Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security The Almighty Buck

Schneier: Make Banks Responsible for Phishers 429

abgillette writes "Writing for Wired News, security guru Bruce Schneier says that the only way to stop phishers and identity thieves is to make financial institutions solely responsible: "Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.""
This discussion has been archived. No new comments can be posted.

Schneier: Make Banks Responsible for Phishers

Comments Filter:
  • Hmmm... (Score:2, Insightful)

    by JordanL ( 886154 )
    I seriously doubt the innovation of criminals with technology will fail simply because banks require additional information.
    • Re:Hmmm... (Score:5, Insightful)

      by biryokumaru ( 822262 ) * <biryokumaru@gmail.com> on Thursday October 06, 2005 @05:54PM (#13734672)

      Actually, I don't believe adding additional protections to the websites is the idea. The idea is that the richest institutions in the world (banks) should be fighting phishers. They have the clout and the wearwithall to easily take scammers to court, and likely have branches in enough countries to try them locally, rather than sending futile "DMCA cease and desist"-like letters to non-US countries.

      This might turn out to be a good idea, or maybe the banks will realize that the scammers are just doing what banks (historically) do, which is ripoff the poor and uneducated. Anywho, being a well-informed and adept engineer of the internet age, I still do all my investing in person because I'm paranoid as heck =].

      • Re:Hmmm... (Score:5, Insightful)

        by Psmylie ( 169236 ) * on Thursday October 06, 2005 @05:57PM (#13734710) Homepage
        "Anywho, being a well-informed and adept engineer of the internet age, I still do all my investing in person because I'm paranoid as heck =]."

        Sadly, if one of these fraudsters gets enough info on you, you may find that "you" are doing business with a bank you've never heard of with a line of credit you've never asked for ;)

        • Re:Hmmm... (Score:5, Interesting)

          by ePhil_One ( 634771 ) on Thursday October 06, 2005 @08:38PM (#13735873) Journal
          "Anywho, being a well-informed and adept engineer of the internet age, I still do all my investing in person because I'm paranoid as heck =]."

          Sadly, if one of these fraudsters gets enough info on you, you may find that "you" are doing business with a bank you've never heard of with a line of credit you've never asked for ;)

          Personally, I like how he thinks doing his investments in "person" keep him safe from fraud. Does he have a seat on a Stock Exchange or trusting a guy in an office hundreds of miles from an exchange who claims to represent an investment firm (CLUE: Ponzi schemes pre-date the internet)? Perhasp he invests directly in local businesses, where he carefully audits the books, and works as an "internet guy" from the back office, watching the cameras while using his voice translation software? Does he deal only in cash, never uses an ATM or checks?

          I work in the anti-phishing industry, and suggestions like the article makes are pie in the sky "corporations have magic powers" crap. Make banks pay for phishing and you'll create a cottage industry of phishing victims, of the sort that plagues the insurance industry today.

          • Re:Hmmm... (Score:5, Insightful)

            by hepwori ( 790907 ) on Thursday October 06, 2005 @11:12PM (#13736583)

            I work in the anti-phishing industry, and suggestions like the article makes are pie in the sky "corporations have magic powers" crap

            No, they're not. They're "give the problems to those with the money, sense and incentives to fix it" arguments. Makes excellent sense to me. My guess would be that you're either (a) too wrapped up in the "anti-phishing industry" to step back and wonder why we need such an industry; (b) invested too heavily in the "anti-phishing industry" to accept that it may not be needed; or (c) just not amenable to lateral thinking.

            Seriously. Look at credit-card fraud. Do banks pay for this? Hell, yeah. Is there a cottage industry? Perhaps, but banks are EXTREMELY motivated to fix the problem, since it's costing them daily. Where five years ago was that CVV code on the back of your credit card? Where was "Verified by Visa"? These are industry programs introduced by the industry to reduce fraud. Why? Because it costs them.

            Make phishing cost the industry, and you betcha they'll be right on it. And as far as I can tell, they wouldn't have to do much to top the efforts of the "anti-phishing industry" to date.

            • Re:Hmmm... (Score:3, Interesting)

              by scdeimos ( 632778 )

              None of the methods you have mentioned have actually fixed the problem of financial fraud. They've all been stop-gap patches-on-patches solutions.

              I only wish we did live in Bruce Schneier's world where having law-makers push the problem onto banks to get the problem fixed would have any real effect. Unfortunately for us, in the world in which we live, banks' "fixes" for the problems are insufficient and they "defray the costs" by increasing loan interest rates and adding "administration charges" to their

            • Re:Hmmm... (Score:4, Interesting)

              by gbjbaanb ( 229885 ) on Friday October 07, 2005 @05:59AM (#13737987)
              Look at credit-card fraud. Do banks pay for this? Hell, yeah. Is there a cottage industry? Perhaps, but banks are EXTREMELY motivated to fix the problem, since it's costing them daily

              rubbish. Look at bank's current efforts to fix CC fraud.. CVV numbers that are relatively recent introduction for distance selling, and now chip and pin for cardholder-present frauds. Until very recently you didn't need to give the CVV number for authentication, and some of my cards *still* don't have chips on them.

              The point here is that the banks are very conservative. They will first add up how much fraud costs them, figure out how much it will cost them to fix (including all the hidden costs like consultants and management and new readers for stores etc), and if the cost is too great, won't do a thing.

          • Re:Hmmm... (Score:4, Interesting)

            by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Thursday October 06, 2005 @11:57PM (#13736830) Journal
            Make banks pay for phishing and you'll create a cottage industry of phishing victims, of the sort that plagues the insurance industry today.

            Yes, unfortunately. Until the banks pull their collective heads out of their asses and implement security measures which actually work.

