more on Banking Alert (fwd)

[David Farber <dave () farber net>]

Begin forwarded message:

From: Vin McLellan <vin () theworld com>
Date: May 25, 2005 3:23:59 AM EDT
To: dave () farber net
Subject: Re: Banking Alert (fwd)


Hi Dave,

Citibank's attempt to personalize its outgoing email to customers  
seems to be a simple but effective anti-phishing mechanism to salvage  
the inexpensive (and thus popular) business-to-customer email channel  
that many banks and other commercial firms have be loath to give up.  
Note, however, that many of the popular articles about recent bank  
data thefts recommend that customers never click on unverified urls  
(for good reasons since clicking alone can install a virus or a  
keylogger or other malware.)

Of course, the authenticator Citibank uses (the last four digits of  
the customer's ATM card) is essentially just another static password,  
which goes through the network unencrypted  and thus unprotected  
against even simple sniffers. If this "secret" info is captured by a  
potentially hostile party, it could potentially opens the customer up  
for a targeted attack.

The recent BoA, Wachovia, data thefts involved the relatively  
inexpensive purchase ($10 per name) of hundreds of thousands of very  
detailed customer data files (account numbers, account balances,  
transaction records) from bank insiders. Would not the customers' ATM/ 
Debit card numbers (but hopefully not the PIN) have been as easily  
accessible to those same insiders?

I wonder what the black market price for these ATM/Debit card numbers  
is? And what will it be next year?  Debit cards, after all, are often  
used is POS transactions and thus routinely pass through the hands of  
non-bank employees, non-bank equipment, and probably non-bank networks.

Still, Citibank's mail authentication mechanism doubtless raises the  
bar and requires a phishing fraudster to launch a directed multi- 
stage attack to get around it (or else suborn some bank insiders like  
those recently arrested in the latest BoA case.) It's a major step in  
the right direction.

Makes you wonder what other simple security mechanisms are (or could  
be) implemented today by banks and other eCommerce firms to  
authenticate their emails to their customers?

_Vin




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/