Banks Urge Businesses To Lock Down Online Banking 201
tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using "'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."
...and how would you do that? (Score:5, Interesting)
Re:...and how would you do that? (Score:5, Informative)
By locking down everything *but* that site?
Emphasis web *browsing* - if you're locked to a subset of one site, you can't do a whole lot of browsing. The browser effectively turns into a sandboxed application, which is what the banks here want.
English is a wonderful language.
Re: (Score:2)
Re: (Score:2, Interesting)
My dream:
A bank could dole out thumb drives to its customers, which thumb drives could boot up into an O/S [hopefully not within a VM] that only allows Internet access to the bank's website. Passwords could change every minute with use of a RSA key chain (eTrade facilitates minute-by-minute password changing).
It would be nice if the thumb drives were read only; perhaps some sort of dongle might work.
This would make me feel more secure in my online bank transactions.
Re: (Score:2)
This would make me feel more secure in my online bank transactions.
Or you could just secure your computer and put the tin-foil hat away. Just an idea. I've been using online banking in one form or another for 12 years from my regular old PC and I've yet to encounter a problem. Of course I don't generally agree to install the "ANTI-VIRUS SOFTWARE UPDATE ACTIVEX APPLICATION V 6.5.19.1.61" that pops up while I'm surfing for porn or warez ;)
Re: (Score:2)
If the computer being used is compromised, it follows you can't trust anything on it. You certainly can't trust that "lock down mode" is as locked down as you'd like.
Re: (Score:2)
To be decently secure, it would require a low level hypervisor that is hardened from compromise so a VM cannot get access to the hypervisor's settings, or affect other VMs on the system. This functionality would have to be on the BIOS level.
Re:...and how would you do that? (Score:4, Insightful)
The browser effectively turns into a sandboxed application, which is what the banks here want.
Why not just make a separate application? You're trying to force a browser to be essentially different than what it was designed to be, and then you're complaining that it's not really working.
I know cross-platform availability is great, but you can also do that with say Qt. Not to mention you'd have your own nicely designed UI instead of the clunky pile of shit most banks today do, without inheriting the security problems of every fucking browser out there. One would think that because this is an absolutely critical task in terms of security, banks would at least try to minimize the amount of code involved, or at least the amount of code they have no fucking control over whatsoever.
I know Web 2.0 is hyped right now, but stop acting like the browser is the only application capable of establishing a network connection. As a famous cat put it: THIS IS WHY WE CAN'T HAVE NICE THINGS.
Re: (Score:3, Insightful)
> The browser effectively turns into a sandboxed application, which is what
> the banks here want.
Regardless of the wishes of those greedy fucks, a browser and each site should
be sand-boxed in the first place. Viewing one site should have no relevance to
the tab beside it, even less for your user files and most certainly not your
system files.
Re:...and how would you do that? (Score:5, Interesting)
Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ [example.com] . Brilliant advice.
Since 99.99[ad nauseum]% of the users wouldn't know a hardened secure computer (I'm pretty sure Windows is categorically eliminated), I'm not sure who they were suggesting that to. I have the only Linux virus I've ever seen, and it's safely tucked away on a floppy disk, in a concrete vault, underground, at a location that I forgot. :) Dammit, I knew I shouldn't have left the map in the vault. Most "bank customers" wouldn't keep a dedicated machine just to check their bank balance with. Hell, they'll call out on the company PBX and give their credit card information over the phone to any arbitrary business, with coworkers happily writing it down and the phone admin recording the call.
Users are their own worst enemy. Hmm, wasn't there a story today saying something to that effect? I once found a bank card (w/ Visa logo) on top of an ATM. For some reason, they set it down and forgot it there. Brilliant. Since there was no one around to claim it, I called the bank. It took me an hour to convince them that I found it and that the card should be canceled. They "couldn't release any information on the card holder until...." I told them, "I'm holding the card in my hand. I guess that makes me the card holder." Finally, they told me "Oh, just bring it to a branch on Monday", at which point they finally canceled it. I knew the people at the branch, so they knew I was legitimate, and they confirmed that it hadn't been canceled. The account hadn't even been noted that I called in to report it. What if I wasn't a nice guy? I would have had 2 days or more to charge anything I wanted. If you can't get a person to maintain control over a little physical piece of plastic, why should you they think that they're going to do any better elsewhere?
