Why the FBI Director Doesn't Bank Online

angry tapir writes "The head of the US Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt. FBI Director Robert Mueller said he recently came 'just a few clicks away from falling into a classic Internet phishing scam' after receiving an e-mail that appeared to be from his bank."

  • by grasshoppa ( 657393 ) on Thursday October 08, 2009 @08:00AM (#29679371) Homepage

    I don't mean to deride the director of such an important agency, but seriously? He has more to worry about from targeted attacks than phishing attempts.

    A little knowledge goes a long way.

  • by dgarciam ( 1291598 ) on Thursday October 08, 2009 @08:02AM (#29679393)
    Makes you wonder. If the head of the FBI, the guy who knows all the secrets, that sees all the scams all the time almost falls for this, what can we expect from your average house folks? Scams are getting more and more elaborate these days. Not perfect, but getting there.
  • A novel concept... (Score:5, Insightful)

    by laughingcoyote ( 762272 ) <(moc.eticxe) (ta) (lwohtsehgrab)> on Thursday October 08, 2009 @08:03AM (#29679403) Journal

    Unfortunately, this does seem like a novel concept: If you can't use it properly, and are unwilling to take the time to learn, don't use it at all!

    Of course, it's a bit disturbing that the head of a major law enforcement agency can be scammed that easily. I know plenty of people (who aren't in any type of computer/tech field) who know very well that you never, under any circumstances, ever, go to a sensitive website from an email link, and you most certainly never enter any login details unless you've gone directly there. That's pretty common knowledge anymore, and this is a guy you'd expect to know better. Leads you to wonder what other simple concepts he can't get straight.

  • Wait wha...? (Score:5, Insightful)

    by alexandre ( 53 ) * on Thursday October 08, 2009 @08:03AM (#29679405) Homepage Journal

    The FBI Director doesn't know to never click on a link from "his bank" in his email?
    So I guess I can call him as his bank and ask him for his password too without him actually calling back to the real number?

    No wonder security is broken ...

  • by headhot ( 137860 ) on Thursday October 08, 2009 @08:04AM (#29679417) Homepage

    All emails from my "bank" get filtered right into the trash. If it's important, they will call or send a letter.

  • In other news (Score:2, Insightful)

    by Viper23 ( 172755 ) on Thursday October 08, 2009 @08:05AM (#29679423)

    Chinese and Russian governments scramble to create look-alikes for the FBI's intranet.

    EMail Robert Mueller pretending to be from tech support.

  • by Anonymous Coward on Thursday October 08, 2009 @08:06AM (#29679427)

    I bank online about once a week. Every time I connect, I check the HTTPS certificate. Also, my bank does not know my email address. If I get email from my bank, I KNOW it's a fake. Period.

  • Car Accident (Score:2, Insightful)

    by Crock23A ( 1124275 ) on Thursday October 08, 2009 @08:11AM (#29679461)
    I almost got into a car accident when someone cut me off on the way to work this morning. By the logic suggested by TFS, I should stop using the public roadways.
  • by MollyB ( 162595 ) on Thursday October 08, 2009 @08:13AM (#29679475) Journal

    He has more to worry about from targeted attacks than phishing attempts.

    Unfortunately, this quote from him doesn't inspire confidence:

    "Far too little attention has been paid to cyber threats and their consequences," Mueller said. "Intruders are reaching into our networks every day looking for valuable information. Unfortunately they're finding it."

    It would seem that he is resigned to the situation rather than seeking a remedy for it...

  • Comment removed (Score:2, Insightful)

    by account_deleted ( 4530225 ) on Thursday October 08, 2009 @08:14AM (#29679481)
    Comment removed based on user account deletion
  • This is good (Score:5, Insightful)

    by hairykrishna ( 740240 ) on Thursday October 08, 2009 @08:14AM (#29679485)

    While being an idiot he's obviously not so stupid that he doesn't realise that he's an idiot. Hence the self restriction. If more of the world's idiots followed his example the internet would be a better place.

  • by Anonymous Coward on Thursday October 08, 2009 @08:15AM (#29679489)

    1) the text displayed must equal the link

    for example www.yahoo.com points to www.yahoo.com
    you cannot make links such as www.yahoo.com pointing to www.phish.com

    2) the link can only consist of a-z, A-Z and .

    So my genius idea solves this stupid phishing problem.
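
The two rules proposed in the comment above (the displayed text must equal the link target; links limited to a-z, A-Z and '.'), written as a check over an HTML mail body. This is an added example, not part of the original comment; the function names, the constructed sample message, and the choice to apply rule 1 only when the visible text itself reads as a host or URL are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Rule 2 from the comment: a host may consist only of a-z, A-Z and '.'
ALLOWED_HOST = re.compile(r"[A-Za-z.]+")
# Assumption: rule 1 is applied only when the visible text reads as a host or URL
LOOKS_LIKE_HOST = re.compile(r"^(?:https?://)?[^\s/]+\.[A-Za-z]{2,}(?:/\S*)?$")
SAMPLE = (  # constructed message body; 192.0.2.10 is a documentation address
    '<p><a href="http://www.yahoo.com/">www.yahoo.com</a></p>'
    '<p><a href="http://www.phish.com/">www.yahoo.com</a></p>'
    '<p><a href="http://192.0.2.10/login">Account notice</a></p>'
)

def host_of(value):
    """Lowercase hostname of a URL or of a bare 'www.example.com' string."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # makes urlsplit parse it as a network location
    return (urlsplit(value).hostname or "").lower()

def verdict(text, href):
    target = host_of(href)
    if not ALLOWED_HOST.fullmatch(target):
        return "bad-charset"  # rule 2: digits, '-', other characters, or no host
    if LOOKS_LIKE_HOST.match(text) and host_of(text) != target:
        return "mismatch"  # rule 1: the text names a different host
    return "ok"

class LinkAuditor(HTMLParser):
    """Collects (visible_text, href, verdict) for each <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.results, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.results.append((text, self._href, verdict(text, self._href)))
            self._href = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.results
```

Taken literally, rule 2 also rejects legitimate hostnames that contain digits or hyphens, so the "bad-charset" verdict is better treated as a signal to review than as proof of phishing.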

  • A few clicks away? (Score:4, Insightful)

    by njen ( 859685 ) on Thursday October 08, 2009 @08:19AM (#29679523)
    Everyone is always just a few clicks away from being caught in a phishing scam. In fact, wouldn't it be closer to say that everyone is just one click away (the link from their email)?

    It's like saying, I am a few steps away from a cash register at the supermarket...I came this close to being tempted to steal it. But I've solved the problem: I won't enter any supermarkets ever again. Or that everyone is just a few steps away from death by standing by the side of the road, so to avoid being hit by a car, I will never go near a road ever again.

    Sure there are dangers everywhere, one just needs some education, like: never ever ever click on a link in an email claiming to be from your bank. Just like: you should always look both ways in crossing the street. Seriously, my 16 year old brother knows both of those...
  • Not a surprise (Score:4, Insightful)

    by AndGodSed ( 968378 ) on Thursday October 08, 2009 @08:25AM (#29679585) Homepage Journal

    I am not surprised.

    The director of any agency does not necessarily deal with all the scams and most likely not with IT. He runs the business/admin side of things, and he has people working under him to take care of things like security etc.

    What seems to be missed is that phishers have the e-mail address of the director of the FBI. Either it is a personal e-mail address - and I am not even sure people in that position are allowed to have personal/web e-mails. OR it is his FBI address - and that is more worrying than that he almost fell for a scam.

    Another thing that worries me is that he takes nothing away from this experience - almost got caught, so I won't bank online anymore. Heck I would expect someone of his stature to go - Almost got caught, yikes better make sure that does not happen again.

    The direct effect of this is that the director of the FBI is now going to either bank by phone (and that is a security hole right there) or going to wait in the queue at the bank - exposing him to other risks.

    I would've thought that higher up officials such as him had access to alternative more secure methods of doing things like banking - how does the President of the USA do it, for instance?

  • by Demetris ( 852051 ) on Thursday October 08, 2009 @08:26AM (#29679589) Homepage

    Of course, it's a bit disturbing that the head of a major law enforcement agency can be scammed that easily.

    I would put it a bit differently: It's a bit disturbing that a person that can be scammed so easily is the head of a major law enforcement agency.

  • by Aladrin ( 926209 ) on Thursday October 08, 2009 @08:31AM (#29679633)

    They didn't. They scattershot the email and hope some of the people that get the email use that bank. I've received phishing attempts for several banks that I've never used. They were all very large banks.

    They look very real and if I did use those banks, I would have been tempted to click... But being savvy, I'd have contacted my bank via phone or the website instead of clicking on anything in the email.

    How do I know? I've done it with other emails. They all turned out to be real, but when money is involved, it makes sense to be careful with email.

  • by grasshoppa ( 657393 ) on Thursday October 08, 2009 @08:42AM (#29679749) Homepage

    Well, and for you to enter your login information.

    Common sense dictates that you don't follow links from your email to anything financial; you either type it in yourself or you use a bookmark. I know my bank and credit cards don't send me links to click, but even if they did I wouldn't use them.

  • by Anonymous Coward on Thursday October 08, 2009 @08:44AM (#29679767)

    neatly sidestepping the fact that a lot of attention *has* been paid to it, but people like him have always chosen to ignore it.

  • by DarthBart ( 640519 ) on Thursday October 08, 2009 @08:49AM (#29679823)

    Bull. There's one simple way to avoid phishing scams. Open up the browser yourself and type in the address yourself.

    Anytime I access financial information, I enter the address manually. If you can't remember something simple like "paypal.com" or "chasebank.com", you don't need a computer.

    A former coworker of mine accessed his bank this way:

    1) Open IE
    2) Go up to the file menu, select "Open Location"
    3) Enter "http://www.google.com/" (The full URL, not just google.com)
    4) search for "Bank Of America"
    5) Click on the first result, which thankfully was the right BoA site.

  • pussy whipped (Score:1, Insightful)

    by Anonymous Coward on Thursday October 08, 2009 @08:52AM (#29679839)

    FTFA:

    "After changing our passwords, I tried to pass the incident off to my wife ... as a teachable moment," he said. "To which she deftly replied, 'Well, it is not my teachable moment. However, it is our money. No more Internet banking for you.'"

  • ATMs and mugging? (Score:3, Insightful)

    by Jason Levine ( 196982 ) on Thursday October 08, 2009 @08:55AM (#29679865) Homepage

    So he's not using online banking because some phisher sent him an e-mail and he almost fell for it? If he took some money out of an ATM and then someone tried to mug him, would he refuse to use ATMs from then on? If he saw a report of a bank robber killing someone during a robbery attempt, would he not go into a bank's branch to do his banking? Just because the phishing attempt occurred doesn't necessarily mean that his bank's online banking system is insecure.

  • Re:This is good (Score:3, Insightful)

    by Runaway1956 ( 1322357 ) * on Thursday October 08, 2009 @08:59AM (#29679893) Homepage Journal

    That might be the most insightful post yet. We ALL do stupid shit - no matter HOW SMART we are. A freaking genius rocket scientist might be too spastic to drive safely. That's cool, as long as the genius realizes that he's a spaz, and can't drive. If he doesn't figure it out - well, there's a fine line between genius and idiocy. The idiot will kill himself, or someone else.

    Everyone on slashdot who has NEVER done anything stupid, not once in their lives, should sign in below. Ever searched for your glasses, just to find them on your face? Searched for your car keys, just to find them in your pocket, or in the ignition? BRAIN FART!! We're all prone to have them, some more often than others.

  • by D Ninja ( 825055 ) on Thursday October 08, 2009 @09:02AM (#29679931)

    ...except, they won't. Many people do everything through online banking. A number of banks have complete "opt-out-of-paper" programs, so you won't see another letter in your life (except maybe major documents that need signed). The real trick here is - when you get an e-mail, don't click on the links. If your bank says you need to take care of something, visit their site by manually typing in the address and then take care of whatever it is.

  • by ShooterNeo ( 555040 ) on Thursday October 08, 2009 @09:03AM (#29679943)

    According to the wiki, Robert Mueller is a lawyer. He received his law degree in 1973, and spent a good chunk of his career as a federal prosecutor. Prosecutors in general are vicious people who use their power to extort guilty pleas from defendants. ('plead guilty and take the deal for 3 years, or I'll ask for a life sentence')

    The man has no direct investigative experience, nor any training or work experience with computers. I would suspect he barely knows how to turn one on and to open up powerpoint, word, or outlook.

    He specifically is one of the key men who CARRIED OUT the warrantless wiretapping, while declining to tell the public that he had broken his Oath to the Constitution of the United States.

    Furthermore, he was the lead prosecutor on the Lockerbie bombing case. That's the one that sent Abdelbaset Ali Mohmed Al Megrahi to prison for life, under evidence SO WEAK that the Scottish courts released this alleged mass murderer from prison under compassionate release. (the main reason this man was convicted came from the 'testimony' of a man paid 2 million dollars to give it, and of course Mueller had to have been right in the middle of this)

  • by donaggie03 ( 769758 ) <d_osmeyer.hotmail@com> on Thursday October 08, 2009 @09:29AM (#29680185)
    I agree. The problem isn't getting emails from banks. The problem is clicking on a link from within an email from a bank.
  • by donaggie03 ( 769758 ) <d_osmeyer.hotmail@com> on Thursday October 08, 2009 @09:31AM (#29680227)
    He wasn't scammed. He was almost scammed. Everyone who uses the internet has "almost" been scammed, for varying degrees of "almost."
  • by Zebedeu ( 739988 ) on Thursday October 08, 2009 @10:14AM (#29680709)

    Of course, otherwise you risk one day mistyping bankofamerica.com and ending up in a phishing site which looks just like the real thing.

    If you can't trust your bookmarks, you can't trust your computer. If you can't trust your computer, you shouldn't be accessing your online bank on it in any case.

  • by hmar ( 1203398 ) on Thursday October 08, 2009 @11:06AM (#29681377)

    And spoil us an epic laugh? And rob Slashdot of a 'haha see toldyouso' summary whose article doesn't even have to be read?

    Is there an article somewhere on slashdot that does have to be read?

  • by Ethanol-fueled ( 1125189 ) on Thursday October 08, 2009 @12:11PM (#29682237) Homepage Journal
    No it's not. They haven't done much worth a damn except spend their budget.

    They just troll for weak-minded "anti-Americans" who (to paraphrase another slashdotter) could be convinced to rob a hotdog stand, then undercover FBI agents and overpaid snitches* develop some big scheme** and then cram it down the target's throat until the target agrees***, then they bust the target as soon as he agrees and the media makes a big circus of it telling everybody that millions of lives were saved and another 9/11 was thwarted.

    * To the tune of $250,000 [google.com] apiece. Think about that when you're eating ramen tonight.
    ** Which makes FBI better terror planners than the so-called "terrorists" themselves!
    *** Or otherwise utilize entrapment and other illegal techniques [fresnobee.com]. But who cares? it's Terrorists we're talking about here!
  • by cetialphav ( 246516 ) on Thursday October 08, 2009 @01:23PM (#29683177)

    The question is, why is someone that "non-technical" in charge of cybercrime for the FBI?

    He is not in charge of cybercrime. He is the director of the entire FBI. I imagine that he has a huge amount of knowledge of things you and I know nothing about so I am willing to cut him some slack. We engineers have built a communication system that looks simple and secure to average folk and yet actually requires the detailed knowledge of how it all works to use it securely.

    Every time one of these stories comes up, I am troubled by the attitude that is taken in so many Slashdot comments that the victim (or near victim) must be a complete idiot. We make a system that makes it far too easy to deceive people and then ridicule the victim for being tricked. We will never be able to improve the situation with this attitude.

    It is right to be suspicious of any email claiming to be from your bank, but the fact is that my banks have sent me legitimate emails from them. Those emails have never been digitally signed so verifying their authenticity is tough. So the banks have some responsibility for using email in an unsafe way. But what if they did sign their emails? Well, it still wouldn't matter because Gmail and Yahoo and Hotmail have no provision for verifying digital signatures so the tools used by millions lack a fundamental security feature.

  • by cetialphav ( 246516 ) on Thursday October 08, 2009 @04:01PM (#29685045)

    Related, in that regular people may not realize what they're doing but why would you use Gmail, Hotmail, or Yahoo for financial communications?

    Why not? I don't see those as being any more or less secure than any ISP's normal email services. Email is fundamentally insecure anyway. Most people have one email address that they regularly use and so that is what will be provided to financial institutions.

    However my ISP allows users to use a whitelist [wikipedia.org], I have an online address book and only email from someone in it is sent directly to my inbox.

    But that has nothing to do with security. Your "suspected" folder contains all messages that did not make it past the whitelist filter, but that does not mean that you can trust what the whitelist filter allows through. It is trivial to send an email that matches what you think a legit banking email will look like.

    I think the reason that most people don't realize that email can be trivially forged is because it is such a stupid idea to design a system like that. It can't possibly make sense for me to sit here in the comfort of my home and send an email to you that looks like it came from Bank of America and so non-experts assume that there must be some sort of mechanism to stop that. That is a very reasonable assumption, and we engineers are morons for not providing a communication abstraction that lives up to that.
