Re: The solution to Phishing

[Drsolly <drsollyp () drsolly com>]

> Thanks for the economics lesson...

You're welcome. Since this is a public list, there might be at least one 
person reading these postings that didn't know.
 
> > > extra %'age on my mortagage
> >
> > Your mortgage % is based on the general interest rate, plus a bit more 
> > that represents the risk that you'll default. Phishing won't affect that.
>
> Wrong.
>
> The risk of such defaulting (not the risk _I_ will default, but the 
> statistical average risk) is partly determined by the rate and level of 
> fraud perpetrated against the bank's customers.  Phishing-related fraud 
> probably has a very small effect there, but it will have some effect.

A very small effect indeed; a mortgage isn't something that you can draw
cash out from, so why would a phisher phish a mortgage account? I find it
hard to see how a phisher would damage you by paying off all or some of
your mortgage. I suppose one could call this "reverse phishing"; people 
discovering your account details so that they can give you money.
 
> <<snip>>
> > > So, how much is it costing _me_ to support the current level of idiot 
> > > allowed to use the currently very weak online banking, sales, etc 
> > > business?
> >
> > It doesn't have to cost you anything. Just choose a bank that doesn't
> > offer online banking; ...
>
> Can't.
>
> All NZ banks offer online banking.  Most are very actively 
> _encouraging_ its (and telephone banking's) adoption and use.
>
> And anyway, _current_ online banking _is_ safe enough for me as I am 
> not an idiot user AND I find online banking really handy and desirable, 
> so dropping it is not actually the solution I'm looking for.
>
> Finally, if a bank did not offer online banking, it's _other_ costs 
> would probably be higher, so would I really be better of??
>
> > ... market forces lead to survival of the fittest banks.
>
> In this regard, all my choices are equally "unfit"...
>
> > If you can't find such a bank, then that's excellent news - it means that
> > there's a market opportunity for you to start one. If by doing that, you 
> > can make your bank charges lower, you'll prosper. If that doesn't lead to 
> > lower bank charges, then you've discovered something useful.
>
> And your serious suggestion is?

To start up a bank. What, did you think that was impossible? Lots of
people have done it, you don't need a licence (provided you pretend that
you aren't a bank) and you don't even need any capital. The one that comes
most readily to mind is Paypal.

And in the New Zealand Fitzgerald Bank, online services will only be
available to those who can demonstrate a degree of Clue. Alternatively, in
the NZFB, online services will use an authentication system that can't be
phished.
 
> > > I'd be much happier if I could easily find the comparative monetary 
> > > cost of what is currently the banks, CC companies, etc deciding that 
> > > current practice is (near enough to) "safe enough"...
> >
> > Interest rates are, in the long run, the rate of inflation plus about 2 or
> > 3 % (look at the yield on undated gilts). Anything more than that, is
> > either a risk premium or a profit. So, look at what you're paying, and you
> > can calculate it.
>
> That doesn't tell me the actual cost of phishing and other identity-
> theft related fraud,

It tells you the cost to *you* via the higher interest rates you're 
paying.

> and much as we see estimates of such losses/costs 
> (usually in terms of "X million per year", either for a specific bank 
> or a whole country's banking industry), I seriously doubt they are ever 
> vaguely accurate.

Of course they aren't, these are made-up numbers for the purposes of 
sky-is-falling journalism. Of course, no-one takes these figures 
seriously, just as no-one takes all the other sky-is-falling stories that 
the press runs at all seriously. Which, of course, is unfortunate if you 
live in a city where the sky really is about to fall (New Orleans a 
couple of months back, for example).

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.