[Clips] Banks Seek Better Online-Security Tools

mis at seiden.com mis at seiden.com
Mon Dec 5 11:26:14 EST 2005


On Mon, Dec 05, 2005 at 09:24:04AM +0000, Ian G wrote:
> mis at seiden.com wrote:

> >it seems to me the question is how much liability do i expose myself to by
> >doing this, in return for what savings and convenience.  
> 
> That part I agree with, but this part:
> 
> >i don't keep a lot of money in banks (why would anyone?)  -- most of
> >the assets are in (e.g.)  brokerage accounts.  at most  i'm exposing
> >a month of payroll check to an attacker briefly until it pays some
> >bill or is transferred to another asset account.  
> 
> George's story - watching my Ameritrade account get phished out in 3 minutes
> https://www.financialcryptography.com/mt/archives/000515.html
> 
> Seems like a hopeful categorisation!
> 
> iang

okay, i read this story from 7/2005 reporting an incident in 5/2005.  the short form of it is:

the bad guys changed the associated bank account,
then they placed orders to sell everything at market prices.
at some point they changed the email address to a hotmail account  (if they'd done this first he would
have gotten less notice)
for some unexplained reason he received confirmations of the trades at the old email address.
actual cash didn't get transferred at least because of the 3 day settlement time for the trades.

the rest was dealing with law enforcement and customer service punes who wouldn't tell him
anything for "privacy reasons".  

well, i have lots of nit-picking questions, about the actual incident
and about the general point.

about the actual incident:
	maybe his password was phished, maybe it was malware, 
	maybe it was password reuse and some other account was phished.  
	how was the bofa account set up?  (the fraudster's destination account) in these days of 
	patriot act "know your customer"? (or was it someone's phished account also used just for transit?)

	why didn't they just do the wire transfer early, and leave him with a giant margin balance
	to be paid from the proceeds at settlement?  
	

about the general point:

the main thing online access changes (compared with phone access, or written
instructions) is the velocity.  
	most sensible institutions provide "change of account status" notifications
	by both email and postal mail (to both the old and the new addresses).
	some sensible institutions put brakes on removing money from the system,
	certainly for new accounts and (as i recommend to my clients) after an account 
	change reflecting identity or control.

aside from the time and energy drain of identity theft, what is the
financial liability for consumers if your us-based brokerage account
is phished resulting in a fraudulent funds transfer?  does anyone know 
if there is any uniform protection (such as reg e would cover for interbank
funds transfers?)

	i insert the weasel-words "consumers" and "us-based" because
	of bofa's behavior in the joe lopez malware case, where they
	are trying to claim he is a business not a consumer, and that
	they are without fault in wire transferring his funds to latvia.

slightly off-topic:
	remember abraham abdallah, the brooklyn busboy who assumed the
	identity of a large number of the fortune 200 richest?  made goldman
	sachs "signature guaranteed stamps" and opened accounts in their number?
	had 800 fraudulent credit cards and 20000 blank cards when he was 
	arrested?  ("hey kids!  collect 'em all!").  my point is only that this is
	possible without my participating.  as jerry leichter reminded me, 
	the fact that there are these facilities available means a bad guy can
	use them even if i do not, unless i can not only opt out but forbid anyone
	else from subsequently opting in, the moral equivalent of cutting your debit
	card in half and returning it to the bank (rather than just destroying 
	the PIN).
	

even more off-topic:
	i'm surprised that the people on this list don't feel as if they have enough
	personal connections that at least they could figure out what happened to them
	at *some* financial institution.  doesn't anyone else ask, as a basis for imputing
	trust, "exactly who did that {protocol, architecture, code} review?"  maybe i'm
	delusional, but i give fidelity some residual credit 
	for having adam shostack there, even some years ago, and there are some firms
	i'd use because i've been there enough to see their level of care.
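As an added example, not code from this thread or from any institution named in it: a Python sketch of the two brakes the message describes (notifications sent to both the old and the new address, and a hold on withdrawals for some days after a change of identity or control data), replayed against a constructed timeline shaped like the Ameritrade story. The hold length, addresses and account identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed cooling-off window (constructed for this example): withdrawals are
# held this long after any change to the account's identity or control data.
HOLD_DAYS = 3


@dataclass
class Account:
    email: str
    linked_bank: str
    last_control_change: Optional[datetime] = None
    notices: list = field(default_factory=list)  # (when, recipient, text)

    def _notify(self, recipients, text, when):
        # Send to every distinct recipient, the old address as well as the new
        # one, so the real owner still hears about a change that rewrote contacts.
        for r in sorted(set(recipients)):
            self.notices.append((when, r, text))

    def change_email(self, new_email, when):
        self._notify([self.email, new_email], "contact email changed", when)
        self.email = new_email
        self.last_control_change = when

    def link_bank_account(self, new_bank, when):
        self._notify([self.email], f"linked bank account changed to {new_bank}", when)
        self.linked_bank = new_bank
        self.last_control_change = when

    def withdrawal_decision(self, when):
        """'allow' or 'hold': held while inside the window after a control change."""
        if self.last_control_change is None:
            return "allow"
        if when - self.last_control_change < timedelta(days=HOLD_DAYS):
            return "hold"
        return "allow"


def replay_hijack():
    """Constructed timeline: relink bank, change email, then try to withdraw."""
    t0 = datetime(2005, 5, 1, 9, 0)
    acct = Account(email="owner@example.com", linked_bank="owner-bank-0001")
    acct.link_bank_account("attacker-bank-9999", t0)
    acct.change_email("thief@example.net", t0 + timedelta(minutes=2))
    first = acct.withdrawal_decision(t0 + timedelta(minutes=3))        # held
    later = acct.withdrawal_decision(t0 + timedelta(days=HOLD_DAYS + 1))  # allowed
    old_addr_warned = any(r == "owner@example.com" for _, r, _ in acct.notices)
    return first, later, old_addr_warned
```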

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com