Schneier on Security
A blog covering security and security technology.
« RFID Car Keys |
| SMS Denial-of-Service Attack »
October 6, 2005
My third Wired column is on line. It's about phishing.
Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers -- they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers' assets.
EDITED TO ADD: There's a discussion on Slashdot.
Posted on October 6, 2005 at 8:10 AM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Great points, Bruce, but the problem with legislating that responsibility over to the financial institutions is that corporations have lobbyists who write the laws on their behalf and cadres of lawyers who find the loopholes. So once the law is signed and the politocos are finished patting themselves on the back for doing such a fine job of protecting us, we end up with a zero sum gain for the victims.
I think the most effective path to the result you seek is to encourage a bank to adopt these measures as a customer service tool. "We will help restore your record as a way to earn your business" provides the incentive to the banks to protect against it in the first place, and gains them additional clients to help offset the cost.
The main problem is internation cooperation!
Many banks here in the UK do provide what they call "Identity Theft Assistance" (which has always struck me as being the wrong way round, surely :->) but I'm not sure quite what that entails.
My own bank, egg.com, helpfully sends out emails telling me that if I forget my PIN I can remind myself of it by logging on, and they have a handy URL in the email for me to click on and follow. They apparently didn't understand my concern when I complained to them about it.
It's very good to read something about fighting phishing that does not mention magical technical solutions.
However, I believe that defining the banks as the entities that are in the best position to mitigate the risks is not so easy. There are other phishing attacks besides doing money transactions, specially now that almost everything can be done online.
I believe that the user is the optimal poinst to be worked, as his decision will make the attack successful or not. I think that two issues need to be addressed:
We need to make the information needed by the user to identify the attack attempts easier to understand. This can be accomplished by changes in e-mail clients and browsers.
The other is that the user need to be aware of what can happen and know the meaning of his actions. Banks and e-commerce companies need to conduct a broad awareness campaign. People also need to address online risks in the same way that they do with risks related to driving, riding bikes, cooking and other common activities that have risks. They need to learn how to protect themselves while they are learning about the activities. What about "safe online behaviour" classes in high school? These things are part of evrybody's lifes now, they need to learn how to do it securely as soon as possible.
Banks can and need to work on their side. However, the point where the attack takes place need to be addressed too.
My solution to phishing is to do all my transactions with the bank in person.
I also don't purchase anything online.
The latter, I suspect, is what will eventually get corporations to do what is necessary to stop, or at least slow down, phishing attacks. When those attacks become an impediment to business.
> ...but the problem with legislating that responsibility over to the financial institutions
> is that corporations have lobbyists who write the laws on their behalf and cadres of lawyers
> who find the loopholes. So once the law is signed and the politocos are finished patting
> themselves on the back for doing such a fine job of protecting us, we end up with a zero
> sum gain for the victims.
That's not necessarily true. I blathered on about this on the thread on the dumbest ideas in computer security, but to sum up here ->
It's true that corporations will use lobbyists (and contributions to your politicians) to water down these sorts of legislative regulations. It's also true that they'll use the legal system to fight legislation that gets passed anyway - > witness their fight against California's prop 103 in '88. It's finally true that when they lose the first two steps, they'll author their own legislation to over-ride it (prop 64).
Our government is not designed to solve problems quickly. Legislating better security practices or higher liability for financial institutions will go through the above cycle -> it will take decades to solve this problem, barring huge public outcry. However, in the long run, it works. The meat packing industry isn't like Upton Sinclair's "The Jungle". Major financial crashes now cause recession, not depression.
You have to start somewhere. I think Bruce is enough of a realist to know that just writing legislation isn't going to be the magic salve that makes all of these problems go away next year. Just like rubbing cryptography on your computer application doesn't make it secure, rubbing legislation on an industry doesn't make it fix its broken practices immediately.
As someone in a highly regulated industry, I can tell you that having laws makes it easier to get support to do the right thing. For us, before HIPAA it was hard to cost-justify doing good security. While many people want to do the right thing, without laws saying "you must" it is hard to get the budget to do what needs to be done. Corporations aren't terribly moral, and they will generally do whatever is financially best, even if some other harm comes about in the process.
Laws don't solve the problems, but they do give leverage to those that want to do the right thing.
I like your column but the little thumbnail picture makes you look like an escaping felon.
I think that we're looking at "identity theft" in the wrong way, and the problem starts with the term I have quoted.
Let's suppose Alice obtains enough information about Bob to masquerade as Bob, and uses the information to get money or goods from BigCorp. Notice that Alice has stolen nothing from Bob; Alice has stolen from BigCorp. But BigCorp finds this fact inconvenient, and wants to stick Bob with the bill. Worse, our current legal system supports them; the onus is on Bob to prove that he withdrew the money or bought the goods, and if he didn't, we act as though Alice has stolen from Bob. She hasn't, she's stolen from BigCorp. And the credit reporting companies are free to libel Bob by telling everyone that he's a deadbeat, until Bob proves otherwise. We're all told that Bob must be extremely careful with his information, shred his bills, etc., and credit card companies offer to sell the consumer services that they should be obliged to provide for free, that is, to provide elementary security measures to detect "identity theft".
If we simply reverse the burden of proof, business will suddenly have a huge incentive to fix the problem. In the meantime, obtaining credit will be more difficult, but slowing down our rampant borrowing could be a good thing.
Oh, and wiredog: do you use a credit card in restaurants? Your odds of having your credit information "stolen" are much greater if you do that than if you buy something online. A busboy was caught trying to buy something with my credit card number once, but he was caught by his extreme stupidity.
No, I don't use the CC in restaurants. I don't use it for /any/ purchase under $200.
So the solution is to drop out of the financial markets and return to cash. Well, when you are robbed of your cash, or you misplace it, you may find that 99.999% of the others will not follow your advice.
There was an interesting form of 'identity theft' described on the radio this morning. Apparently people were called by someone claiming to be from the court and told that their failure to report for jury duty would result in a warrant for their arrest. That psychological impact destabilized natural caution and they would give SS numbers and other identity info to the callers.
Bank of America has a nice anti-phishing gimmick. You enter your ID (but not the password) on the first page and then a second page is presented for your password. That page has a key phrase and an image that you have selected in advance. If you see the image and the phrase, then you know you are on a real Bank of America page, and that it's safe to enter the password.
That's a great scheme for protection against spoofing, and would only help people who know to look for something and then abort the login if that factor is missing. That probably covers less than 1% of the general population. It would do absolutely nothing to protect the general computer using population against a phishing attack where an e-mail asks for your user name and password. If you are going to give that information away, you almost certainly aren't going to abort that process because the e-mail requesting the info lacks a valid authentication device.
Just to be devil's advocate here: Bruce - you suggest that pushing the risk of decisions to the "the person or organization making the decision" - to avoid the externalities. You suggest that pushing these additional risks to financial institutions would mean they'd finally take this process seriously. It could also possibly suggest that end users - whose bad decisions enable phishing-style attacks - should bear the costs, right? Why should I worry about ID theft if my bank has a 100% no-fraud guarantee? There's a moral hazard there somewhere. But if we push the risks in that direction, is there a future for these kinds of transactions at all? Without consumer protections, I would stop doing business online, even though I try not to make bad decisions.
"There was an interesting form of 'identity theft' described on the radio this morning."
On a related note, I read an article that described how fraudsters have started using the phone to call potential victims using various schemes like that described.
People should generally be wary of any form of unsolicited communication, whether by email, phone, paper mail, someone knocking on there door, etc.), especially those that ask for personal information.
However, there generally seems to be more trust in communication using the phone system (placing/receiving a call) than in the Internet (sending/receiving an email). With the phone system, perhaps it is assumed that the cost of the phone call (on the part of the caller), or the perceived ability to trace the call using various methods like caller-id (many don't know it can be spoofed) likely add to a higher degree of trust.
Along these lines, I wonder how long it will be until the fraudsters figure out how to successfully pharm the phone system in large scale, so even calls that I originate can be redirected (without me knowing it). Then, I won't be able to know that it is not really my bank (or the SS office, etc.) that I am calling. Perhaps phone parming won't work at scale due to the localization and the central office nature of the phone system.
Pretty soon, it would seem, we won't be able to trust any form of communication. Will we have to teach our children to not trust anyone. Or perhaps to somehow "Trust but Verify" (seems I have heard that one before :-) ).
"I think that we're looking at "identity theft" in the wrong way, and the problem starts with the term I have quoted."
I completely agree! Perhaps this will be part of "making those that can mitigate the risk responsible for the risk".
It seems that the risk here is a bank not properly identifying who they are "handing out" money to (i.e. letting someone fraudulently access an account, letting someone set up an account in someone else's name, etc.).
This is no different from a bank cashing a counterfeit check. It is the bank who is responsible, not their customers.
