Forgot your password?
typodupeerror
Security IT

Why the FBI Director Doesn't Bank Online 360

Posted by samzenpus
from the crime-almost-paid dept.
angry tapir writes "The head of the US Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt. FBI Director Robert Mueller said he recently came 'just a few clicks away from falling into a classic Internet phishing scam' after receiving an e-mail that appeared to be from his bank."
This discussion has been archived. No new comments can be posted.

Why the FBI Director Doesn't Bank Online

Comments Filter:
  • by fluch (126140) on Thursday October 08, 2009 @07:59AM (#29679355)

    Why does he even consider any such e-mail worth reading?! That is the biggest fail in the chain of his doings....

    • by dgarciam (1291598) on Thursday October 08, 2009 @08:02AM (#29679393)
      Makes you wonder. If the head of the FBI, the guy who knows all the secrets, that sees all the scams all the time almost falls for this, what can we expect from you average house folks? Scams are getting more and more elaborate this days. Not perfect, but getting there
      • by corbettw (214229) <corbettw.yahoo@com> on Thursday October 08, 2009 @08:12AM (#29679469) Journal

        My take away from it was that the head of the FBI knows surprisingly little about phishing. Let's hope someone on his staff briefs him on 419 scams before he sends his life's savings to the former finance minister for the deposed Crown Prince of Nigeria.

        • by Thansal (999464) on Thursday October 08, 2009 @08:53AM (#29679849)

          I would suspect you are right. I don't really know what Robert Mueller's background is (quick look at wiki says marines and law), but I suspect that he wasn't directly involved in cybercrime of any sort. Sure, he gets to make the ultimate decisions, but with lots of advisers/what not who (hopefully) know their stuff.

          And hey, at least he didn't ACTUALLY fall for it.

          Random note:
          The emails you do get from various online institutions don't look all that more legit than the ones from the scamers. I have received 2 notices that an account of mine had been compromised, and I was prompted to login (via a link) and reset my password. One of these was my EBay account I hadn't touched in years. I nearly just binned the email with out even opening it, but curiosity got the better of me and I read through it, checked the links, etc etc, and everything seemed legit, despite looking like a classic phishing attempt.

          • by ArsenneLupin (766289) on Thursday October 08, 2009 @10:07AM (#29680637)

            checked the links

            You don't check the links, you don't use them at all. Instead, you access the site through a bookmark, or via typing in the URL manually if you no longer have a bookmark. It's all too easy to confuse an l with an I or a 1. Or rn and m depending on what font you have. Or the attacker might play similar tricks using exotic characters that you do not even know to exist (How similar is a greek capital Rho to a capital P?).

        • Re: (Score:2, Interesting)

          by BESTouff (531293)
          My take away from this is that it's just a press stunt to introduce new harsher behavior from the FBI agents, maybe backed by a new piece of legislation.
        • by Aceticon (140883) on Thursday October 08, 2009 @09:16AM (#29680059)

          419 scams and phishing are completely different sorts of scenarios:
          - The first is an appeal to a person's greed that happens to be done via e-mail
          - The second is a forged and somewhat alarmist e-mail providing a link to access what appears to be your bank's system to correct a problem.

          419 scams are just a common type of scam only done "via e-mail" and should be easily detectable to anybody knowledgeable in the ways of deceit (the appeal to one's greed makes it very obviously).

          Phishing involved a forged e-mail (which means one needs to be aware that e-mails can be forged) demanding nothing of value from the recipient (just some time to check and correct a "problem") and providing a helpful link to the relevant site (said link looking ok for a non-technical person). The helpful link to the site is a common feature in e-mails from many companies (for example MySpace) and thus an e-mail with a link fits one mental pattern of "how these things usually work" and triggers no mental alarms if you're not aware of how phishing works.

          Thus I'm not at all surprised that a non-technical member of the intelligence/law community could fall for a phishing e-mail.

      • This is why I've been pulling back from online banking and other online accounts. It makes no sense to leave half a million dollars sitting on the internet, with nothing to protect it except a password. I moved the money to a different account that can not be accessed unless I physically walk into the bank's building and display photo ID.

        • Re: (Score:2, Funny)

          by Anonymous Coward

          Photo ID, pffft.

