
Everything You Know About Password-Stealing Is Wrong

isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds, and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime, and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. The article is online at the computer.org site (hard-to-read multipage format) or as a PDF from Microsoft Research."
  • by gl4ss ( 559668 ) on Tuesday February 12, 2013 @10:33AM (#42870915) Homepage Journal

    I bet he ran it up way more than $200.

    Now if you were a money mule you'd be hit with paying for the $4,950 you transferred for some guy in Ghana.

  • by Chrisq ( 894406 ) on Tuesday February 12, 2013 @10:42AM (#42871007)

    The gist of TFA is that since the transfer from the person with the compromised password to the mule is reversed, it is the mule that loses out, so the password isn't the bottleneck (evidently the bottleneck is mule recruitment and back-end fraud detection). This rather misses the point that it is a potential stopping point. If the account can't transfer money to the mule, then the mule can't be persuaded to take a commission and send the rest on by Western Union.

    Maybe I'm cynical, but it seems to me that this analysis is a big "not my problem" statement by Microsoft. The client-end OS and browser security, of which Microsoft has a big share, are not the "real problem"; that lies at mule recruitment and back-end fraud detection systems, both areas where Microsoft has little investment.

  • Re:Ummm....

    by gl4ss ( 559668 ) on Tuesday February 12, 2013 @10:45AM (#42871043) Homepage Journal

    Because there was talk about mules, I'm assuming it's usual that it's moved to some gullible idiot's account, who takes a fee and forwards the money (Nigeria-scam sort of) via an untraceable method.

    So that guy ends up paying the damages.

  • by Culture20 ( 968837 ) on Tuesday February 12, 2013 @10:50AM (#42871115)
    Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.
  • by SilverJets ( 131916 ) on Tuesday February 12, 2013 @10:55AM (#42871169) Homepage

    Not only that, but your reimbursement had to come from somewhere, and it's not the CEO's pocket. It's everyone else's pockets in increased fees.

    THIS.

    As well as increased insurance costs. The authors of the article are rather dense if they honestly think that the costs of reimbursement are not passed down to consumers.

  • by Lehk228 ( 705449 ) on Tuesday February 12, 2013 @11:05AM (#42871295) Journal
    The bank reimburses the individual customers who lose money, (costs go up for everyone but the specific losses are socialized). The cost to improve the password security of every account would exceed the reduction in fraud costs, therefore it is in nobody's interest to spend money on that aspect of security.
  • by Anonymous Coward on Tuesday February 12, 2013 @11:07AM (#42871323)

    I think the article is spot-on. Their point is that anti-fraud resources could be better directed. There is so much hemming and hawing about how insecure passwords are and how they get lost and how they can be cracked when the PW is only the first hoop a would-be thief would have to jump through and a low one at that. The defense has to be the whole system. The article speaks to that briefly:

    "If a large lake of credentials is drained by a narrow pipe of mules then reducing the inflow to the lake might have no effect on the net harm done. Enormous energy has been devoted to the task of replacing passwords with something more secure. Yet, there is no clear picture of how much harm this would eliminate."

  • by Anonymous Coward on Tuesday February 12, 2013 @11:10AM (#42871349)

    That's exactly what TFA says. Banks like the fear of lost passwords, because they can use that fear to their (profitable) advantage:

    "When perceived risk is greater than actual risk it can be profitable to absorb the risk and charge for it. Rental car companies are not merely willing, but anxious to accept liability for any damage to the car for $35 a day; various companies aggressively market identity theft protection for $12 a month. Banks enjoy a huge information advantage over consumers: they know how much fraud costs them, while consumers merely hear horror stories of cyber-crime losses. Passing liability to consumers...would seem to be wasting a profitable opportunity."

  • by MozeeToby ( 1163751 ) on Tuesday February 12, 2013 @11:13AM (#42871387)

    I think what they are getting at is that criminals have access to X passwords and Y mules, where Y is significantly less than X. Let's say they have 10,000 passwords for every mule that they have, and each mule will perform 10 transactions before they are caught out (or catch on, depending). That means you could reduce the number of leaked/grabbed/cracked passwords by 99% and still have the exact same amount of financial crime; and none of those numbers seem all that far outside of the realm of possibility to me.

    But that is about overall crime and statistics. You can still lower your risk of being a victim by choosing strong passwords, keeping a clean pc, etc.
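
    As an added illustration (not from the article or from any poster in this thread), the following Python toy model puts the "lake of credentials drained by a narrow pipe of mules" argument into numbers: stolen credentials flow into a pool and expire after a few periods (password reset, account flagged), while mules cash them out at a fixed capacity. Every parameter (inflow, lifetime, recruitment rate, cash-outs per mule, $900 per transaction) is a made-up assumption chosen to mirror the comment above; the point it demonstrates is that cutting credential theft by 99% leaves losses unchanged until credentials, not mules, become the binding constraint.

```python
"""Toy model: stolen-credential 'lake' drained by a fixed-capacity 'pipe' of mules.

Added example; all numbers are assumptions, not data from the article or thread.
"""
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    creds_per_period: int   # stolen credentials entering the lake each period (assumed)
    cred_lifetime: int      # periods a credential stays usable before reset/flagging (assumed)
    mules_per_period: int   # mules recruited each period: the "narrow pipe" (assumed)
    tx_per_mule: int        # cash-outs a mule completes before being caught or catching on
    loss_per_tx: float      # average amount moved per cash-out (assumed)


def simulate(s: Scenario, periods: int = 50) -> dict:
    """Run the model and return total realized loss plus the share of stolen
    credentials that were ever cashed out. Credentials are drained oldest-first."""
    lake = deque()          # batches as [arrival_period, remaining_credentials]
    total_loss = 0.0
    used_total = 0
    stolen_total = 0
    for t in range(periods):
        lake.append([t, s.creds_per_period])
        stolen_total += s.creds_per_period
        # Credentials older than their lifetime are useless: drop them unused.
        while lake and t - lake[0][0] >= s.cred_lifetime:
            lake.popleft()
        # The pipe: every mule recruited this period is burned within the period,
        # so capacity is simply mules * cash-outs per mule.
        capacity = s.mules_per_period * s.tx_per_mule
        used = 0
        while capacity > 0 and lake:
            batch = lake[0]
            take = min(batch[1], capacity)
            batch[1] -= take
            capacity -= take
            used += take
            if batch[1] == 0:
                lake.popleft()
        used_total += used
        total_loss += used * s.loss_per_tx
    fraction = used_total / stolen_total if stolen_total else 0.0
    return {"loss": total_loss, "creds_used_fraction": fraction}


# Baseline roughly in the spirit of the comment: thousands of passwords per mule,
# each mule good for a handful of cash-outs. Capacity is 2 * 5 = 10 cash-outs/period.
BASELINE = Scenario(creds_per_period=10_000, cred_lifetime=5,
                    mules_per_period=2, tx_per_mule=5, loss_per_tx=900.0)


def loss_under(**changes) -> float:
    """Total loss over the run when the baseline is modified by the given overrides."""
    return simulate(replace(BASELINE, **changes))["loss"]


if __name__ == "__main__":
    for label, changes in [
        ("baseline", {}),
        ("99% fewer stolen credentials", {"creds_per_period": 100}),
        ("half the mule recruitment", {"mules_per_period": 1}),
        ("credentials scarcer than mule capacity", {"creds_per_period": 5}),
    ]:
        print(f"{label:42s} loss = {loss_under(**changes):>12,.0f}")
```

    Reducing the inflow from 10,000 to 100 credentials per period changes nothing, because the ten cash-outs per period are still saturated; halving mule recruitment halves the loss directly, and only once the inflow drops below the pipe's capacity (five per period here) does credential security start to matter. The model is deliberately crude (no detection lag, no reversal of mule transfers), so treat it as a way of seeing the argument's shape rather than a forecast.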

  • I've disputed several inaccuracies on my credit report, and had most of them removed without further fight.

    I'm not saying 60 Minutes is full of shit, but ...

    60 Minutes is in the business of selling scare stories. A little bit of cherry picking goes a long way.

  • by whoever57 ( 658626 ) on Tuesday February 12, 2013 @12:18PM (#42872145) Journal

    Visa/MC Debit cards serve no use other than to enrich the bank

    There is another reason for these cards: to avoid the legally-mandated consumer protection that exists for credit cards.

  • by Geoffrey.landis ( 926948 ) on Tuesday February 12, 2013 @12:23PM (#42872191) Homepage

    If you got my bank password... you could use online billpay to mail a check and cash it... if it was under a thousand, my bank wouldn't blink.
    So, scenario: I get a good set of identity papers, even just a license, together for a lady who works all day.

    Identity papers good enough to fool a bank cost money.

    I have 10 account passwords at different banks and use online billpay to mail out 10 checks for $900-plus odd amounts. I swipe them from the mailbox of the lady who works all day....
    I cash them all on the same day, visiting 10 issuing banks...
    Burn the ID.

    yes, I see where that could fall apart in a few spots

    It sure does. For a profit of $9000 (minus the cost of forged identity papers), you have left your image and paper trail in the security camera of the bank you used to transfer the money, plus ten other banks; plus stealing from the U.S. mail, probably over four or five days, and hoping that the nosy neighbors weren't watching. You're hoping that none of the ten got their bank statement and noticed the check payment in the three days it takes the check to be mailed. And once the first person complains, the warning about your forged identity is going to go out to all the other banks, so when you cash check number n, you're hoping that the account holders of checks 1 through n-1 haven't complained yet. And banks in the US have a three-day hold on availability of funds from checks, so you are going to have to wait and hope not one of ten people noticed the withdrawal.

    Suppose it is a 5% probability of getting caught on any one transaction. On the average, you'll make $18,000 before being caught. That is so not worth it.

    Or you could just use online bill pay to transfer money to a prepaid credit card.

    Except that banks do know that trick and protect against it. It's not hard to put $50 on a prepaid credit card without leaving tracks. Try putting $9000 on a credit card, and they start keeping records of who you are.

  • by Anonymous Coward on Tuesday February 12, 2013 @12:40PM (#42872405)

    It's amazing how different financial infrastructure is between countries. SWIFT (wire transfers) and Visa/MC/Amex are probably the most universal funds transfer systems worldwide.

    Interesting side note (I work in the credit card industry): the reasons cited for the U.S. being slow to move to chip & PIN include: 1) U.S. merchants were on the mag-stripe bandwagon (or simply started accepting cards) sooner and hence have a much larger installed base to convert, 2) U.S. banks moved to 100% fraud protection so consumers were fairly insulated anyway, 3) the fraud rates in the U.S. are much lower (1-3% of overall spend volume) than in the rest of the world.

    There is a small percentage of international travelers that now demand chip & PIN for their U.S. issued cards, and they ARE available, but they are not without difficulty. Especially when it comes to changing PINs, since the U.S. doesn't have a big installed base of ATMs and card readers that accept a PIN and enable a user to update one. However Visa and MC HAVE published a change to their rules that will take effect in 2-3 years that will shift fraud liability OFF the merchant if they process a chip & PIN transaction, so there is definitely the incentive now to move that direction. Also, several banks are experimenting with NFC microSD cards or SIM chips that tie in to phone apps and the Visa/MC networks. Don't be surprised if U.S. moves to chip & PIN plus some combination of other solutions.
