Is Everything We Know About Password-Stealing Wrong?


Postby Cash » Thu Feb 14, 2013 7:44 am

I thought this paper was interesting in light of the frequent discussions about password security and cyber theft. I just checked the guarantee for my WellsTrade account, and WF does indeed have a zero liability policy for online fraud for its brokerage accounts.

We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

. . . .

It is worth, at the outset, dispelling a widely-held misapprehension about password-stealing. Thieves certainly steal passwords, and money is certainly a large part of their motivation, but when they successfully extract money from financial accounts individual consumers do not pay. In the US, Regulation E of the Federal Reserve [1] limits consumer liability, in the event of fraud, to $50 (this is separate from the $50 limit for credit-card fraud, Regulation CC) and covers "any electronic transfer that is initiated through an electronic terminal, telephone, computer or magnetic tape." In the US banks, brokerages, and credit unions are governed by this regulation and most go beyond it and offer a zero liability policy to consumers. Bank of America, for example, "guarantees zero liability for any unauthorized activity originating from Online Banking or Bill Pay." Wells Fargo says "We guarantee that you will be covered for 100 percent of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven't authorized removes those funds through our Online Services." Fidelity "will reimburse your Fidelity account for any losses due to unauthorized activity" and "under HSBC's $0 Liability, Online Guarantee, you're covered 100% and liable for $0." Even non-traditional financial institutions offer this guarantee. For example in its Dec. 2009 10-K filing eBay states: "PayPal currently voluntarily reimburses consumers for all financial losses from transactions not authorized by the consumer, not just losses above $50."

Thus, in the US, individual consumers are largely insulated from the direct financial consequences of credential theft (losses of small businesses and indirect losses are briefly mentioned below). Consumers who have their accounts emptied through stolen credentials are made whole. Of course, the cost of the fraud doesn't just go away: covering fraud is a cost which gets passed back to consumers in the form of increased fees. However, the idea that consumers are "just a few clicks away" from having their accounts irretrievably emptied is simply incorrect. There is a world of difference between being personally liable for losses, and sharing losses that are diluted across the whole population. While "we all pay for cyber-crime" is true in a general sense, it is not the case that individual users face grave financial risk.


http://research.microsoft.com/pubs/1618 ... WeKnow.pdf
Cash
 
Posts: 873
Joined: Wed Mar 10, 2010 10:52 am

Re: Is Everything We Know About Password-Stealing Wrong?

Postby jeffyscott » Thu Feb 14, 2013 8:15 pm

The first sentence of that paper is: Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen.

Vanguard's guarantee, in contrast, seems pretty weak with all the burdens it puts on the victim:

https://personal.vanguard.com/us/help/S ... ontent.jsp
press on, regardless - John C. Bogle
jeffyscott
 
Posts: 5991
Joined: Tue Feb 27, 2007 9:12 am
Location: Wisconsin

Re: Is Everything We Know About Password-Stealing Wrong?

Postby norookie » Thu Feb 14, 2013 8:46 pm

" Wealth usually leads to excess " Cicero 55 b.c
norookie
 
Posts: 3016
Joined: Tue Jul 07, 2009 1:55 pm

Re: Is Everything We Know About Password-Stealing Wrong?

Postby nisiprius » Thu Feb 14, 2013 10:21 pm

With news stories suggesting that cyberwar is already in progress, and that U.S. banks are among the targets being attacked, I have a feeling that within the next ten years we will probably be learning a lot more about what happens to individual consumers when their financial institution's electronic infrastructure is damaged.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
nisiprius
Advisory Board
 
Posts: 26115
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Is Everything We Know About Password-Stealing Wrong?

Postby LadyGeek » Thu Feb 14, 2013 10:28 pm

This thread is now in the Personal Consumer Issues forum (password security).
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 20117
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Is Everything We Know About Password-Stealing Wrong?

Postby protagonist » Thu Feb 14, 2013 10:34 pm

If so, this may explain why password security strength is so much weaker at Fidelity and Vanguard than at most online banks. The institutions have much less to lose if an account is hacked. Am I being overly cynical here?
protagonist
 
Posts: 2463
Joined: Sun Dec 26, 2010 12:47 pm

Re: Is Everything We Know About Password-Stealing Wrong?

Postby LadyGeek » Thu Feb 14, 2013 11:02 pm

There's a currently running thread which deep dives into Vanguard's security. Consider posting there: How good is vanguard website security?
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 20117
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

