Expert Slams Online Bank On ID Fraud
from the yes,-but... dept
Earlier this week we mentioned the case of a South African bank where several accounts were wiped out, after a scammer sent a spam with some keylogger software attached to it. A few people unknowingly installed the software, and had their account info snagged by the scammer. Now, a "security expert" is criticizing the bank for this. The fact that there really was nothing the bank could do doesn't seem to enter into the picture. The bank wasn't hacked. It was due to things that happened on each individual's computer. And, the bank has responded by restoring the money to the accounts. Blaming the bank doesn't seem fair. The one point that does make sense is that it would have been better if the bank had a more stringent security policy that required a smartcard or some biometric reader. Unfortunately, almost no one has a smartcard reader or biometric reader at home - so no banks will require such a thing, since it pretty much guarantees that no one will use their online banking service (and, that they'll go to another bank that makes it easier). Yes, security should be better, but it's hard to see how the bank was at fault in this case.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Social Hack...
How did the social engineer target the individuals of the bank? If it was purely fishing, then customers of other banks would have received similar emails and trojans, but it appears (at least from reading the articles,) that the social engineer targeted specific customers of the bank in question, through emails none-the-less.
My bank knows my email address, partly because I gave it to them as part of the effort of obtaining an account with them, but also because I occasionally send emails to them about problems I have while banking with them. They keep some sort of record of customers' email addresses, because occasionally I get "unsolicited" email from them as well.
However, until I just announced it on a public website, nobody other than my bank or I knew that they had my email address. And even though I have given this information out, most people probably still don't know which bank I have my account at.
So what I am saying, is that somehow this engineer has already hacked enough into the bank to obtain a listing of customer's email addresses. And that is the banks problem. They have somehow, through negligence or otherwise, allowed someone to use their records to send directed emails to their customers.
[ link to this | view in thread ]