“Is Everything We Know About Password-Stealing Wrong?”

The next time your bank or credit-card company frantically calls and texts and e-mails you (all at the same time) to say it has noticed “suspicious activity” on your account — like buying gas in a ZIP code a bit poorer than your own — and says it has suspended your account “for your protection,” tell them to read this paper, by Dinei Florencio and Cormac Herley of Microsoft Research. A key passage:

We show that, in spite of appearances, password-stealing is a bad business proposition. … It is worth, at the outset, dispelling a widely-held misapprehension about password-stealing. Thieves certainly steal passwords, and money is certainly a large part of their motivation, but when they successfully extract money from financial accounts individual consumers do not pay. In the U.S., Regulation E of the Federal Reserve limits consumer liability, in the event of fraud, to $50 (this is separate from the $50 limit for credit-card fraud, Regulation CC) and covers “any electronic transfer that is initiated through an electronic terminal, telephone, computer or magnetic tape.” In the U.S. banks, brokerages, and credit unions are governed by this regulation and most go beyond it and offer a zero liability policy to consumers.

(HT: Peter Baehr)

  1. Ryan says:

    While it’s absolutely true that I won’t bear the liability, my bank will. And if my bank pays, they don’t just eat the loss. Any losses on their part are passed along to me as the customer. So in a way it is “for my protection.”

    • Clancy says:

      How, exactly, is the cost passed on to you? Higher fees? Lower interest? Does your bank raise some fee every time it is defrauded?
      Banks operate in a competitive market; they’re already charging the maximum fees and minimum interest rate they believe will be the most profitable. If they take a hit for fraud, all they can do is eat it.
      It may be that at a lower equilibrium of fraud, bank fees would be lower across the board. But, at most, the cost of one case of fraud is diffused throughout the entire banking system, so the cost “passed back to you” of you getting defrauded would be immeasurably small.

      • James says:

        I have a bit of a problem seeing how I don’t pay for a fraudulent charge on my credit card. Maybe I don’t pay the full amount of the loss, but $50 is still more than zero. Then too, I don’t micromanage my card accounts, so transactions for reasonable amounts would simply go unnoticed – and if I did notice, I would be out the time & aggravation spent dealing with the problem.

    • Seminymous Coward says:

      The traditional phrase to accompany such ludicrous rationalizations is “from a certain point of view” not “in a way,” Obi-Wan.

    • Joe says:

      Banks can mitigate their losses by designing better security systems – that’s the point of this law. If it didn’t exist – as in the UK, where users are forced to bear the liability for poorly designed security systems – then the banks have no incentive to secure their systems. If a better secured system mitigates these risks, then the losses (incurred by the bank and you) should be dampened as well.

      So, go ahead and take away those quotes around “my protection”. Everyone benefits from better secured systems – not just you.

  2. Amy Frushour Kelly says:

    Good point, for this specific instance. However, as the paper points out, the authors are only interested in banking passwords, not consumer or social media passwords. Consider what would happen if someone stole the password to your Amazon or iTunes account. Your associated financial accounts can easily be drained via consumer means. A malicious person with access to a victim’s Facebook or Twitter account could wreak havoc on the victim’s personal life. (See http://www.wired.com/gadgetlab/2012/08/ask-mat-honan-about-hack/ for the story of how malicious hackers destroyed a WIRED reporter’s online life in minutes.)

    Regarding Regulation E: the victim may be responsible for only $50, but the lost money has to be covered while it is being recovered. Tracking the thieves costs the feds and the banks significant time, effort, and money. And this translates into higher fees and taxes for consumers later on.

    The stealing of financial passwords is still dangerous. The danger is simply less immediate for the consumer. (IMHO!)

    • Joe says:

      I think the point of the paper is to right-size the perception of risk exacerbated by the recent “cyber-attacks” on passwords. To a certain degree, I do believe that the monetary value of “hacked” passwords has been inflated – and this article reminds us that, as users, these laws reduce our overall risk.

      And you are correct about Regulation E – it is designed to shift the incentive of securing the system to the banks instead of the users. Just look at the comments on this post from non-US folks whose governments tilt the risk to users themselves: the banks have rigged it so that they can’t even complain about bad transactions past 60 days. Do these banks have any incentives to ensure that their systems are secure? It’s all your fault that your password wasn’t complex enough to secure your account – sorry.

      • Seminymous Coward says:

        If you mean the comments from Eric and myself, we both live in the USA.