            For instance, right now, all I need to withdraw money from my checking account is my ATM card (or the number from it) and a four digit PIN, which I didn't assign and can't change. I don't even need a name.

            There are solutions out there to make this astronomically more difficult. For instance, give the customers smart cards which use a public key authentication system. No one can do anything without that card physically on hand, and it could be made tamper-resistant enough that it couldn't be copied -- meaning that if the card is stolen, you get a new one, which can reasonably be *much* harder to do than it is now (since there's more risk for the bank) -- show up with a driver's license, birth certificate, sign something, mention some secret password, and check your thumbprint.

            Right now, we're nowhere near that. In fact, remember Diebold and the voting machines? They also make ATMs. A single vulnerability at the ATM or anywhere between it and the bank and someone can get the same access credentials you do -- whereas, which the scheme I mentioned, they actually have to steal your *physical* card.

            Of course, if the bank itself isn't trustworthy, you're still screwed. But the bank has an incentive to be trustworthy -- if you suspect you've been ripped off anywhere, by a phisher or by the bank itself, they have to prove that they made you read sufficient literature (always hold on to your card, if someone takes it off your person for a transaction instead of letting you swipe it yourself, they're stealing) and provide enough documentation (your public key that they've got on file, plus all the transactions you've signed with that private key, and all the verification they have that it was you who signed up for the account....)

            Because the burden of proof is now on the bank to prove that you weren't ripped off.

            Will people try to abuse that? Yes, but it won't get them anywhere. Any bank worth its mortar should easily repel enough frivelous cases to discourage that kind of scammer.

            Could we be more paranoid? Sure. Here's an example: make the card more universal, allow it to keep several identities (ATM, credit card, driver's license) which are all user-managed, and give it a built-in display and thumbprint reader. Basically, you jack the card (or dongle, or whatever) into their payment system, check the display ($1.25 to PepsiCo for Sierra Mist), then scan your thumb (in your own card) and it "signs" the sale. This also works online -- maybe the device is shaped like a USB keychain. It's still possible to be scammed on individual purchases, but you can't be scammed out of your entire identity -- if the most you ever spend on a single purchase is $50, no one scammer can steal more than $50 from you, unless you're amazingly stupid.

            If you want, I can explain the crypto behind that scenario, but suffice to say that AFAIK, the only way the vending machine example breaks is the same way it already does -- you deposit money, push a button, and it doesn't actually deliver the Coke (or whatever) -- it "eats" your money. But it can't eat more than you put in.

            So, this makes your banking almost as secure as cash. And cash is backed by the US government, so... uh oh....
          • ... 5 years ago!

            Here's a link to the article:

            http://www.sims.berkeley.edu/~hal/people/hal/NYTim es/2000-06-01.html [berkeley.edu]

            This example illustrates one of the fundamental principles of the economic analysis of liability: it should be assigned to the party that can do the best job of managing risk. For most risks associated with A.T.M.'s the banks are in better position to manage risks than are the users, so they should end up with most of the liability. But you wouldn't want the users to escape all liability

          • Re:Hmmm... (Score:3, Interesting)

            by Asprin ( 545477 )

            ....and suggestions like the article makes are pie in the sky "corporations have magic powers" crap. Make banks pay for phishing and you'll create a cottage industry of phishing victims, of the sort that plagues the insurance industry today.

            Bruce's point is that any data that can't be completely secured really shouldn't have been available online in the first place.

            The reason phishing works is because banks put sensitive information online where it can be accessed remotely once the phishing part of
      • Re:Hmmm... (Score:3, Insightful)

        by s20451 ( 410424 )
        I would prefer to see technical solutions over legal ones. How about:

        - Free with every account, you get a credit-card sized, battery powered random number generator. In addition to your password, you have to enter the number displayed on the generator, which changes every thirty seconds. (These exist.)

        - The bank only lets you access your account from a computer you designate. This could be done through the MAC adress of your NIC, or through a hash function based on your hardware configuration. Authoriz
        • Re:Hmmm... (Score:5, Insightful)

          by biryokumaru ( 822262 ) * <biryokumaru@gmail.com> on Thursday October 06, 2005 @06:22PM (#13734950)

          Mac addresses can be faked and credit cards (and random number generators!) can be stolen. And whatever technical solution you can possibly find, it cannot interface with an insecure OS (such as Windows or many *nixs, prolly Macs too, but I'm not too savvy there) and remain secure. And as long as the vast majority of people use insecure OSes, a secure technical solution is unfeasible.

          Thus, I disagree whole-heartedly. Law is the best safe-gaurd against criminals. Providing and advocating a legal recourse against online fraud will provide an avenue for banks to fight back. And it would be completely transparent for the end-user. They keep getting scammed while the banks go around pressing charges on the scammers until they're gone. I know it's fighting the symptom, not the cause, but sometimes that's better.

          We all want to code like Torvalds and redesign the entire system from the bottom up whenever theres the teensiest bug, but we also all know that's unrealistic. Look at law as a CPU-intensive bug-fix for society. It'll provide it quick and easy stop-gap to the problems created by shifting to the e-commerce. We can worry about properly rebuilding the infrastructure in the next update =].

          • Re:Hmmm... (Score:3, Insightful)

            by mmeister ( 862972 )
            I think you missed the point.

            Right now, there is no real incentive for Banks to fight phishing. If your identity is stolen, YOU have to fight to clear it up. Make the banks 100% responsible and they will be on your side (because it is in their best interest).

            I also think that if a company exposes private information (especially financial, SSN), they need to be held responsible for more than just "letting you know". They should be required to pay for 2 years of credit reports every six months and if fraudule
          • Re:Hmmm... (Score:4, Insightful)

            by nolife ( 233813 ) on Thursday October 06, 2005 @08:09PM (#13735706) Homepage Journal
            Mac addresses can be faked and credit cards (and random number generators!) can be stolen.

