I'd not be surprised if they actually did some dumpster diving and found out these kinda details. Spooky, man.
How to annoy phishers (Score:5, Interesting)
I reckon banks could do something similar too. Create some honeypot accounts, and track how the criminals attempt to access it. I'm sure they could play a few tricks with a seemingly big fat balance that could make the criminals reveal their hand.
Receiving too (Score:4, Interesting)
Probably that message is sent from hacked/owned/not patched Windows machines that send the entered info to the real criminal. I suppose that for really knowing who he is, those "infected" machines should be hacked back, or the provider of that internet connection should contact/give the address of the owner, and check the programs there.
Is it that simple? (Score:5, Interesting)
The bank I use gave me a little authentication device which combined with my bank card, my personal code and a random code provided by the bank site can generate digital signatures. In order to login and in order to make all transactions final I must provide the right code.
I've been using this system for about 10 years now, if those exploitable banks still use a normal password protection it's their fault they're exploited this way and there's no way customers should be responsible for it.
Re:ways to prevent online fraud? (Score:2, Interesting)
The gist of it is a longer code that I arrange with them in person, and when I go online with them, they ask for random portions of that code.
I would have to be scammed multiple times before anyone had access to my banking.
The comment is here: http://slashdot.org/comments.pl?sid=128336&cid=10
Re:How to annoy phishers (Score:2, Interesting)
Password "QUICKGETEM"
Name "CALL SECURITY"
DOB "01/01/1337"
This would be cool to try.
But tbh, I reckon they would just take the list and try those that look legit.
What we could do is simply forward any phishing scam mails to a central phishing clearing house.
The banks could fund a small team to handle collective online fraud.
The problem is much larger than just banks. (Score:5, Interesting)
It's not a major concern in the 3rd world so these guys have no reason to stop. We've seen scams like this based out of Russia, Brazil, China, and several African countries. It will be interesting to see how this all pans out.
Why is it so hard to catch these criminals? (Score:4, Interesting)
Cheers,
Re:How to annoy phishers (Score:3, Interesting)
The only way they have to separate the wheat from the chaff is to actually try them. If they're really stupid, they (or their underlings) may actually get caught when they attempt to withdraw cash or buy something. Now that would be funny.
Gmail vs. Phishers (Score:5, Interesting)
Has anyone else noticed that the folks at Gmail have added a "report phishing" feature? When you view a message, click "More Options" and you'll see it.
Then again, maybe it's been there for some time and I just haven't noticed (it definitely wasn't there when I first got my Gmail account though and it doesn't appear to be listed as a new feature).
Slashdot this (Score:5, Interesting)
The lad vampire [aa419.org] needs your help
Re:Solution: You authorise the bank first (Score:5, Interesting)
Re:How to annoy phishers (Score:2, Interesting)
If it's all done from the same computer, smart people could weed out the noise by IP address, so you'd have to account for that somehow, too.
Once you make enough noise in the system, scams like this do not remain economical, I would think.
---John Holmes...
Re:Solution: You authorise the bank first (Score:2, Interesting)
Your DNS, or the DNS for your area, is hijacked, and everybody who uses that DNS is called up and told to log on to their bank in order to do something important?
Second solution is:
One-time passwords. I have a long list of login passwords and confirmation passwords, and a numerical customer ID known only to me. When they start running low, I can easily get a new one (mailed to me). So what if I happen to login to some fake site? The worst that can happen is that I waste some time and a little bandwidth, since they can't do anything with only one part out of three (the ID), and anything I do with the fake stuff won't happen anyway. Besides, I'd be mighty suspicious if the balance of the account(s) isn't correct, since that is what I see the moment I login.
Re:Solution: You authorise the bank first (Score:3, Interesting)
then to do any transactions, to open any accounts, to apply for a loan or just about anything other than just checking how much cash you have the system asks a number from a list of one-time passcodes they've sent to you through regular mail (basically "enter the number pair for the number 4323 on your number card").
the card with the one-time-use passcodes is a plastic credit card shaped one, too. easy to have in the wallet, but totally useless without the other codes needed to get into the site.
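An added example (not written by any commenter and not any bank's real system) of the server side of the numbered one-time passcode card described in the comment above, in Python. The class and method names, the 4-digit index and 6-digit code formats, and the three-strike lockout are assumptions; it goes slightly beyond the comment by keeping one challenge outstanding until it is answered, so a caller cannot re-request challenges until an index they already hold a code for comes up.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold


class CodeCard:
    """Server-side state for one customer's card of indexed one-time codes."""

    def __init__(self, size=20):
        self._salt = secrets.token_bytes(16)
        self._digests = {}    # index -> salted digest of a still-unused code
        self._pending = None  # index of the challenge currently outstanding
        self._failures = 0
        self.printed = {}     # demo only: the card that is mailed to the customer
        while len(self._digests) < size:
            index = f"{secrets.randbelow(10**4):04d}"
            if index in self._digests:
                continue
            code = f"{secrets.randbelow(10**6):06d}"
            self.printed[index] = code
            self._digests[index] = self._digest(code)

    def _digest(self, code):
        return hmac.new(self._salt, code.encode(), hashlib.sha256).digest()

    def challenge(self):
        """Pick an unused index; repeated calls return the same one until answered."""
        if self._pending is None:
            if not self._digests:
                raise RuntimeError("card exhausted, issue a new one")
            self._pending = secrets.choice(sorted(self._digests))
        return self._pending

    def verify(self, index, code):
        """Accept only the code for the pending index; consume it on success."""
        if self._failures >= MAX_FAILURES or index != self._pending:
            return False
        if not hmac.compare_digest(self._digests[index], self._digest(code)):
            self._failures += 1
            return False
        del self._digests[index]
        self._pending = None
        self._failures = 0
        return True
```

A code captured by a fake site is only useful if the bank later asks for that same index, and each code is consumed the first time it is accepted.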
Re:Solution: You authorise the bank first (Score:2, Interesting)