Don’t Take This Bait (but You’re Safe if You Do)
By RANDALL STROSS
Published: November 28, 2009
THE e-mail message from the bank looks real. It isn’t.
Law enforcement agencies that oversee computer security are well versed in the many permutations of “phishing,” the scam in which fraudsters try to lure people to a counterfeit replica of their bank’s Web site, for example, and have them part with their user names and passwords.
But even the professionally wary can be gulled — or close to it. Just ask Robert S. Mueller III, the director of the Federal Bureau of Investigation.
Mr. Mueller recently received an e-mail message that seemed to be from his bank. He clicked on the link and began to follow the instructions to “verify” his account information. Before completing the procedure, however, he realized that he had been led to a counterfeit site — so he left.
It’s the aftermath that is of most interest. After Mr. Mueller told his wife about his close call, he said she drew this conclusion from the experience: simply having online access to bank accounts is unacceptably risky.
“No more Internet banking for you,” she told him.
The F.B.I. director related the story in a speech to the Commonwealth Club of California in October. “Too little attention has been paid to cyber threats — and their consequences,” Mr. Mueller said that day.
He offered his own experience as a cautionary tale from “someone who spends a good deal of his professional life warning others about the perils of cybercrime,” yet who still came close to falling for a scam and “barely caught himself in time.” (The story ends there, and an F.B.I. spokesman for Mr. Mueller declined my interview request.)
An audience of civilians would naturally wonder, “What chance do we have of keeping our pockets from being picked?”
I’m not convinced, however, that online banking carries the high risk that Mr. Mueller implies. I know that as ordinary computer users, we are offered unlimited bait from phishers. But I’m not particularly worried: I’m not on the hook for losses from fraud — my bank is.
I could not find any online financial service — and I checked brokerage firms as well as banks — that stops short of promising to make a victimized customer whole.
Mr. Mueller, encouraging his audience to invest in “cybersecurity,” raised a terrifying specter when he spoke of guarding “against losing everything.” But how could I suffer “losing everything” at the hands of online criminals when my bank has this policy posted on its Web site: “We guarantee that you will be covered for 100 percent of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven’t authorized removes those funds through our Online Services.”
“Zero liability is now an industry standard,” said Doug Johnson, vice president for risk management at the American Bankers Association. Restitution is full, and customers do not even have the $50 of exposure that credit card holders risk from unauthorized use of their cards.
Banks, online brokerage firms and payment sites like PayPal, exposed as they all are, would like for us to use more sophisticated security than a password to protect our accounts. One way to combat the phishing threat is to require that online customers supply a second piece of information when they log in, a one-time-only numeric code that is either generated by a little gizmo built for this purpose or is sent to the customer’s cellphone.
Your password is “something you know,” as security experts describe it, and the temporary security code is “something you have” — and something that a phishing fraudster would not. Requiring two dissimilar things is the essence of “two-factor authentication.”
Such a system isn’t perfect: a phishing site that captures the one-time code and relays it to the real bank within the code’s short validity window can still get in. Even so, one can see why financial institutions would like to have a better lock installed on their front door. These institutions must proceed cautiously, however, lest they scare customers into abandoning online banking. At the moment, banks seem to be offering the security key system principally to customers with business accounts.
Teddy De Rivera, executive vice president in the Internet services group at Wells Fargo, said his bank would roll out its security key system more broadly over the next two years. Wells Fargo plans to require a code not every time a customer logs in, but only when its software detects a suspicious “high-risk transaction.” His group had collected feedback from customers who made clear that they “don’t want to have to use it every time,” he said.
I signed up to try PayPal’s security key system, available to its users on request. Every time I log in, I receive a six-digit code in a text message sent to my phone. It’s easy to type in, but it adds an extra step.
When I asked Michael Vergara, director of risk management at PayPal, whether he recommended that all PayPal customers adopt the security key system, he said, “If I spend a lot of time going to shadier areas of the Internet, yes.”
“But if you’re talking about my mom, who visits three sites, having an extra level of security when she comes to PayPal is not going to improve her experience,” he added.
I don’t know whether Mr. Mueller at the F.B.I. has persuaded his wife to lift the household ban on online banking. If he hasn’t, he should deploy the two words that have the magical power to put the most anxious online bank customer at ease:
Zero liability.
Randall Stross is an author based in Silicon Valley and a professor of business at San Jose State University. E-mail: stross@nytimes.com.