"Is Everything We Know About Password-Stealing Wrong?"
The next time your bank or credit-card company frantically calls and texts and e-mails you (all at the same time) to say it has noticed “suspicious activity” on your account — like buying gas in a ZIP code a bit poorer than your own — and says it has suspended your account “for your protection,” tell them to read this paper, by Dinei Florencio and Cormac Herley of Microsoft Research. A key passage:
We show that, in spite of appearances, password-stealing is a bad business proposition. … It is worth, at the outset, dispelling a widely-held misapprehension about password-stealing. Thieves certainly steal passwords, and money is certainly a large part of their motivation, but when they successfully extract money from financial accounts, individual consumers do not pay. In the U.S., Regulation E of the Federal Reserve limits consumer liability, in the event of fraud, to $50 (this is separate from the $50 limit for credit-card fraud, Regulation CC) and covers “any electronic transfer that is initiated through an electronic terminal, telephone, computer or magnetic tape.” In the U.S., banks, brokerages, and credit unions are governed by this regulation, and most go beyond it and offer a zero-liability policy to consumers.
(HT: Peter Baehr)