funsec mailing list archives
Re: The solution to Phishing
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 26 Oct 2005 03:00:55 +1300
Drsolly to me:
Nah -- that's just "faster Darwinism"... Face it -- some people really are just too stupid to be allowed to do some things (Dubya, president; thousands involved in self-inflicted, non-deliberate gun injuries per year, gun ownership/access; persistent drunks, driving, etc, etc, etc). We don't need a perfectly safe banking system -- we need a banking system that is "safe enough".
Not even that. All we need is a banking system that's safe enough for me.
The _current_ one is more than safe enough for me... At least, so long as your "typical idiot PC user" is NOT allowed to use it. (That was, in fact my point -- given Alan missed it, it must have been too deeply buried...)
So, we really don't need to worry about phishing or ATM fraud. Windows insecurities aren't a problem (except insofar as they lead to the spam I get and DDoS attacks on sites I want to use) and viruses ditto.
They're not a problem for you _directly_, but to the extent they affect other users of _your_ bank, they are...
The _real problem_ (and the one that really bothers me) is how much is it costing me (in terms of extra %'age on my CC interest rate and/or
I pay zero on my CC, because I don't use it to borrow money, because the rates they charge for borrowing money are really high - this is because it's a *very* high risk loan.
Yawn... Thanks for the economics lesson...
extra %'age on my mortgage
Your mortgage % is based on the general interest rate, plus a bit more that represents the risk that you'll default. Phishing won't affect that.
Wrong. The risk of such defaulting (not the risk _I_ will default, but the statistical average risk) is partly determined by the rate and level of fraud perpetrated against the bank's customers. Phishing-related fraud probably has a very small effect there, but it will have some effect. <<snip>>
So, how much is it costing _me_ to support the current level of idiot allowed to use the currently very weak online banking, sales, etc business?
It doesn't have to cost you anything. Just choose a bank that doesn't offer online banking; ...
Can't. All NZ banks offer online banking. Most are very actively _encouraging_ its (and telephone banking's) adoption and use. And anyway, _current_ online banking _is_ safe enough for me as I am not an idiot user AND I find online banking really handy and desirable, so dropping it is not actually the solution I'm looking for. Finally, if a bank did not offer online banking, its _other_ costs would probably be higher, so would I really be better off??
... market forces lead to survival of the fittest banks.
In this regard, all my choices are equally "unfit"...
If you can't find such a bank, then that's excellent news - it means that there's a market opportunity for you to start one. If by doing that, you can make your bank charges lower, you'll prosper. If that doesn't lead to lower bank charges, then you've discovered something useful.
And your serious suggestion is?
I'd be much happier if I could easily find the comparative monetary cost of what is currently the banks, CC companies, etc deciding that current practice is (near enough to) "safe enough"...
Interest rates are, in the long run, the rate of inflation plus about 2 or 3 % (look at the yield on undated gilts). Anything more than that, is either a risk premium or a profit. So, look at what you're paying, and you can calculate it.
That doesn't tell me the actual cost of phishing and other identity-theft related fraud, and much as we see estimates of such losses/costs (usually in terms of "X million per year", either for a specific bank or a whole country's banking industry), I seriously doubt they are ever vaguely accurate.
Regards,
Nick FitzGerald
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.