funsec mailing list archives

RE: bankone/chase non-scam


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 11 Dec 2006 15:17:56 +1300

Larry Seltzer to Drsolly:

> > I would tell Aunty Gi not to access her accounts online.
> 
> Really, you think it's that bad? I think the benefits of online banking
> are so enormous that it's hard to blow it off like that.

For myself, I agree -- but then, unlike your Aunty Gi, I am well-suited 
to accurately and reliably make the critically important calls that 
affect _my_ online safety (and yes, unlike some other high-profile 
techies on this list, I _do_ use online banking because my judgement of 
the risks is that those I take are acceptable for the convenience pay-
off, BUT I doubt I'd ever use an "online only" bank or take some deal 
like lower bank fees for using only online services).

Sadly however, because most online banking users (perhaps those like 
your Aunty Gi?) are _not_ as well equipped as me to make those critical 
decisions, for the last several years my bank fees have continued to 
soar past the rate of general inflation _despite_ all of the bank's 
modernization, computerization, automation, reduction in face-to-face 
and voice-to-voice bank staff/customer interaction. Why? Because 
losses to fraud have gone up, reaching perilously close to (or 
surpassing) the "comfort level" already factored into the service fees, 
transaction margins and so on...

> If you were to tell Aunty Gi to ignore *all* mail purportedly from the
> bank, without exception, I doubt she would be in trouble with respect to
> online banking. The only real e-mails I've ever gotten from Bank of
> America have been informative, not critical.

And you're absolutely sure that Aunty Gi can tell that every (or most) 
actual scam e-mails purportedly from her bank "informing" her that she 
has to verify her account details or whatever actually _are_ what you 
label "critical" rather than "informative"?

Why don't you see that requiring entirely ill-trained, ill-prepared and 
ill-equipped users to make such decisions _IS_ the root of this 
problem?  It doesn't matter how you fancy-up or dumb-down the language, 
the point is that there are no sufficiently reliable, trivially easy to 
use and teach the user to use properly ways of avoiding that problem 
with typical contemporary online banking and other Internet messaging 
protocols, etc.

If you place the onus on the user, in an information-poor, technology-poor 
frame, to make the "right" decision, there will always be too many 
"ooopsies"...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