In related news... (Score:5, Funny)
Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ [example.com] . Brilliant advice.
Microsoft is urging it's customers to 'carry out all computing activity from a standalone, hardened, and locked-down computer which is not plugged into any electrical outlet. Such a secure "computer" is known colloquially as the "typewriter"
Re: (Score:2)
Dammit, my mom gave away our old mechanical typewriter. I guess I just have to stay away from Microsoft products, and I'll be fine. I'm doing pretty good with that so far. :)
Re: (Score:3, Insightful)
Users are their own worst enemy
Quite so. I dont know where I read it but the quote below sums it up nicely.
The average user wouldn't know a security issue if it was parading down the main street naked carrying a large sign saying "I am a security issue"
Re:...and how would you do that? (Score:4, Informative)
Since 99.99[ad nauseum]% of the users wouldn't know a hardened secure computer (I'm pretty sure Windows is categorically eliminated)
Not true, actually. You most certainly can lock down Windows fairly heavily - in fact, Microsoft provide a tool to help you do it [microsoft.com].
Though to be perfectly honest I'd still stick the computer in it's own little /29 subnet with a firewall blocking all traffic in both directions except that which is explicitly allowed.
Re: (Score:2)
Re:...and how would you do that? (Score:5, Insightful)
Could we at least start by replacing the freaking pin numbers with something meaningful? A four digit numeric does NOT make a password FFS!!
Maybe next, we could graduate the bank's computers from Windows 2000 up to something remotely sane - like Redhat SEL.
The idea of a biometric ID in conjuntion with a reasonably secure password hash has it's appeal, as well. If my bank would use it, I'd install a fingerprint reader on my HOME computer. Businesses should just jump on that idea - it's a small price to increase security dramatically.
Finally, maybe we can get around to "Linux - the year of the desktop!" Face it, boys and fanbois - no unix-like machine is open to as many exploits as Windows is.
I'm just dreaming, of course. If I manage to live another 20 years, we'll still be having similar discussions, PIN numbers will still be 4 digit numerics, and Windows XP will be the ancient, outdated operating system of choice for banks.
Re: (Score:2)
Nice ideas, but there are flaws so big you could drive an 18 wheeler through them.
Could we at least start by replacing the freaking pin numbers with something meaningful? A four digit numeric does NOT make a password FFS!!
Remember the user. If we make the password/pin to big, it will be hard to remember for a major segment of the users. What happens then is it gets written down, and from my experience, more than few will just write down on the card itself. This makes everyone less secure, as thieves will
Re: (Score:2)
Biometrics are only appealing in environments where human life has value. I can assure you that the day banks in Johannesburg or Manila start requiring fingerprints for authentication, there are going to be a lot more fingerless vi
Re: (Score:2)
Fingerprint readers are much worse than passwords IMO, as you can't change them easily, and they aren't secret. A fingerprint scan from an untrusted location just tells the bank that someone has seen your fingerprints. It doesn't mean that your finger is present at the time.
Also, there are stories of people chopping off fingers to use in applications like these.
Re: (Score:2)
Re: (Score:3, Informative)
Any online banking transaction for me requires:
*My 10-digit personal number ("personnummer" = Swedish equivalent of SSN)
*My 4-digit PIN (assigned by bank when card is issued, not changeable by user)
*6-digit authorisation key from bank's website, good for 4 minutes from time of issue (I have 4 minutes to enter it into the card reader)
*My bank card
*Card reader (fits in a shirt pocket; first one provided gratis by bank, replacement unit is SEK 100 or about US$12.00)
*9-digit response code generated by card read
Old Tech. (Score:3, Informative)
Why bother trying to beef up local security when the best option is to take the transaction off the web. Just dial in to the bank with a good old 56K modem. It's common place with some Australian banks to have a small business's accounts department line up all transactions on a local client and then dial
Re: (Score:3, Insightful)
It is pointless to secure a system that is to be used by idiots.
A Default installation of XP or Vista is the most secure system in the world for an average user any security beyond that is invalidated by their stupidity. What they need are competent employees then these issues wouldn't exist.
