Online Banking and all the other ways money is learning to fly.

Tuesday, November 08, 2005

A Real Remedy for Phishers

Bruce Schneier, the author of this article, makes a good point about how fraud mainly hurts individuals even though FIs bear a great deal of the financial burden. FIs simply accept the loss, take a little from column A, transfer it to column 2 and they are done. A victim of identity fraud is looking at months of work and stress to clear their name.

Monday, September 19, 2005

Now, Every Keystroke Can Betray You

Good overview of the latest scary problems facing consumers and, by extension, FIs.

Friday, September 16, 2005

Review: Mobile Payment Has Growing Pains

Just stretching my legs. I have to slowly work my way back into posting.

Tuesday, July 26, 2005

Reasons for No Posts

I haven't posted for a while for a few reasons:


  • I haven't really seen any "new" news related to Online Banking or Bill Pay; everything lately has seemed like a rehash.

  • I'm starting to question the value of blogging; there just seems to be so much out there that it's hard to see how I can add anything especially since I don't really have any time to devote to it.

  • No one reads my posts; this is probably the biggest reason.

Friday, June 24, 2005

Data Worries Stunt E-Commerce, Online Banking

I can believe that this is happening but Avivah Litan of Gartner's negativity is a little much:

"It looks like the bonanza of e-commerce is going to stop."

Her comments about getting a law passed allowing consumers to limit how their information is shared with third parties are equally pessimistic and, I think, a little out of the realm of Internet researchers:

"That'll never happen," said Litan. "The financial services companies will argue that opt-out would slow down the business of extending credit to consumers. And they spend millions on campaign contributions. The privacy groups, in comparison, have no money at all.

"It often comes down to who are the largest contributors to political campaigns," she added.


Thanks Avivah for the civics lesson.

Thursday, June 09, 2005

Cash, Charge or Fingerprint?

I like this idea a lot. You don't have to remember to bring anything except your finger. Eventually we may not have to carry any identification or keys at all.

Thursday, June 02, 2005

Easy check fraud technique draws scrutiny

"...consumers should realize that checking account numbers are just as valuable to criminals as credit card numbers and should be treated with similar care."

This I did not know.

If demand drafts are the problem and they were created to accommodate telemarketers, why not make telemarketing illegal? Okay, that's extreme but I think any time you can blame telemarketing, you should.

Bank of America gets personal

This could become the de facto two-factor authentication. 13.2 million online banking users is a large chunk of the whole.

The only thing I don't get about this system is why you have to log in from a registered IP address to see the image. Is this to remind users that they need to be wary because they are not at their regular PC? Are the images stored on the individual PCs rather than BoA servers? More research is needed.

Just wave to pay

This is a terrific idea because it makes the transition to contactless payment easier; the user can use the card just like a regular card in the places where a contactless reader isn't available.

Friday, May 20, 2005

PayPal seeks to expand influence

I think if PayPal were going to be a bigger player, it would have happened by now. Enough people are familiar with eBay, and by extension PayPal, that it seems they would have found other uses for their PayPal account by now.

Thursday, May 19, 2005

Banks try to transfer the blame

Interesting article about Reg D. I didn't realize how flexible the regulation is and how we don't necessarily have to limit savings accounts to 6 electronic transfers a month. We can make the transfer, notify the member of the regulation, and then, if they go over the limit again, move funds into a share draft account or do something else to make sure the account doesn't become a transactional account.

Friday, May 06, 2005

Phishers Using New Methods To Steal User Information

As education starts to work, and users are going for the bait less, phishers change tactics and take some of the social engineering out of their scams.

Friday, April 22, 2005

Americans Pay Off Credit Card Debt!

This is good news except for, as the article points out, credit card companies, but I think it only hurts the credit card companies in the short term (that is if, and this is a big IF, this trend continues). Long term (again, IF the trend continues) this could be good news because it reduces the risk of a big bust in the future.

Thursday, April 21, 2005

May I See Your Voice, Please?

Using voice recognition to activate a new credit card. Good idea? Yeah. Will it actually work? I have my doubts. A person's voice is such a fine instrument I don't know how the technology will account for subtle differences in someone's voice between the time they record their signature and when they activate a card. What if you have a cold when you record your signature but not when you activate the card or vice versa?

Thursday, April 14, 2005

Mitigating identity theft

Bruce Schneier argues in this article that the focus of information crime prevention should be on fraudulent transactions rather than on identity theft. I'm not sure I completely understand the distinction or how it helps solve the problem but I thought I would post it because it sounds contrarian (and because I haven't posted in a while).

Tuesday, April 05, 2005

Dialing up to do business

The subtitle of this article about Korea's 3G-loving, Internet-connected society says it all: "Paving the way for a cashless society."

Tuesday, March 29, 2005

Report Finds Banks Sloppy With Your Info

This is not the kind of news we need now. As we are trying to educate members/customers to be wary of the lurking threats, we are getting the reputation for playing fast and loose with sensitive data (thank you Bank of America).

Monday, March 28, 2005

KISS: Keep – It – Secret – Stupid!

Gonzo Banker seems to have the market cornered on clear and pragmatic thinking. A simplification of their simplification: there is no solution to the security problems we are all facing but we all have to keep plugging away to try to keep ahead of the hackers and to show our members/customers that we are serious about it.

They (the article's author is Tripp Johnson) also make the point that banks/credit unions and their technology partners give too much away in their press releases touting new security. Good point! Hackers may be the only ones reading press releases because they are the only ones who benefit from reading them.

Security no match for theater lovers

The experiment described here was devious and effective. The sad part is that it will take an economic catastrophe before people are sufficiently skeptical of this type of social engineering.

Wednesday, March 16, 2005

Putting Phishers In The Banking Frame

This is another scary example of phishing: an attack that uses a cross-site scripting vulnerability. This type of attack includes a link to a legitimate page but puts a frame of the bad guys' site on top of the page.

Still, users will only see the frame if they click on the link within the email. We need to keep reinforcing with our members/customers that we will not send them emails with requests for information.

Tuesday, March 15, 2005

Banks 'wasting millions' on two-factor authentication

This is not good news. Getting rid of passwords in favor of other authentication (tokens, scratch cards, etc.), the latest state-of-the-art security, only nudges the bad guys to use other tricks. I guess I never thought two-factor authentication would eliminate fraud but I thought it would at least be a while before workarounds would be devised. It hasn't even become mainstream yet.

This note from Credit Union tech-talk is not good news either: "Some security experts believe that the day when two-factor authentication is mandatory for online banking access is drawing near."

If two-factor isn't the real solution but everyone is headed down that road it is only a matter of time before we all have to change direction again. This will be bad from a time and resources perspective and from a credibility one. We need to figure this out before consumers lose confidence and adoption starts to fizzle.

Monday, March 14, 2005

A.T.M.'s Pick Up Web Site Tricks

One of my favorite jokes while waiting in line behind someone at an ATM (Read: It's really only funny to me.) is: "What is this guy trying to do? Refinance his mortgage?" If more ATMs like the ones talked about in this article become available it will no longer be a joke.

Monday, March 07, 2005

E-mail 'phishers' attack MSU Federal Credit Union

They're getting closer. MSU Federal is less than an hour away from us.

Friday, March 04, 2005

New Industry Helping Banks Fight Back

Phishing is creating opportunities for companies with the technology to fight it. Corillian, the Internet banking provider, uses the novel approach of monitoring activity and warning banks when a number of different accounts are accessed from the same IP address. Unlike the other measures mentioned in the article, this seems the best because it can be done without adding technology (that info is already tracked) and because it is a single source (the others cull info from several sources). Maybe I'm being overly simplistic but I think simple works the best.
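The "many accounts from one IP address" check described above can be sketched over login records a bank already keeps. This is an added example, not Corillian's code or anything from the linked article; the log format, function names, threshold, time window and the `known_shared` allowlist for proxies are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events: ISO timestamp, source IP, account id.
SAMPLE_LOG = """\
2005-03-04T09:00:05 203.0.113.7 acct-1001
2005-03-04T09:00:40 203.0.113.7 acct-1002
2005-03-04T09:01:10 198.51.100.20 acct-2001
2005-03-04T09:01:30 203.0.113.7 acct-1003
2005-03-04T09:02:00 203.0.113.7 acct-1001
2005-03-04T09:02:15 203.0.113.7 acct-1004
2005-03-04T09:05:00 192.0.2.10 acct-3001
2005-03-04T09:05:20 192.0.2.10 acct-3002
2005-03-04T09:05:40 192.0.2.10 acct-3003
2005-03-04T09:06:00 192.0.2.10 acct-3004
2005-03-04T11:30:00 198.51.100.20 acct-2002
2005-03-04T14:00:00 198.51.100.20 acct-2003
"""

def parse(log_text):
    """Yield (datetime, ip, account) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def flag_shared_ips(events, threshold=4, window=timedelta(minutes=10),
                    known_shared=frozenset()):
    """Return {ip: sorted accounts} for IPs that touched at least `threshold`
    distinct accounts inside any sliding `window`. IPs in `known_shared`
    (hypothetical allowlist, e.g. a corporate proxy) are skipped."""
    recent = defaultdict(deque)   # ip -> (time, account) pairs still in window
    alerts = {}
    for ts, ip, account in sorted(events):
        if ip in known_shared:
            continue
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) >= threshold:
            alerts.setdefault(ip, set()).update(accounts)
    return {ip: sorted(accts) for ip, accts in alerts.items()}
```

The sliding window is what keeps 198.51.100.20 (three accounts spread over five hours) from alerting, and the allowlist covers the obvious false positive of many legitimate users behind one shared address.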

Wednesday, March 02, 2005

A Glimpse Of The Internet Banking Future?

I doubt the example Jeremy Wagstaff cites in this post is really a bank backing away from Internet Banking but rather them making a transition from one platform to another. If the bank he's talking about is really trying to protect itself from phishing I don't see how it does. I don't understand how a VPN is protected from social engineering attacks like phishing.

Friday, February 25, 2005

When paying with plastic, why swipe? Just wave

This is great news for those of us who use our cards so much that we wear them out.

Also great news that VISA is going to not require signatures for purchases under $25. I hope this is instituted even without the contactless cards.

Wednesday, February 23, 2005

For Some, No Purchase Is Too Small For Plastic

Great article regarding the shift in consumer attitude regarding using credit cards for small purchases. The stigma and guilt are going away.

Interesting also how increased use hasn't affected fraud:

"...even without signatures, fraud remains at an all-time low of 5 cents for every $100 spent on Visa cards. The company's research shows that low-value purchases tend not to attract fraud. And even if they did, Visa guarantees its payments to merchants."

The next step is figuring out a way to eliminate merchant reluctance. The dirty looks are still there even if consumers are ignoring them.

Friday, February 18, 2005

Online phishing scam hits UCLA's University CU

Okay it's getting scarier. Now it's getting down to smaller asset CUs too.

Wednesday, February 09, 2005

Online Banking Growing Rapidly, Survey Finds

This article from the Washington Post seems a bit dated (I think this Pew info came out a few months ago), but it is still encouraging to see it in print...uh online.

Friday, February 04, 2005

The Password Is Fayleyure

This TechnologyReview.com article argues that stronger password protection does nothing to enhance security.

"the logical conclusion of most 'strong password' policies—don't use names of family members or pets; don't use birthdays or calendar dates; use randomized sequences of special characters; don't use your password for more than one or two sites; change your passwords several times a year; don't put your password(s) in your PDA or cell phone—is that passwords should be impossible to remember and should never be written down."

Good point, but what is the alternative? The article mentions ATM passwords are still only 4 digits but fails to mention that they require that physical piece of plastic which waters down his argument.

Tuesday, February 01, 2005

Phisher poses as State Employees' CU

Here's the first instance I've seen of a phisher targeting a Credit Union. It's starting...

Thursday, January 27, 2005

More Identity Theft Offline Than Online-Study

Whew!!! Now I can relax, sit back and not worry about doing all of my banking online.

Monday, January 24, 2005

Phishers Drop Hooks Into Smaller Streams

It seems like it is only a matter of time before phishers drop their hooks into Credit Union and local bank streams.

On a related note, Thunderbird, Mozilla's email equivalent of Firefox, has a new phisher safeguard. The feature is supposed to alert users when they click on a suspicious link within a suspected phishing email.

Friday, January 21, 2005

CheckFree Cashes In

The year-over-year growth numbers for online banking and bill pay have been terrific for years, mainly because they started from such a small base, and now that growth seems to be translating into profits, at least for the companies that offer the infrastructure. Will it ever translate into verifiable increased profits for financial institutions? I don't know. It may just protect them from customer defection if they don't offer all of the online services.

Fraud victims facing cold shoulder

Some British banks are no longer going to offer blanket coverage of losses for customers who are victims of phishing scams. This article goes on to talk about the lax security measures that some British banks are taking to secure their sites. Maybe I'm missing something but I don't see how increased security, stronger password requirements, more authentication necessarily protect consumers and ecommerce sites from phishing. If you can convince someone to give up their user name and password with an email, what would be the problem with getting them to give up other kinds of personal information that could be used to compromise their accounts?

Monday, January 10, 2005

Momentum Is Gaining for Cellphones as Credit Cards

If it's in the New York Times, it can't be far from the mainstream.

Registration required.

Friday, January 07, 2005

Financials are phishers’ favorite targets

This small article is noteworthy for Scott Chasin's (of MX Logic) comment that phishing could have the same effect on ecommerce that spam has had on email. If this is true, and it sounds eerily dead on, ecommerce may have to shift in much the same way Internet communication has shifted from email to IM.