Phishing and Identity Theft
So, say your bank uses a username and password to log in to your account. Conventional wisdom (?) says that you need to prevent the bad guys from stealing your username and password, right? WRONG! What you are trying to prevent is the bad guys STEALING YOUR MONEY. This distinction is very important. If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details? Your username and password are only valuable insofar as the bank allows anyone who knows them to take your money. And therein lies the REAL problem. The bank is too lazy (or incompetent) to do what Bruce Schneier describes as "authenticate the transaction, not the person". While it is incredibly difficult to prevent the bad guys from stealing access credentials (especially with browsers like Internet Explorer around), it is actually much simpler to prevent your money disappearing off to some foreign country...
When something goes wrong, the bank will tell you that you "authorised" the transaction, where in fact the party who ultimately "authorised" it is the bank, based on the information they chose to take as evidence that this transaction is the genuine desire of a legitimate customer.
The essay provides some recommendations as well.
- Restrict IP addresses outside Australia
- Restrict odd times of day (or at least be more vigilant)
- Set cookies to identify machines
- Record IP usually used
- Record times of day usually accessed
- Record days of week/month
- Send emails when suspicious activity is detected
- Lock accounts when fraud is suspected
- Introduce a delay in transfers out -- for suspicious amounts, longer
- Make care proportional to risk
- Define risk relative to customer, not bank
These are good ideas, though they need more refinement in the specifics. Still, they're a great start, and banks would do well to pay attention to them.
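As an added illustration (not code from this post or from the essay it discusses), the sketch below combines those recommendations into a per-transaction risk check: each signal is judged against the customer's own history rather than a bank-wide rule, and the outbound-transfer delay grows with how unusual the amount is for that customer. The profile fields, weights, thresholds and sample transactions are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class CustomerProfile:  # per-customer baseline built from past sessions (hypothetical fields)
    usual_countries: set     # where this customer normally logs in from
    usual_hours: range       # hours of day the account is normally used
    usual_weekdays: set      # 0 = Monday ... 6 = Sunday
    known_devices: set       # cookie identifiers previously set on the customer's machines
    typical_transfer: float  # typical outgoing amount for this customer

@dataclass
class Transfer:
    amount: float
    country: str    # country of the source IP address
    device_id: str  # cookie presented by the browser
    when: datetime

def risk_score(profile, tx):
    """Score a transfer against the customer's own history; return (score, reasons)."""
    score, reasons = 0, []
    if tx.country not in profile.usual_countries:
        score += 3; reasons.append("IP outside usual country")
    if tx.when.hour not in profile.usual_hours:
        score += 1; reasons.append("odd time of day")
    if tx.when.weekday() not in profile.usual_weekdays:
        score += 1; reasons.append("unusual day of week")
    if tx.device_id not in profile.known_devices:
        score += 2; reasons.append("unknown machine")
    if tx.amount > 3 * profile.typical_transfer:
        score += 2; reasons.append("amount large for this customer")
    return score, reasons

def decide(profile, tx):
    """Make care proportional to risk: allow, delay + email, or lock + email."""
    score, reasons = risk_score(profile, tx)
    if score >= 6:
        return {"action": "lock_and_notify", "delay_hours": None, "reasons": reasons}
    if score >= 3:
        # delay in hours, 24..72, scaled by how large the amount is relative to this customer
        delay = min(72, max(24, round(24 * tx.amount / max(profile.typical_transfer, 1.0))))
        return {"action": "delay_and_notify", "delay_hours": delay, "reasons": reasons}
    return {"action": "allow", "delay_hours": 0, "reasons": reasons}

# Constructed sample data (not real customer records); "ZZ" is a placeholder country code.
SAMPLE_PROFILE = CustomerProfile({"AU"}, range(8, 21), {0, 1, 2, 3, 4}, {"cookie-abc"}, 500.0)
SAMPLE_TRANSFERS = {
    "normal": Transfer(400.0, "AU", "cookie-abc", datetime(2005, 5, 10, 14, 30)),
    "sunday_large": Transfer(2000.0, "AU", "cookie-abc", datetime(2005, 5, 15, 10, 0)),
    "foreign_night": Transfer(4000.0, "ZZ", "cookie-new", datetime(2005, 5, 11, 3, 15)),
}
```

Calling `decide(SAMPLE_PROFILE, tx)` for each sample transfer yields allow, a 72-hour delay with an email, and a lock with an email respectively.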
Posted on May 10, 2005 at 4:24 PM