          My bank will only allow access to my account when presented with my erect penis.

          • Re: (Score:3, Funny)

            by v1 (525388)

            but that's only for making deposits? and watch out for the penalty for early withdrawl....

        • by Zironic (1112127)

          I thought all banks used security tokens for online banking.

          • by jimicus (737525)

            I am told this is the case in some countries.

            In many, however, it is the exception rather than the rule. My bank's just issued me a security token (yay!) but they, er, don't use it for the logon process. They only use it for transferring money out of the account.

            Which is well and good but the telephone banking system quite often relies on a question like "Can you name a recent transaction on your account please?".

            • by Zironic (1112127)

              Wouldn't that be a security issue with the telephone banking system rather then the internet one?

          • by cayenne8 (626475)
            "I thought all banks used security tokens for online banking."

            Nope, never heard of it before actually. I just log on with userid/password for my accounts.

            What is a bank security 'token'?

      • by 2.7182 (819680)
        What it makes me wonder is why someone who is so out of touch is the head of the FBI. Granted many people fall for such things, but for example, probably most readers here wouldn't. The head of the FBI should know better.
        • Re: (Score:2, Interesting)

          by AvitarX (172628)

          I will admit to almost falling for one the other day.

          I marked the e-mail as phishing and it has since been deleted, but it came from "bank of america" and linked to a quite formal looking page asking for info.

          it came simoultenious to my having trouble with Bank of America online system (they took over my mortgage account and it has been a pain getting into the online payment since).

          I was looking at it, frustrated it was only a solution for credit card issues, and then realized the site was support.com not b

          • Well, you are, but so is your bank for normally sending you unsigned email. And so is your email-client for not showing a Bank of America logo and randomart next to the e-mail address when it's signed. And so is everyone for there not being a standard way to verify authenticity of phone calls, etc, etc.

      • by cayenne8 (626475)
        "Makes you wonder. If the head of the FBI, the guy who knows all the secrets, that sees all the scams all the time almost falls for this, what can we expect from you average house folks? Scams are getting more and more elaborate this days. Not perfect, but getting there"

        Makes me think there are many more gullible idiots out there waiting to be fleeced.

        Hmm...I need to figure some way to make money off of them...hopefully just bit more legal though.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      "FBI director too dumb to use the Internet"

      Hilarious. Great headline.

    • by camperslo (704715)

      Even though he did stop just short of being taken in, it is apparent that some of his information was already compromised. How else would they know which of all the banks out there was one he was using?

      • by turing_m (1030530) on Thursday October 08, 2009 @08:30AM (#29679623)

        Even though he did stop just short of being taken in, it is apparent that some of his information was already compromised.

        It's not apparent. Dollars to donuts it's far cheaper to send an email targeting a specific bank to a very large number of harvested US email addresses than to somehow find out which email addresses relate to which bank's customers, and send them a targeted email. Emails cost virtually nothing to send.

      • by Aladrin (926209) on Thursday October 08, 2009 @08:31AM (#29679633)

        They didn't. They scattershot the email and hope some of the people that get the email use that bank. I've received phishing attempts for several banks that I've never used. They were all very large banks.

        They look very real and If I did use those banks, I would have been tempted to click... But being savvy, I'd have contacted my bank via phone or the website instead of clicking on anything in the email.

        How do I know? I've done it with other emails. They all turned out to be real, but when money is involved, it makes sense to be careful with email.

      • There's no real evidence that they did. I get phishing attempts all the time claiming to be about my account on banks I don't do business with. When you send out millions of phishing mails, you can just pick a bank at random. Some of your targets will have accounts with that bank.

    • I agree, ALL banks tell you they will not communicate with you through email to confirm anything, they will tell you to come down or call, so for you to get an email stating we need to verify something is a scam, PERIOD!
      The fact that this guy is even letting us know he came this close to screwing up is not something I would want our
      FBI director to be acknowledging! You will hopefully find a letter of resignation soon on someone's desk.

