funsec mailing list archives
Re: The solution to Phishing
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 26 Oct 2005 11:10:14 +1300
Drsolly to me:
extra %'age on my mortgage
Your mortgage % is based on the general interest rate, plus a bit more that represents the risk that you'll default. Phishing won't affect that.
Wrong. The risk of such defaulting (not the risk _I_ will default, but the statistical average risk) is partly determined by the rate and level of fraud perpetrated against the bank's customers. Phishing-related fraud probably has a very small effect there, but it will have some effect.
A very small effect indeed; a mortgage isn't something that you can draw cash out from, so why would a phisher phish a mortgage account? ...
Actually, that is wrong, at least here in NZ. Some banks (all the larger commercial ones for sure -- the ones modelled more along the lines of the UK's "building societies" may be more circumspect in regard to this form of credit) offer a special form of mortgage (I forget the term they use for these) where some proportion of the mortgage's total value is available on an "on-demand" basis. For example, you may take out a $500,000 mortgage on a $700,000 house that you make a $300,000 down-payment on. You obviously only draw down the first $400,000 of the mortgage to pay for the house, but then can draw up to the remaining $100,000 for anything you like -- buying a car, a boat, renovating or extending the house, etc, etc. I believe (I've not looked closely into the mechanics of these mortgages) that most banks that offer this type of credit arrangement transfer the "extra" mortgage limit into what is effectively a savings account with an overdraft limit equal to the credit balance on the mortgage account, so getting phished can easily and significantly impact mortgage costs for customers of these banks. (And, yes, you pay a sufficiently higher additional interest rate for this, and some banks allow you to transfer (a portion of) the capital paydown on the mortgage account to the linked "savings" account too.)
... I find it hard to see how a phisher would damage you by paying off all or some of your mortgage. I suppose one could call this "reverse phishing"; people discovering your account details so that they can give you money.
No -- notwithstanding the above form of the mortgage (which may not be available in the UK), my main point was that there will always be some edge cases where someone will get cleaned out "between transactions", perhaps having exposed themselves to some costly, short-term bridging finance because they just had to have _that_ house (car, boat, whatever) and they knew their inheritance from Auntie Maud's estate would finally be sorted any week now. Days/weeks pass, Auntie Maud's estate cheque arrives, is banked, is finally due to clear funds tomorrow, they get phished while checking their online banking the night before the cheque clears, the phisher wipes them out later that night (a few hours after midnight local time to the victims and thus a few hours after the funds from the cheque had been cleared by the bank) and next morning (or next week or month or whatever the term of the bridging finance) they can't pay off the debt. That will affect their ability to keep meeting their other regular payments, such as the mortgage.
Please don't be so naïve as to think that just because a mortgage account can't be phished (which, I accept, may be the case in many places), mortgage rates are unaffected by phishing. Phishing and the associated fraud affect some bank customers' ability to meet their obligations to the bank, and _that_ affects the banks' overall perception of the average risk of lending money and (at least in a vaguely free market banking system) _that_ affects the interest rate you pay for any and all of your borrowings from the banks.
... Am I dense and entirely missing something here, or have some of you been missing the obvious?
Regards,
Nick FitzGerald
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.