Saturday, April 01, 2006

fyi German Bank Fights Phishing With Electronic Signatures

All:

Found content: http://www.computerworld.com/securitytopics/security/story/0,10801,110054,00.html?source=NLT_SEC&nid=110054

My take:
Fight phishing with common sense, not electronic signatures on e-mails and websites….OK, use the latter as well, if you wish…but if you’re like me, you’ll:
  • Use online banking as little as possible….direct deposits for regular paychecks and direct debits for regular bill payments are totally automated…which eliminates most of the need to visit a physical or online bank
  • Believe no e-mail that purports to come from a financial institution, including those in which you have accounts…and doubt whether there might ever be legitimate circumstances under which a financial institution would ever send you an e-mail to notify you of some account-related event or anomaly….and tell all of your financial institutions in no uncertain terms that monthly statements and all other official communications must come from them via postal mail, printed at their expense, on their letterhead, and on a regular schedule, to your permanent street address.
  • Tell your legitimate financial institutions that, if there’s a serious event-driven issue concerning your account (e.g., overdraft), they will have to contact you via phone…so at least you have some evidence that somebody somewhere spent sufficient resources (to print and mail paper and/or to have a human being call and talk) to discuss something of critical importance to both them and you….even though scams also make use of the phone system on occasion.
Make the scammers really work if they want to separate you from your assets, through online or other approaches.

Asking you to periodically “verify” existing account information online is a crock. You verify it implicitly every day by going about your life as usual and noticing nothing out of the ordinary with your checking or brokerage accounts. Accept that you’re responsible for checking your statements every month, and that no legitimate institution will prompt you to exercise that responsibility. Banks don’t call to ask whether you’ve received and reviewed your printed monthly statements, or balanced your checkbook register…do they?

Asking you for your password so that they, the “institution” that supposedly manages that account, can manage it is also a crock. If their “employee” or “representative” doesn’t already have full access to your account information, that’s their problem, not yours. They’ll have to prove that they already hold sufficient information on you before you even begin to speak to them. If it seems like they know nothing about you, clam up. If they can’t even tell you your current mailing address for the purpose of verifying it over the phone, then they have never mailed you a paper statement, which means they have never actually established a real relationship with you, which means they’re a fraud. They don’t have the nucleus of an “identity system of records” on you, or can’t match the data in their iSoR against the equivalent data that only you possess. They’re obviously fishing/phishing for that data. Don’t give it to them…close your browser and/or hang up.

Asking you to verify an electronic signature on a financial institution’s e-mail or website strikes me as a bad idea. They're putting the burden on you, the customer, to verify the authenticity of the institution that purports to have sent you a message or operates a website that you’re visiting. You have to do all the work, per the referenced article: “Under the Postbank certification system, users can verify an e-mail by clicking a certification symbol, which, when opened, provides details about the signature. A warning symbol appears if any inconsistencies arise during the signature authentication process.”

When the customer has to do any work at all to verify an electronic signature, you can best believe that most customers will do nothing. Which means that there will still be plenty of scams that use electronic signatures to convey the illusion of legitimacy, that very few customers will actively “verify” these signatures, and that the few who do try will not know what to do with the information the signature system presents to them.

The more I stare at the following two statements from the article, the more they bother me:
  • “users can verify an e-mail by clicking a certification symbol, which, when opened, provides details about the signature.”
  • “a warning symbol appears if any inconsistencies arise during the signature authentication process”
What “details” are presented about the signature? Will it tell me that a certain “E_Trade” (scammer) that signed a message or webpage is not the same as the “E*TRADE Securities LLC” that actually manages my accounts? Would I pay attention even if it told me? Who actually keeps track of these typographic differences between alternate possible versions of these concocted corporate names anymore (Yahoo vs. Yahoo!...yeesh)?

What “inconsistencies” might arise during the signature authentication process that would make the recipient have second thoughts about trusting a message? Pharming thrives because people blithely ignore the discrepancies between an authentic financial institution’s URL and the one that appears in their browser (to which they may have been redirected by a virus planted on their PC). Might malware also hijack your PC’s electronic signature software and produce bogus “everything’s cool” messages that hide any “inconsistencies” in the signature verification process?
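To make the two preceding points concrete, here is an added example in Go. It is not code from the article, from Postbank, or from any signature product; it assumes Ed25519 signatures, a customer-side pinned “trust anchor” (expected signer name plus expected public key), and the constructed signer names “E*TRADE Securities LLC” and “E_Trade” as placeholders. It shows that a cryptographically valid signature only proves the message was signed by the key that came with it, that a look-alike name with its own key verifies just as cleanly, that even an exact copy of the real name verifies if the key is the scammer’s, and that only comparing name and key against something the customer already trusts separates them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail is a constructed stand-in for a signed e-mail: the signer's
// display name (what a "certification symbol" would show), the signer's
// public key shipped with the mail, the body, and the signature.
type SignedMail struct {
	SignerName string
	PublicKey  ed25519.PublicKey
	Body       []byte
	Signature  []byte
}

// TrustAnchor is the name and key the customer expects from the real
// institution.  Assumed for this example; the article describes no such
// customer-side pinning.
type TrustAnchor struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// sign produces a SignedMail for body under priv, labelled with name.
func sign(name string, priv ed25519.PrivateKey, body string) SignedMail {
	return SignedMail{
		SignerName: name,
		PublicKey:  priv.Public().(ed25519.PublicKey),
		Body:       []byte(body),
		Signature:  ed25519.Sign(priv, []byte(body)),
	}
}

// SignatureValid answers only "was this body signed by the key that came
// with the mail?"  It says nothing about who controls that key.
func SignatureValid(m SignedMail) bool {
	return ed25519.Verify(m.PublicKey, m.Body, m.Signature)
}

// FromTrustedSender is the check the customer actually needs: the
// signature verifies AND the signer's name and key match the pinned anchor.
func FromTrustedSender(m SignedMail, anchor TrustAnchor) bool {
	if !SignatureValid(m) {
		return false
	}
	return m.SignerName == anchor.Name && m.PublicKey.Equal(anchor.PublicKey)
}

// Results records, for each constructed mail, whether the bare signature
// verifies and whether the pinned sender check passes.
type Results struct {
	LegitValid, LegitTrusted         bool // real name, real key
	LookalikeValid, LookalikeTrusted bool // "E_Trade", scammer key
	SameNameValid, SameNameTrusted   bool // real name copied, scammer key
	TamperedValid                    bool // real mail with altered body
}

// Scenario builds a legitimate signer and a scammer with their own key,
// then runs the four cases.  Names and bodies are constructed examples.
func Scenario() Results {
	legitPub, legitPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, scamPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	anchor := TrustAnchor{Name: "E*TRADE Securities LLC", PublicKey: legitPub}

	legit := sign("E*TRADE Securities LLC", legitPriv, "Your monthly statement is ready.")
	lookalike := sign("E_Trade", scamPriv, "Please verify your password online today.")
	sameName := sign("E*TRADE Securities LLC", scamPriv, "Please verify your password online today.")

	// A modified body under the real signature is the one "inconsistency"
	// a signature check reliably reports.
	tampered := legit
	tampered.Body = []byte("Your monthly statement is ready. Log in at the link below.")

	return Results{
		LegitValid: SignatureValid(legit), LegitTrusted: FromTrustedSender(legit, anchor),
		LookalikeValid: SignatureValid(lookalike), LookalikeTrusted: FromTrustedSender(lookalike, anchor),
		SameNameValid: SignatureValid(sameName), SameNameTrusted: FromTrustedSender(sameName, anchor),
		TamperedValid: SignatureValid(tampered),
	}
}

func main() {
	r := Scenario()
	fmt.Printf("legit:     valid=%v trusted=%v\n", r.LegitValid, r.LegitTrusted)
	fmt.Printf("lookalike: valid=%v trusted=%v\n", r.LookalikeValid, r.LookalikeTrusted)
	fmt.Printf("same name: valid=%v trusted=%v\n", r.SameNameValid, r.SameNameTrusted)
	fmt.Printf("tampered:  valid=%v\n", r.TamperedValid)
}
```

The point the example makes is that the “details about the signature” a customer is asked to click through are only useful if the customer has something trustworthy to compare them against, and that comparison (name and key, not just “signature OK”) is exactly the work most customers will never do.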

So, in summary: Paper is safer. Letterhead is a better bet. When an institution commits ink to pulp and regularly sends it out, it shows that it holds your master account data. That it’s working hard to hold your confidence and continued patronage. That it isn’t waiting for technologists and lawyers to get the kinks out of electronic signatures.

Jim