      This guy might have thought coming out about this would help tell people

      • My bank sends email confirmations to me all the time. If I add someone to the account, change the contact info, transfer money, etc, I will get an email. The emails say something like "This is to confirm that you changed your mailing address with us. Please do not reply to this email." The emails my bank sends never have links in them or ask me to input any information. The solution isn't necessarily to block or delete all email from all banks. You can simply choose not to input your bank account info
    • by hodet (620484)
      The only email a bank should send you is the one saying they will never send you another one. All messages should be sent to you in a Message Center within the website that you see after you login. Login to your banking account and get a notice saying "you have one unread message in the message center". My $0.02.
      • What's wrong with emails saying "Hey asshole, you have important information in the Message Center." As long as there isn't a link to the bank within the email, so I have to open a new window, and actually type the bank's address into the address bar, I don't see a problem with it. And that method has worked fine for me for the last few years.
  • by grasshoppa (657393) <skennedy@@@tpno-co...org> on Thursday October 08, 2009 @08:00AM (#29679371) Homepage

    I don't meant to deride the director of such an important agency, but seriously? He has more to worry about from targeted attacks than phishing attempts.

    A little knowledge goes a long way.

    • by MollyB (162595) on Thursday October 08, 2009 @08:13AM (#29679475) Journal

      He has more to worry about from targeted attacks than phishing attempts.

      Unfortunately, this quote from him doesn't inspire confidence:

      "Far too little attention has been paid to cyber threats and their consequences," Mueller said. "Intruders are reaching into our networks every day looking for valuable information. Unfortunately they're finding it. "

      It would seem that he is resigned to the situation rather than seeking a remedy for it...

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        neatly sidestepping the fact that a lot of attention *has* been paid to it, but people like him have always chosen to ignore it.

      • by TheGratefulNet (143330) on Thursday October 08, 2009 @09:45AM (#29680401)

        Mueller said. "Intruders are reaching into our networks every day looking for valuable information. Unfortunately they're finding it. "

        wait; who, again, are the bad guys?

        given their MO, I consider the feds and police to be 'bad guys' when it comes to their perceived right to 'sneek and peek' any damned place they want for any reason at all. attach a gps to your car? no problem. and on and on it goes.

        the government is THE WORST INTRUDER in our personal lives, these days.

        I worry much less about criminals. they have a lot less power over me and once they do their deed, they're gone from my life.

  • A novel concept... (Score:5, Insightful)

    by laughingcoyote (762272) <.moc.eticxe. .ta. .lwohtsehgrab.> on Thursday October 08, 2009 @08:03AM (#29679403) Journal

    Unfortunately, this does seem like a novel concept: If you can't use it properly, and are unwilling to take the time to learn, don't use it at all!

    Of course, it's a bit disturbing that the head of a major law enforcement agency can be scammed that easily. I know plenty of people (who aren't in any type of computer/tech field) who know very well that you never, under any circumstances, ever, go to a sensitive website from an email link, and you most certainly never enter any login details unless you've gone directly there. That's pretty common knowledge anymore, and this is a guy you'd expect to know better. Leads you to wonder what other simple concepts he can't get straight.

    • by mcgrew (92797) *

      Leads you to wonder what other simple concepts he can't get straight.

      Well, if you're tired enough it's easy to fuck up and do something stupid when you actually know better. The moral of the story is make sure you finish drinking your coffee before you check your email.

      I hope this guy finishes his coffee before he drives to work. You, too. I found this article [newscientist.com] interesting; it seems one can be both asleep and awake at the same time. It explains Mueller's near fuckup.

  • Wait wha...? (Score:5, Insightful)

    by alexandre (53) * on Thursday October 08, 2009 @08:03AM (#29679405) Homepage Journal

    The FBI Directors doesn't know to never click on a link from "his bank" in his email?
    So i guess I can call him as his bank and ask him for his password too without him actually calling back to the real number?

    No wonder security is broken ...

  • by headhot (137860) on Thursday October 08, 2009 @08:04AM (#29679417) Homepage

    All emails from my "bank" get filtered right into the trash. It its important, they will call or send a letter.

    • by D Ninja (825055) on Thursday October 08, 2009 @09:02AM (#29679931)

      ...except, they won't. Many people do everything through online banking. A number of banks have complete "opt-out-of-paper" programs, so you won't see another letter in your life (except maybe major documents that need signed). The real trick here is - when you get an e-mail, don't click on the links. If your bank says you need to take care of something, visit their site by manually typing in the address and then take care of whatever it is.

