America's chief spook has been banned from internet banking by his wife after nearly falling prey to a common email phishing scam. FBI Director Robert Mueller was in San Francisco on Wednesday to advocate public vigilance against cybercrime. Speaking to the non-profit public affairs org, the Commonwealth Club of California, …
He emailed me offering to assist with my inheritance from someone who died in a ghastly car crash in Nigeria.
How the conversation could have gone
Why, not long ago, while some staffers and I were reading some of your emails, (and having a good chuckle too, I might add) I myself received an email purportedly from my boss that looked "perfectly legitimate." The email requested I tell him my login name and password to teh sekrit database. I obliged with the instructions and just before clicking "send" I realized "this might not be such a good idea." Well, to tell you the truth, if it hadn't been for a junior staffer shouting at me, I never would have suspected a thing. Whew! He really saved my bacon!
After writing a disciplinary case against the junior staffer for insubordination, (I appreciate his advice, but he shouldn't have called me an eff-ing idiot!) I quickly changed all my passwords and tried to pass the incident off as a "teachable moment." I've now implemented a new agency-wide security policy that all inter-agency email communications must be printed, and read aloud over the telephone to the recipient. Live and learn I say!
I wish that I could say it surprises me when I read things like this.
what a maroon!
He's director of the FBI and actually clicked a link in a 'bank email'.
Oh well, it's not like he's in a position to do anything about it: our banks suck because they're allowed to and it's the bank regulations that need to change - the FBI can't do jack.
It is kind of funny - the car warranty scammers calling a senator on the floor of the senate and now this - we don't do a damn thing unless someone in power is affected.
Bad, but could be worse
Pretty stupid. This is a guy who's out protecting us? T-riffic. OTOH, we could have the Thailand PM, whose maid defrauded him to the tune of around $30,000 with his bank card. How did she get his PIN? He wrote it on the back of his card.
A 'straight' (not gay or lesbian) story to redress the balance?
You fellow geek fucktards.
That felt wrong and it is wrong.
hmm.. I wonder.. an opportunity perhaps?
I don't suppose anyone has his email address to hand? You see he recently inherited $100 million from a relative he may not be aware of in Nigeria. Unfortunately, wouldn't you know it but there's a small issue with transferring the funds to a bank in the US, various fees that need to be met first. Anyway I'm sure he'd appreciate the good news, but he should be sure not to contact anyone else because he could end up getting scammed.
People in positions of power don't get there because of what they know, it's who they know.
Honestly, that's the kind of thing even my brother wouldn't fall for, and he's a truck driver!
@Anonymous John re: Robert Mueller?
I've gotten a few of those, too - you think he's gotten any? That'd be kinda funny... presumably he wouldn't fall for one of those!
Anyway, it's not TOO awful - he's the bureaucrat who sets policy for his department; it's not really his main area. If he were a CTO at a bank, it'd be REALLY bad - this is embarrassing, but not hypocritical, per se.
Funny recently I had an email from my bank
asking me to verify my details - I was very kind and replied - but used phising@<bank>. But I guess I don't spend all day just signing off paperwork for minions
If he did click on the link, I hope he hosed his system and rebuilt it because if his AV (if he had one installed) didn't pick up a drive-by virus then he's most likely got a nasty on his system.
If he didn't then I hope he doesn't mind his fellows at the FBI logging his porn website passwords.
Remember, don't drink and post, kids!
One time number pad
He may have changed the password, but if he had one of those one time number doohickys he wouldn't need to because each login would be different.
Every bank account I've ever had, has those keyfob things, or a printed sheet of one time numbers. Except for UK ones, never had one with UK bank accounts.
Good on him for admitting it
Although I got the feeling that he will soon regret being so forward in his communication. Telling people how you "almost" got caught by a phish is like telling people you had an uncontrolled bowel movement that made you run to the bathroom to clean up - it's embarrassing, not educative.
Of course I'm not worried about Mueller reading my email...
because this shows me that 'the US government has struck "a pretty good balance" between respecting civil liberties and stewarding national security' by being incompetent at both.
Dear Big Brother
A distant relative of yours recently died in a plane crash and...
"We know the game plan of our adversaries. They will keep twisting the doorknobs and picking the locks until they find a way in. But we must not let them in. We must change the locks. We must bar the doors. And we must sound the alarms when we notice anything out of the ordinary."
Yeah, stay at home, you loonie, bar the doors, shoot at anyone knocking at the door, never get out, die alone, paranoid and as stupid as one can ever be.