            Security in layers.. Spyware and keyloggers on my computer installed at random by a hole in IE is completely different from having that same spyware AND someone getting into my house and stealing my key generator (random number generator). I have incoming SSH allowed from outside, but only from 2 source ip addresses. I also force the use of existing authorized keys and passphrase only. Each of these is not fool proof but combined, it is magnatudes harder to hack into then running plain old telnet or SSH with no restrictions. Yes, if I was singled out and someone specifically wanted to hack into my specific computer, chances are they would find a way. Phishing attempts are exactly the opposite though, broadcasting out looking for the people that will bite the hook, not elaborate targetting of specific people. I am guessing here but I'd say bank account phishing successes would be 99.99% less with nothing more then a key fob number generator used as part of the password. I think the MAC would be useless for security as that can be taken from the same computer that the keylogger or phishing attempt originated from.

            Thus, I disagree whole-heartedly. Law is the best safe-gaurd against criminals.
            What world do you live in? Do you leave the keys in your car? Put the windows up? Leave the porch light on? Have an alarm in the car? Use a club? Shove your cds or cell phone under the seat? That is the same thing, security in layers. It is already illegal for someone to steal your car and the police already have the laws and power to catch criminals.

               
        • Re:Hmmm... (Score:3, Insightful)

          - The bank only lets you access your account from a computer you designate. This could be done through the MAC adress of your NIC, or through a hash function based on your hardware configuration. Authorizing a new computer requires a phone call to the bank from a phone number that you designate. (This phone call could be handled by an automated operator.)

          The only problem I see with this is that one of the major reasons for online banking is the convenience of being able to do it anywere. Limiting it to o

    • Re:Hmmm... (Score:5, Insightful)

      by jcr ( 53032 ) <jcr.mac@com> on Thursday October 06, 2005 @06:00PM (#13734748) Journal
      You can pick a Medeco lock, too, but that's not a reason to just use rubber bands to hold your front door closed. Right now, it's trivial to commit fraud, and it should be difficult.

      -jcr
    • Once you start holding companies responsible for the data that so quickly gather on us, then you see that companies are actually able to lock boxes down. In addition, they will go to great lengths to avoid a lose by simply sending customers certificates that will work with only certain browsers.

      But to go further, they need to start holding companies responsible for all lost data. That means that CC card processors should be held liable. Both the company in Nebraska, and in Arizona should be held liable fo
    • They should all just use a security token [bendigobank.com.au]

      That way the scammers will either have to steal the token or make a frauduant login attempt within 60 seconds of logging their data.
    • Do not doubt the power and resources of the financial industry to solve a problem which is hurting their bottom line. If the laws changed to place the full financial weight of the burden of identity theft on the financial institutions then you can bet your bottom dollar that they will hire whomever or buy whatever products and services are necessary to make the problem go away. If you doubt that they have the resources to do this then just remember that they are the financial industry and they control the m
    • by nightsweat ( 604367 ) on Thursday October 06, 2005 @06:14PM (#13734884)
      Try the ING Direct site - best over the web security ever. You need your account number, some ever changing specific fraction of your social security #, zip code, or other identifier, and a set of letters that corresponds to a pin that are entered by clicking a icture of a number pad with a mouse. If "s" is assigned to "3" this time, it won't be the next time you're on.

      It's a minor pain in the butt to get to your account, but definitely more secure.
    • Some bank already require a thumbprint for cashing a check. If they would require a thumbprint for opening any kind of credit account, that would seriously cut down on the damage done by identity theft, wouldn't it? But it's not just the banks. How about if all catalog sales companies refuse to ship to any address other than the billing address of the credit card? How about if online purchases always require all customers to use single-use card numbers? How about if everybody stops accepting Social Security
    • Re:Hmmm... (Score:3, Interesting)

      by Anonymous Coward
      (checking to make sure "Post Anonymously" is checked)

      Ok. As a guy that both works for banks and works for ISPs and deals with end users web sites and all that... I have to say I see a lot of willful ignorance on all sides.

      People or the general public are really really far behind as to understanding the basics of keeping safe while using email. Sit them down in front of a computer and all of a sudden common sense is gone.

      The banks on the other hand, treat these issues as PR that the marking or HR chicks ta
      • Re:Hmmm... (Score:4, Interesting)

        by rpozz ( 249652 ) on Thursday October 06, 2005 @07:18PM (#13735397)
        Ok. As a guy that both works for banks and works for ISPs and deals with end users web sites and all that... I have to say I see a lot of willful ignorance on all sides.

        Definitely agree with you there. The companies who can actually do something about internet crime seem to do the least about it. If you email a webhost, even a reputable one about a blatent phishing site that they are hosting, they will do absolutely fuck all for at least 24-48 hours while the site gets more victims. A site designed to look exactly like PayPal or whatever should be shut down immediately, considering that it can have no ligitimate purpose.

        ISPs will happily let their customers continue to be connected to the internet even when they blatently have a virus attacking other hosts (in the form of excessive traffic out of port 139, 445 et all). And these same ISPs are the ones who supply the public with 2MBit DSL lines and no security software.
  • by mister_llah ( 891540 ) on Thursday October 06, 2005 @05:41PM (#13734534) Homepage Journal
    However, it doesn't seem very feasible.

    There is no way we can get the government to do such a thing... and such losses may even effect federal insurance and our interest rates...

    Depending on how many morons there are getting hit by phishing scams, this could have a large effect.

    Of course... that's assuming it ever got made into 'law'... ... which I think there is more than enough uncertainty on the subject to prevent that.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday October 06, 2005 @05:47PM (#13734593)
      Your bank already has your home address (and probably your home phone number).