      • Re: (Score:3, Informative)

        by The Cisco Kid (31490)

        Some banks, instead of sending you the message outright in email, instead have a sort of message system within their online banking, and if they send you something there, they send you an email notice to go check your messages.

        Its a decent idea, as long as they 1. Dont include any links, and instead let you enter the bank site yourself and 2. Absolutely use it *ONLY* for directly personal information related to *your* account (eg no ads, promotions or newsletters)

        Oh, and it helps if you try to avoid using i

  • Yes Dear! (Score:5, Funny)

    by muckracer (1204794) on Thursday October 08, 2009 @08:04AM (#29679421)

    Fortunately his wife will continue to use online banking...

  • In other news (Score:2, Insightful)

    by Viper23 (172755)

    Chinese and Russian governments scramble to create look-alikes for the FBI's intranet.

    EMail Robert Mueller pretending to be from tech support.

    • Hmmmm. Now I'm curious whether we could slashdot the FBI's website. They'd probably investigate us like we were 4chan, LMAO

  • by Anonymous Coward on Thursday October 08, 2009 @08:06AM (#29679427)

    I bank online about once a week. Everytime I connect, I check the HTTPS certificate. Also, my bank does not know my email address. If I get email from my bank, I KNOW it's a fake. period.

    • I have a separate email address for everyone with whom I have email contact, including my bank. The email address I use for the bank is known only to me and the bank. If I get banking email on any other address, then I immediately know it's a fake. Nothing is foolproof, but there are easy ways to greatly lower your risk.

    • Re: (Score:3, Funny)

      by cerberusss (660701)

      I bank online about once a week. Everytime I connect, I check the HTTPS certificate. Also, my bank does not know my email address. If I get email from my bank, I KNOW it's a fake. period.

      Not giving the bank your e-mail address means major hassles for them. Printing a letter, licking a stamp, then licking the envelope, et cetera.

      So in order to save them money, the bank has my e-mail address. However, it's a special e-mail address that routes over a ToA network connection (TCP-over-Avian). Thus when I see the pigeon arrive, I know for a fact that -- yes -- it's my bank that's sending me an e-mail.

      You just have to outsmart the scammers. I guess I have that talent.

  • It was a pain to setup because their refusal to send anything important by email, but I guess it's for the best. The only email I receive from my bank is offers for more credit. Anything related to my account is done with registered mail and a phone call.
  • Car Accident (Score:2, Insightful)

    by Crock23A (1124275)
    I almost got into a car accident when someone cut me off on the way to work this morning. By the logic suggested by TFS, I should stop using the public roadways.
    • I almost got into a car accident when someone cut me off on the way to work this morning. By the logic suggested by TFS, I should stop using the public roadways.

      I wish people where I live would apply that logic, my drive to work would be a lot safer.

      Although I think we could probably make a positive change in the situation by actually making the driver license test difficult. However the state makes more revenue from the people who drive than those who do not...

    • Someone cutting you off isn't your fault. This is more like you almost getting into an accident because you had a narcoleptic episode. In which case, you shouldn't drive.

      You could say that the FBI director could be cured with knowledge, but knowledge doesn't cure gullibility, only ignorance. It is rare that people recover from gullibility.

    • by PinkyDead (862370)

      If 50% of the roads were mined, would you still use them?

    • by Nikker (749551)
      It would be more like seeing some idiot swerving between lanes and you descide to tail gate him as he goes. The kicker is your a driving instructor. At the end of the day you write to everyone how you almost threw your car off a bridge because of this.
    • by mcgrew (92797) *

      More like "I almost got in an accident this morning because I wasn't paying attention. Maybe I should stop driving."

  • I am wondering, what's so hard about fixing this issue once and for all. We've had e-mail signing for a couple decades now available to everybody. Since most folks will happily stick any "Installation CD" they get into their machines, why can't, for example, one be given out to each new bank customer which then adds a certificate or public key etc. to his e-mail. Hell, they could even install their own e-mail and browser app for exclusive use with their online services. If I had a bank I'd be ashamed for ma

    • by Arlet (29997)

      Once you get infected with a trojan (which happens to a lot of people), it is trivial to put some fake public keys on your machine, or to insert a fake e-mail straight into your inbox.

