funsec mailing list archives

Re: The solution to Phishing


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 26 Oct 2005 11:10:14 +1300

Drsolly to me:

extra %'age on my mortgage

Your mortgage % is based on the general interest rate, plus a bit more 
that represents the risk that you'll default. Phishing won't affect that.

Wrong.

The risk of such defaulting (not the risk _I_ will default, but the 
statistical average risk) is partly determined by the rate and level of 
fraud perpetrated against the bank's customers.  Phishing-related fraud 
probably has a very small effect there, but it will have some effect.

A very small effect indeed; a mortgage isn't something that you can draw
cash out from, so why would a phisher phish a mortgage account? ...

Actually, that is wrong, at least here in NZ.

Some banks (all the larger commercial ones for sure -- the ones 
modelled more along the lines of the UK's "building societies" may be 
more circumspect in regard to this form of credit) offer a special form 
of mortgage (I forget the term they use for these) where some 
proportion of the mortgage's total value is available on an "on-
demand" basis.  For example, you may take out a $500,000 mortgage on a 
$700,000 house that you make a $300,000 down-payment on.  You obviously 
only draw down the first $400,000 of the mortgage to pay for the house, 
but then can draw up to the remaining $100,000 for anything you like -- 
buying a car, a boat, renovating or extending the house, etc, etc.  I 
believe (I've not looked closely into the mechanics of these mortgages) 
that most banks that offer this type of credit arrangement transfer the 
"extra" mortgage limit into what is effectively a savings account with 
an overdraft limit equal to the credit balance on the mortgage account, 
so getting phished can easily and significantly impact mortgage costs 
for customers of these banks.  (And, yes, you pay a sufficiently higher 
additional interest rate for this, and some banks allow you to transfer 
(a portion of) the capital paydown on the mortgage account to the 
linked "savings" account too.)

...  I find it
hard to see how a phisher would damage you by paying off all or some of
your mortgage. I suppose one could call this "reverse phishing"; people 
discovering your account details so that they can give you money.

No -- notwithstanding the above form of the mortgage (which may not be 
available in the UK), my main point was that there will always be some 
edge cases where someone will get cleaned out "between transactions", 
perhaps having exposed themselves to some costly, short-term bridging 
finance because they just had to have _that_ house (car, boat, 
whatever) and they knew their inheritance from Auntie Maud's estate 
would finally be sorted any week now.  Days/weeks pass, Auntie Maud's 
estate cheque arrives, is banked, is finally due to clear funds 
tomorrow, they get phished while checking their online banking the 
night before the cheque clears, the phisher wipes them out later that 
night (a few hours after midnight local time to the victims and thus a 
few hours after the funds from the cheque had been cleared by the bank) 
and next morning (or next week or month or whatever the term of the 
bridging finance) they can't pay off the debt.

That will affect their ability to keep meeting their other regular 
payments, such as the mortgage.  Please don't be so naïve as to think 
that just because a mortgage account can't be phished (which, I accept, 
may be the case in many places), mortgage rates are unaffected by 
phishing.  Phishing and the associated fraud affect some bank 
customers' ability to meet their obligations to the bank, and _that_ 
affects the banks' overall perception of the average risk of lending 
money and (at least in a vaguely free market banking system) _that_ 
affects the interest rate you pay for any and all of your borrowings 
from the banks.

...

Am I dense and entirely missing something here, or have some of you 
been missing the obvious?


Regards,

Nick FitzGerald


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.