      All they have to do is to institute a "no email from us, ever" policy and spend some time getting that message out to their customers.

      Sure, this will cut down on the ad revenue from the banks, so what?

      If they absolutely need to have some form of email interaction, they can run an internal (no external SMTP connections) web-based email system so the clients (you) can email the bank's employees.

      If you can't do something securely, maybe you should not be doing it.
  • by mackil ( 668039 ) <movie&moviesoundclips,net> on Thursday October 06, 2005 @05:43PM (#13734550) Homepage Journal
    Personal responsibility has to come into play somewhere. If people aren't educated enough to know NOT to email back their bank information to an unsolicited source, than just whose fault is it? The banks obviously need to do more, but in the end someone has to be responsible for their own actions.
    • ... to tell the difference.

      Suppose you get a legitimate email from myEBAYsecurity.com? You go to that site and a man-in-the-middle attack presents you with a 100% perfect eBay site? All it takes is skill and time and desire. The technology is available today.

      As long as banks and other sites use direct email to communicate with people, they will be subject to these attacks.

      There is nothing that can be done to prevent them when email is the contact method.
      • by JDevers ( 83155 ) on Thursday October 06, 2005 @06:03PM (#13734769)
        A properly formed e-mail from a reputable company nearly completely eliminates all possible intercepts. At least as many as can be eliminated by simply going to the website in the first place without an e-mail prompt.

        case in point:
        I recently received an actual e-mail from PayPal, this e-mail suggested that my on-file credit card was about to expire. The first thing that keyed me in and made me actually read this mail was that they referenced the last four digits of said card. Next, they suggested that I logon to their website and update the credit card's expiration date. Most importantly they didn't even offer a link to paypal.com, they simply said to logon and then gave instructions as to how to change it. Not the first link in the whole e-mail. This effectively eliminates fraud as a possibility. While it is still possible that paypal.com itself could be hijacked or some other esoteric scheme, the 99.9% possibilities are all eliminated simply by not providing any link.
        • You read one? (Score:3, Insightful)

          by khasim ( 1285 )
          I get over a hundred a week from "PayPal". I don't even bother sending them to spamcop anymore.

          The part about not having any links in the email is good. But not good enough. You could have been told to go to mypaypalsecurity.com and logon. Then you'd be back to the man-in-the-middle attack.

          Not to mention that most people who do read those emails will not know enough to not click on a link when the company involved has not specifically stated that they will not send links.
          • Re:You read one? (Score:4, Insightful)

            by Kelson ( 129150 ) * on Thursday October 06, 2005 @06:59PM (#13735267) Homepage Journal
            The part about not having any links in the email is good. But not good enough. You could have been told to go to mypaypalsecurity.com and logon.


            This is where user education and organizational consistency come in. IIRC, PayPal does everything through www.paypal.com. If you've never, ever logged in somewhere other than that one site, you might be slightly suspicious to see mypaypalsecurity.com. And if every administrative message that really comes from PayPal has no links, you might notice something funny about the message that does have one. (It's not a cure-all, of course -- witness the number of successful "Apply this update from Microsoft!" trojans. But it'll make it easier for some people to spot the phish.)



            Contrast this with, say, Citibank, which does some stuff through citibank.com, some through accountonline.com, I think has citicards.com and at one point was still using c2it.com. And I think they sometimes use third parties for email and redirectors. There's no consistency, so if you get something that says citibanklogin.com, you think "Oh, they've just added a new domain" and click/type it... and then you're on the fake site.

        • It's a stretch, but there are still ways.

          A hypothetical:

          I set up a website to mimic PayPal's. I sniff traffic on a network that you happen to be routed through and spot the legitimate PayPal email you received. My script intercepts that email, finds those "last four digits," and drops them into the site I set up. When you visit PayPal.com, I route your traffic to my fake PayPal site. You don't know the difference, so you continue to enter your new credit card information. Once completed, I change the routin
          • Here are the steps. (Score:3, Interesting)

            by khasim ( 1285 )
            #1. Acquire the 4 digits. Unless you're running your own email server, the email will be handled by someone else. Where I work, I keep every email going out or coming in. If someone sent that email to anyone where I work, I would have it. All it takes is one guy in the right location at google.com or earthlink or AOL and thousands of these would be collected.

            #2. Fake the site. This is the easy part.

            #3. Get the traffic to the fake site. Again, this will require ISP access (see #1). But it would be simple for
        • A properly formed e-mail from a reputable company nearly completely eliminates all possible intercepts.

          Even organizations that should know better sometimes fail to do this. I once received an email message from an address at openvenue.com claiming to be from the ACM and asking me to go to confirmit.com to fill out a survey. Imagine my surprise when it turned out to actually be from the ACM. (To add further insult, when I emailed the ACM about it, the two line response was followed by two copies of a t

    • I had to open a paypal account for some testing, closed it when done, and about an hour later got phishing email. This was spring 2002 I believe. Phishing was still somewhat rare, IIRC. I immediately logged back on to paypal, checked, yes the account was closed, I figured the email was just a typical big corp screwup. It wasn't til later that I realized it was a phisher. About the only reason I didn't get snookered was that I typed in the paypal URL directly rather than clicking on the email link.

      Recen
  • yeah, right (Score:3, Interesting)

    by KilobyteKnight ( 91023 ) <bjm&midsouth,rr,com> on Thursday October 06, 2005 @05:43PM (#13734552) Homepage
    Yes, let's remove all responsibility from individuals and beg the big friendly government to make someone else take care of us.

    While we're at it, let's make Slashdot responsible for trolls.
    • Re:yeah, right (Score:2, Insightful)

      by mctk ( 840035 )
      I think you and the rest of the "personal responsibility" crowd are missing his point. He's saying that, at this point in time, our information is out there. Whether we put it out there ourselves or whether it was stolen from some organization or whatever. It's out there.

