Re: The solution to Phishing

[Nick FitzGerald <nick () virus-l demon co uk>]

Drsolly to me:

> > Nah -- that's just "faster Darwinism"...
> >
> > Face it -- some people really are just too stupid to be allowed to do 
> > some things (Dubya, president; thousands involved in self-inflicted, 
> > non-deliberate gun injuries  per year, gun ownership/access; persistent 
> > drunks, driving, etc, etc, etc).  We don't need a perfectly safe 
> > banking system -- we need a banking system that is "safe enough".
>
> Not even that. All we need is a banking system that's safe enough for me. 

The _current_ one is more than safe enough me...

At least, so long as your "typical idiot PC user" is NOT allowed to use 
it.

(That was, in fact my point -- given Alan missed it, it must have been 
too deeply buried...)

> So, we really don't need to worry about phishing or ATM fraud. Windows 
> insecurities aren't a problem (except insofar as they lead to the spam I 
> get and DDoS attacks on sites I want to use) and viruses ditto.

They're not a problem for you _directly_, but to the extent they affect 
other users of _your_ bank, they are...

> > The _real problem_ (and the one that really bothers me) is how much is 
> > it costing me (in terms of extra %'age on my CC interest rate and/or
>
> I pay zero on my CC, because I don't use it to borrow money, because the 
> rates they charge for borrowing money are really high - this is because 
> it's a *very* high risk loan.

Yawn...

Thanks for the economics lesson...

> > extra %'age on my mortagage
>
> Your mortgage % is based on the general interest rate, plus a bit more 
> that represents the risk that you'll default. Phishing won't affect that.

Wrong.

The risk of such defaulting (not the risk _I_ will default, but the 
statistical average risk) is partly determined by the rate and level of 
fraud perpetrated against the bank's customers.  Phishing-related fraud 
probably has a very small effect there, but it will have some effect.

<<snip>>
> > So, how much is it costing _me_ to support the current level of idiot 
> > allowed to use the currently very weak online banking, sales, etc 
> > business?
>
> It doesn't have to cost you anything. Just choose a bank that doesn't
> offer online banking; ...

Can't.

All NZ banks offer online banking.  Most are very actively 
_encouraging_ its (and telephone banking's) adoption and use.

And anyway, _current_ online banking _is_ safe enough for me as I am 
not an idiot user AND I find online banking really handy and desirable, 
so dropping it is not actually the solution I'm looking for.

Finally, if a bank did not offer online banking, it's _other_ costs 
would probably be higher, so would I really be better of??

> ... market forces lead to survival of the fittest banks.

In this regard, all my choices are equally "unfit"...

> If you can't find such a bank, then that's excellent news - it means that
> there's a market opportunity for you to start one. If by doing that, you 
> can make your bank charges lower, you'll prosper. If that doesn't lead to 
> lower bank charges, then you've discovered something useful.

And your serious suggestion is?

> > I'd be much happier if I could easily find the comparative monetary 
> > cost of what is currently the banks, CC companies, etc deciding that 
> > current practice is (near enough to) "safe enough"...
>
> Interest rates are, in the long run, the rate of inflation plus about 2 or
> 3 % (look at the yield on undated gilts). Anything more than that, is
> either a risk premium or a profit. So, look at what you're paying, and you
> can calculate it.

That doesn't tell me the actual cost of phishing and other identity-
theft related fraud, and much as we see estimates of such losses/costs 
(usually in terms of "X million per year", either for a specific bank 
or a whole country's banking industry), I seriously doubt they are ever 
vaguely accurate.


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.