On Mon, Dec 05, 2005 at 09:24:04AM +0000, Ian G wrote:
> [EMAIL PROTECTED] wrote:
> >it seems to me the question is how much liability do i expose myself to by
> >doing this, in return for what savings and convenience.
>
> That part I agree with, but this part:
>
> >i don't keep a lot of money in banks (why would anyone?) -- most of
> >the assets are in (e.g.) brokerage accounts. at most i'm exposing
> >a month of payroll check to an attacker briefly until it pays some
> >bill or is transferred to another asset account.
>
> George's story - watching my Ameritrade account get phished out in 3 minutes
> https://www.financialcryptography.com/mt/archives/000515.html
>
> Seems like a hopeful categorisation!
>
> iang

okay, i read this story from 7/2005 reporting an incident in 5/2005. the short form of it is:

the bad guys changed the associated bank account, then they placed orders to sell everything at market prices. at some point they changed the email address to a hotmail account (if they'd done this first he would have gotten less notice). for some unexplained reason he received confirmations of the trades at the old email address. actual cash didn't get transferred, at least because of the 3-day settlement time for the trades. the rest was dealing with law enforcement and customer service punes who wouldn't tell him anything for "privacy reasons".

well, i have lots of nit-picking questions, about the actual incident and about the general point.

about the actual incident: maybe his password was phished, maybe it was malware, maybe it was password reuse and some other account was phished. how was the bofa account (the fraudster's destination account) set up in these days of patriot act "know your customer"? (or was it someone's phished account also used just for transit?) why didn't they just do the wire transfer early, and leave him with a giant margin balance to be paid from the proceeds at settlement?

about the general point: the main thing online access changes (compared with phone access, or written instructions) is the velocity.
most sensible institutions provide "change of account status" notifications by both email and postal mail (to both the old and the new addresses). some sensible institutions put brakes on removing money from the system, certainly for new accounts and (as i recommend to my clients) after an account change reflecting identity or control.

aside from the time and energy drain of identity theft, what is the financial liability for consumers if your us-based brokerage account is phished, resulting in a fraudulent funds transfer? does anyone know if there is any uniform protection (such as reg e would cover for interbank funds transfers)? i insert the weasel-words "consumers" and "us-based" because of bofa's behavior in the joe lopez malware case, where they are trying to claim he is a business, not a consumer, and that they are without fault in wire transferring his funds to latvia.

slightly off-topic: remember abraham abdallah, the brooklyn busboy who assumed the identity of a large number of the fortune 200 richest? made goldman sachs "signature guaranteed" stamps and opened accounts in their number? had 800 fraudulent credit cards and 20000 blank cards when he was arrested? ("hey kids! collect 'em all!"). my point is only that this is possible without my participating. as jerry leichter reminded me, the fact that there are these facilities available means a bad guy can use them even if i do not, unless i can not only opt out but forbid anyone else from subsequently opting in, the moral equivalent of cutting your debit card in half and returning it to the bank (rather than just destroying the PIN).

even more off-topic: i'm surprised that the people on this list don't feel as if they have enough personal connections that at least they could figure out what happened to them at *some* financial institution. doesn't anyone else ask, as a basis for imputing trust, "exactly who did that {protocol, architecture, code} review?"
maybe i'm delusional, but i give fidelity some residual credit for having adam shostack there, even some years ago, and there are some firms i'd use because i've been there enough to see their level of care.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]