Stephen Wilson - Lockstep Consulting - Sydney 21 February, 2009, 04:00 0 likes

You ask, why is it so difficult to get customers to install a toolbar?

Robert, if your starting premise is that they are "complete idiots", then you have, in one fell swoop, answered your own question, pissed off a whole lot of your targets, and exacerbated the problem.

Yes, those who fall for phishing are not highly computer literate, but why should we expect them to be?  We don't expect all drivers to be automotive engineers, or Niki Lauda.  Any purported solution to phishing that requires average Internet users to install special toolbars is likely to be beyond the capacity of the very people who are falling prey.

Cheers,

Stephen Wilson, Lockstep.

Robert Siciliano - Safr.me - Boston 21 February, 2009, 04:25 0 likes

The point is made the phishers "are in fact getting smarter"

And...

As a rowdy teen, the only thing that smartened me up was a back hand. A little tough love never hurt anyone.  Exacerbating the problem is failing to inform, remind, and if necessary reprimand the users of their responsibilities to protect themselves. Personal responsibility. Its been 10 years of phishing. It’s getting worse. The public needs a backhand.

And you shouldn’t necessarily know how to engineer a car, but you better know how to drive it safely. ya know?

Stephen Wilson - Lockstep Consulting - Sydney 21 February, 2009, 05:36 0 likes

Robert,

I do not believe it's reasonable to put the onus on users to this extent to protect themselves online.  This is not supposed to be the Wild West anymore; we're talking about making people safe as they go about their business in the digital economy.

The traditional preoccupation with education and training does not serve ordinary people well.  The best advice from governments and banks -- such as www.protectfinancialid.org.au and www.staysmartonline.gov.au -- runs to a dozen pages or more.  It's simply overwhelming.  And technicians know it's already out of date: keeping an eye out for the SSL padlock for example is not enough anymore given Man-in-the-Middle attacks on the certificate chain. The theft of credit card details en masse from back-end databases means that even when a user diligently follows all the cyber safety advice, they can still have their IDs stolen and replayed in CNP fraud.

As for the idea of 'safe driving' online, well when the equipment is inadequate, relying on education alone, with a dose of tough love, can border on reckless.  As Ralph Nader said, some cars are "unsafe at any speed". 

I don't want to turn people off, nor do I expect people to be protected from stupidity.  My point is that we need more balance in the cyber safety debate, and a greater emphasis on proper security infrastructure is urgently needed, as a matter of public policy.  In particular, it is high time that governments and banking regulators took a greater interest in digital identity technologies, and stopped letting market forces alone cater for consumer protection online.  We don't let the public connect any old bit of kit onto the telephone network, so regulators should be prepared to take a more active role in digital economy infrastructure. 

Robert Siciliano - Safr.me - Boston 21 February, 2009, 18:30 0 likes

NZ Banks

Robert Siciliano - Safr.me - Boston 21 February, 2009, 20:39 0 likes

Let me be clear. Law enforcement and security professionals are providing tremendous value. They can only do so much. Even when more security is introduced there will still be another path to exploit.

I speak to law officers who break their humps to protect us, and the public expects more than they or us can provide. Security is a process that requires a coordinated effort among the protectors and the protected. Maybe shaking up the status quo will seed a little inspiration to be security minded.

David Divitt - VocaLink - London 23 February, 2009, 10:16 0 likes

Dont forget, an "attack" is just a criminal setting up a phish site/email and attempting to sucker the public...doesnt mean they are successful!  In my experience phishing success, or at least the average loss per successful attack is falling.

Robert Siciliano - Safr.me - Boston 23 February, 2009, 12:15 0 likes

There is a tremendous burden on government and industry to protect. And that burden is just. There still needs to be a degree of citizen accountability. 

If consumers are to enjoy the conveniences of technology, they should have a sense on how to use it securely.

I'm not the only loon on the planet holding the publics feet to the fire. In the NZ Banks links above see;

"Banks in New Zealand are seeking access to customer PCs used for online banking transactions to verify whether they have enough security protection.

Under the terms of the banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection in is place and up to date.

The code, issued by the Bankers' Association now has a new section dealing with Internet banking.

Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have "used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up-to-date."

I'm moving to NZ... if they'll have me.

A Finextra member 27 February, 2009, 17:40 0 likes

There are some e-banking anti-fraud systems already available. They build up a customer profile (what OS, browser do you use, what is your network segment, how do you use e-banking, when do you make transaction, what are the transaction amounts, etc), and if you make a new transaction then it is compared to your profile.

So lets say i use my e-banking from Budapest, from the office, daytime, Windows Vista, Firefox 3.0...

If someone wants to make a transfer from China, from a Linux PC, using Chrome during the night, then the anti-fraud system will alert that it is a very suspicious transaction, blocking it or asking for a secondary authentication over the phone.

I think it is a good tool to increase security and can filter 80% of the attacks.