Is it really that difficult to do online banking with your password only in your brain, and no compulsive click on whatever shite comes into your mailbox?
Geez, I'm glad my security has nothing to do with the FBI. No way I stay in a country whose security is even remotely influenced by a moron told by his wife: "It is not my teachable moment. However, it is our money. No more internet banking for you!"
What a dork...
Almost falling for a scam like that, and admitting to it!
Is he a card-carrying member of the local 1D10T group?
I believe they don't use onetime pads or 'dohickeys' because they're too difficult for the average American to understand...
Of course, a lot of banks that DO use the 'dohickeys' implement the service incorrectly.
Usually, if it's the type where the code changes automatically, they define a 'bracketing' scheme, allowing the next or previous code to work instead of the 'correct' one (as defined by the server clock) to account for the cheap electronics, temperature variations and user fumbling.
Some banks set up a WIDE window, of maybe 5 or 7 allowed codes both ways.
This means that YOUR 'unique' code may be valid for 5 or 7 minutes (or more, if the clock in the dohickey is much off) where that one code is still valid and can be used to log in another session.
A GOOD bank setup is 1 or 2 minute brackets, then all transfers out of your accounts must be verified by a DIFFERENT code, and it must automatically disallow the code from being reused until the next time it cycles in naturally.
I know my bank follows the first two points. The third I haven't tested... yet...
@One time number pad
@AC - Are you joking???????
You mean, the UK banks don't have the 'one-time-pad' system???
(Climbs back on bar stool, after having apoplectic fit laughing)
Really?? Fuc*k me, I suppose the UK still uses cheques. Plus, "Three working days". If there is any work still over there.
Myst-all-chucking-frighty. Wish I could add multiple icons. Actually, one of a steaming dog-turd would get my vote. With a Union Flag sticking out of it.
@One time number pad
I use a UK Bank (as I'm UK Based) - I have a 1 time code generating thingy... I had to ask for it though!
Before I asked for the 1 timer thing I standardly had to enter parts of my whole password. (eg please enter the 1st 5th and 9th letters of your password).
@American to understand...
Nice yank bashing comment.
Why they don't offer it is 'cause it costs money.
I had to go through 3 pages of B of A web site before they allowed me to create a one time credit card number. Banks in the US don't make it easy.
@One time number pad
Indeed I only need a single username and password, a customer number and 2 pieces of memorable data to login to my bank account here in blighty. None of which is one time.
However in order to actually transfer any money, or make any payments I need a card reader and my bank card, and my bank card PIN so I am fairly happy that it is as secure as needs be.
Also, as long as I take reasonable care with my cards, passwords, PINs and computer then the bank will be liable to return any fraudulently removed money anyway. They might try to weasel out of it but they would have to cough up in the end.
What is the problem with cheques? I admit I only write a few each year but they are safer than sending cash and easier than setting up transfers.
The problem with cheques is that they are an utterly pathetic, primitive and backwards way of sending money that only continue to exist because of brain-dead semi-literates and companies who like to rob their customers of legitimate refunds. In most civilized countries they long since went the way of other historical relics like rotary-dial telephones, sash windows and black&white TV.
I honestly have not dealt with a single cheque in 3-4 years that has not come from some company hoping to benefit by erecting an inconvenience barrier to getting my own money back. Even my 68 year old mum can manage one-off money transfers - what's your excuse for continuing to inflict cheques on people?
"I believe they don't use onetime pads or 'dohickeys' because they're too difficult for the average American to understand..."
As an American, it's certainly difficult for me to understand why the average European is so arrogant.
"What is the problem with cheques? I admit I only write a few each year but they are safer than sending cash and easier than setting up transfers"
My ex. sometimes runs out of money. When she's in the city. She 'phones me up, and asks if I can lend her €20. Of course, I reply. We're good friends.
So then I access my 'puter - using the one-time bank codes, natch, and electronically mail her the 20 euros. Takes me a few seconds. I phone her and tell her "It's done" and she goes back to the ATM - 20 seconds later - and takes the cash out.
Beats the shit out of waiting for a postal strike to end....or cheques to clear.
(Lee - Feisty Wife hasn't arrived yet. Guess "she's in the post". Oh, yeah. Forgot. Stuck at Basildon's depot due to the strike, no doubt.)
These kinds of convenient, unverifiable personal anecdotes are, most often, not quite what one would call 'true'.
I've been banking online for at least 10 years, yet my bank does not have any of my several emails.
I wouldn't even give them an email that I never look at b/c it may lead to phishing for other people.