      Now if a bank intends to hold me responsible for payments on a credit card, that bank better make damn sure that the credit card has been requested by and given to me. Right now, according to Mr. Schneier, that isn't happening.

      And

  • Banks should require their users to have SSL Client Certificates [apache.org]
  • No Chance (Score:5, Insightful)

    by derfel ( 611157 ) on Thursday October 06, 2005 @05:44PM (#13734568)
    I don't think there's much of a chance of this kind of thing ever getting implemented. The financial industry would kill any legislator who tried to introduce legislation like this. If anything got through, they'd convince the executive branch not to enforce it. I'm sorry to say this, but the banks hold our money and they're very cavalier about to whom they give access and they like it that way.
  • by mark-t ( 151149 )
    Holding financial institutions responsible for something like this makes about as much sense as holding the fire department responsible for fire damage to a building and any casualties.
    • I think its more like holding a landlord responsible for not having a building up to code (shoddy wiring, faulty fire alarms, blocked fire escapes, etc.) if there is any loss of life or property when a fire happens. Banks make it incredibly easy to get credit. If they changed their procedures, it could cut down considerably on the amount of fraud.

      Of course, that would also cost them new (legitimate) customers. That's the problem right there.

    • Re:WTF? (Score:2, Interesting)

      by besenslon ( 918690 )
      This analogy is completely wrong.

      The fire department is public service, put in place to deal with the consequences (fight the fire after it starts), while the banks are private business, which is there for customer's money.

      The online banking is benefit for both parties - banks and clients. The banks save a big $ not paying for tellers and office space, customers do not need to drive to the bank.

      And guess who gets more :)

      So, the banks are much more interested in keeping the online banking. Then they
  • Or... (Score:5, Insightful)

    by Captain Scurvy ( 818996 ) on Thursday October 06, 2005 @05:45PM (#13734573)
    This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.

    What's wrong with "all of the above?" It would seem to me that a multi-pronged attack to the problem would be best, because I really don't see how "just" holding the financial institutions responsible will make the problem disappear completely. Scammers are creative, after all, and the people who fall for their scams can be pretty friggin' dumb.

  • by somethingwicked ( 260651 ) on Thursday October 06, 2005 @05:46PM (#13734587)
    Dear Bruce Schneier,
              We read with interest your comments on preventing phishing activities.

    Our conclusion is that we are not taking appropriate measures to prevent phishing.

    Therefore, we have acted to prevent such damages in the future. This action is the only certain method of fraud provention: Your account has been closed and we have placed you on a universal banking blacklist to prevent you being able to open an account with any other bank.

    Thank you for your refreshing point of view, and good luck.

    Sincerly,
    Your Bank
  • Bad idea (Score:4, Insightful)

    by kentrel ( 526003 ) on Thursday October 06, 2005 @05:46PM (#13734589) Journal
    This will mean that banks will be forced to put their customers through more and more identification hoops than they already do. We will be inconvenienced even more and all because of the phishers. They are criminals like any other, and it's the governments responsibility to deal with them.

    Forcing the responsibility on the banks is only going to encourage the banks to treat the customers worse than they already do.

    • I'm more than happy that my bank requires me to enter a one-time password every time I make a transaction. I probably would refuse to use one that relies on a single password. There really is no excuse for having that bad security, not even stupidity.
  • by sexyrexy ( 793497 ) on Thursday October 06, 2005 @05:48PM (#13734605)
    This will always be a problem because people don't want to have to deal with complex security. I wouldn't mind keeping an RSA authenticated keychain that has a rotating cryptographic key that changes every 60 seconds (a pretty cool solution, I've seen in action), but moron hick who doesn't see why he should have to have more than one password will never stand for it. Juggling multiple methods of authentication is too complex for the average Joe.

    Thankfully, that average Joe is also the same moron who will fall victim to phishing instead of me. I'll never lose my money, so it's not my problem. A connundrum, if you will - the only people smart enough to do anything about it (or be willing to do anything about it) are the ones that such scams don't apply to anyway.

    (No offense to any geeks/intellects happened to be named Joe)
    • I wouldn't mind keeping an RSA authenticated keychain that has a rotating cryptographic key that changes every 60 seconds (a pretty cool solution, I've seen in action), but moron hick who doesn't see why he should have to have more than one password will never stand for it.

      You know, given the combination of social skills and common sense with which our IT personnel are endowed, it's hard to understand why everyone is so eager to send their jobs to India...

  • Hrm (Score:5, Insightful)

    by Auckerman ( 223266 ) on Thursday October 06, 2005 @05:49PM (#13734617)
    The only way something like this works is if there is an neutral agency that one can report this to. Even then it probabaly won't. It's in the financial institutions best interest to keep all security problems secret. That is today, even with them not being responsibile, in a day where they are resonsible, they'll act just the tabacoo companies did/do "There is no security problem, Mr. Senator. No, there is no problem with identity theft, not at all, we have it under control.". The cheapest short term solution is the best one to a company, these guys pretend to think long term, but they don't. Don't assume they will.

    • The only way something like this works is if there is an neutral agency that one can report this to.

      And then, only if that neutral agency is more secure than the banks. There is no reason to suppose that would be the case.

      And when someone cracks that neutral agency - and make no mistake, someone will eventually - then they can phish anyone.
  • If I show up at the bank to do a transaction, how do they know it's me? I provide various forms of ID, answer questions, etc. If a phisher can trick me into giving him those same bits of info, and then masquerades as me...how is the bank liable? How do they know it's not me?

    Conversely, how many hoops do I want to jump through to prove it is me?