I've been complaining for a long time to my bank (Bank of America) to stop putting links in their emails. I know, it's supposed to be convenient if I can just click to get to my bank statement. But it also trains people into trusting links in email. Better would be to have a simple statement in the email explaining why there is no link, and to go to the bank's web site like you always do. The banks, ebay, etc, could go a long way to better educate people against clicking links in email. That's not a full solution, but legitimate links in email require people to have to figure out what is legitimate and what is not. That's fine for us, but not for Grandma.
I think there needs to be some sliding scale of responsibility. For example, if the bank texts my phone for confirmation anytime I use my credit card with a merchant I haven't dealt with before, and won't honour orders which ship to other than my home address, then they should be 100% responsible if someone forges a change-of-address notice for me and then buys stuff on my card.
On the other hand, if I want to be able to use my credit card over the internet to order goods from anywhere in the world and have them shipped anywhere, and never be bothered by the bank asking for confirmation of these orders, then the bank should bear less liability for fraud.
Nice concise writing.
Joe Buck is right.
The financial institution is a willing participant in each fraudulent transaction. The victim is not a party to any of it. When the corporation makes a bad bet, they should be responsible for all collateral damage. They should clean up the mess, complete the cleanup quickly, and come clean about their indiscretion.
Well, think about it. Why would financial institutions invest in security where they already have the law on their side as deterrent and the state doing all the dirty work for them in case shit happens. They'll just call police who will do all the investigation and the state will do all the prosecution whenever crime was committed. All with taxpayers money.
I recently got an email with a link to Ebay. Of course, I knew it was false because it showed up on the wrong email account, and I know Ebay doesn't do that anyway.
But, being curious to see where in Asia the link went, I checked it anyway. It resolved to an address owned by Ebay! So then I looked at the email source and saw that the link was wrapped in a with an action that went to a machine in Malaysia ...
"I also don't purchase anything online."
Using a credit card onlike is essentially safe. When you order from say a webshop you don't actually authorize any transactions yourself as thre's no signature. That means if something goes wrong there's no liability on you so you can always dispute any charges to your card later.
It's true that financial institutions need to be the gatekeepers, but it's unrealistic for consumers (us) to expect that lawmakers will force them to it -- we have to make our wishes known directly to the banks we do business with.
We need to cancel accounts with institutions who don't do enough, tell them why we are doing so, and tell them what they ought to be doing.
One thing I've wished for is the opportunity to pick from a menu of rules that state the kind of activity I want to allow for myself. For instance, "This credit card will never be used online" or "This credit card card will never be used physically outside the USA and Mexico", and if I want to change my profile (perhaps temporarily, for a vacation) I have to preauthorize it.
The problem with Identity Theft is that financial institutions and credit bureaus are basing the security of my "identity" on the secrecy of non-secret information. My SSN, DOB, mothers maiden name, etc, are not secret. Now, they aren't necessarily public, but they're definitely not secret, which means that current "authentication" schemes for financial accounts are hopelessly broken.
Bruce generally has sound ideas in the area of security, but this is absolutely ludicrous and I can't believe none of the comments have called this out yet.
Think about it - a financial institution can't possibly be held liable because some person was a victim to fraud. A fraudulent transaction typically looks no different than a normal one, and the only real way to verify the legitimacy of a transaction is to verify each transaction individually with the account holder. Then you'd also have to verify the recipient of said transaction, since in many cases these people aren't aware they're being defrauded. There is no reasonable way to verify the authenticity of each transaction without dramatically increasing costs. Those costs would then get passed onto all account holders.
Even if you could find a reasonable way to hold the financial institutions responsible for fraud, this would simply *skyrocket* instances of fraud. What ever happened to personal responsibility? When you take personal responsibility out of the equation, people are going to completely throw due caution out the window because it can't possibly impact them.
You all are thinking of this as a "stick it to the man" solution, as in it'll just reduce profits of the "evil corporations". The reality is if our financial institutions have to cover fraud, we'll *ALL* be paying for fraud in the form of increased fees. For those of us wise enough to avoid fraud, why should we have to pocket the expense of those who aren't? Especially if you take personal responsibility out of the picture.
This has to be the worst "solution" to phishing I've ever heard. It'll just increase fraud and pass the costs of it onto all of us.
The point bruce is making is actually exactly yours. The transactions look identical. However, that is a choice of the banks. There are many ways of designing the transactions and building in authentication. In Europe, for some banks we can get one time use passwords printed in sealed on envelopes (like you get your PIN code in). If I want to authorise a transaction then I have to open it and give the code. If this is linked with a normal PIN code then the bank gets to be much more sure. Other banks use SECURID cards or equivalent.