Re: (Score:3, Interesting)
Businesses do not use the web browser
Yes they do. OK, big businesses may have apps that dial into big banks, but small businesses use local banks and local banks can not afford a custom written proprietary app that they give to their business customers. The vast majority of small businesses that use local banks do most of their banking through a web browser. I've seen businesses to payroll, wires, ACH payments, transfers, you name it, all through a common web browser.
However, most of these systems are cookie limited to a single computer per
Re: (Score:2)
That's an exception, not a rule.
I know back in the day, there were more interesting methods of security, just as you mentioned. They may need to use a special app, dial up or have a leased line, and then do the transactions directly. I can't say that I've seen that in years with any small or medium size business. I personally hold a business account at a large bank. My choices for interfacing with them are to show up at the teller, go to the web site, or call the CS depart
Re: (Score:2)
>Businesses do not use the web browser - they have special programs.
Sorry, but that is just wrong. Our business is not exactly small (400+ employees). We use https web to transfer our direct deposit to the bank, to download statements, to perform money transfers, to do just about everything. And we are not at all atypical.
Of course, it is all done in Firefox under Linux... and THAT part *is* atypical.
Many of us fought for years trying to get the banks to stop using crappy MS-Windows-only proprietary
Re: (Score:3, Interesting)
Why not put Linux on your laptop then? You should be able to run Vista in VirtualBox, if you really need it. I am shocked at how quickly VirtualBox became mature, how high-quality it is, how many features it has, and how often it is updated.
Getting the money back? WTF? (Score:3, Interesting)
Re:Getting the money back? WTF? (Score:5, Interesting)
It is also lax security on the banks side. The bank is not properly verifying that the transactions really come from the businesses. It is much like identity theft. The person didn't steal my identity they got around the bank or credit card companies poor security to trick the bank. They took nothing from me they tricked the bank into giving them my money.
What kind of security is common in the US? (Score:2)
I just wondered, do these businesses mostly use PIN/TAN security? Or a simple password? When I lived in the US, Citibank had a simple password protection - whereas my German bank account used (and still uses - no known successful attacks so far!) an HBCI compliant external card reader and home banking software.
I am wondering, because I can still imagine my banking software (StarMoney) being tricked into manipulating the online orders shown to me for verification and signing, but I have heard of no incidents
Re: (Score:3, Interesting)
In the online banking case, for instance, any bank that doesn't red-flag an situation where simultaneous online sessions on the same account are going on from an IP near the custo
Re: (Score:2, Interesting)
I agree that suing the banks seems like a strange reaction, but this type of attack only works because the banks simply do not care about security. On previous articles I have seen posters mention their banks (somewhere in Europe) have papers which have a list of single-use transaction codes which are used in some sort of challenge-response system. For example, choosing a code based on the transaction date, target, amount, and some randomness would protect against attacks like the one described where a comp
Read Much? WTF? (Score:2)
Yes, and you can bet your ignorant ass they will win too. They are responsible for it since the client can produce a contract stating exactly what has been violated. If the client honored their side of the contract, HOWEVER SHITTY THE SECURITY REQUIRED WAS, then it is the banks problem.
This article specifically deals with COMMERCIAL banks, and identifies them as such.
You, in your apparently myopic life bubble, specifically deal with RETAIL banks, and therefore think that is all that exists in the world,
Re: (Score:2)
In the US, a regular bank which accepts deposits is called a "commercial" bank. The other type is an "investment bank"; I'm not sure if any currently exist which are not also commercial banks.
The article concerns itself with commercial (business) CUSTOMERS, but the banks are mostly the same ones which individuals deal with.
"Next time you dont understand something, learn about it before speaking about it."
Sounds like they should hand out liveCDs (Score:5, Insightful)
No writable persistent storage, just a browser(configured so that it will only accept pages from the institution's set of domains and only when those pages have appropriate SSL certs. Completely reject all non-SSL pages, and any SSLed pages with certs for other institutions, or from other CAs).
There would probably be some annoying edge cases(some ghastly graphics card that isn't supported by default, and freaks out in VESA mode, say) or network issues(though you could always offer a cheap USB ethernet or wifi adapter, with a known working chipset, at cost to interested customers); but it'd be fairly easy to cover 95% of the boring business boxes and common home machines that you would be concerned about, if suitably generic settings were used.
