
Everything You Know About Password-Stealing Is Wrong

isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research."
  • by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Tuesday February 12, 2013 @10:32AM (#42870903) Homepage Journal
    It puzzles me when I see that people work really hard to come up with difficult passwords for their bank accounts, but not for their personal accounts on their own computers. They really need to think about what value those passwords have to other people - in particular what could someone else do with those passwords if they had them?

    I have used a fair number of different banks over the past couple decades and seen a lot of different online banking systems. Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts. I have seen some where you can set up bill payments, but that was a chore and would not be useful for trying to pull money out quickly. Most online banking systems intentionally do not even give full account or routing numbers to logged in users, and I've never seen one give out SSN or DOB either.

    On the other hand, people keep a lot of personal information on their PCs. If you can get their personal user names and passwords you could get a lot more useful information on them. A lot of users likely have their SSN and DOB in their browser cache somewhere, and almost everyone has their address somewhere in there.
  • by Anonymous Coward on Tuesday February 12, 2013 @10:34AM (#42870917)

    First of all, it's not theft if you still have your password. Secondly, if you leave your car unlocked with the engine running and go shopping, will the insurance company pay you back for your loss or call gross negligence? There's a difference between having a reasonable password for banking that's not the same one you use everywhere, and between using "hunter2" for every single place you have an account. And finally, I'm pretty sure banks don't reimburse money stolen from shops. Same goes on here. If someone breaks into the bank, you get your money anyway. If someone breaks into your home, the bank doesn't care.

  • by Anonymous Coward on Tuesday February 12, 2013 @10:50AM (#42871111)

    I have used a fair number of different banks over the past couple decades and seen a lot of different online banking systems. Not once have I seen one where you could actually use the online system to arbitrarily move money outside the account owner's accounts. I have seen some where you can set up bill payments, but that was a chore and would not be useful for trying to pull money out quickly.

    I was curious, so I checked the services offered by Wells Fargo Bank, NA. Through their online banking system one can:

            Transfer Money & Make Payments
            Transfer to/from a non-Wells Fargo Account
            Add a non-Wells Fargo Account
            Send & Receive Money
            Transfer to Another Country
            Set Up Recurring Transfer
            Set Up Recurring Payment

    I'm feeling a strong urge to go back to my credit union.

  • by Anonymous Coward on Tuesday February 12, 2013 @10:52AM (#42871135)

    About a year ago, I had my debit card stolen by a bartender, who used it to buy plane tickets for a vacation. Even though I *paid* for the tickets, the airline (*cough* Jet Blue *cough*) refused to give me the name of the passengers listed on the ticket. That in itself stunned me. Then it got worse.

    I went through the bank, saying I could ID the person with 99% certainty (since the bartender was talking about not being able to pay for tickets at the bar that night). They of course referred me to the fraud department. The fraud department then of course referred me to File 13. Not one care was given to the matter. When I pushed on the issue, they asked why I cared, my account had been reimbursed. When I said it was the principle of the matter, they laughed and said the bank would simply write-off the loss and everybody wins.

    It was then I realized the banks may actually *want* the fraud.

    And I now trust my mattress more than any bank these days.

  • by Neil Boekend ( 1854906 ) on Tuesday February 12, 2013 @10:55AM (#42871179)
    With mine I can transfer money. However, it's protected way beyond a simple password. I need a "random reader": a simple device that accepts my debit card, requires my PIN and gives me back the one-time key to even see my details. When signing a transaction I need to give the PIN, a one-time key from the webpage and the amount of money before the comma (probably to prevent hijacking).
    I feel quite safe with that.
  • by SJHillman ( 1966756 ) on Tuesday February 12, 2013 @11:07AM (#42871313)

    Most financial institutions do batch processing, not real-time processing. Your average bank will do all of the deposits first, around 3pm each business day, and then do all withdrawals. That's the main reason most transactions take a minimum of one business day.

  • by blueg3 ( 192743 ) on Tuesday February 12, 2013 @11:18AM (#42871445)

    That's addressed right in the summary. The banks generally manage to get their money back from one of the intermediates used to transfer the money out in the first place. It's those suckers that eat the majority of the loss.

  • by sirwired ( 27582 ) on Tuesday February 12, 2013 @12:06PM (#42872003)

    It sounds like you had a Visa-branded debit card, not a credit card. Visa/MC Debit cards serve no use other than to enrich the bank, the merchant fees are much higher than PIN-debit. And, as you have learned, if a thief gets a hold of your number, your bank account is empty and your bills bouncing while you argue with the bank.

    It's far better to get a credit card and simply pay off the bill every month. That way, if it gets emptied, you argue with the bank about THEIR money. (With a Visa/MC Debit, you argue with the bank about YOUR money. Guess which dispute gets more attention?)

    And yes, the bank should have paid up the bounced check fees... might as well dump this loser of a bank entirely and sign up with a Credit Union.

  • Re:too hard (Score:4, Interesting)

    by krinderlin ( 1212738 ) on Tuesday February 12, 2013 @12:16PM (#42872117)

    I so wish for mod points. Western Union/Moneygram are the "Banks" for people without the ability to now meet new Federal Standards for State Issued ID. The paperwork required today in many states just to get a new "Secure ID" is ridiculously bad if you've done anything other than be born in the last 60 or so years, gotten married, receive physical bills & bank statements, and had those items delivered to your physical address (which assumes you can receive mail at your physical address).

    So it isn't just "illegal" immigrants using these services, anymore. It's a large segment of the lower end of society that is being forced to utilize these services so they can pay utility bills with cash, money orders, and move money about to relatives. You're actually causing severe harm getting rid of the cash-based services.

    Off topic: Lucky me, I've bypassed the "chain of name changes" requirement by having a Passport. My adoption papers don't even exist anymore thanks to a house fire and a flooded court house basement. I'd be so screwed if it weren't for the fact my employer required me to get a passport 3 years ago.

  • by Anonymous Coward on Tuesday February 12, 2013 @12:43PM (#42872443)

    Come now, it doesn't take much brain power to figre out that it's a typo of "profitable." You know, supposedly what separates us from animals and machines is this thng called intelligence which you can use to apply context to a situation and derive the correct meaning of a mistyped word.

    What you might not know: he probably copied the quote from the PDF document where 2-letter sequences such as "fi" and "ti" are encoded differently (I believe it's called kerning but I could be wrong) and when you copy/paste the text that sequence is not recognised by the target program and gets dropped completely.

    *All typos in first paragraph are intentional to make a point. Typos in rest up to you to figure out.

  • Re:Ummm.... (Score:4, Interesting)

    by gorzek ( 647352 ) <gorzek@gmaiMENCKENl.com minus author> on Tuesday February 12, 2013 @01:11PM (#42872743) Homepage Journal

    I had a friend who unwittingly served as a mule for dirty money to be laundered through his account. He was approached, asked if he'd be willing to deposit some checks, wait a few days, then transfer them (minus a small percentage for himself) to another account. He didn't see a problem with that, and hey, it was easy money! So he agreed.

    When the feds came a-knockin', he was lucky all he had to do was pay the money back, rather than go to prison.