  • Whatever... (Score:5, Insightful)

    by borawjm ( 747876 ) on Thursday October 06, 2005 @05:49PM (#13734620)
    In the end the consumer will always pay no matter what happens. If they exclusively make financial institiutions responsible for phishing then that just means they will charge us more for their services. If they don't do anything about it, well, then we still pay when some schmuck steals our identy and our money.

  • by podperson ( 592944 ) on Thursday October 06, 2005 @05:51PM (#13734643) Homepage
    It amazes me that, for example, no-one really checks signatures on credit card slips or that you don't need a PIN to buy gas with a card at the pump.

    If you tighten up all these processes then just knowing five pieces of data about a person won't let you access their accounts. Why sign your credit card at all when no-one even LOOKS at the signature and YOU are liable for fraudulent use of the card?
    • Why sign your credit card at all when no-one even LOOKS at the signature and YOU are liable for fraudulent use of the card?

      It's entirely for investigating after the crime has taken place. The bank will get copies of all the receipts and compare the signatures to decide if you are telling the truth about having not made those charges. They will also require you to file a police report since it is a serious crime to file a false police report, they won't take you seriously if you don't. All the credit card
    • I have a job where I deal with credit cards daily. Not at a gas station, mind you... One of my jobs is delivering fast food.

      But I check and compare signatures. Every time.

      If their signature is smudged on their CC beyond legibility, I will always ask for photo ID, and the name must be identical to the name on the card. I also always advise them to re-sign the back of their if it is too smudged to read, for the next time they might want to use it. If they do not have photo ID in such a case, I do not

      • A signature does NOTHING to ensure security. All it does is provide me with something to practice with if I get ahold of someone's card. Why won't credit card companies start taking fraud seriously and put a PIN on the cards, just like ATM cards? Theft of ATM cards is a lot less common for this exact reason. Store employees are not trained in handwriting recognition and cannot ensure security through signature checking, even if they try.
        • It provides _ME_ with security.

          If I obtain a matching signature and verify it as such, the credit card company assumes responsibility for fraudulent activity. If I fail to check signatures, my company will be held liable for fraudulent use, and they will fire me in a New York minute.

    • Why sign your credit card at all when no-one even LOOKS at the signature

      VISA/MC merchant requirements are that it does not matter what the signature looks like, if the card is signed, then they are to accept it as valid unless there are other extenuating circumstances. They do this because VISA/MC wish to make using their cards as easy as using cash. Extra security measures like you describe reduce the utility of the cards and risk pushing people back to using cash.

      YOU are liable for fraudulent use of the
  • by bcrowell ( 177657 ) on Thursday October 06, 2005 @05:52PM (#13734651) Homepage
    The real problem is e-mail. If you get an e-mail purporting to be from paypal, you have no good way of knowing whether it's really from paypal or not. Only when SPF, or DomainKeys, or SenderID or whatever becomes ubiquitous will we have a solution for this problem -- "ubiquitous" meaning that the 99% of users who have their computer and software set up in the default configuration will not even realize they had any option of turning DomainKeys off.

    Legislation shouldn't be used as a way of solving a technical problem, and this is really just a technical problem with e-mail.

    • I've had email rejected because we are SPF compliant.

      If the sender verification is under the control of the domain owner, the phishers will just register domains (as they always have) that look "right."

      If it's not under the control of the domain owner, no business in their right mind would use it. Especially a bank. I wouldn't do business with a bank that would.
  • He's essentially claiming that identity theft is too easy, and the banks should not allow you access to funds with such simple authentication (name, ssn, address, etc)
    Here's the news flash -- if his recommendations are put into practice today, then bank web sites will use some super-nifty-turbo authentication before you gain access to your funds. That will lock out any Phishers who just have yesterday's identity theft kit.
    Instead, the phishers will just spoof the super-nifty-turbo website, and have a new
  • Americans will experience losses like they've never seen before as banks go belly up under the burden of the enormous losses they take on.
  • Alright... (Score:3, Insightful)

    by DarkBlackFox ( 643814 ) on Thursday October 06, 2005 @05:53PM (#13734669)
    So I fall for a phishing email and enter my credit card info, bank passwords, etc. into some scam site. Said scammer proceeds to empty my bank account.

    If I directly gave the scammer enough info to do such financial damage, how can the bank be held responsible? It's like if I forget my wallet on the table at some fast food restaraunt, and someone picks it up and maxes out each of my credit cards. Should the bank be held accountable that I forgot my wallet? Banks should make a better effort to confirm identities in cases of large sums of money being transfered/spent under strange circumstances, but holding them financially accountable for my own faults?
  • Banks are RESPONSIBLE for all the money that we give them. If they fumble and lose it, guess who's fault it is...

    On the other hand, we're responsible for the money we have, and if we lose it, guess who's problem it is...

    The bank needs to take due caution. If your entire account balance is drained in one day by someone from Taiwan, Russia, or some other far-away nation, then it should be pretty obvious that its a fraud thing. They should place it on hold to call and verify the purchase.

    On the other hand,
  • Never happen (Score:5, Insightful)

    by wowbagger ( 69688 ) on Thursday October 06, 2005 @05:55PM (#13734684) Homepage Journal
    It will never happen.

    Consider this: The credit card companies were getting reamed by people getting a boatload of credit cards, running them up to the limit, then filing for bankruptcy.

    Now, the real solution to this would have been for the credit card companies to have done their jobs and really examined the credit ratings of the people to whom they gave these cards, and to have given people reasonable credit limits (I shall use myself for an example - I have a single credit card which has a limit of well over one-half of my yearly salary - there is NO REASON for me to have that much unsecured credit - and no, I did NOT request that limit, they gave it to me on their own).