As hardware gets cheaper and/or for larger accounts, it might even make sense to put together a dedicated banking appliance offering, basically the cheapo embedded ARM embodiment of the above.
Re: (Score:3, Interesting)
But, that's the type of technical support headache that they've been trying to get away from, with virtual POS terminals, using the web page instead of their custom app, etc, etc. Even if your live CD worked on every machine ever known to man, when something flakes out, they're calling the bank first. Come on, how many times have you fixed a "my computer can't get on the Internet" because they accidentally unplugged the network cable? Or maybe they didn't even turn it on. Anyone who's wor
Re: (Score:2)
Re: (Score:2)
In the US, do you have a system where any bank transfers to a new (previously unused) external account must be approved by a time-limited PIN that is sent to you by SMS? Both banks that I use provide this by default.
Re:Sounds like they should hand out liveCDs (Score:4, Interesting)
Scammers are getting around that by hijacking your phone number. Probably the best I've seen is using a challenge-response for all transactions, with a frob supplied by the bank.
Re: (Score:3, Informative)
I've been using such a challenge-response mechanism with my Dutch bank for several years now.
It works together with the smart chip in your bank card:
- At the appropriate points the bank website gives you a number that you enter in a little device where you have your bank card slotted. The device (using the smart chip in your bank card) calculates a response number which you type back in the bank website. If the numbers match you are given-access/have-pending-payments-approved.
No passwords or any other impor
Re: (Score:2)
Re: (Score:3, Insightful)
Sounds to me like a valid reason to run OpenBSD.
Or maybe all those fucking banks can make Web sites that don't recommend (or require) Internet Explorer.
Re: (Score:2)
Some of us don't want to have to reboot our computer just to access a bank "website". And we are to just trust that this live-whatever they make doesn't install something persistent on our computers or read data off the drives?
And each bank or "important" site would have their own pseudo-proprietary bootable image? So I have to reboot again with something else to access my retirement funds site? Reboot again to access Paypal?
Doesn't this sound a little impractical?
For now, I use a carefully administered
Re: (Score:2)
I merely suspect that, for the vast hordes of the clueless(or the otherwise interested: my dad was cranking out financial simulations in assembly when I was prenatal, and is far from stupid; but that doesn't help him much when it comes to the arcana of whether AV program X can detect infection Y) "Urg[ing] businesses to lock down online banking" will be a more or less
Re: (Score:2)
press a bunch of "Banking liveCDs"
And you'll be setting up a special call center to teach people how to switch their boot drive on BRAND X PC to the CD-ROM?
"Yes ma'am. I know it says LG-DVD. No, not the movie kind of DVDs. Yes, well, I guess it could play movies. No, ma'am, there's no movie on the CD we gave you. I know I said that, but the CD will work in a DVD player. No, ma'am, you have to use it with your computer, I mean the DVD player that's in your computer. Now press F10 and... what? No ma'am, don't select RESET. No, oh crap, now y
Re: (Score:2)
Sounds like a great idea, and in a sane world it could be implemented fairly easily. In reality though, the banks are looking for a cheap way to limit their own liability (See! We warned you you could be hacked in that configuration!), not put a giant SUE ME PLEASE logo on a cd and mail it out. If whatever executive's nephew, that "knows stuff about computers", and gets a fat consulting contract to develop this cd, fucks it up and it is in fact vulnerable, and it gets exploited, now they are in a positio
Wifi lack of support kills the LiveCD idea (Score:2)
I actually had this exact idea a few years back. I went as far as fiddling with customizing Knoppix. But then I got my first laptop - no Wifi support from ANY LiveCD (at the time). Even the laptop that I'm on now won't get wireless support out of the box with Knoppix (I haven't tried any other LiveCD).
Printer drivers (for receipts) would have been a pain too - I figured on PDFs to Flash drives for this. Never mind the huge hassle of rebooting to do a simple transaction.
I'm all for two factor authenticat
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That would be "identity copyright breach" wouldn't it?
(-:
Re: (Score:2, Insightful)
I make up single use lies for the security questions and store them in Password Safe (from what I gather, Keepass has better support for more platforms). That solves the Palin problem. Of course, I then can't access my bank account from other computers, but I don't trust all that many other computers, so that doesn't hurt all that much.