In America, I understand many transactions can be done by just knowing the SSN (+ pet name??)
When the authentication method for transactions is chosen by the bank then they are at fault if it is impossible to tell a fraudulent transaction from a real one.
My two pence...
I think it's criminal for the banks to provide a banking system where the authentication mechanism is not secure enough. I agree that all systems take time to mature but this is crazy. Banks are used by common people because they provide a secure mode for money to be stored and exchanged. All the ancient modes of authentication ensured that identity theft is difficult to achieve, least of all identity theft enmass.
I have to agree banks need to get their act together take responsibility and make the system more secure.
I fully agree. I think the whole phishing problem is essentially a problem of Anglo-Saxon banking, as those banks apparently tend to opt for the cheapest authentication system.
My UK bank, HSBC relies on three numbers (account, DOB, security), which are easy to obtain through phishing. My Dutch bank, ABN Amro, uses a small device (which looks like a calculator). I have to enter may bank card and PIN in it. The website provides me with a number to which the device calculates an answer. The user must enter this into the website; the device has no electronic connections except to the chip on the card. Though probably not water tight either, this system prevents successful phishing. (they are so sure of it they even offer a free 1MB electronic 'vault' to store your own documents).
For banks it thus is a business decision. Spend a couple of million on small devices, or let the clients bear the risks. Though I am not a lawyer, I'd say legislation is relatively easy, just force banks to follow industry best practices.
The law does already make the bank accept the liability for fraudulent credit card or debit card transactions. I don't know what this thread is about. I was a victim of identity theft about 10 years ago. Someone forged a credit card with my name, went to a bank and made an $1,800 withdrawal. I was asked to sign a single form denying I had benefited from the transaction and it was removed from my bill the same month it appeared.
The only effective anti-phishing technique I can think of would be to not deliver valuables to unknown parties. For example, online purchases could be mailed only to the cardholder address, online banking could transfer only to related accounts, etc.
The theme of 'be safe, avoid online banking' is somewhat off target. Many recent incidents including the DSW break-in, ChoicePoint, CardSystems and others were equally as likely to affect consumers who made an in-person transaction, even if the card never left their sight. The fraudsters simply stole the information from some point further on in the processing stream.
In fact, online banking can be a tool to reduce risk. A recent study by Javelin Strategies found that victims of identity theft who use online banking are likely to detect the problem earlier and with substantially lower losses than those who wait for a month-end statement before noticing the problem.
The issue here comes back to the point of "making those that can mitigate the risk responsible for the risk".
In this case, the individual account holder can't mitigate all the risks, so they can only be held partially responsible. That is, everyone needs to perform basic due diligence to manage their "identity" information. So, while you might have some control of your "identity" information, you typically have no control over what others do with your "identity" info once they have it. As Duard pointed out, if someone acquires (legally, hacking, etc) your "identity" info from a trusted agent (aka ChoicePoint, CardSystems, etc.), you as an individual have no way to mitigate that risk.
So, even though you are completely diligent, ensuring you don't reveal your "identity" info to anyone, someone could still commit fraud using your "identity" info, stolen from someone else. In this case, the individual account holder should still be held liable?
The bank, as the agent ultimately in control of your financial accounts (aka your money) can mitigate this risk and is the one that needs to be held responsible.
What matters most is not that a criminal can acquire "identity" information, but what they can do with it once they have it.
In this case, the bank is in the best position to mitigate the risks associated with what a criminal can do with your "identity" information, not the individual.
Be careful of the 'mile high pole.' Once there are powerful incentives for banks to protect themselves and their depositors from id-based fraud, do you suppose that fraud will end? Rather, you will see the criminal enterprises shift to other vulnerabilities. Among the current exploits that would presumably grow to fill the void would be extortion plots including blackmail, theft of services, industrial sabotage, manipulation of academic records, etc etc (not to even mention the ideological and political goals one can pursue through identity fraud).
Incentives for financial institutions are probably a good idea. But with so much of our productive energies based on technology that's fundamentally insecure, incentivizing the banks will only transform rather than eliminate the threat.
"I fully agree. I think the whole phishing problem is essentially a problem of Anglo-Saxon banking, as those banks apparently tend to opt for the cheapest authentication system."
People, me included, have been saying this for a long time on these pages. Here's an example of a Swiss bank recently improving their authentication system:
They have changed from one time authentication codes which are used up one after the other to a code card. At each login, the user is asked to enter a certain, randomly chosen code from the card. This is quite low-tech, so the cost of such a system can't be the problem.
