Phishing and Identity Theft
I’ve already written about identity theft, and have said that the real problem is fraudulent transactions. This essay says much the same thing:
So, say your bank uses a username and password to login to your account. Conventional wisdom (?) says that you need to prevent the bad guys from stealing your username and password, right? WRONG! What you are trying to prevent is the bad guys STEALING YOUR MONEY. This distinction is very important. If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details? Your username and password are only valuable insofar as the bank allows anyone who knows them to take your money. And therein lies the REAL problem. The bank is too lazy (or incompetent) to do what Bruce Schneier describes as “authenticate the transaction, not the person”. While it is incredibly difficult to prevent the bad guys from stealing access credentials (especially with browsers like Internet Explorer around), it is actually much simpler to prevent your money disappearing off to some foreign country….
When something goes wrong, the bank will tell you that you “authorised” the transaction, where in fact the party who ultimately “authorised” it is the bank, based on the information they chose to take as evidence that this transaction is the genuine desire of a legitimate customer.
The essay provides some recommendations as well.
- Restrict IP addresses outside Australia
- Restrict odd times of day (or at least be more vigilant)
- Set cookies to identify machines
- Record IP usually used
- Record times of day usually accessed
- Record days of week/month
- Send emails when suspicious activity is detected
- Lock accounts when fraud is suspected
- Introduce a delay in transfers out—for suspicious amounts, longer
- Make care proportional to risk
- Define risk relative to customer, not bank
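To make "authenticate the transaction, not the person" concrete, here is an added example (not from the essay or from any bank's code) that turns the recommendations above into a risk score for a single outbound transfer. The profile fields, the signal weights, the score thresholds, the country codes and the sample transfers are all constructed for illustration; the geo-IP lookup that fills in src_country is assumed to happen upstream.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Profile:
    """What the bank has recorded about a customer's normal behaviour."""
    home_country: str
    usual_ips: frozenset         # source addresses seen on past logins
    usual_hours: frozenset       # hours of day (0-23) the customer normally logs in
    usual_weekdays: frozenset    # 0 = Monday ... 6 = Sunday
    balance: float


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer request, as seen at the moment of authorisation."""
    amount: float
    src_ip: str
    src_country: str             # assumed to come from a geo-IP lookup upstream
    when: datetime
    device_cookie_known: bool    # did the browser present a cookie the bank set earlier?


@dataclass(frozen=True)
class Decision:
    action: str                  # "allow", "delay" or "lock"
    hold: timedelta              # how long the transfer is held before it executes
    notify: bool                 # whether to email the customer about it
    reasons: tuple               # which signals fired, for the audit trail


def risk_signals(profile, transfer):
    """Evaluate each recommendation as a weighted signal (weights are constructed)."""
    signals = []
    if transfer.src_country != profile.home_country:
        signals.append(("foreign_ip", 3))
    if transfer.src_ip not in profile.usual_ips:
        signals.append(("unfamiliar_ip", 1))
    if not transfer.device_cookie_known:
        signals.append(("unknown_device", 1))
    if transfer.when.hour not in profile.usual_hours:
        signals.append(("odd_hour", 1))
    if transfer.when.weekday() not in profile.usual_weekdays:
        signals.append(("odd_weekday", 1))
    # Risk relative to the customer, not the bank: the same dollar amount
    # matters far more to a small account than to a large one.
    share = transfer.amount / profile.balance if profile.balance > 0 else 1.0
    if share >= 0.5:
        signals.append(("large_share_of_balance", 2))
    elif share >= 0.2:
        signals.append(("notable_share_of_balance", 1))
    return signals


def authorise_transfer(profile, transfer):
    """Decide whether the transaction itself looks legitimate, credentials aside."""
    signals = risk_signals(profile, transfer)
    score = sum(weight for _, weight in signals)
    reasons = tuple(name for name, _ in signals)
    if score >= 6:
        # Enough independent anomalies: freeze the account and tell the customer.
        return Decision("lock", timedelta(0), True, reasons)
    if score >= 3:
        # Suspicious but not damning: hold the transfer, longer for larger amounts.
        hours = 24 if transfer.amount < 1000 else 72
        return Decision("delay", timedelta(hours=hours), True, reasons)
    return Decision("allow", timedelta(0), False, reasons)


# Constructed sample data. 2005-05-10 is a Tuesday, 2005-05-08 a Sunday.
PROFILE = Profile(
    home_country="AU",
    usual_ips=frozenset({"203.0.113.10"}),
    usual_hours=frozenset(range(8, 23)),
    usual_weekdays=frozenset(range(0, 5)),
    balance=5000.0,
)
ROUTINE = Transfer(200.0, "203.0.113.10", "AU", datetime(2005, 5, 10, 14, 0), True)
NEW_DEVICE = Transfer(1500.0, "203.0.113.77", "AU", datetime(2005, 5, 10, 14, 0), False)
SUSPECT = Transfer(4000.0, "198.51.100.7", "ZZ", datetime(2005, 5, 8, 3, 0), False)

if __name__ == "__main__":
    for label, t in (("routine", ROUTINE), ("new device", NEW_DEVICE), ("suspect", SUSPECT)):
        d = authorise_transfer(PROFILE, t)
        print(f"{label:10s} -> {d.action:5s} hold={d.hold} notify={d.notify} reasons={d.reasons}")
```

Note that no single signal decides anything: a customer who likes banking at 1am only picks up one point for the odd hour and is still allowed through, while a large transfer from an unfamiliar country, device, hour and day together crosses the lock threshold. The reasons tuple is what the bank would keep as its record of why it chose to treat the transaction as genuine or not.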
These are good ideas, though they need more refinement in the specifics. Still, they're a great start, and banks would do well to pay attention to them.
Israel Torres • May 11, 2005 9:29 AM
“What you are trying to prevent is the bad guys STEALING YOUR MONEY. This distinction is very important. If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details?”
Actually there should be mention of those that are using stolen bank accounts to launder money. In this case it wouldn’t matter what monies the victim’s account had since the purpose is not to steal money but to steal identity. It may not be a popular thought, but that doesn’t mean it doesn’t happen and shouldn’t be accounted for.
Some of the recommendations listed are rather outdated for the “man of today”. For example, there are those that enjoy banking at 1am. The Internet is open 24/7 by design; putting limitations on such an idea is putting a limitation on yourself as an individual.
Also, who in the world isn’t familiar with the constant flow of “phishing emails” from fake banks that state your security is at risk if you don’t update your records because someone has just attempted to login to your account? Secure transactions were never meant to happen over email, and spammers and their ilk are taking advantage of those trusting email all too much.
Israel Torres