      My bank uses a better solution: they send me regular mail. They don't even have my e-mail address, so I can ignore any mail that claims to be from them.

  • by MikeRT (947531)

    Be calling for legislation that makes banks responsible for identity theft and any subsequent damage to consumer credit ratings. That would make the FBI's job much easier since the banks would never send emails, among other things, to make sure that they are diligent about identity theft.

  • This is good (Score:5, Insightful)

    by hairykrishna (740240) on Thursday October 08, 2009 @08:14AM (#29679485)

    While being an idiot he's obviously not so stupid that he doesn't realise that he's an idiot. Hence the self restriction. If more of the worlds idiots followed his example the internet would be a better place.

    • Re: (Score:3, Insightful)

      by Runaway1956 (1322357) *

      That might be the most insightful post yet. We ALL do stupid shit - no matter HOW SMART we are. A freaking genius rocket scientist might be to spastic to drive safely. That's cool, as long as the genius realizes that he's a spaz, and can't drive. If he doesn't figure it out - well, there's a fine line between genius and idiocy. The idiot will kill himself, or someone else.

      Everyone on slashdot who has NEVER done anything stupid, not once in their lives, should sign in below. Ever searched for you glasse

  • Beyond throwing the baby out with the bathwater, this is deeply ironic -- the head of the FBI, arguably the US top policeman, giving into fear of criminals rather than fighting them.

    Viewed on a negative basis, police deter lawbreaking by catching offenders so they can be punished downstream in the judicial system. From a positive basis, police create a climate where the people do not need to fear crime and so can be less stressful and more productive. Rather important.

    The one thing police should never d

  • A few clicks away? (Score:4, Insightful)

    by njen (859685) on Thursday October 08, 2009 @08:19AM (#29679523)
    Everyone is always just a few clicks away from being caught in a phishing scam. In fact, wouldn't it be closer to say that everyone is just one click away (the link from their email)?

    It's like saying, I am a few steps away from a cash register at the supermarket...I came this close to be tempted to steal it. But I've solved the problem: I won't enter any supermarkets ever again. Or that everyone is just a few steps away from death by standing by the side of the road, so to avoid being hit by a car, I will never go near a road ever again.

    Sure there are dangers everywhere, one just needs some education, like: never ever ever click on a link in an email claiming to be from your bank. Just like: you should always look both ways in crossing the street. Seriously, my 16 year old brother know both of those...
    • I bet he actually typed some information into a web form, but did not click the submit button. Little does he know that some javascript already sent what he typed in anyway.

  • by Viper23 (172755)

    Robert Mueller,

    There has been a technical issue we need to resolve with your account at counter-intel.fbi.gov [fsb.gov.ru].

    Please click on the above link and fill in your details. Follow the on screen instructions and the error will be corrected.

    Thank you and have a good day,

    FBI Technical Support

  • Woah... (Score:2, Funny)

    by Azuaron (1480137)
    Robert Mueller's the guy I keep getting emails from asking me to accept some money from Nigeria. He's always claimed to be the head of the FBI, but I never believed him. Man, all this time I've been risking arrest and denying myself several hundred thousand US dollars just because I thought it was a scam! I guess you shouldn't be skeptical of everything you get in your inbox.
  • Not a surprise (Score:4, Insightful)

    by AndGodSed (968378) on Thursday October 08, 2009 @08:25AM (#29679585) Homepage Journal

    I am not surprised.

    The director of any agency does not necessarily deal with all the scams and most likely not with IT. He runs the business/admin side of things, and he has people working under him to take care of things like security etc.

    What seems to be missed is that phishers has the e-mail address of the director of the FBI. Either it is a personal e-mail address - and I am not even sure people in that position are allowed to have personal/web e-mails. OR it is his FBI address - and that is more worrying than that he almost fell for a scam.

    Another thing that worries me is that he takes nothing away from this experience - almost got caught, so I won't bank online anymore. Heck I would expect someone of his stature to go - Almost got caught, yikes better make sure that does not happen again.

    The direct effect of this is that the director of the FBI is now going to either bank by phone (and that is a security hole right there) or going to wait in the qeue at the bank - exposing him to other risks.