Although this is not phishing-specific, the U.S. Treasury operates a program where citizens can purchase Treasury securities and savings bonds directly. Currently, certain Treasury securities transactions such as changing one's bank account for payments and transferring securities to someone else's account require a signature guarantee. They are seeking to change this system over to an Internet-based system requiring only a password for any transaction, and apparently placing all risk of fraud on the user. (http://www.treasurydirect.gov/news/tdmarketablesqa.htm) (http://www.access.gpo.gov/su_docs/fedreg/a050930c.html#Fiscal%20Service)
This is a two-part problem. I agree that it makes sense to push the risk back on the financial institution for an additional reason nobody has put forth here (yet):
Banks don't make authentication more complex because their customers don't want to fiddle with devices or remember good passwords or anything else that would increase their security. If an individual bank started using an authentication method better than what we have now, they'd probably lose a bunch of their customers ("I use to bank with BofA, but then they started requiring me to carry a widget that gave a password I had to pass on to the merchant, and after I forgot it for the umpteenth time I decided to switch to Wells Fargo").
An individual bank implementing something like this would be committing competitive suicide -> for every customer that they would gain (for more secure banking) they would lose dozens. People, as a mob, don't want security, they want convenience.
It's a classic free rider problem -> for things to get better for everybody, you have to force everybody to do things a better way, even those that don't want to...
So forcing banks to accept the liability for the fradulant transaction would mean that *all banks* would have to improve their authentication methods. Then you no longer have competitive suicide problems, as all of the "lazy" customers can complain, but they can't just change financial institutions...
Some of the largest (mostly US) banks, do not properly protect their login pages. These banks invoke the SSL protocol to encrypt the password - as required - _but_, only _after_ the user typed the password into the form. If the user gets a fake login page, say by phishing or pharming attack, then all is lost - the fake page would probably send the password to the attacker, not (encrypted) to the bank... Problem exists for Chase, PayPal, BoA, ... also Microsoft Passport & Hotmail!
I keep a `Hall of Shame` of such sites (see my site). I warn them before posting; few fixed, most ignored, few threatened to sue me, one sent me coupons for free trades. Facts were acknowledged by FDIC experts and many (most) security experts. Crazy.
The main excuse I received was that users won't notice a fake site, even if the bank did protect their sites. Reason is that current browser security indicators (the padlock, mainly) are so poor. This is correct, but:
(a) A very lame excuse. Banks should do their part (protect the page). And even with current browsers, some users _can_ identify nonprotected sites, although most will, indeed, fail to detect.
(b) Browsers can and should be improved... We develop a (free) toolbar (currently for FireFox) called TrustBar, which may significantly improve detection rates - even for naive users (users 7 to 70...)
See both TrustBar and Hall of Shame in my site http://AmirHerzberg.com/TrustBar
Hi Bruce, great article. You first mention that due to the economies of scale afforded by the web the criminal only needs a 1-in-a-million hit rate to be a success. A few paragraphs down you talk about spear phishing, which is individualised emails targetting unsuspecting users, if phishing attacks rely on economies of scale, then how will spear phishing attacks be effective?
"You first mention that due to the economies of scale afforded by the web the criminal only needs a 1-in-a-million hit rate to be a success. A few paragraphs down you talk about spear phishing, which is individualised emails targetting unsuspecting users, if phishing attacks rely on economies of scale, then how will spear phishing attacks be effective?"
I don't know. In the long run, it might not be.
Basically, the attackers are trading off scalability with liklihood of success. A more targeted phishing email doesn't scale as well, but has a higher liklihood that it will result in passwords and etc.
I don't know where the "sweet spot" is for this sort of attack, but the criminals will figure it out.
I think bruce is largely correct and makes a strong case for a change in liability. At present in the UK most banks make a play a strong hand with a "piece of mind guarantee" agreeing to refund losses resulting from phishing. This doesn't go far enough - dealing with the theft of money is a messy business and the bank needs to be straight with the customer with the customer compensated accordingly.
They are not compensated for coming forward (a reward)* they are not compensated for any problems resulting from the absence of funds (compensation), nor to they realise that by coming forward it is perfectly possible for the bank to prevent other thefts (finders-fee!)
* did you know that in the UK most banks will give any member of the public 20 quid for handing in an ATM card to a branch. It is perfectly possible to go to the cash machine, find you've no money and then go into the branch and get £20 by handing in your own card. A recent ID theft conviction featured this reward scam in the court case.
when it is a family member whom you have helped with thousands before and to find them phishing off your account just as they had bragged about doing the same to other so called friends it sucks
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.