Re: (Score:2)
> How about just using SSL for the login page? Most of them don't--it's hidden
> in an iframe, and without viewing source or checking the form, you've got no
> reason to be certain your login data will be securely transferred.
There's a Firefox Plugin which you might appreciate, that attempts to address
this issue (or at least make you aware of it):
https://addons.mozilla.org/en-US/firefox/addon/11894 [mozilla.org]
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Convenience above all else, yes!! /sarcasm
In the case of business, it isn't SUPPOSED to be convenient. It's someone's JOB to take the time to be right.
In the case of private individuals - if you can't take time to be secure, don't whine to me about someone ripping you off.
Besides which, you're exaggerating beyond anything that's reasonable. A business can afford to use a dedicated machine for banking. Plug that LiveCD in, and there's NEVER a reason to reboot. At home? Maybe you don't have an extra mach
Huh...funny... (Score:2, Interesting)
Never once seen such a thing go down with Mac & Linux users. But hey, that's me.
Re: (Score:2)
Win win MS numbers on the back of a napkin after a fine wine every body is happy for another year.
Re: (Score:2)
Nope, I am sure no woman has ever gone down on a Mac or Linux user. Oh wait, I think I misunderstood you..
Seriously? (Score:3, Funny)
Seriously? A *standalone* machine? You mean I shouldn't check my bank accounts from my kids' Windows ME computer?
Just joking, I've already mastered the first skill of safe computer use ... not having kids, or Windows ME.
A worry, but limited in scope (Score:2)
Of course it's not nearly as big a problem as it could be here, since no tech-savvy person, running a business or otherwise, would ever have internet banking set up with any level of access other than read-only, except perhaps for a small number of pre-approved payees.
Ever.
Re: (Score:2)
You certainly can, well in New Zealand anyway. It strikes me as just basic security and I can't believe that some people accept internet banking services with anything less.
what about this (Score:3, Interesting)
i think the banks need to be more careful about who is logging on to their systems
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
Maybe. Maybe not. You, with your sporting good store, may have suppliers in other countries. You may go to their site. You may go on a trip elsewhere. While you're out, you can trust that the interim manager can handle everything, or you can look in on your bank accounts while you're gone. I know, it's not the best idea in the world, but no one ever said business owners always follow best security practices.
If you were locked out of the account while you were overseas, you
Re: (Score:2)
Scenario: Your computer is compromised with a keylogger. It's also got a proxy and other remote control features. The illicit transaction is bounced off your computer, so the bank sees it as coming from your IP address.
Seth
Re: (Score:2)
> dont you think the bank should reject anyone using my identity with an IP
> address that is in another country?
No, they shouldn't. I travel often and routinely log in to do banking from
overseas. Especially when somewhere else it'd be extremely irritating to get
locked out just because of where you are. Banks shouldn't care where you are
but who you are. And fortunately all authentication systems so far have been
based on that premise.
Re: (Score:2)
It can be optional. For example, my bank has an option on limiting withdrawals from ATMs abroad to a certain sum per week. You can as well set it to zero as long as you stay home.
Cost of using Windows (Score:4, Funny)
I guess this is what you get when you run your small business on Windows.
That's a great idea (Score:5, Funny)
And maybe the banks can even set up some standalone, hardened, and locked-down computers in convenient locations around the city for their customers to use. Maybe they could even get money out of these computers. They could be like bank tellers, but automated.
Re:That's a great idea (Score:5, Funny)
Yeah, but you know they'd screw it up somehow, like have it run Windows or have a company like Diebold to make them...
Whoa, flashback (Score:2)
I'm having a flashback to dumb terminal days.
For a second I had hope that companies would be dusting off us old guys again.
ATMs here uses Windows (Score:3, Informative)
people who won't act civilized... (Score:5, Funny)
People who won't act civilized should sooner or later find themselves 'de-civilized'. Why are we taking an endless amount of shit from these losers?
A few hydrogen-to-helium convertors delivered right to their door does wonders to get across the message we are not a people to be fucked with!
If they can't police themselves and insist on ripping off systematically people in foreign countries, then send 'em some great balls of fire.
