For many years banks and credit card vendors have accepted that there will be some amount of fraud and built those costs into the operational model. The thinking goes that if the loss is small enough then it isn’t worth pursuing, so they simply pass the cost on to the public through fee structures, such as returned check fees, ATM fees, and the differential between the rate at which they borrow money and the rate at which they lend it.
Perhaps this was a viable model before the internet gained popularity, but today it accounts for significant losses, perhaps in the billions of dollars if the polls are to be believed.
The lack of an aggressive stance against phishing means that banks are clearly not the enemy of the cyber criminal and facilitate their nefarious deeds.
The fact is that many financial institutions actively teach their customers to become victims through insanely ignorant worst practices. American Express sends a monthly statement with a link to your account. Financial institutions should not be sending links to pages that require a login… this is exactly what phishers do, and it reinforces unsafe cyber habits.
My own credit union, First Technology Credit Union, accepts complaints/feedback online, but when they reply they send a link that the customer must use to provide more information or comments. Granted, this link does not ask for logon information, but it also teaches customers to follow the same practices that lead to successful phishing attacks.
The Industrial Credit Union (http://icu.org) recommends: “If you receive an email from the IRS requesting information, we recommend you simply delete or ignore it.” But the IRS wants you to report those emails: http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1. The Marine Federal Credit Union offers advice similar to that misguidedly given by the Industrial Credit Union.
Recently the FDIC recommended that banks step up efforts to spot money mule related activity (http://www.wired.com/threatlevel/2009/10/money_mules/). A money mule is a person who is recruited to illegally transfer stolen money from the victim’s account to the criminal’s account. Many, perhaps even most, money mules do not know they are participating in an illegal activity until they also become a victim.
That the FDIC has to recommend this course of action shows how completely out of touch the financial services industry is with its responsibility to assist in online security.
Currently the banking and credit card industry is the educational and operations arm of cyber crime. It is long past time for banks, credit card companies, and credit unions to stop sending links in email and to step up to the plate when it comes to fighting cyber crime. Until the financial institutions stop teaching people to be phishing victims and start playing a proactive role in fighting cybercrime, they are funding cyber crime through apathetic and ignorant complicity, much as a misguided money mule does.
Director of Technical Education
Author ESET Research, ESET