http://research.microsoft.com/pubs/1618 ... WeKnow.pdf

We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

. . . .

It is worth, at the outset, dispelling a widely-held misapprehension about password-stealing. Thieves certainly steal passwords, and money is certainly a large part of their motivation, but when they successfully extract money from financial accounts individual consumers do not pay. In the US, Regulation E of the Federal Reserve [1] limits consumer liability, in the event of fraud, to $50 (this is separate from the $50 limit for credit-card fraud, Regulation CC) and covers "any electronic transfer that is initiated through an electronic terminal, telephone, computer or magnetic tape." In the US banks, brokerages, and credit unions are governed by this regulation and most go beyond it and offer a zero liability policy to consumers. Bank of America, for example, "guarantees zero liability for any unauthorized activity originating from Online Banking or Bill Pay." Wells Fargo says "We guarantee that you will be covered for 100 percent of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven't authorized removes those funds through our Online Services." Fidelity "will reimburse your Fidelity account for any losses due to unauthorized activity" and "under HSBC's $0 Liability, Online Guarantee, you're covered 100% and liable for $0." Even non-traditional financial institutions offer this guarantee. For example in its Dec. 2009 10-K filing eBay states: "PayPal currently voluntarily reimburses consumers for all financial losses from transactions not authorized by the consumer, not just losses above $50."

Thus, in the US, individual consumers are largely insulated from the direct financial consequences of credential theft (losses of small businesses and indirect losses are briefly mentioned below). Consumers who have their accounts emptied through stolen credentials are made whole. Of course, the cost of the fraud doesn't just go away: covering fraud is a cost which gets passed back to consumers in the form of increased fees. However, the idea that consumers are "just a few clicks away" from having their accounts irretrievably emptied is simply incorrect. There is a world of difference between being personally liable for losses, and sharing losses that are diluted across the whole population. While "we all pay for cyber-crime" is true in a general sense, it is not the case that individual users face grave financial risk.
Is Everything We Know About Password-Stealing Wrong?
I thought this paper was interesting in light of the frequent discussions about password security and cyber theft. I just checked the guarantee for my WellsTrade account, and WF does indeed have a zero liability policy for online fraud for its brokerage accounts.
- jeffyscott
- Posts: 13438
- Joined: Tue Feb 27, 2007 8:12 am
Re: Is Everything We Know About Password-Stealing Wrong?
The first sentence of that paper is: Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen.
Vanguard's guarantee, in contrast, seems pretty weak with all the burdens it puts on the victim:
https://personal.vanguard.com/us/help/S ... ontent.jsp
Re: Is Everything We Know About Password-Stealing Wrong?
" Wealth usually leads to excess " Cicero 55 b.c
- nisiprius
- Advisory Board
- Posts: 52105
- Joined: Thu Jul 26, 2007 9:33 am
- Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry
Re: Is Everything We Know About Password-Stealing Wrong?
With news stories suggesting that cyberwar is already in progress, and that U. S. banks are among the targets being attacked, I have a feeling that within the next ten years we will probably be learning a lot more about what happens to individual consumers when their financial institution's electronic infrastructure is damaged.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
Re: Is Everything We Know About Password-Stealing Wrong?
This thread is now in the Personal Consumer Issues forum (password security).
- Posts: 9242
- Joined: Sun Dec 26, 2010 11:47 am
Re: Is Everything We Know About Password-Stealing Wrong?
If so, this may explain why password security strength is so much weaker at Fidelity and Vanguard than at most online banks. The institutions have much less to lose if an account is hacked. Am I being overly cynical here?
Re: Is Everything We Know About Password-Stealing Wrong?
There's a currently running thread which deep dives into Vanguard's security. Consider posting there: How good is vanguard website security?