When this shit happened fifty years ago, Khrushchev would have just sent some NKVD to scoop up these parasites, take 'em back behind the outhouse, and beat their brains inside out. And all their friends and family would get ten years in the gulag.
I miss Nikita and Eisenhauer. (Nike and Ike) Great times. No one took any shit: no one gave anyone chickenshit like this. There were limits and those limits were respected. No one from Eastern Europe was sneaking into your bank account. Fucking peasants. Khrushchev slaughtered almost a million of his own troops to stop the Germans at Stalingrad. One phone call from the US State Department and all these sleazy little cock-sucking hackers would have been mince-meat.
Nike and Ike had the ability to blow up the world. But, they didn't blow up the world. They came to respect life after taking part in so much slaughter and bloodletting.
Would you trust a sleezy Ukrainian hacker with a modem to not blow up the world if he had a chance? No way. Or some smug little twisted little shit-for-brains in Estonia to behave himself. Let's face facts here; going to another country and randomly stealing people's money is an act of war! When is Putin gonna knock these guys upside the head so hard that their eyes roll out? We have real enemies now and we need to work together against them. All this cross-border chickenshit financial crime is inexcusable. It's a new world, a new century. Get a real job, stop fucking around with petty rip-offs. Assholes!
Let's all work together to rid civilization of the shit-people!
Another great Slashdot rant. Too bad it will get modded down to -1 by toads that don't appreciate this kind of thing.
Re: (Score:2)
Let's all work together to rid civilization of the shit-people!
Isn't that a quote from Mein Kampf?
Re:people who won't act civilized... (Score:4, Interesting)
Besides an image of "fucking peasants", of "sleezy Ukrainian hacker", etc. really hurts us on a global market place.
If Microsoft included One-Care into its Windows OS, we would not have this conversation at all. But they do not do it to milk customers twice: for insecure OS and for the anti-virus, anti-spy-ware products. It is a billions and billions business. And a cultivated image of an in-existing in reality "sleezy Ukrainian hacker" fits very conveniently in this business.
The man who sent the first human into space, Sergey Korolyov, was from Ukraine. The mathematician who helped him to calculate this flight, Ginsburg, was also from Ukraine.
But instead we are getting a reputation of "fucking peasants" and criminals. Of course there criminals and prisons in Ukraine, the same as in your part of the world. But we are not responsible for the insecure OS and the multi-billion business based on this fear.
Re: (Score:2)
Great reply bud, if ever there was a post deserving of +5 pwn3d, this was it :-D
lousy security (Score:3)
Security for online banking in the US is awful. Transactions should require a second physical authentication token in addition to the password; most US banks have nothing.
Re: (Score:2)
Real time keyloggers can breach even this level of security.
wrong (Score:2)
Even if that were true, it would already eliminate many kinds of attacks.
But it's actually not even true (the NYT article got it wrong--typical). In correctly implemented banking systems, such tokens aren't used for logging in, they are used for authenticating transactions, after the transactions have already been entered and confirmed.
Comment removed (Score:3, Interesting)
Re: (Score:2)
So are the banks unwilling or unable to spend the money on quality software?
Anyway, one of my peeves is the mysterious change from "Bank Fraud" to "Indentity Theft"... I suspect the Banks deliberatly retitled the offense to try and foist liability onto their customers...
If Person A uses Person B's indentity to take money from a bank, and the bank did not adaquitly verify the credentials and identity... how did that become Person B's problem?
Re: (Score:3, Insightful)
How about (dare I say it?) offline? (Score:2)
> The banking group is urging that commercial bank customers 'carry out all
> online banking activity from a standalone, hardened, and locked-down computer
> from which e-mail and Web browsing is not possible.
My bank still has actual human tellers.
Trademarks vs Phishing (Score:2)
These banks can call for everyone else to do all kinds of drastic things. But even though practically all phishing scams should be stopped by banks enforcing their own trademarks, banks do absolutely nothing like that.
These banks are businesses that get paid $TRILLIONS to lose everyone else's money, all the time. Of course they'll demand everyone else do a lot of hard work to protect them, while they do none but keep all the money.
people from Eastern Europe condemn crime (Score:4, Insightful)
Why should a malicious software be possible on a PC at all? People pay for the operating system. And they have to pay for anti-virus, for ant-spy-ware. This is the point.