    However, that would require the credit card companies to actually do work and would impair their ability to take people almost to bankruptcy and make lots of money on revolving credit interest.

    So, what did the credit card companines do? They took their enourmous profits and paid for immense lobbying to get a law passed to insure they get their money even if you file for bankruptcy.

    Now, what is another word for "credit card company"? I'll give you a hint - it starts with "B", ends in "K", and has 4 letters. Wanna buy a vowel (at 15% APR)?

    Making banks actually take responsibility for phishing means banks would have to do work on their online banking and credit applications. It would mean they would have to make it harder for people to buy things online (read: go into debt). It would CUT INTO THEIR PROFITS!

    So what is a good, responsible banker to do? Call 1-800-RENT-A-SENATOR.

    • "Hi, this is Joe Lieberman, and I'll be your Senator today. What can I do for you? Oh? Let me transfer you to my supervisor, Senator Biden"
    • Re:Never happen (Score:4, Interesting)

      by kindbud ( 90044 ) on Thursday October 06, 2005 @07:14PM (#13735373) Homepage
      So, what did the credit card companines do? They took their enourmous profits and paid for immense lobbying to get a law passed to insure they get their money even if you file for bankruptcy.

      The laughable part of the new bankruptcy law is that no one is required to file for bankruptcy, and you can't get blood out of a turnip. If you have a house secured by a mortgage, yeah - you can save your house if you file. You could also just blow off all your creditors except the mortgage bank, pay just your house payment, and keep all your stuff you bought on unsecured credit. 7 years later, the written-off credit card accounts disappear from your credit report. You will suffer no sanctions, other than having a hard time getting credit for 7 years. There is no reason to file for bankruptcy unless you stand to lose your home without it. And if you can make your mortgage payment by defaulting on everything else, why bother with bankruptcy? They aren't going to throw you in debtor's prison. They aren't going to take your plasma TV. And, your spendthrift habits made possible the gainful employment of a lot of Circuit City and Starbucks people, not to mention the local sales taxes that went into your home county's coffers.

      Don't file, just Default!
  • ...and while we're at it lets make all software developers responsible for the consequences of every bug and flaw in all of their products. This will make Microsoft and other closed source non-free embracing corporate demons 'go away'.

    Whether you're playing with people's money, time or lives there is a personal risk and responsibility to to end user (us) when we do anything in life. Yet we're constantly trying to make it somebody elses problem?

    Rather than just shifting the blame why doesn't somebody come up
  • I doubt this will work because a phisher can easily set themselves up as a man-in-the-middle -- asking the customer for the password, shoe size, mothers maiden voyage, SSN, automagical secret electronic box code, etc. and relaying that to the bank whilst performing criminal transactions. Because most consumers don't have static IPs (or might want to use multiple machines to check their bank accoutns), the phisher can attack from anywhere including zombie PCs in your own geographic area. Because software o
  • The problem always is.

    It's time to drive a stake through the heart of that protocol and start over. Like telnet and ftp, it just doesn't meet the standards of today's Internet.
  • Diluted Phish (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Thursday October 06, 2005 @06:04PM (#13734789) Homepage Journal
    Phishers use trademarked corporate ID images, names, slogans to fool victims into trusting the phisher as they would the simulated corporation. When a trademark holder does not "vigorously defend" their mark from dilution by others offering the same service, when the trademark owner knows about the dilution, they can lose their ownership. The Lanham Act defines the mark monopoly assigned by the PTO in terms of consumer protection. I'd like to see a phisher bring a new mark registration application for "Citibank" (and their logo), on the basis that the Lanham Act puts it up for grabs, after Citibank has slothfully ignored their dilution. That might wake up some of these banks to their responsibility to their customers, the flipside to the "brand equity" they cruise around on, garnering profits without earning trust with even the most rudimentary security that protects their customers, not just their branches.
  • by slashkitty ( 21637 ) on Thursday October 06, 2005 @06:09PM (#13734822) Homepage
    Every time there is a banking security article, I start pointing to Chase bank and Amex, both of which use pitiful security practices on their sites. The most important one of all, is to teach the user to always login from a secure site, and one with the bank name.

    Chase - has a login on their insecure site http://www.chase.com/ [chase.com], and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.

    Amex - does the same thing that Chase does on americanexpress.com.

    CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!

    • Chase - has a login on their insecure site http://www.chase.com/ [chase.com],

      The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.

      and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.

      That I agree with; putting the padlock icon there is not a good idea.

      Amex - does the same thing that Chase does on americanexpress.com.

      I had to do a little more digging for this one, as t
      • by braindead ( 33893 ) on Thursday October 06, 2005 @08:55PM (#13735950)

        The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.


        No, that's not enough. https gives you two things:

        (1) it encrypts your answer, and
        (2) it authenticates the site you're talking to.

        The situation with Chase [chase.com] does not provide guarantee number 2: if they're not using https then you would have to check the source every single time to make sure that no hacker replaced some packets in flight to steal your account information.

        I agree with the grandparent: login pages that don't use https: are a pityful security practice, regardless of whether the form gets submitted over https.

  • by ewe2 ( 47163 ) <.moc.liamg. .ta. .ootewe.> on Thursday October 06, 2005 @06:09PM (#13734825) Homepage Journal
    Technically, they are, but 9/10 times they seek to hide the problem and avoid liability. It is irresponsible in my view to put major databases in another country where it is known the information is being sold on the blackmarket, yet banks continue to insist there's nothing to be done. Remember, these are the same guys who organized shadow accounts so that the Russian mafia could siphon off billions in US aid to Russia a few years ago. It took the combined efforts of several governments to put political pressure on all countries where this method was known to exist (in places like Bermuda, etc). Banks will *never* act in the customer's interest unless forced, and yes, charge the customer for the privilege afterwards.
  • Have you heard of anybody who actually lost money due to phishing, and wasn't reimbursed by their bank, provided that they were willing to submit their computer to an independent third party for forensic analysis?

