LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

I blame the banks.

I blame the banks.

Posted Dec 19, 2008 9:42 UTC (Fri) by dwmw2 (subscriber, #2063)
Parent article: "Vishing" advisory targets Asterisk

The really scary thing about phishing is that it's often indistinguishable from the genuine, but stupid, behaviour of the banks.

I often receive phone calls from banks without caller-id at all; their number is withheld. And yet they expect me to trust them, and to authenticate myself by providing 'secret' information.

This kind of behaviour from the banks, along with the fact that they habitually send email without PGP signatures, is actively encouraging naïve customers to submit to phishing attempts — because they just can't tell what's genuine and what isn't.

The regulatory authorities should deal with this, and force the banks to apply some clue to their own outgoing communications. Or failing that, perhaps some criminal prosecutions for aiding and abetting the fraudsters?

(Log in to post comments)

I blame the banks.

Posted Dec 19, 2008 16:07 UTC (Fri) by Los__D (guest, #15263) [Link]

Errrrr, what?

Luckily we don't have this in Denmark, in fact most banks tell you that they will never contact you and ask for that kind of information.

I blame the banks.

Posted Dec 19, 2008 16:14 UTC (Fri) by dwmw2 (subscriber, #2063) [Link]

Scary, isn't it?

I blame the banks.

Posted Dec 19, 2008 22:35 UTC (Fri) by oak (subscriber, #2786) [Link]

> Luckily we don't have this in Denmark, in fact most banks tell you that
they will never contact you and ask for that kind of information.

Same thing in Finland (I think it had even been mentioned in TV news when
there was a first large email phishing attempt in Finnish instead of the
normal English spam...).

I blame the banks.

Posted Dec 20, 2008 0:11 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

In the US, banks always remind us that they will never ask us for a password on the phone. However, they must ask for some kind of weak authentication because they don't know who answers the phone and people are so paranoid about privacy now, they would not tolerate a bank telling another member of the household about their bounced checks. That weak authentication could be a birth date or something. I presume that when the recipient isn't willing to let that information out, they offer the alternative of the recipient looking up the bank's customer service number and calling back.

Many of us are not scared enough to bother; we just give them the information. The actual risk to you from someone knowing your birth date or bank account number is much less than the media hype indicates.

I blame the banks.

Posted Dec 20, 2008 5:32 UTC (Sat) by mgb (guest, #3226) [Link]

I cancelled my Earthlink account recently because there was no way to call back to Earthlink's "finance department" in India. I'm not going to give someone a new credit card number just because he claims he's with Earthlink. Very dumb move by Earthlink.

I blame the banks.

Posted Dec 20, 2008 11:01 UTC (Sat) by rwmj (subscriber, #5474) [Link]

I can confirm dwmw2's account - my UK bank called me up recently, with blocked caller ID, and then demanded security details. I told them where to go of course, but I later got a secure message through their authenticated web service which confirmed it was in fact them.

Ironically, perhaps, the call was about that other ludicrous UK bank invention - "Verified for Visa". (a.k.a "we verified that you will take the blame, not Visa"). The one where you get taken to an iframe on a 3rd party site which asks for your security details. My inquiry which prompted the call was to ask when they might actually implement something secure, such as credit card device that generates one-time keys.

Rich.

I blame the banks.

Posted Dec 20, 2008 11:17 UTC (Sat) by dwmw2 (subscriber, #2063) [Link]

"My inquiry which prompted the call was to ask when they might actually implement something secure, such as credit card device that generates one-time keys."
So, not a conversation for which they actually needed to authenticate you at all. Thus, they were demonstrating an even more fundamental lack of clue about security than we originally thought...

I blame the banks.

Posted Dec 20, 2008 11:23 UTC (Sat) by rwmj (subscriber, #5474) [Link]

I hadn't thought about that actually, but yeah, they're even more stupid than we thought :-)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds