Half the victims of phishing emails respond to fraudulent emails within an hour of the receipt of scam messages, according to a study by transaction security firm Trusteer. Within five hours, more than 80 per cent of the total pool of potential victims have responded, a figure that rises to 90 per cent after the first 10 …
makes sense really
if you're stupid enough to fall for one of these schemes then you're likely not smart enough to spend an hour contemplating whether it's legit or not.
Using my average intelligence, what I do is not get scammed in the first place.
This is an easy fail. Watch me explain.
Because you don't type your bank details into your bank's website. You'd type them into a website where you were buying something (Amazon for example).
Since there are lots of websites where you could potentially enter your card legitimately, this solution would not work.
Hang on, he might be on to something...
"Since there are lots of websites where you could potentially enter your card legitimately, this solution would not work."
That's a good point, but those sites are likely to be using SSL. So writing a program that prompts a user who's about to enter bank card info on a non-secure page might be a good first step.
Yes, browsers show a padlock, which a surprising number of average users have no idea how to decipher. I have met an extraordinary number of users who can't distinguish between a padlock shown inside a page and one in the window chrome, for instance. A fraud artist puts a GIF of a padlock in the corner of a Web site and a lot of average users say "See? It's secure, there's a padlock right there!"
Actually, the killer fix would be for banking institutions to produce a native client app for Windoze / Mac / iPad, whatever, and only allow you to login to their services using the app.
The app would be hardwired to an SSL webservice on a specific domain. It may even use $browser's rendering engine to render pages fetched to the native client via the webservice. Importantly, there would be NO browser based alternate login.
Said bank then advises clients that if they are invited to login to a web site, they should NEVER do so. They should always use their native client.
For added convenience, the client may also hash some of their login details for instant recall, so they only need to use a simple username and password combo which ONLY WORKS ON THEIR INSTALLATION to login. Hence keyloggers also become useless.
Also, thinking about it
If the banks shipped this client on a USB stick, this would also protect users from downloading trojanised versions of the client from dodgy phishing sites as well.
It would also allow the customer to use the client on any machine.
So rather than having to have one of those daft little keyring login key generators, or card chip reader, you would have a little USB stick, which when plugged into a machine and provided with your login details, allows you to login to your bank account.
Maybe it could even be based on a bootable mini linux VM, to protect it from any other malware on your host machine?
@This is an Easy fix. Watch me Work.
First Direct suggested I installed a tool like this ... it basically detects when I type my FD username into a login prompt on other websites and if so pops up a "did you really mean to do this - are you sure this site isn't spoofing the FD site" (well something along those lines) ... and it's ****** annoying as I tend to use the same username on many different sites - it's the passwords that I change!
The latter part of this article read like an advert for this utter crapware. As an independent IT consultant I regularly service hundreds of PCs, and when a person reports broken or sluggish browsing, this is the first thing I now look for following the usual malware (well, I class this as malware these days). In all cases where browsing was still broken or horribly slow, after malware removal, ripping out this rubbish fixes the problem.
The scary thing is, after looking into this company and its products and methods from a position of complete ignorance a couple of years ago, I now believe the entire banking industry is moving inexorably toward mandatory takeup of this failtastic application. Indeed, I have one client whose banker, name withheld, threatened to remove banking services following an ID theft incident where several thousand pounds were siphoned from his account, unless he installed Crapport.
Just reading the outrageous claims for this product is a revelation. Did you know that even a machine riddled with malware is 100% safe to perform online banking with, as long as you have TR installed? I kid you not. And apparently the secure tunnel it provides between client PC and bank is as rugged as the Rock of Gibraltar! Except that without much skill in advanced hacking I am easily able to knock out the core TR engine with a simple script (does need a reboot after to complete the process but that will happen the next time the hapless owner switches their machine off).
Be afraid, very afraid.
then there is the inside job
in retail most theft is from employees...why should this be different in banking. I guess you saw the latest where internals helped load DNS proxy trojans (not a new assault just a surprising vector) onto customers' machines to steal their OTP or TANs.
Just delay, at the SMTP level, all email for stupid people for 12 hours.
Just like ...
cleaning up baby poo
clearing away fresh snow fall
The quicker its done the easier it is to do?
Uhh, not so much...
Generally, it is as easy to take down a phishing site 3 days later as it is 3 minutes. And it is generally just as -useful- to clear snow away 10 hours after it's snowed as it is to clear it away 10 minutes after it's snowed.
In addition, I can say as a father that it is *most definitely* relevant to clean baby poo, even - or particularly - if five hours have already gone by.
There's always a market
I've been offered TR by my bank and thought I'd give it a whirl. TR doesn't work with Firefox 3.6.
That seems to be a well thought out security product then!
The answer is...
Working in IT Security I believe the only way to avoid the complex Zeus Trojans and the like (until it changes) is to use Linux or, as much as it pains me to say, a Mac.