[Clips] Banks Seek Better Online-Security Tools
mis at seiden.com
Mon Dec 5 11:26:14 EST 2005
On Mon, Dec 05, 2005 at 09:24:04AM +0000, Ian G wrote:
> mis at seiden.com wrote:
> >it seems to me the question is how much liability do i expose myself to by
> >doing this, in return for what savings and convenience.
>
> That part I agree with, but this part:
>
> >i don't keep a lot of money in banks (why would anyone?) -- most of
> >the assets are in (e.g.) brokerage accounts. at most i'm exposing
> >a month of payroll check to an attacker briefly until it pays some
> >bill or is transferred to another asset account.
>
> George's story - watching my Ameritrade account get phished out in 3 minutes
> https://www.financialcryptography.com/mt/archives/000515.html
>
> Seems like a hopeful categorisation!
>
> iang
okay, i read this story from 7/2005 reporting an incident in 5/2005. the short form of it is:
the bad guys changed the associated bank account,
then they placed orders to sell everything at market prices.
at some point they changed the email address to a hotmail account (if they'd done this first he would
have gotten less notice)
for some unexplained reason he received confirmations of the trades at the old email address.
actual cash didn't get transferred at least because of the 3 day settlement time for the trades.
the rest was dealing with law enforcement and customer service punes who wouldn't tell him
anything for "privacy reasons".
well, i have lots of nit-picking questions, about the actual incident
and about the general point.
about the actual incident:
maybe his password was phished, maybe it was malware,
maybe it was password reuse and some other account was phished.
how was the bofa account set up? (the fraudster's destination account) in these days of
patriot act "know your customer"? (or was it someone's phished account also used just for transit?)
why didn't they just do the wire transfer early, and leave him with a giant margin balance
to be paid from the proceeds at settlement?
about the general point:
the main thing online access changes (compared with phone access, or written
instructions) is the velocity.
most sensible institutions provide "change of account status" notifications
by both email and postal mail (to both the old and the new addresses).
some sensible institutions put brakes on removing money from the system,
certainly for new accounts and (as i recommend to my clients) after an account
change reflecting identity or control.
aside from the time and energy drain of identity theft, what is the
financial liability for consumers if your us-based brokerage account
is phished resulting in a fraudulent funds transfer? does anyone know
if there is any uniform protection (such as reg e would cover for interbank
funds transfers?)
i insert the weasel-words "consumers" and "us-based" because
of bofa's behavior in the joe lopez malware case, where they
are trying to claim he is a business not a consumer, and that
they are without fault in wire transferring his funds to latvia.
slightly off-topic:
remember abraham abdallah, the brooklyn busboy who assumed the
identity of a large number of the fortune 200 richest? made goldman
sachs "signature guaranteed stamps" and opened accounts in their number?
had 800 fraudulent credit cards and 20000 blank cards when he was
arrested? ("hey kids! collect 'em all!"). my point is only that this is
possible without my participating. as jerry leichter reminded me,
the fact that there are these facilities available means a bad guy can
use them even if i do not, unless i can not only opt out but forbid anyone
else from subsequently opting in, the moral equivalent of cutting your debit
card in half and returning it to the bank (rather than just destroying
the PIN).
even more off-topic:
i'm surprised that the people on this list don't feel as if they have enough
personal connections that at least they could figure out what happened to them
at *some* financial institution. doesn't anyone else ask, as a basis for imputing
trust, "exactly who did that {protocol, architecture, code} review?"
maybe i'm delusional, but i give fidelity some residual credit
for having adam shostack there, even some years ago, and there are some firms
i'd use because i've been there enough to see their level of care.
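As an added illustration of the two controls the post credits "sensible institutions" with (change-of-control notifications sent to both the old and the new address, and a hold on moving money out after a new account is opened or after an identity/control change), here is a small Python model. It is not part of the original post or any institution's code; the hold lengths, the field names, the account values and the attack sequence replayed from the linked story are constructed assumptions.

```python
"""Model of two 'brakes' on a phished brokerage account: notify old and new
addresses on every control change, and hold outbound transfers for a while
after account opening or after a control change. Constructed example; the
hold lengths and account values below are assumptions, not any real policy."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, List, Tuple

NEW_ACCOUNT_HOLD = timedelta(days=30)     # assumed: no outbound transfers for 30 days
CONTROL_CHANGE_HOLD = timedelta(days=10)  # assumed: no outbound transfers for 10 days

# Fields whose change shifts who controls the account or where money/notices go.
CONTROL_FIELDS = {"email", "postal_address", "linked_bank"}


@dataclass
class Account:
    opened: datetime
    email: str
    postal_address: str
    linked_bank: str
    cash: float = 0.0
    last_control_change: Optional[datetime] = None
    # (channel, destination, message) tuples recorded instead of actually sent
    notifications: List[Tuple[str, str, str]] = field(default_factory=list)


def change_control(acct: Account, field_name: str, new_value: str, now: datetime) -> str:
    """Apply a control change, start the hold clock, and notify every
    address that could belong to the legitimate owner: the current email and
    postal address, plus the OLD value when the changed field is itself an
    address. So an attacker who swaps the email still triggers mail to the
    owner's previous inbox and to the postal address on file."""
    if field_name not in CONTROL_FIELDS:
        raise ValueError(f"not a control field: {field_name}")
    old_value = getattr(acct, field_name)
    setattr(acct, field_name, new_value)
    acct.last_control_change = now
    msg = f"{field_name} changed from {old_value!r} to {new_value!r} at {now:%Y-%m-%d %H:%M}"
    destinations = {("email", acct.email), ("postal", acct.postal_address)}
    if field_name == "email":
        destinations.add(("email", old_value))
    elif field_name == "postal_address":
        destinations.add(("postal", old_value))
    for channel, dest in sorted(destinations):
        acct.notifications.append((channel, dest, msg))
    return msg


def withdrawal_decision(acct: Account, amount: float, now: datetime) -> Tuple[bool, str]:
    """Decide whether an outbound transfer may leave the system right now.
    Returns (allowed, reason). The holds limit the 'velocity' the post talks
    about: they do not stop a fraudster from selling, but they keep the cash
    inside long enough for the notifications to be acted on."""
    if amount > acct.cash:
        return False, "insufficient settled cash"
    age = now - acct.opened
    if age < NEW_ACCOUNT_HOLD:
        return False, f"new-account hold: {(NEW_ACCOUNT_HOLD - age).days} days remaining"
    if acct.last_control_change is not None:
        since = now - acct.last_control_change
        if since < CONTROL_CHANGE_HOLD:
            return False, f"control-change hold: {(CONTROL_CHANGE_HOLD - since).days} days remaining"
    return True, "ok"


def phish_scenario() -> dict:
    """Replay the order of events from the linked story (change the linked
    bank, then the email, then try to pull the cash out after settlement)
    against this policy. All account values are constructed."""
    acct = Account(datetime(2004, 1, 15), "owner@example.net", "1 Main St",
                   "owner-bank-1234", cash=50_000.0)
    t0 = datetime(2005, 5, 2, 9, 0)
    change_control(acct, "linked_bank", "attacker-bank-9999", t0)
    change_control(acct, "email", "attacker@example.com", t0 + timedelta(minutes=2))
    allowed, reason = withdrawal_decision(acct, 50_000.0, t0 + timedelta(days=3))
    owner_notified = any(dest == "owner@example.net" for _, dest, _ in acct.notifications)
    return {"withdrawal_allowed": allowed, "reason": reason,
            "owner_notified": owner_notified,
            "notification_count": len(acct.notifications)}


def owner_withdrawal() -> Tuple[bool, str]:
    """An old account with no recent control change: the owner is not slowed down."""
    acct = Account(datetime(2004, 1, 15), "owner@example.net", "1 Main St",
                   "owner-bank-1234", cash=1_000.0)
    return withdrawal_decision(acct, 500.0, datetime(2005, 5, 2))


if __name__ == "__main__":
    print(phish_scenario())
    print(owner_withdrawal())
```

In the replayed scenario the sell orders still go through, but the transfer is refused for the control-change hold and the owner's old email address receives both change notices, which is the point the post makes about velocity and dual-address notification.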
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com