Is Everything We Know About Password-Stealing Wrong?

Topic Author
Cash
Posts: 1572
Joined: Wed Mar 10, 2010 9:52 am

Is Everything We Know About Password-Stealing Wrong?

Post by Cash »

I thought this paper was interesting in light of the frequent discussions about password security and cyber theft. I just checked the guarantee for my WellsTrade account, and WF does indeed have a zero liability policy for online fraud for its brokerage accounts.

We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

. . . .

It is worth, at the outset, dispelling a widely-held misapprehension about password-stealing. Thieves certainly steal passwords, and money is certainly a large part of their motivation, but when they successfully extract money from financial accounts individual consumers do not pay. In the US, Regulation E of the Federal Reserve [1] limits consumer liability, in the event of fraud, to $50 (this is separate from the $50 limit for credit-card fraud, Regulation CC) and covers "any electronic transfer that is initiated through an electronic terminal, telephone, computer or magnetic tape." In the US banks, brokerages, and credit unions are governed by this regulation and most go beyond it and offer a zero liability policy to consumers. Bank of America, for example, "guarantees zero liability for any unauthorized activity originating from Online Banking or Bill Pay." Wells Fargo says "We guarantee that you will be covered for 100 percent of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven't authorized removes those funds through our Online Services." Fidelity "will reimburse your Fidelity account for any losses due to unauthorized activity" and "under HSBC's $0 Liability, Online Guarantee, you're covered 100% and liable for $0." Even non-traditional financial institutions offer this guarantee. For example in its Dec. 2009 10-K filing eBay states: "PayPal currently voluntarily reimburses consumers for all financial losses from transactions not authorized by the consumer, not just losses above $50."

Thus, in the US, individual consumers are largely insulated from the direct financial consequences of credential theft (losses of small businesses and indirect losses are briefly mentioned below). Consumers who have their accounts emptied through stolen credentials are made whole. Of course, the cost of the fraud doesn't just go away: covering fraud is a cost which gets passed back to consumers in the form of increased fees. However, the idea that consumers are "just a few clicks away" from having their accounts irretrievably emptied is simply incorrect. There is a world of difference between being personally liable for losses, and sharing losses that are diluted across the whole population. While "we all pay for cyber-crime" is true in a general sense, it is not the case that individual users face grave financial risk.
http://research.microsoft.com/pubs/1618 ... WeKnow.pdf
jeffyscott
Posts: 13438
Joined: Tue Feb 27, 2007 8:12 am

Re: Is Everything We Know About Password-Stealing Wrong?

Post by jeffyscott »

The first sentence of that paper is: Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen.

Vanguard's guarantee, in contrast, seems pretty weak with all the burdens it puts on the victim:

https://personal.vanguard.com/us/help/S ... ontent.jsp
norookie
Posts: 3016
Joined: Tue Jul 07, 2009 1:55 pm

Re: Is Everything We Know About Password-Stealing Wrong?

Post by norookie »

"Wealth usually leads to excess" Cicero 55 B.C.
nisiprius
Advisory Board
Posts: 52105
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Is Everything We Know About Password-Stealing Wrong?

Post by nisiprius »

With news stories suggesting that cyberwar is already in progress, and that U. S. banks are among the targets being attacked, I have a feeling that within the next ten years we will probably be learning a lot more about what happens to individual consumers when their financial institution's electronic infrastructure is damaged.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
LadyGeek
Site Admin
Posts: 95466
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Is Everything We Know About Password-Stealing Wrong?

Post by LadyGeek »

This thread is now in the Personal Consumer Issues forum (password security).
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
protagonist
Posts: 9242
Joined: Sun Dec 26, 2010 11:47 am

Re: Is Everything We Know About Password-Stealing Wrong?

Post by protagonist »

If so, this may explain why password security strength is so much weaker at Fidelity and Vanguard than at most online banks. The institutions have much less to lose if an account is hacked. Am I being overly cynical here?
LadyGeek
Site Admin
Posts: 95466
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Is Everything We Know About Password-Stealing Wrong?

Post by LadyGeek »

There's a currently running thread which deep dives into Vanguard's security. Consider posting there: How good is vanguard website security?
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.