Why Windows-One-Care cannot be part of the OS? And people all over the world will sigh with a relief. Is it not done to milk billions from customers first for a monopoly insecure OS and then second time for making the OS secure.
Very conveniently fit people from Eastern Europe of criminal persuasion in this picture. Very conveniently. But this image really hurts interests of honest hard working people from Eastern Europe on a global market scene. There are a lot of good people in Eastern Europe who brought good things into this world, say, periodical system of elements, first flight into space, etc.
Include the Windows-One-Care in Windows and stop harassing us.
Re: (Score:2)
Why Windows-One-Care cannot be part of the OS? And people all over the world will sigh with a relief. Is it not done to milk billions from customers first for a monopoly insecure OS and then second time for making the OS secure.
Because they can? Microsoft isn't in the business of making the world a better place; they are in the business of making money.
A reasonably educated user doesn't need to buy antivirus software to keep their computer safe. All they need to do is to regularly apply patches. I've never used AV on my Windows computers, and got hit only once by a 0-day worm. Think of cost of purchasing AV as a convenience fee for not having to learn how to properly use your computer.
Re: (Score:2)
I've never used AV on my Windows computers, and got hit only once by a 0-day worm.
Since one time is all it takes to drain your life's savings, that's one time too many, don't you think?
Linux Partition (Score:3, Interesting)
American banks seem to be too lazy (Score:2)
iTAN/iTANplus [wikipedia.org] is a very safe method to do online banking and it is widely used in Europe. Why can't American banks just implement the same solution?
Blame to be allocated closer to home (Score:2)
All very well blaming "Eastern Europeans", but the idiots who think transferring cash through their personal bank account makes them a "Regional Sales Representative" must share some of the blame. These companies are being ripped off by fellow Americans who actually believe that foreign companies need their personal help to collect money due to them, and that an honest job can be that easy.
This is not the weakest link (Score:3, Interesting)
In my dealings with TD Ameritrade, and an online brokerage starting with the letter Z (guess which one I signed an (weak) NDA with and am now regretting), and then dealing with the SEC and the FBI to clean up what I found, I can tell you this:
Businesses with insecure workstations are not necessarily the reason why banks are getting broken it to.
Banks are _careless_ with their online security, leaving things like token validation and referrer logging well beyond their vocabulary. After my findings, contact with the agencies shows that they prioritize things like DDOS (which affects businesses) higher than "loss" of information (which affects customers.)
Re:Oh, yeah! Another "Eastern Europe" story... (Score:4, Insightful)
Do you have a citation for your claim?
I would certainly believe that most of this crime comes from places like Eastern Europe and Russia, because it makes perfect sense. Those parts of the world are now connected to the West through the internet, and the people there are smarter and better educated than Americans (especially in regards to science and math). There's a good reason so many companies have software development teams in places like Russia, Latvia, and Romania these days. With all the computer expertise in those regions, it makes perfect sense that a lot of fraudulent activity would come from there as well.
Re: (Score:3, Interesting)
Re: (Score:2)
lot of smart people in Russia, but if they were top notch, they would be working for the same wage as American workers (because they would be providing the same value)
Career analyst Dan Pink examines the puzzle of motivation, starting with a fact that social scientists know but most managers don't: Traditional rewards aren't always as effective as we think. Listen for illuminating stories -- http://www.youtube.com/watch?v=rrkrvAUbU9Y [youtube.com]
Re: (Score:2)
Right, but if you want dirt-cheap, you'll get cheaper programmers in India and China. The fact that they're using programmers in Russia I think is pretty significant.
Plus, I could be wrong, but in my experience it seems like there's a bit of a shortage of good programmers in the USA, at least in certain specialties.
Re: (Score:2)
to whomever modded my post "flamebait" there is absolutely no reason why these companies can't use ubuntu to avoid malware. I didnt mean anything other than that poor choice of words and all...
Re: (Score:3, Insightful)
"wait until big businesses in China are bankrupted by cyberterrorism"
Maybe they've just thawed you out after a nice cryogenic nap? China is migrating to Linux. Red Flag Linux. They may not be invulnerable to cyberterrorism, but they certainly don't leave their WINDOWS OPEN for terrorists, like US businesses do.