
In another bout of wisdom, Bruce Schneier has written a piece on Wired on how banks should be held responsible for phishing. While this may at first sound ludicrous, after reading his arguments it makes a hell of a lot of sense:
The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names. The institutions make a lot of money because it’s easy to make a transaction, open an account, get a credit card and so on. For years I’ve written about how economic considerations affect security problems. They can put security countermeasures in place to prevent fraud, detect it quickly and allow victims to clear themselves. But all of that’s expensive. And it’s not worth it to them.
It’s not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress and hassle are entirely borne by the victims. And in one in four cases, the victims have not been able to completely restore their good name.
In economics, this is known as an externality: It’s an effect of a business decision that is not borne by the person or organization making the decision. Financial institutions have no incentive to reduce those costs of identity theft because they don’t bear them.
Push the responsibility — all of it — for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won’t be enough for him to commit fraud — because the companies won’t stand for all those losses.
Of course, all this is nothing new. Anyone who's read Schneier's books will know that he's been pushing for responsibility for a long time now.