Issue No. 6, Nov.-Dec. 2012 (vol. 10)
pp. 63-69
Dinei Florêncio , Microsoft Research
Cormac Herley , Microsoft Research
ABSTRACT
US Federal Reserve Regulation E guarantees that consumers are made whole when their bank passwords are stolen. The implications lead to several interesting conclusions. First, emptying accounts is extremely hard: the mechanisms that move money irreversibly are, in general, exactly those whose use cannot later be repudiated. Password-enabled transfers can always be repudiated, which explains the importance of mules, who accept the repudiable transfers and initiate irreversible ones. This suggests that it is the mules' accounts, rather than the victims', that are pillaged. Passwords are but one link in the cybercrime value chain. Despite appearances, password stealing is a bad business proposition.
INDEX TERMS
Government policies, Banking, Computer crime, Marketing and sales, Privacy, Computer security, cybercrime, passwords, phishing
CITATION
Dinei Florêncio, Cormac Herley, "Is Everything We Know about Password Stealing Wrong?", IEEE Security & Privacy, vol.10, no. 6, pp. 63-69, Nov.-Dec. 2012, doi:10.1109/MSP.2012.57
REFERENCES
1. “Part 205: Electronic Fund Transfers (Regulation E),” US Nat'l Archives and Records Administration, 2011; www.fdic.gov/regulations/laws/rules/6500-3100.html.
2. “Banking Solution: Zero Liability Guarantee,” Bank of America, 2005; www.bankofamerica.com/onlinebanking/real_banking_soln/noflashrobert.html.
3. “Online Security Guarantee,” Wells Fargo, 2012; https://www.wellsfargo.com/privacy_security/onlineguarantee.
4. “Fidelity Customer Protection Guarantee,” Fidelity, 2012; https://401k.fidelity.com/public/content/Shared/SecurityProtectionGuarantee.
5. “HSBC's Personal Internet Banking Security Pledge,” HSBC, 2012; www.us.hsbc.com/1/2/home/personal-banking/pibonline-guarantee.
6. “United States Securities and Exchange Commission Form 10-K, eBay Inc.,” no. 000-24821, 2009; www.sec.gov/Archives/edgar/data/1065088/000119312510033324/d10k.htm.
7. M. Mannan and P.C. van Oorschot, “Security and Usability: The Gap in Real-World Online Banking,” Proc. New Security Paradigms Workshop (NSPW 07), ACM, 2007; www.ccsl.carleton.ca/paper-archive/mannan-nspw07.pdf.
8. R. Stross, “Don't Take This Bait (but You're Safe If You Do),” The New York Times, 28 Nov. 2009; www.nytimes.com/2009/11/29/business/29digi.html.
9. B. Krebs, KrebsOnSecurity, blog; http://krebsonsecurity.com.
10. R. Anderson, “Closing the Phishing Hole—Fraud, Risk and Nonbanks,” Proc. Federal Reserve Bank of Kansas City Conf. Nonbanks in the Payments System, 2007; www.cl.cam.ac.uk/~rja14/Papers/nonbanks.pdf.
11. R. Thomas and J. Martin, “The Underground Economy: Priceless,” ;login:, vol. 31, no. 6, 2006, pp. 7–16; http://static.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf.
12. J. Franklin et al., “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,” Proc. ACM Conf. Computer and Communications Security (CCS 07), ACM, 2007, pp. 375–388.
13. “The 2010 Federal Reserve Payments Study: Noncash Payment Trends in the United States: 2006–2009,” US Federal Reserve System, Dec. 2010; www.frbservices.org/files/communications/pdf/press/2010_payments_study.pdf.
14. D. Florêncio and C. Herley, “Phishing and Money Mules,” Proc. 2010 IEEE Workshop Information Forensics and Security (WIFS 10), IEEE, 2010; http://research.microsoft.com/pubs/143095/mules.pdf.
15. T. Holz, M. Engelberth, and F. Freiling, Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones, tech. report TR-2008-006, Reihe Informatik, 2008; http://honeyblog.org/junkyard/reports/impersonation-attacks-TR.pdf.
16. B. Stone-Gross et al., “Your Botnet Is My Botnet: Analysis of a Botnet Takeover,” Proc. ACM Conf. Computer and Communications Security (CCS 09), ACM, 2009, pp. 635–647.
17. “RSA Online Fraud Report,” RSA, Oct. 2008; www.rsa.com/solutions/consumer_authentication/intelreport/FRARPT_DS_1008.pdf.
18. “Cisco 2010 Annual Security Report,” Cisco, 2011; www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2010.pdf.
19. RSA FraudAction Research Labs, “Follow the Money, and Go for the Mules!” blog, 6 Oct. 2010; http://blogs.rsa.com/rsafarl/follow-the-money-and-go-for-the-mules.
20. “Symantec Internet Security Threat Report: Trends for January–June 07,” white paper, Symantec, Sept. 2007; http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_09_2007.en-us.pdf.
21. C. Herley and D. Florêncio, “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy,” Workshop on Economics of Information Security (WEIS 09), 2009; http://research.microsoft.com/apps/pubs?id=80034.
22. C. Herley and D. Florêncio, “A Profitless Endeavor: Phishing as Tragedy of the Commons,” Proc. New Security Paradigms Workshop (NSPW 08), ACM, 2008; http://research.microsoft.com/apps/pubs?id=74159.
23. A. Greif, “Contract Enforceability and Economic Institutions in Early Trade: The Maghribi Traders' Coalition,” American Economic Rev., vol. 83, no. 3, 1993, pp. 525–548.
24. D. Florêncio and C. Herley, “Sex, Lies and Cyber-Crime Surveys,” Workshop on Economics of Information Security (WEIS 11), June 2011; http://research.microsoft.com/apps/pubs/default.aspx?id=149886.
25. “Statistics about Business Size (Including Small Business) from the U.S. Census Bureau,” US Census Bureau, 2012; www.census.gov/econ/smallbus.html.
26. J. Sullivan, “Bank Teller Foils Holdup, Nabs Suspect—Loses Job,” Seattle Times, 1 Aug. 2009; http://seattletimes.com/html/localnews/2009579648_teller01m.html.