[IP] more on Banking Alert (fwd)

To: Ip ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] more on Banking Alert (fwd)
From: David Farber <dave@xxxxxxxxxx>
Date: Wed, 25 May 2005 05:27:58 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <6.1.2.0.0.20050525011231.01e1ec08@xxxxxxxxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Vin McLellan <vin@xxxxxxxxxxxx>
Date: May 25, 2005 3:23:59 AM EDT
To: dave@xxxxxxxxxx
Subject: Re: Banking Alert (fwd)


Hi Dave,

Citibank's attempt to personalize its outgoing email to customersseems to be a simple but effective anti-phishing mechanism to salvagethe inexpensive (and thus popular) business-to-customer email channelthat many banks and other commercial firms have be loath to give up.Note, however, that many of the popular articles about recent bankdata thefts recommend that customers never click on unverified urls(for good reasons since clicking alone can install a virus or akeylogger or other malware.)

Of course, the authenticator Citibank uses (the last four digits ofthe customer's ATM card) is essentially just another static password,which goes through the network unencrypted and thus unprotectedagainst even simple sniffers. If this "secret" info is captured by apotentially hostile party, it could potentially opens the customer upfor a targeted attack.

The recent BoA, Wachovia, data thefts involved the relativelyinexpensive purchase ($10 per name) of hundreds of thousands of verydetailed customer data files (account numbers, account balances,transaction records) from bank insiders. Would not the customers' ATM/Debit card numbers (but hopefully not the PIN) have been as easilyaccessible to those same insiders?

I wonder what the black market price for these ATM/Debit card numbersis? And what will it be next year? Debit cards, after all, are oftenused is POS transactions and thus routinely pass through the hands ofnon-bank employees, non-bank equipment, and probably non-bank networks.

Still, Citibank's mail authentication mechanism doubtless raises thebar and requires a phishing fraudster to launch a directed multi-stage attack to get around it (or else suborn some bank insiders likethose recently arrested in the latest BoA case.) It's a major step inthe right direction.

Makes you wonder what other simple security mechanisms are (or couldbe) implemented today by banks and other eCommerce firms toauthenticate their emails to their customers?


_Vin




-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] So now the FTC is in on the act
Next by Date: [IP] Minnesota court takes dim view of encryption
Previous by thread: [IP] So now the FTC is in on the act
Next by thread: [IP] Minnesota court takes dim view of encryption
Index(es):
- Date
- Thread