"Is Everything We Know About Password-Stealing Wrong?"

The next time your bank or credit-card company frantically calls and texts and e-mails you (all at the same time) to say it has noticed “suspicious activity” on your account — like buying gas in a ZIP code a bit poorer than your own — and says it has suspended your account “for your protection,” tell them to read this paper, by Dinei Florencio and Cormac Herley of Microsoft Research. A key passage:

We show that, in spite of appearances, password-stealing is a bad business proposition. … It is worth, at the outset, dispelling a widely-held misapprehension about password-stealing. Thieves certainly steal passwords, and money is certainly a large part of their motivation, but when they successfully extract money from financial accounts individual consumers do not pay. In the U.S., Regulation E of the Federal Reserve limits consumer liability, in the event of fraud, to $50 (this is separate from the $50 limit for credit-card fraud, Regulation CC) and covers “any electronic transfer that is initiated through an electronic terminal, telephone, computer or magnetic tape.” In the U.S. banks, brokerages, and credit unions are governed by this regulation and most go beyond it and offer a zero liability policy to consumers.

(HT: Peter Baehr)


While it's absolutely true that I won't bear the liability, my bank will. And if my bank pays, they don't just eat the loss. Any losses on their part are passed along to me as the customer. So in a way it is "for my protection."


How, exactly, is the cost passed on to you? Higher fees? Lower interest? Does your bank raise some fee every time it is defrauded?
Banks operate in a competitive market; they’re already charging the maximum fees and minimum interest rate they believe will be the most profitable. If they take a hit for fraud, all they can do is eat it.
It may be that at a lower equilibrium of fraud, bank fees would be lower across the board. But, at most, the cost of one case of fraud is diffused throughout the entire banking system, so the cost “passed back to you” of you getting defrauded would be immeasurably small.


I have a bit of a problem seeing how I don't pay for a fraudulent charge on my credit card. Maybe I don't pay the full amount of the loss, but $50 is still more than zero. Then too, I don't micromanage my card accounts, so transactions for reasonable amounts would simply go unnoticed - and if I did notice, I would be out the time & aggravation spent dealing with the problem.

Amy Frushour Kelly

Good point, for this specific instance. However, as the paper points out, the authors are only interested in banking passwords, not consumer or social media passwords. Consider what would happen if someone stole the password to your Amazon or iTunes account. Your associated financial accounts can easily be drained via consumer means. A malicious person with access to a victim's Facebook or Twitter account could wreak havoc on the victim's personal life. (See http://www.wired.com/gadgetlab/2012/08/ask-mat-honan-about-hack/ for the story of how malicious hackers destroyed a WIRED reporter's online life in minutes.)

Regarding Regulation E: the victim may be responsible for only $50, but the lost money has to be covered while it is being recovered. Tracking the thieves costs the feds and the banks significant time, effort, and money. And this translates into higher fees and taxes for consumers later on.

The stealing of financial passwords is still dangerous. The danger is simply less immediate for the consumer. (IMHO!)



I think the point of the paper is to right-size the perception of risk exacerbated by the recent "cyber-attacks" on passwords. To a certain degree, I do believe that the monetary value of "hacked" passwords has been inflated - and this article reminds us that, as users, these laws reduce our overall risk.

And you are correct about Regulation E - it is designed to shift the incentive of securing the system to the banks instead of the users. Just look at the comments on this post from non-US folks whose governments tilt the risk to users themselves: the banks have rigged it so that they can't even complain about bad transactions past 60 days. Do these banks have any incentives to ensure that their systems are secure? It's all your fault that your password wasn't complex enough to secure your account - sorry.

Seminymous Coward

If you mean the comments from Eric and myself, we both live in the USA.

Speaking only for my own case, I'm pretty confident the bank knew the law and was either in technical compliance with it or simply betting that we wouldn't bring a lawsuit over the ~$30 involved. A quick search claims there's a 90-day detection window on the customer side for this particular kind of fraud. Astonishingly, it was even worse before; up through mid-2006, the liability was on the drafted bank and not the depositing one.

Also, the fraud involved was not dependent on passwords. It was dependent on the terribly lax standards for demand drafts, whereby a routing number and an account number were enough to pull money on the word of the recipient that they had authority. How's that for a secure system?


I once was blocked from making a purchase due to failing a "Verified by Visa" security check. The main credit card holder was my fiancee but I was also on the account. To pass the security check, I needed the last 4 digits of her SS, which I didn't have at the time. When I called, they gave me that same line, "This is for your protection" to which I angrily refuted, "I have zero liability for any fraudulent charges. So this isn't for _my_ protection, it's for YOURS!" I simply wanted them to just admit it, since I would have to wait until my fiancee got home to complete the transaction. They did not.


I'm not sure what we're supposed to do with this information, exactly. Suspicious credit card activity seems like it would only occasionally be related to password stealing and would more likely be related to lost cards or card skimming (which are also covered by liability limits). And, even with liability limits, it's not exactly convenient to have your account drained.


I understand that it's the title of the paper that is excerpted in the article, but the article title is kind of misleading and makes the rest of the article confusing.


The banks are getting absolutely ridiculous with this... Bank of America suspended my credit card while I was vacationing in Thailand, after I specifically notified them to put a travel note on my account. When I called them their solution was "should receive a new card in 5-7 business days" for my home address.

Eric M. Jones

I was defrauded of $2000 by my bank (Southbridge Savings Bank), who wired the contents of my checking account to some terrorist in the UK via Western Union. Reporting this to the cops did nothing. The bank says they don't owe me anything because the theft passed their 60-day rule. Sorry.

I was mostly blind during this time due to eye surgery.

So what does a person do when surrounded by corrupt banks and cops? I'm still planning to march in front of the bank with a sandwich board when I find the time.

Seminymous Coward

My then-fiancée had something like $6 taken out of her account each month for a few months. Her bank refused to refund all but the most recent chunk of the money they let a random business account demand-draft from her account, evidently without documentation. The account in question belonged to a "business" that solely executes such fraudulent drafts; it was widely identified as such on scam alert sites. Even after being told this, the bank also flat-out stated that they would honor any future demand drafts from that same fraudulent account. At least it made the decision of which bank to keep when we unified our accounts easier.


That sounds like a great business plan then, since banks do not care how scammy the withdrawing entity is.


As another commenter noted, the biggest issue I have with bank security "theater" is that it doesn't use common sense.

For example... I live in Seattle... my account is based in San Francisco (where I grew up), since it was opened when I was 18, and there is no benefit to me (and a great deal of hassle) to officially move it to Seattle.

Yet when I travel to the Bay Area, I have on occasion had charges denied based on some computer algorithm's belief that they were fraudulent.

And in another case I had my credit card suspended while travelling abroad despite putting a travel notice on the account and having used said credit card to purchase the airplane to the country in which I was travelling.

Security is useful, as long as it doesn't interfere with the legitimate use of the card....