    I would've thought that higher up officials such as him had access to alternative more secure methods of doing things like bankin - how does the President of the USA do it, for instance?

  • He couldn't use the telephone to do 2 minutes of investigation before biting? He runs an agency with "investigation" in their name yet accepts email at face value? Let me guess, all their phones have been disconnected because they're a security risk.

    Besides, if he was checking on his accounts regularly, he'd know if there was any unusual activity.

    This says a lot about the head of the FBI, none of it particularly flattering. He accepts whatever comes across his desk at face value, doesn't do any actu

  • While I admire his honesty, I must say that someone who is chock full of this much stupid should not be in any position of authority.

    This is a prime example of why we need laws to weed out the ignorant.
    • Nobody not chock full of that much stupid would get themselves into that kind of position of authority.

    • by _Sprocket_ (42527)

      While I admire his honesty, I must say that someone who is chock full of this much stupid should not be in any position of authority.

      What if he's not honest? What if he's not really that stupid? What if this "confession" is part of an agenda; identifying with the public.

  • The head of the FBI isn't a superman, or an expert on every form of crime. It's entirely possible the man spent his investigative entire career focusing on a particular type of crime, before working his way up through management. Furthermore, the computers the FBI uses are probably quite similar to the ones used in a bank or comparable corporate activity. One would hope that their records security is at least as good as a bank. Unlike a bank, the FBI is mostly not subject to liability if they screw up, n

  • by Idaho (12907) on Thursday October 08, 2009 @08:35AM (#29679677)

    ..because he does not understand simple concepts about human nature and, resulting from this, the way in which modern banks conduct their business (e.g. never sending out mails about internet banking/passwords), and is apparently oblivious to the concept of such scams even though it has been reported in the mainstream press over and over again.

    Somehow, it worries me that such a person would be the head of the FBI. Good thing I don't live in the States then, although I have reason to expect [youtube.com] things aren't much different where I live.

    That link is in Dutch, but you can still gather the idea from watching the movie. What you see is the prime minister (at the time) of the Netherlands who clearly has no clue whatsoever what a computer mouse is for and how it should be used (he attempts to use it like a TV remote). A six year old (!!) girl (!) then helps him out in sending an e-mail. This happened about 10 years ago, but mice had been 100% mainstream for at least a decade then (since Windows 3.11 at least - I mean, if six year old girls know, you can be pretty sure it was well out of nerd-territory by then).

    The scary thing is that *these* are also the kind of persons in positions to come up with laws and regulations regarding the internet, filesharing, etc.

  • by Tom (822)

    And you'd think the head of the friggin FBI knows a little more than that. Maybe he should go and talk with his friends at the NSA?

    There's a straightforward solution to this so simple that it hurts. Don't mix media. I have a bookmark for my online banking. If I ever receive a mail from my bank with some "important information about my account", I will click on that bookmark, never on the link in the e-mail, and if the info is real, it'll be there in my online banking message box.

    Same with PayPal, Amazon, eb

  • ATMs and mugging? (Score:3, Insightful)

    by Jason Levine (196982) on Thursday October 08, 2009 @08:55AM (#29679865)

    So he's not using online banking because some phisher sent him an e-mail and he almost fell for it? If he took some money out of an ATM and then someone tried to mug him, would he refuse to use ATMs from then on? If he saw a report of a bank robber killing someone during a robbery attempt, would he not go into a bank's branch to do his banking? Just because the phishing attempt occurred doesn't necessarily mean that his bank's online banking system is insecure.

  • just type the url or your bank into the address bar?

    www.mybank.com <- wow typing that nearly gave me rsi..
  • Why the FBI Director Doesn't Bank Online

    Based on their past problems [washingtonpost.com] replacing their IT systems, my guess is that it's because he can't find his computer's "on" switch.

  • The article quotes him as saying online banking is "very safe." Well, if it's so safe, why doesn't he use it? Either he is glaringly, abysmally stupid, or he is a fucking hypocrite who is too much of a pussy to call out the banking and computing (read: Microsoft) industries for perpetuating an inherently insecure system. And then you've got companies like PayPal that try to silence people who dare proclaim that the Emperor Has No Clothes.

    But forgive me for being but a lowly member of the hoi polloi, for

Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.

Working...