        Speaking only for my own case, I’m pretty confident the bank knew the law and was either in technical compliance with it or simply betting that we wouldn’t bring a lawsuit over the ~$30 involved. A quick search claims there’s a 90-day detection window on the customer side for this particular kind of fraud. Astonishingly, it was even worse before; up through mid-2006, the liability was on the drafted bank and not the depositing one.

        Also, the fraud involved was not dependent on passwords. It was dependent on the terribly lax standards for demand drafts, whereby a routing number and an account number were enough to pull money on the word of the recipient that they had authority. How’s that for a secure system?

  3. Dave says:

    I once was blocked from making a purchase due to failing a “Verified by Visa” security check. The main credit card holder was my fiancee but I was also on the account. To pass the security check, I needed the last 4 digits of her SS, which I didn’t have at the time. When I called, they gave me that same line, “This is for your protection” to which I angrily refuted, “I have zero liability for any fraudulent charges. So this isn’t for _my_ protection, it’s for YOURS!” I simply wanted them to just admit it, since I would have to wait until my fiancee got home to complete the transaction. They did not.

  4. Tony says:

    I’m not sure what we’re supposed to do with this information, exactly. Suspicious credit card activity seems like it would only occasionally be related to password stealing and would more likely be related to lost cards or card skimming (which are also covered by liability limits). And, even with liability limits, it’s not exactly convenient to have your account drained.

  5. Jamie says:

    I understand that it’s the title of the paper that is excerpted in the article, but the article title is kind of misleading and makes the rest of the article confusing.

  6. YX says:

    The banks are getting absolutely ridiculous with this… Bank of America suspended my credit card while I was vacationing in Thailand, after I specifically notified them to put a travel note on my account. When I called them their solution was “should receive a new card in 5-7 business days” for my home address.

  7. Eric M. Jones says:

    I was defrauded of $2000 by my bank (Southbridge Savings Bank), who wired the contents of my checking account to some terrorist in the UK via Western Union. Reporting this to the cops did nothing. The bank says they don’t owe me anything because the theft passed their 60-day rule. Sorry.

    I was mostly blind during this time due to eye surgery.

    So what does a person do when surrounded by corrupt banks and cops? I’m still planning to march in front of the bank with a sandwich board when I find the time.

    • Seminymous Coward says:

      My then-fiance had something like $6 taken out of her account each month for a few months. Her bank refused to refund all but the most recent chunk of the money they let a random business account demand-draft from her account, evidently without documentation. The account in question belonged to a “business” that solely executes such fraudulent drafts; it was widely identified as such on scam alert sites. Even after being told this, the bank also flat-out stated that they would honor any future demand drafts from that same fraudulent account. At least it made the decision of which bank to keep when we unified our accounts easier.

      • econobiker says:

        That sounds like a great business plan then, since banks do not care how scammy the withdrawing entity is.

    • Tung Bo says:

      If this is the one situated in Massachusetts, it looks like a state chartered bank. You can go here to file a complaint with the MA Bank regulator:

      Similarly, you might be able to file a complaint with CFPB.
      Even if the legal time limits had expired, the regulators might persuade the bank to negotiate with you to come to some settlement.
      No guarantees. But nothing ventured, nothing gained.

    • Joe says:

      The paper discusses a US security control mandated federally – and your particular experience is a very good reason why other governments should force their banks to do the same. One of the major takeaways from this paper is that govt controls like this effectively move the burden of securing individual accounts from the user to the bank. It shifts the incentives for applying more security to the system from users (who can only work within the constraints imposed by the system, i.e. stronger passwords) to the banks, who have responsibility in designing the security of these systems (e.g., the use of predictive systems monitoring “anomalous” activity).

      UK citizenry should make the govt pass laws like this – in your particular experience, you would have lost only $50 instead of $2000. And if the incentive had been shifted previously, Southbridge may have proactively designed security controls that may have thwarted such a withdrawal in the first place.

  8. mfw13 says:

    As another commenter noted, the biggest issue I have with bank security “theater” is that it doesn’t use common sense.

    For example… I live in Seattle… my account is based in San Francisco (where I grew up), since it was opened when I was 18, and there is no benefit to me (and a great deal of hassle) to officially move it to Seattle.

    Yet when I travel to the Bay Area, I have on occasion had charges denied based on some computer algorithm’s belief that they were fraudulent.

    And in another case I had my credit card suspended while travelling abroad despite putting a travel notice on the account and having used said credit card to purchase the airplane to the country in which I was travelling.

    Security is useful, as long as it doesn’t interfere with the legitimate use of the card….