    Maybe the situation in the U.S. is drastically different, but over here, the banks take full responsiblity, and things aren't much better. We even use one-time passwords and two-factor authentication, but all this doesn't help that much if there's a trojan horse on the customer's machine.
  • by anthony_dipierro ( 543308 ) on Thursday October 06, 2005 @06:17PM (#13734909) Journal

    Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away.

    Isn't the responsibility already on the financial institutions? If someone takes out a loan in your name, do you really think you're required to pay it back?

    The victims of "identity theft" are the banks. The consumers only pay in the form of higher fees and interest rates.

  • by Bombcar ( 16057 ) <racbmob@nOsPam.bombcar.com> on Thursday October 06, 2005 @06:17PM (#13734910) Homepage Journal
    I sent a nice email to Bruce, but I didn't keep a copy (sent through Wired).

    Basically, we already have this with CC numbers, it's almost no hassle at all to get unauthorized charges removed. Yet CC fraud still happens, if anything, even more widespread than before. The little 3 digit number on the back was nice, but does it really slow anything down? After all, that number is now part of the databases, just like the expiration date.

    So who pays for CC fraud? The CC company? No, they backcharge the merchant. Does the merchant pay? No, he raises costs for all his customers, either in hassle proving identity, or by raising costs.

    In the end the customer always pays, so we might as well make it easy for him to solve problems.
  • by eflester ( 715184 ) on Thursday October 06, 2005 @07:51PM (#13735595)
    I think the poster has a point. I've not had a problem with my bank, but I did have a situation with a cellular phone company that issued an account in my name to someone who was pretending to be me. My conclusion from that experience was that the phone company was much too eager to open a new account without due diligence. Ultimately I didn't have to pay anything, but the experience was moderately expensive in terms of time and fees for certified mail, etc., and quite unpleasant. A simple legal principle something like "if you give someone who claims to be me some money, and it turns out not to have been me, too bad for you" is what I'd like to see. I think then we would see some real attention paid to the problem of securing transactions over the Internet and the POTS. Yes, I suppose this would make it more expensive for banks and others to do these transactions, but it seems that a reduction in fraud would make their overall expenses lower over time. Under the present system, much of the risk and frustration is borne by the consumer, who can do little to prevent fraud other than follow the boilerplate advice given out by government and commercial representatives.
  • by achurch ( 201270 ) on Thursday October 06, 2005 @08:23PM (#13735787) Homepage

    Japan recently enacted a law along similar lines. The target is skimming, not phishing, but it makes banks 100% responsible for account owners' losses from duped ATM cards (with a few limited exceptions, like if you write the PIN on the card you don't get your money back). The net effect has been to speed the introduction of IC-based cards, some of which use biometric verification as well--my own bank (Tokyo-Mitsubishi [btm.co.jp]) has this funky palm reader thing on their latest ATMs that makes me wonder if it tells you your fortune while it's processing.

  • Short-sighted (Score:3, Informative)

    by Jesus IS the Devil ( 317662 ) on Friday October 07, 2005 @01:15AM (#13737192)
    This solution is too draconian to work. In real life much of the problem lies in ignorant users getting tricked. There also needs to be a tough love solution whereby stupid users get punished financially.

    Right now, when someone gets their credit card stolen and a crook uses it to commit fraud, it's not the bank that gets to eat the loss, nor Visa/Mastercard/Discover/American Express. It's the merchant who gets it in the rear. The banks would love to make you think it's them protecting you, when in fact they're doing really little. After all, it's the merchants and not them eating the losses.

    So, if say stupid Joe gives up his cc info to some crook, who is smart enough to circumvent most fraud screening methods like AVS, IP geography check, and inputs a fake phone number (remembere, phone numbers are not verifiable by AVS), the merchant really has no way of knowing it's fraud.

    The bank wins, Joe wins (because he can do a chargeback), the crook wins, and the merchant loses.
  • by jdoeii ( 468503 ) on Friday October 07, 2005 @01:46AM (#13737319) Homepage

    There is a simple and cheap solution that banks can implement to stop phishers cold. They can use disposable pins for every outgoing transaction. When the customer opens an account, he gets a plastic card with pins. The card is either given in person, or sent by postal mail. Whenever the customer makes a payment, he is prompted by the bank to enter a pin. One pin - one transfer, the pin is never reused. The standrd credit-card sized card can hold about a hundred pins covered with scratch-off paint. The phishers can get the password and see the contents of the account, but they will not be able to transfer the money out of the account.

    Why don't the banks do it? Becuse such system would seem like an unnecessary hassle to the majority of customers.

  • by MythoBeast ( 54294 ) on Friday October 07, 2005 @12:42PM (#13740529) Homepage Journal
    It seems that a lot of people in this discussion seem to think that this would be (a) impossible, or at least (b) horribly expensive, so I thought I'd illustrate how it could be accomplished cheaply and effectively.

    First, the bank would need to have a readily recognizable web address that fully described the company name. www.wellsfargoofnorthamerica.com, for instance. It's kind of long to type, but we're talking security procedures here.

    Second, have ALL FINANCIAL INSTITUTIONS institute a policy of never sending a link in any email. Announce this policy on TV commercials. Make people sign a notice recognizing this policy when they sign up for an account. Put it in big letters on the initial credit card contracts. Put posters up in the bank lobby, that kind of thing. Awareness is truly the place where we're falling down here.

    There will always be idiots who fall for this stuff, but if people in general know that banks won't send these links, then they won't fall for this kind of thing nearly as often.

Money may buy friendship but money cannot buy love.

Working...