
3.2 Billion Dollars Lost to Phishing in 2007

Soulskill posted more than 6 years ago | from the hello-sir-madam-from-nigeria dept.

Security 112

mrneutron2003 brings us FastSilicon's summary of a Gartner survey which found that 3.2 billion dollars were lost in 2007 to phishing scams. "Gartner's latest survey into the realm of phishing attacks paints a rather bleak picture for 2007, with a record estimated loss of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall loss per incident fell (to $886 from $1,244 lost on average in 2006) but the numbers of individuals who fell victim rose quite sharply from 2.3 Million in 2006 to a staggering 3.6 Million. Though online portals Paypal and eBay remained the most spoofed brands, it appears phishers are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their attacks on consumers. Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley."


debit card protection (1)

BigHungryJoe (737554) | more than 6 years ago | (#21752048)

But my bank protects my money, right?

For years, I couldn't get a credit card because my credit was terrible, so I had no choice but to sign up for internet porn using my debit card (what else was I supposed to do? go without?)

So, I figure that my debit card # is sitting in a few forgotten databases around the internet. I'm not worried though, because ultimately, my BANK is liable, not me.

Re:debit card protection (1)

Apple Acolyte (517892) | more than 6 years ago | (#21752098)

There's less protection for debit cards than credit cards. I think that with debit cards they may make you jump through more hoops before restoring your lost funds. So I'd change your pin.

Re:debit card protection (2, Informative)

CastrTroy (595695) | more than 6 years ago | (#21752218)

That all depends on your bank. I got my debit card duplicated and somebody took $500 out of my account. The bank called me up before I even noticed the money was missing. They asked if I made the charge. I said I didn't, and the money was back in my account within 5 days. I had to go down to my local branch and pick up a new debit card, but there was very little trouble on my part. Just as a reference, my bank is TD Canada Trust [tdcanadatrust.com].

Re:debit card protection (3, Interesting)

Billosaur (927319) | more than 6 years ago | (#21752648)

I'm surprised that more banks don't make you retrieve credit/debit cards at local branches. Lots of cameras to help verify who you are. I know that when I want to change my PIN, I have to go to a WAMU branch to do it, whereas I can remember doing it online just a few years ago.

Re:debit card protection (4, Informative)

dada21 (163177) | more than 6 years ago | (#21752136)

Get yourself a disposable credit "debit" card from any discount store (Wal*Greens, etc). GreenDot is very popular with the black market types. You can even use it on gambling sites, supposedly.

The best part of the disposable cards is that you can cap the spending without fees. If you're buying something for $500, put $500 on it, and don't refill it. A few times a year they have deals where the cards are free as is the first deposit, so pick up a few grand worth of them at various levels and you're set.

From what I know of the people who use them a lot (google Rosemont, Illinois), they're also a great way to exchange money without anyone tracking it. Just what I've heard, though.

Re:debit card protection (1)

0100010001010011 (652467) | more than 6 years ago | (#21752148)

Sure, send me your Debit card and let's see how liable you are.

The "Best" part about a Debit card is you can only spend what you have. Keep $100 in the account and refresh it daily. But if that $100 gets out, it's gone.

Re:debit card protection (1)

Vexor (947598) | more than 6 years ago | (#21753288)

Actually through Wells Fargo if you have direct deposit you can get an advance at any ATM. So they can take more than what you have.

You pay for internet porn??? (3, Funny)

brunes69 (86786) | more than 6 years ago | (#21752444)

Anyone dumb enough to pay for something that is abundantly free deserves whatever they get.

On another note I have an abundant supply of di-hydrogen monoxide I am looking to sell. It is extremely useful for many applications. Regularly priced at up to $4.00 / litre, I am willing to part with it for only $0.50 / litre. Msg me for details!

Well... Maybe (1)

Sycraft-fu (314770) | more than 6 years ago | (#21752856)

A debit card is more dangerous because it isn't clear cut. Credit cards, the liability limits are very clear. More or less, because it isn't actually your money involved (you are being loaned the money by the bank) you are liable for anything. With a debit card you can be. It is more discretionary to the bank. With a credit card, you stop a transaction and that's it, it's done. The merchant basically has to take you to court if they want to get their money, which they won't do if they are a fraudster of course. However with a debit card the money has actually been taken from you. The bank can choose to return the money to you, and often will, however they don't have to in various situations.

So there is more risk. It is more up to your bank with a debit card, whereas they just don't have much choice with a credit card. In the case of a credit card, you are disputing that you owe them money, and they really don't have any ability to take it from you. In the case of a debit card, the money has already been taken, and you are asking for it back.

Re:debit card protection (1)

toddabalsley (1163625) | more than 6 years ago | (#21753524)

If the debit card has a Visa or MasterCard logo, you should be protected past $50 (I think). Getting your money back is going to be a major pain, but you are protected.

That said, you should find a better option than your primary checking account for online purchases.

It has been a while since I worked in banking, but the nice people at the major credit card companies have a lot of sway over the practices of the people using their networks.

Solution (1)

Apple Acolyte (517892) | more than 6 years ago | (#21752056)

We can just phish the phishers and get a lot of money back!

Re:Solution (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21752100)

You could use this phish script I wrote [http]

Hoax (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21752060)

This article is a HOAX [tinyurl.com]

Re:Hoax (1)

trolltalk.com (1108067) | more than 6 years ago | (#21752398)

The above link is a hoax - it's some guy spamming to get traffic to his site, and has nothing to do with the article whatsoever.

Re:Hoax (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21752552)

If you read TFA then you would know this is a hoax [tinyurl.com]

Re:Hoax (1, Informative)

Anonymous Coward | more than 6 years ago | (#21753276)

for anyone else that's fed up of this guy - this greasemonkey script [blogspot.com] shows the actual tinyurl destination in the tooltip when you hover over it.

and if you don't want to run greasemonkey directly - convert it into a standalone firefox extension [arantius.com]

This was already covered on Ultra-Slashdot (4, Funny)

Nova Express (100383) | more than 6 years ago | (#21752072)

Really, all this has been covered on Ultra-Slashdot in much greater detail.

Oh, and those of you who don't have Ultra-Slashdot, just send me your e-mail address, your Slashdot password, and your credit card number (just for verification), and I'll be sure to enable it for you...

Re:This was already covered on Ultra-Slashdot (0)

Anonymous Coward | more than 6 years ago | (#21752430)

i.am@dumb.ass
N0b0dyW1llGue55Th15!oneone!11One!1
1234567890123456

Re:This was already covered on Ultra-Slashdot (5, Informative)

russ1337 (938915) | more than 6 years ago | (#21752440)

Really, all this has been covered on Ultra-Slashdot in much greater detail.

Oh, and those of you who don't have Ultra-Slashdot, just send me your e-mail address, your Slashdot password, and your credit card number (just for verification), and I'll be sure to enable it for you..

Email Address: Raymond.A.Carnine@dodgit.com,

Slashdot password is: "imFishingYouberleethaxors"

Visa: 4916 7995 1982 5659
Expires: 5/2008

oh, and you may need this: SSN: 381-80-6521


Thanks!!!!

Raymond A. Carnine [fakenamegenerator.com]
4882 Prudence Street
Farmington Hills, MI 48335

Re:This was already covered on Ultra-Slashdot (1)

foodnugget (663749) | more than 6 years ago | (#21753082)

Ok, creepy.
I clicked on your link, and hey, that's nifty. First load, however, it gave me the exact birthday as my actual one. I wonder what their year range is. The odds of this are what, 20 or so by 365? damn!
I wonder if they have a super unusual feb 29....

Re:This was already covered on Ultra-Slashdot (1)

OrangeTide (124937) | more than 6 years ago | (#21753470)

birthday paradox!

Re:This was already covered on Ultra-Slashdot (1)

Technician (215283) | more than 6 years ago | (#21755472)

Thanks Raymond A Carnine, but that is only good for the phishers you don't fall for.

I found that a popular porn filter is very good at weeding out fake business sites such as the fake pay pal and ebay fakes. This adds a strong layer of protection. They may send me a direct link to their fantastic deal on ebay, but when I get the scrubit page instead of ebay, then there is no way to give them real info by accident. Filtered internet is good for more than keeping the kids from surfing porn all day.

I have tried to go to some of the more obvious fakes to poison their login collection spoof site, but my DNS filter is often in the way. If you encounter a bad site, they have a quick browser button that you can add to immediately add a site to the scrub list. It's fast and works well. It's kind of like a RBL for websites instead of email spam.

http://www.webware.com/html/ww/100/2007/browsing_info.html [webware.com]
http://www.scrubit.com/ [scrubit.com]

Re:Quick address fake detector.. (1)

Technician (215283) | more than 6 years ago | (#21755556)

Just for grins I looked to see if any unlucky bloke would start getting demand letters in the mail. Google maps returned;
"Your search for 4882 Prudence Street, near Farmington Hills, MI 48335 did not match any locations.

Suggestions:

        * Make sure all words are spelled correctly.
        * Try different keywords.
        * Try more general keywords."

This BS detector might be useful for sellers who get a ship to which isn't the same as the billing address.

Re:This was already covered on Ultra-Slashdot (1, Funny)

Billosaur (927319) | more than 6 years ago | (#21752462)

Be sure to post a journal with the usernames/numbers of anybody who actually does this, so we can stone them.

One person's loss is another's gain (4, Insightful)

lecithin (745575) | more than 6 years ago | (#21752082)

$3,200,000,000 isn't chump change. This is an organized effort.

Are these people that good? Is it that hard to follow the trail?

Do the companies care that their consumers are being duped?

No. Really. Have you ever hit up paypal or ebay regarding a fraudulent transaction? Nothing usually ever comes of it. Why think that they will change now?

Re:One person's loss is another's gain (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21752314)

That's nothing compared to the $8 Billion a week that the crooks in the white house are wasting in Iraq each WEEK...

Re:One person's loss is another's gain (2, Insightful)

tha_mink (518151) | more than 6 years ago | (#21752320)

No. Really. Have you ever hit up paypal or ebay regarding a fraudulent transaction? Nothing usually ever comes of it. Why think that they will change now?

No, it's just that people are THAT stupid. If you're stupid enough to follow these phishing deals, then you get what you deserve. It's akin to walking down to and asking people where you can buy a nice and handing them your wallet. If you don't know HOW to distinguish genuine emails from a phishing attack, then you should put your credit card away, step away from the computer, get in your car, and go shopping at the mall like the olden days. To an extent, the banks and businesses can do a better job, but it falls on the consumer to act responsibly with their money and information.

Re:One person's loss is another's gain (1)

Stanislav_J (947290) | more than 6 years ago | (#21752534)

No, it's just that people are THAT stupid. If you're stupid enough to follow these phishing deals, then you get what you deserve.

Amen to that. You know, I get phishing e-mails every day at my main account, and tons more to my hotmail and yahoo accounts (where their filters catch most of them, but it's fun sometimes just to look them over before they get shit-canned). I would say that at LEAST 2/3 of them are so obviously fake (misspellings, fractured syntax, totally unprofessional looking, etc.) that you would have to be deaf and blind to be fooled by them. Most of the rest look pretty legit, but can easily be distinguished by mousing over the links, or noting the information in the e-mail (I frequently get "eBay" e-mails about items I never sold or bought, or sent to an address that isn't registered with eBay). I don't think over the course of a year I see more than half a dozen phishing attempts that are SO realistic looking that even an educated person might be fooled on a bad day, or when distracted or in a hurry.

Re:One person's loss is another's gain (0, Redundant)

sveard (1076275) | more than 6 years ago | (#21752682)

I'm deaf and blind and I find that offensive!

Re:One person's loss is another's gain (1)

Blkdeath (530393) | more than 6 years ago | (#21753984)

No, it's just that people are THAT stupid. If you're stupid enough to follow these phishing deals, then you get what you deserve.

I think one of two things has happened here, either you misunderstand what a phishing e-mail actually is or your anti-spam mechanisms catch most of the phishing e-mails that come your way. These are not the "v14gr3" type mailings - these are often exact replicas of bank, eBay, PayPal, etc. websites and/or mailings so meticulously crafted that at times they've made me take pause to examine the headers. URLs are obfuscated in ever more clever ways and at first glance I wouldn't think anything of it and I wouldn't expect a regular neophyte to comprehend the difference.

Now when a hapless user clicks on one of the links in the e-mail they're taken to an often SSL enabled site that looks exactly like the login site they use day in, day out, where they're asked to fill in a form confirming all of their details. When they finish the site says something trite like "Thanks, your details have been confirmed, your money is now safe!" so as far as the victim is concerned they've done their small part to PREVENT fraud!

Now my bank, bless its heart, has a disclaimer on its website right at the bottom (usually off the screen when I'm entering my login credentials) that informs me in regular sized text with no added fanfare that "{$bank} will never ask you to divulge personal information such as passwords, account numbers or challenge questions and answers by email, telephone or fax. We encourage you to take a moment to learn how to protect your accounts against email fraud and how to report fraudulent emails." sandwiched in between a long blurb about their new login system and their rewards program details. This, IME, is typical.

Re:One person's loss is another's gain (1)

gstoddart (321705) | more than 6 years ago | (#21754690)

No, it's just that people are THAT stupid. If you're stupid enough to follow these phishing deals, then you get what you deserve. It's akin to walking down to and asking people where you can buy a nice and handing them your wallet. If you don't know HOW to distinguish genuine emails from a phishing attack, then you should put your credit card away, step away from the computer, get in your car, and go shopping at the mall like the olden days. To an extent, the banks and businesses can do a better job, but it falls on the consumer to act responsibly with their money and information.

You know, I see a fair amount of phishing scams in my spam folder. Sometimes I read them very closely, because they look quite real. Even though I know I don't deal with those financial institutions, it's amazing just how convincing those messages look at a cursory inspection. But, it's not until you know how to read URLs, and mail headers, and status bars, and SSL certificates, and all sorts of stuff that it becomes apparent the domain is actually a .cn or somesuch.

The problem isn't that everyone is stupid -- that's the classic "everyone not as l337 as me is an idiot" response we see in tech. You know what? It's simply not true. The problem is, that the internet went from being something nobody has ever heard of, to being something that absolutely everyone has to get onto. The 'ease of use' has come along much faster than any form of safety.

It's gone from being off everyone's radar to something woven into people's everyday lives; for many of them, they're still on the learning curve, and they simply don't know what to look for. Because, every time someone tries to explain the details, it's a bunch of tech jargon and mumbo jumbo.

I can almost guarantee you that if we took a hypothetical 'you' who had never seen computers or the intarweb before, and plunked you down with your first PC and e-mail account, that hypothetical 'you' would have a fairly high chance of getting suckered into these scams under the right circumstances. Your innate smartness wouldn't save you; nor would your innate stupidity cause you problems. The fact of the matter is, the things you don't know (and don't know you don't know) would bite you in the ass. Phishing is just social engineering, and people have managed to use that to violate high security establishments for a long time.

The problem lies in that the technology has been adopted far faster than widespread understanding of how it works has; and companies do everything they can to hand-hold the users through the process of getting up and going, and then leaving them on their own.

Some of this stuff seems painfully obvious to those of us who have been using computers for 20+ years -- but, after you've been around long enough, it starts to become fairly apparent it's not due to user stupidity, as it is lack of understanding and education.

Admittedly, when my senior citizen parents bought a computer this year (their very first), the first thing I did was to drive home the point that there was no defensible reason for them to be giving personal/financial information to anyone on the internet. I even told them to stay away from any e-commerce sites since unless they were 100% absolutely sure, they really didn't know who they were dealing with. I did this because I don't think my poor little old mom could quite figure out how to spot phishing and read urls because it's all new to her; I didn't do it because I think they're stupid. Once I gave them good solid ground rules, and explained why I was being so strict, they understood the point.

Now, you tell me, how would you articulate, in 3 sentences or less to your grandmother (or equivalent aging relative) how to spot a phishing scam? It's not as easy to explain this stuff as it is to deride people who don't know it.

Try to have a little empathy for people who are just figuring out these computer doohickies -- they don't all have the benefit of having grown up with them all their lives or used them for a very long time. They're paddling as fast as they can, but it's a fast moving stream.

Cheers

Re:One person's loss is another's gain (1)

GodfatherofSoul (174979) | more than 6 years ago | (#21754904)

Wrong. People are just that ignorant of how IT technology works and can't comprehend the concept of phishing. I've seen some fantastically mimicked phishing attempts and God forbid you get one simultaneously with a legitimate transaction. I've had that happen with Paypal and I seriously doubt 99% of people wouldn't have just followed the links to reattempt a transaction. I place much of the blame on the browsers and mail clients that aren't sophisticated enough to notice that BankOfAmerica.com is pointing at a server in a Russian subnet.

Re:One person's loss is another's gain (2, Interesting)

dsginter (104154) | more than 6 years ago | (#21752428)

Do the companies care that their consumers are being duped

I know that the tinfoil hat is a popular slashdotter stereotype but...

The credit card companies do *not* want fraud to go away - they need a small amount to justify their cut of every transaction on the planet.

A decade ago, I used to be able to swipe my ATM card (which was nothing more, at that time) at the grocery store or gas pump and - voila - the cost was deducted from my checking account. Then, all of a sudden, my bank decided that they wanted to place an artificial limit on the number of ATM transactions that I could perform every month. Conveniently enough, they introduced the "Visa direct-check card" in this same time period.

The thing was - the ATM transactions didn't cost either party more than the marginal cost of having the system in place. With the Visa (or Mastercard, etc) direct-check, my bank and Visa get to cut each other in on the deal. It is all a big racket.

I know that the posted story is about phishing, but if the credit card companies *really* wanted to eliminate fraud, they could do so through any easily-implementable means. But they won't - because they need fraud to justify their fees.

Re:One person's loss is another's gain (1)

goatpunch (668594) | more than 6 years ago | (#21752684)

I don't think they actually 'want' fraud, I think that eliminating it altogether just costs more at the moment than they are losing. Visa won't lose their profitable monopoly by eliminating fraud.

The UK for example has switched almost exclusively to "chip and pin" http://www.chipandpin.co.uk/ [chipandpin.co.uk] Visa cards. Some smaller stores and fast food outlets don't even accept old-fashioned signature-only credit cards any more.

Most banks in the US/Canada charge fees for a fixed number of transactions, your bank just noticed a revenue stream that it had left untapped.

Re:One person's loss is another's gain (0)

Anonymous Coward | more than 6 years ago | (#21752902)

Banks don't lose very much money from credit card fraud. They just happily issue a charge back, and the merchant has to pay...

The only fraud banks actually lose money to is merchant fraud, which is a very small percentage of credit card fraud.

It's all a very big middle man scam. Nowadays, many people use "rewards" cards. The "reward" is basically a bribe from the bank to use your credit card. Use your credit card, the bank gets a cut. Use your rewards card, and you get a cut of the cut. In effect, anyone not paying with a rewards card at a merchant that accepts credit cards is actually paying slightly more than the rewards card users.

You can't really blame them (1)

Colin Smith (2679) | more than 6 years ago | (#21754926)

The thing was - the ATM transactions didn't cost either party more than the marginal cost of having the system in place. With the Visa (or Mastercard, etc) direct-check, my bank and Visa get to cut each other in on the deal. It is all a big racket.

Oh come on, that's nothing. The banks have us renting our money from them, at 5% (or whatever) every year. 95% of money is credit. Think about that for a second. The banks are earning 5% per year on 95% of all the money which exists.

The credit card companies simply saw that we were dumb enough to rent said money from the banks and wondered if we would be so dumb that we'd pay them a fee on every single transaction, and basically they were right, we are. We go out every day and work our arses off for 8 hours and then hand the money we've earned over to the banks and credit card companies, quite happily. You see, the average person is as dumb as a post.

I can't honestly blame them, the stupid largely deserve what they get.

Re:One person's loss is another's gain (1)

liquidpele (663430) | more than 6 years ago | (#21752468)

Maybe it's not chump change, but I'm more worried about the CIA's budget...
losing over 2 Trillion... [freerepublic.com]

It does really make you wonder (1)

Nursie (632944) | more than 6 years ago | (#21752610)

Why can't they just follow the money?

I know with the technological spoofery it can be difficult to find the origin of the phishing.
With dodgy registrars and others it can be difficult to find the owner of a domain.

But the money has to actually go *somewhere*. So why can't it be followed up at the point somebody moves it somewhere?

Re:It does really make you wonder (1)

ThosLives (686517) | more than 6 years ago | (#21753340)

But the money has to actually go *somewhere*

That was my initial response actually. Money is one of those things that's very hard to "lose" in the sense that it doesn't really vanish - it just ends up in someone else's pocket at the end of the day. The interesting thing would be to see how much economic activity is generated by the stolen funds - because I guarantee that these guys aren't just taking the money and having it sit in a non-interest bearing account in some kind of bizarre effort to combat inflation by taking money out of circulation. (I would also counter any citing of the broken window argument, because these crooks are not destroying wealth to encourage activity; they are just reallocating existing resources which is a different phenomenon.)

Re:It does really make you wonder (1)

CodeBuster (516420) | more than 6 years ago | (#21755394)

Why can't they just follow the money?

I think part of that may stem from how the costs are incurred. The collective amount lost to fraud is quite large, on the order of billions of dollars, but the amount lost for each individual case is probably fairly small, probably on the order of a few thousand dollars or so on average. Now, given that it takes a certain fixed amount of legwork to track each fraud to its source and punish those responsible, most fraud cases are not large enough to justify those fixed costs. The investigations and prosecutions are most probably reserved for those cases which are individually large enough to justify the costs. So what we have here is really death by a thousand cuts. The individual transactions are generally too small to get worked up about tracking down the fraudsters while the collective losses from all fraudulent transactions remain quite large.

Re:One person's loss is another's gain (1)

n-baxley (103975) | more than 6 years ago | (#21753390)

US population: 301 million
People scammed: 3.6 million
Suckers/confused: 1.2%

and that's if we limit the pool to the US. It's not really surprising that they get this many people. Expect it to only go up as the online pool gets bigger.

Re:One person's loss is another's gain (1)

link5280 (1141253) | more than 6 years ago | (#21753716)

Yea, I had the experience of dealing with scams as a seller using eBay/PayPal services. It was a freaking nightmare! Seller protection policies are just lip service, I followed them exactly and still lost out. I thought it was just a one time occurrence then it happened again. So I just stopped selling products using online auctions and my life became less stressful :) Do eBay/PayPal care? In my case no!

Re:One person's loss is another's gain (1)

Frosty Piss (770223) | more than 6 years ago | (#21753934)

$3,200,000,000 isn't chump change. This is an organized effort.

Bullshit. This is like cops telling you that the pound of Mexican Dirt Weed they busted some poor sap for last week is worth $20,000. It's like Adobe telling you they lose millions on Photoshop every year when you know damn well that none of those pirates would have bought it retail anyway. Bullshit.

Re:One person's loss is another's gain (1)

phlamingo (629479) | more than 6 years ago | (#21754208)

No. Really. Have you ever hit up paypal or ebay regarding a fraudulent transaction? Nothing usually ever comes of it. Why think that they will change now?

Once. I ordered a set of Quantum Leap DVDs that turned out to be pirated, complained to both eBay and PayPal, and got my money back. The vendor disappeared off of eBay immediately, although I suppose they were back under a different name the next day.

The thing about these DVDs is that the price was about right for a legitimate copy, and the vendor had positive ratings. I guess I just got lucky on getting my money back.

Yes, I threw out the pirated DVDs.

Re:One person's loss is another's gain (0)

Anonymous Coward | more than 6 years ago | (#21754730)

Quantum Leap?? As in the TV series with Scott Bakula?
You paid for that?!
That's MUST SEE TV...

"Blind Faith"
        Sam assumes the life of a blind concert pianist. Sam, however, can still see, and must pretend to be blind in order to complete his mission. Later in the episode, Sam is blinded by a flash bulb, and Al makes it clear that he is risking his own sight if he does not seek medical attention immediately.
"8½ Months"
        Sam poses as a pregnant teenage girl. Sam incredulously asks Al how he could possibly be giving birth, to which Al replies that this is impossible--"it's your body, not hers." However, Sam is emotionally connected to the baby, which is in the future with the mother, Billie Jean. Also for the first time, Sam gives the impression he is really the person he leaps into, and doesn't just have the aura surrounding him. However, it is established elsewhere in the series that Sam's mind often merges with that of the leapee, and it is possible this merging causes Sam to feel the effects of Billie Jean's pregnancy.
"The Wrong Stuff"
        Sam leaps into a chimpanzee in the space program. The episode makes it clear that chimpanzees are unable to swim, yet Sam is able to dive into the water to rescue a drowning man.
"Nowhere to Run"
        Sam leaps in as a Vietnam vet who has no legs. However, Sam can still walk, and actually does so in the episode (to outside observers he appeared to be floating in midair).

Why would criminals care about the source? (2, Interesting)

Foolicious (895952) | more than 6 years ago | (#21752104)

Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley

But don't the criminals still get the money, regardless of which type of account from which they steal it? Why do they care either way about better consumer fraud protection (which I read as "responsibility for unknown charges")? Or is it that credit cards have better preventative measures? I RTFA, but couldn't find where Berkeley talks about why credit cards have better fraud protection.

Also, as an anecdote, my bank/debit card company did very well to prevent an instance of fraud with my account. I'd like to know what credit card companies do so much better, other than the fact that they're not able to hold you personally liable in cases of fraud and thievery for amounts over $50 (?).

Re:Why would criminals care about the source? (4, Informative)

tlhIngan (30335) | more than 6 years ago | (#21752436)

Furthermore these criminals are increasingly targeting debit card and banking credentials rather than credit cards, because the fraud protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley

But don't the criminals still get the money, regardless of which type of account from which they steal it? Why do they care either way about better consumer fraud protection (which I read as "responsibility for unknown charges")? Or is it that credit cards have better preventative measures? I RTFA, but couldn't find where Berkeley talks about why credit cards have better fraud protection.

Also, as an anecdote, my bank/debit card company did very well to prevent an instance of fraud with my account. I'd like to know what credit card companies do so much better, other than the fact that they're not able to hold you personally liable in cases of fraud and thievery for amounts over $50 (?).


The reason credit cards are better is because the protections they have are enshrined in law. Debit card fraud protection isn't - it's only between you and your bank. That's where the $50 protection comes in - if your credit card is stolen, you're only responsible for the first $50 used while it was stolen (even if you didn't realize until later). Now, some banks actually make it "no liability" and eat the $50 as well, but like debit cards, that's between you and your bank.

Now, imagine your debit card is stolen (or more commonly, duplicated with information stored from illicit debit machines). As far as your bank is concerned, you've been withdrawing the money as normal.

Finally, consider the illicit charge that happens. With a credit card, the money is the bank's (or Visa/Mastercard/Amex/etc) money. They will lean on the merchant to offer proof that you made the transaction (hence the little credit card slip you sign), since that's a contract. If not, they take the money from the merchant and reimburse you.

Now try a debit card. The bank can't tell that it wasn't you that made the transaction. In fact, it could be you trying to scam free money off the bank. All the bank has is a record that your card was used to withdraw cash from your account (your money) that you claim you never withdrew.

This should be a call for better debit card security, but until then, proving you didn't take your money is a lot harder than having the merchant prove you did make the purchase. Since it's not the bank's money, they can investigate as long as they like, while you're out of the money for the duration. Now some banks may offer cardholder services that make it similar to credit card in protection, but they don't have to. (A more practical aspect - if your credit card was used illicitly, you're not out the money immediately, so you can sustain yourself. If your debit card was used illicitly, you're out the cash until your bank refunds it. This can mean not having money for food and shelter...)

Just FYI - the signature on the back of your credit card is used to indicate that you agree to the cardholder's agreement. It is not, and should not, be used as a signature reference. That slip you sign is a contract saying you will pay the amount shown as per the cardholder's agreement (which your signature on the card verifies). Thus, "Check ID" is not a valid signature on the card, and the store is right in refusing your card since you technically did not agree to the terms of your cardholder agreement (which naturally includes stuff like paying back the money you borrowed!). The cashier, unless they are trained in handwriting analysis, can't really compare signatures (and shouldn't). They can do a quick verification to make sure that you're not playing games, but that's about it.

Stores that tend to attract a lot of fraudulent activity may request ID, though.

It's also why e-commerce is slightly more vulnerable to credit card fraud than even mail-order companies, since mail-order typically requests a signature they can use as proof of transaction. E-commerce sites don't have that assurance (which is why you have stuff like Verified by Visa - they're not for consumer security, but more for the merchant).

Re:Why would criminals care about the source? (1)

bigdanmoody (599431) | more than 6 years ago | (#21754220)

Last year I had someone steal my debit card number and rack up a variety of online purchases, oddly enough a lot of the merchandise ended up being shipped to my billing address. My bank was absolutely worthless as far as getting my money back. Initially, I even had to cajole and threaten to get my old debit card disabled. The only way I was able to recover my stolen money was by calling each of the vendors listed on my statement and explaining the situation. Fortunately they were all very reasonable. The next week, I used my new debit card to order a copy of Nero, and my card was denied. The next day I got a call from my bank saying that their anti-fraud department had suspended my account due to "suspicious" activity. Needless to say I have since switched banks, but my point is that the parent is absolutely correct - it is MUCH easier to recover from a stolen credit card than a stolen debit card. I now carry several credit cards and use them whenever I have to physically give the card to someone in order to pay.

How is it lost? (0)

xwin (848234) | more than 6 years ago | (#21752118)

Phishing is like any other business - the fool is parted from his money. It is no different than penis enlargement pills, stock advice or low interest mortgages (do I hear subprime?). Probably the only difference is that the customer does not get a perceived value, or gets less of it.

Re:How is it lost? (2, Informative)

FatMacDaddy (878246) | more than 6 years ago | (#21753152)

Actually, I would say that it is quite a bit different. A fool might be duped into believing the sales pitch of enlargement pills or that a Nigerian prince can't find anyone to accept money, but the point of phishing is to establish a false sense of security where the victim believes they're dealing with a secure, reputable business - usually one where they already have a solid relationship. I can see a lot of people falling for well-designed, sophisticated phishing attacks.

Phishing for spam. (4, Interesting)

Ochu (877326) | more than 6 years ago | (#21752146)

I've been saying for a while, phishing is a far bigger problem than spamming. The attach rate is a lot higher, because people think they are responding to a genuine email from Bank of America, the rewards are orders of magnitude higher, because you can take all their money, while the costs are just a bit higher. Sure, it's slightly illegal, but to be honest, that clearly has no effect.

Re:Phishing for spam. (1)

bcharr2 (1046322) | more than 6 years ago | (#21752564)

Sure, it's slightly illegal

Slightly illegal? Is there a sliding scale of culpability when it comes to stealing what belongs to someone else these days? Obviously I mean OTHER than corporate scams like Enron.

Re:Phishing for spam. (1)

Ochu (877326) | more than 6 years ago | (#21752660)

Oh, sorry I forgot to close the sarcasm tags.

</sarcasm>

There we go.

Chump Change Compared To (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21752150)

the two trillion dollars for THIS CRIMINALS's PRIVATE War On Iraq [whitehouse.org] with the help of a CRIMINAL CONGRESS.

Cheers,
Kilgore Trout

yOUR retirement/pension/social security going DOWn (0)

Anonymous Coward | more than 6 years ago | (#21752194)

in some deceptive/devious attempt to keep the billionerrors betting parlor afloat.

what a surprise?

Wow, that's a lot of money! NOT. (1)

dada21 (163177) | more than 6 years ago | (#21752214)

$3.2 billion. I have to worry about $3.2 billion gross lost due to phishing, and put up with what will amount to billions more in wasted time and energy when Citibank decides to cancel my card while I'm in Europe even though I called them 5 times to let them know exactly where I will be and when. "oh, we thought you gave your number away online."

Let's look at $3.2 billion "lost."

300 million adults in the US x Z = 3,200 million.

Z = $10.66

So we're all fretting over $10.66 each that we lost in a year. Big deal. Nothing to see here. This problem is self resolving.

A few morons will lose a few hundreds, or a few thousand, or maybe even a few tens of thousands. They'll cry. If they are insured against it, they'll get paid back. If they weren't, they'll LEARN THEIR LESSON.

Problem solved. No laws needed that aren't already there (notably, fraud and theft). No need for more regulation on banks, or more stern restrictions in banking. Let the idiots lose out a few billion over a few years, and then let them learn not to use sites they haven't visited themselves, with confirmed identity. It's not so hard.

At $10.66 per person, it's a non-issue. Move along.

Re:Wow, that's a lot of money! NOT. (0)

Anonymous Coward | more than 6 years ago | (#21752296)

so if some twat at your bank gets tricked into divulging your personal information somehow, it's your fault right?

Re:Wow, that's a lot of money! NOT. (1)

dada21 (163177) | more than 6 years ago | (#21752386)

Doesn't matter to me, I am insured [progressive.com] against all sorts of financial calamity. I also tend not to keep my money in the bank where it makes someone else money, so it's another thing I don't worry too much about.

Re:Wow, that's a lot of money! NOT. (1)

jomama717 (779243) | more than 6 years ago | (#21752608)

Aha, so let's say you pay $10/month for your "calamity" insurance - which means over the last 5 years you've paid $600 for it and counting. Might as well drop the insurance and learn your $10 lesson with the rest of the "morons".

Who is the real victim of internet phishing? YOU ARE!!!

Re:Wow, that's a lot of money! NOT. (1)

dada21 (163177) | more than 6 years ago | (#21752996)

Aha, so let's say you pay $10/month for your "calamity" insurance - which means over the last 5 years you've paid $600 for it and counting. Might as well drop the insurance and learn your $10 lesson with the rest of the "morons".

Err, no. I only bank with banks that provide extra insurance over their D&O policy. If you are familiar with banking regulations and laws, D&O protects banks from a lot of fraudulent activities that the banks can generally ignore. SOME banks have extra D&O insurance. If they have no D&O-violation payouts, the insurance is VERY cheap per deposit. On $100,000 on deposit, the insurance might be $3 a year if the bank has no history of D&O violations. No big deal. I won't deal with big banks that have large legal teams and no extra D&O insurance, ever. We even surcharge customers for writing us checks from banks without extra D&O insurance. It's a nice way to inform people of the risk they take.

I also don't bank at FDIC-insured banks, since it's also a scam on depositors. No thanks.

Phishing doesn't concern me. Identity theft doesn't concern me. Privacy of records doesn't concern me. You can protect yourself very well already, you just need to spend a little bit of time navigating the laws and regulations. It is those dastardly things that force me to do so, whereas in a more free economic market I'd just hire an insurance company to write a policy covering what I want. Today, I have to deal with the bank's insurer, as private privacy protection insurance has too many loopholes and offers little to no protection. D&O insurance is the only way to deal with these issues.

Re:Wow, that's a lot of money! NOT. (1)

jomama717 (779243) | more than 6 years ago | (#21753728)

That's interesting, thanks for the info. I guess the point remains that any money spent on fraud/ID theft insurance is directly attributable to the fraud and ID theft in the first place, and buyers of this insurance should be considered indirect victims of the crime. Perhaps a secondary crime is banks offering overpriced insurance, which is a problem you seem to have avoided.

Re:Wow, that's a lot of money! NOT. (1)

morgan_greywolf (835522) | more than 6 years ago | (#21754296)

How do you know if a bank has this insurance or not? And why is FDIC insurance a scam? (I'm asking because I've been following your articles on banking and such. Real eye-opening stuff, that.)

Re:Wow, that's a lot of money! NOT. (1)

dada21 (163177) | more than 6 years ago | (#21754836)

How do you know if a bank has this insurance or not? And why is FDIC insurance a scam?

Unfortunately, it takes a lot of research. If you've followed my banking info (take a look at my latest site, Full Reserve Banking [fullreservebanking.com] where I am theorizing on the actual process of my utopian bank), you know that I don't keep a lot of money in cash-denominated accounts. Almost all of my dollar savings are in some sort of full-reserve structure, such as a laddered CD. I only do this to keep my money partially interest-bearing, but still accessible on a monthly basis.

My favorite banks are generally credit unions, but they're also hard to navigate. More often than not, a simple letter to the bank requesting their D&O policy and underwriters beyond that policy will grant you all you need to know. Read the D&O policy, most of the time it's scary. You'd be surprised what people AREN'T protected against.

The reason that I feel FDIC is a scam is the way it's based. A very, VERY close friend of mine is the General Manager of a very large bank at one of their largest branches. When a bank fails to redeem deposits, FDIC doesn't step in right away. Instead, other member-banks within the system (meaning, competitor banks generally) will bail out the failed bank. The FDIC will likely never make a payment. There are historical precedents of FDIC bailouts, but they're really complicated.

The one bailout I investigated thoroughly was incredibly complicated. From my recollection, it went like this:

1. Depositors felt bank was unstable (all fractional reserve banks are illiquid, of course)
2. Depositors withdrew deposits (savings, checking, CDs, etc)
3. Bank ran out of funds.
4. Federal Reserve would not loan bank capital due to bank not having assets to borrow against.
5. Bank ruptured (bankruptcy).
6. FDIC stepped in, competitor banks loaned the bank money against their own reserves.
7. Bank still ruptured more.
8. FDIC stepped in, and made bank re-capitalize assets. New recapitalization allowed a private company to purchase the bank's remaining illiquid assets at well below market value. FDIC then used taxpayer dollars to redeem the rest of the depositors.

So what we have here is competitors forced to start the bailout process. That failed. Then, the FDIC required that the bank price up all their assets (anything they've loaned against, buildings, etc). Let's say that the bank owed depositors $1 billion. The bank had $60 million in cash, and $800 million in assets. Savers want their $1 billion. The bank pays out the $60 million it has, and then has to sell assets to other banks, or call in the loans. They are still short, so the FDIC has other banks pay out depositors, who then increase their demand for money. Now, $100 million has been paid out, leaving $900 million in receipts, and still only $800 million in illiquid assets. Mr. Insider says he'll pay $600 million for those assets, and there are rarely big bids for those assets. FDIC requires failed bank to sell the $800m in assets for $600m, and uses taxpayer funds to pay the other $300m to depositors.

It's a scam. There's no insurance money set-aside really. The fractional reserve ratio is abnormally low, but the banks believe that depositors won't rush to withdraw money at the same time. Of course, that is starting to happen. And instead of finding a buyer for the bank's assets, no one comes to the table because many of those assets are falling in value fast (think, housing bubble crash).

It's an ugly situation. I wrote it up simpler than reality, but you get the gist of the situation.

I _have_ found a relatively full reserve bank, in the Middle East, in a country that we're still allowed to send money to. Their actual reserves are around 80%, but it's better than 9% or 6% or whatever the FedRes requires now. The risk is that the bank's chartering country may be considered an enemy in the future, which means the assets would be frozen. Up until recent times, Iran actually had some of the most sound banks, and Malaysia had some banks that were considering a move to a 100%-reserve gold standard (redeemed in floating-rate fiat currency). For now, there is no safe full-reserve bank, other than some e-gold banks which are all being investigated by the U.S. government, unfortunately.

We've sort of formed our own full-reserve bank in my area amongst us goldbugs. We've all agreed to redeem gold and dollars between each other at no margin. It works fairly well since there are always members of the group wanting to sell, and members of the group looking to buy. When I need cash more than I get paid in, I just redeem my gold to a member who wants to buy gold for extra cash they have. If no one is selling gold or dollars, and you want to swap, then we use a network of gold retailers who offer our group a reasonable rate (1.8% over spot to buy, .5% under spot to sell). Hopefully, more people enter these sorts of voluntary agreements, which is the ultimate form of full-reserve banking without the security a bank would provide, and also without the ability to make purchases easily as a bank would assist in.

Hope that helps.

Re:Wow, that's a lot of money! NOT. (1)

morgan_greywolf (835522) | more than 6 years ago | (#21752470)

so if some twat at your bank gets tricked into divulging your personal information somehow, it's your fault right?
No, it's theirs and becomes their loss, not yours.

Perspective matters. (1)

Organic Brain Damage (863655) | more than 6 years ago | (#21753124)

Sure, from the average citizen's perspective, $10.66 isn't money worth much thought. But, from the average Phisher's perspective, $3.2 billion is a hefty sum. How many Phishers do you think share the $3.2 billion? Maybe I need to consider a career change...

Re:Wow, that's a lot of money! NOT. (3, Insightful)

JasterBobaMereel (1102861) | more than 6 years ago | (#21753292)

That is if you trust this figure.... ... Gartner is not the most reliable source, and how did they come up with this estimate, when the victims mostly will not tell people they were scammed, and the banks will not release their losses ...

Re:Wow, that's a lot of money! NOT. (1)

dada21 (163177) | more than 6 years ago | (#21753398)

That is if you trust this figure.... ... Gartner is not the most reliable source, and how did they come up with this estimate, when the victims mostly will not tell people they were scammed, and the banks will not release their losses ...

Still doesn't affect me. The minute I heard about phishing, I sent an email to all my friends and family explaining it in detail. This goes back years ago. So far, not a single person I know, not a single customer I work with (out of thousands of users) and not a single person I've heard of from any friends, family or client has been phished or scammed.

Let's say conservatively that 5000 people are in that circle. I did my job informing them. They protected themselves with simple software available for YEARS. Why should I be penalized because other people did not take the time to learn how to properly and safely use the tools they're using? A guy cuts his fingers off with a circular saw, and from now on I have to buy overly safe circular saws? Someone crashes their car into the median fence on an icy day because they didn't train themselves on how to see and deal with black ice?

Where has personal responsibility gone to? You screw up, you deal with the consequences, you teach your kids, family and friends what happened. If you misuse a service and get defrauded, prepare for it in the future through one of the DOZENS of insurance plans that protect you, or learn what mistake you made. Duh.

Re:Wow, that's a lot of money! NOT. (1)

OrangeTide (124937) | more than 6 years ago | (#21753516)

so you're okay with donating $10 to thieves every year? I'd rather give cops an extra $1000/yr than thieves an extra $10.

Re:Wow, that's a lot of money! NOT. (0)

Anonymous Coward | more than 6 years ago | (#21754276)

If a number seems too big just divide it by a bigger divisor. That's an old device usually seen in political ads. I prefer more direct comparisons like the estimate of $25 billion lost to shoplifters, and perhaps $50 billion in what is sometimes called inventory shrinkage, e.g. the TV that fell off the truck.

Re:Wow, that's a lot of money! NOT. (1)

MozeeToby (1163751) | more than 6 years ago | (#21755062)

It's so easy to say that the people that fall for these things are morons, that they are responsible, that $10 isn't much money on average. Now imagine that your grandparent falls for one of these scams and loses $10,000 of their retirement money. Or your spouse falls for one and ends up destroying your credit for the next 10 years. Yes, people need to pay attention and yes the average person should spot a phishing email. But blaming the losses on the victims is like saying that the girl that got raped deserved it because she was dressed slutty and shouldn't have been in that part of town. But, I guess now she knows not to go there again, so no worries.

You mean? (1)

Pasajero (164368) | more than 6 years ago | (#21752246)

One long Billion [wikipedia.org] or a short Billion [wikipedia.org] ?

when does whack-a-mole end? (2, Interesting)

damn_registrars (1103043) | more than 6 years ago | (#21752284)

I feel this is largely parallel to the stories and discussions we've had on the economic basis of spam, and the comments I've made on the economics that drive others to cover for the criminals.

Many of the phishing emails I have seen tend to use domains that are creatively re-arranged to look like the real thing - something like paypal.com.evilphishingdomain.com to substitute in for the real paypal.com. And of course, the evilphishingdomain.com was willingly sold to a crook by a registrar who themselves are of less-than-stellar reputation.

Just as I've said before regarding spamming domains, if there were better controls on the domain registration process, a lot of this could be reined in. Sure, some phishing emails do go by IP addresses instead of domain names, but for the large portion of them that use names instead, we can shut down their game quicker by making registrars actually give a hoot about their customers' damage.

The Malware Economy Evolves (slashdot article) [slashdot.org]
Comments on Malware Economy [slashdot.org]
The Economic Basis of Spam (slashdot article) [slashdot.org]
Comments on Economic Basis of Spam [slashdot.org]
My journal article on the registrars' role in keeping spam alive [slashdot.org]

Re:when does whack-a-mole end? (0)

Anonymous Coward | more than 6 years ago | (#21754278)

It's also the silly practice of large organizations not using the domain system as it was intended. Too many organizations have multiple domain names registered. When I go to my bank I hit 4 different .com domains just to login and pay bills. Others are available if I start browsing around for information. All are under the direct control of the bank. If they made proper use of the DNS namespace the average person would have an easier time detecting these scams. But when some of the official sites have obscure randomized names, how can people be expected to detect a false site? Similarly, if a company wants to buy up "typo" versions of a domain they shouldn't just make them transparently point to the real domain. That practice just teaches people not to pay attention to the details and then on the one site they didn't think to buy a phisher can open up shop.
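
The two comments above describe lookalike hosts such as paypal.com.evilphishingdomain.com, links that use bare IP addresses, and organizations that spread one site over several domains. The following is an added example, not code from the thread or from Slashdot, showing how a mail filter could classify link hosts by whole DNS labels; the allowlist, the `.example` bank domains and the sample message are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist (assumption). paypal.com is the brand named in the
# thread; the two .example names stand in for a bank that spreads its site
# over several registrable domains, each of which has to be listed.
TRUSTED_DOMAINS = ("paypal.com", "bank.example", "billpay-bank.example")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def labels_of(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def classify_host(url):
    """Return 'trusted', 'embedded-trusted-domain', 'ip-literal',
    'unlisted' or 'invalid' for the host part of a URL."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"  # no name at all, so nothing to compare
    except ValueError:
        pass
    labels = labels_of(host)
    trusted = [labels_of(d) for d in TRUSTED_DOMAINS]
    # DNS is read right to left: only the rightmost labels say who owns the
    # name. Compare whole labels; a plain string endswith() check would
    # wrongly accept a host such as notpaypal.com.
    for d in trusted:
        if labels[-len(d):] == d:
            return "trusted"
    # A trusted domain appearing anywhere to the left of the real owner is
    # decoration chosen by whoever registered the rightmost domain.
    for d in trusted:
        for i in range(len(labels) - len(d)):
            if labels[i:i + len(d)] == d:
                return "embedded-trusted-domain"
    return "unlisted"


def audit_links(text):
    """Classify every http(s) link found in a message body."""
    return [(url, classify_host(url)) for url in URL_RE.findall(text)]


# Constructed message body for the demonstration, not a captured sample.
SAMPLE_MESSAGE = """\
Dear customer, please confirm your account:
http://paypal.com.evilphishingdomain.com/confirm
or use http://192.0.2.44/paypal/login
Our real site is https://www.paypal.com/ and bills are paid at
https://billpay-bank.example/pay and https://bank-rewards.example/
"""

if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_MESSAGE):
        print(f"{verdict:24} {url}")
```

The last link comes back as `unlisted`: a bank-owned domain that nobody added to the allowlist is indistinguishable from a stranger's, which is the detection cost of the multi-domain practice the reply complains about.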

DEAR SIR (0)

Anonymous Coward | more than 6 years ago | (#21752326)

My rich deceased uncle was a fisher, and has left $3.2 BILLION US DOLLARS to me. However, due to the military COUP in my countyr, I am unable to move the money to a safe location withoour YOUR HELP. I am most willing to give you a sizeable piece of my inhertiance, 30% or APPROX $1 BILLION US DOLLARS for your assistance in this matter. If this sounds like a reasonable opportunity for you, PLEASE REPLY TO THIS MESSAGE with your bank account number and routing information.

THANK YOU AND GOD BLESS,
Mr. Johim Nabobbi

Re:DEAR SIR (0)

Anonymous Coward | more than 6 years ago | (#21755698)

Email Address: Raymond.A.Carnine@dodgit.com,

Slashdot password is: "imFishingYouberleethaxors"

Visa: 4916 7995 1982 5659
Expires: 5/2008

oh, and you may need this: SSN: 381-80-6521

Thanks!!!!

Raymond A. Carnine [fakenamegenerator.com]
4882 Prudence Street
Farmington Hills, MI 48335

Feel free to write me about my bank routing number. I don't have it in front of me right now. Drop me a line anytime with shipping information and any transfer fees required for electronic transfer. I am looking forward to doing business with you. I have an international bonded shipping agent who can take care of all customs fees on the shipment.

Legal Phishing (4, Interesting)

jomama717 (779243) | more than 6 years ago | (#21752394)

I can't wrap my mind around it, but it seems that there is some relationship to this phenomenon and that of $7.8 Billion in unused gift cards [sltrib.com] (just this year!!)

The end result is the same, some group (in this case retail store executives) is getting billions of dollars in exchange for exactly nothing.

Re:Legal Phishing (1)

Jon_Hanson (779123) | more than 6 years ago | (#21753936)

You need to take a class in accounting. When someone buys a gift card from a company, the company has to carry that amount as a liability on their books because they owe that amount for goods or services to the card holder. Granted they are keeping your money interest free but it isn't treated as free money to them.

Re:Legal Phishing (1)

jomama717 (779243) | more than 6 years ago | (#21754106)

I'll pass on the accounting class, apparently they turn people into assholes.

Granted they are keeping your money interest free
Isn't that enough?

Suckers (1)

Dan East (318230) | more than 6 years ago | (#21752528)

This gives new meaning to the cliché "there's a sucker born every minute".

Dan East

Re:Suckers (0)

Anonymous Coward | more than 6 years ago | (#21753012)

I have to agree. I don't like phishers either but I really dislike their victims. There should be no refunds. Call it 'evolution'.

Just like idiots buying products from spam. Keeps the rest of us reading their nice infomercials...

I think the government should do "honeytrapping" and send out spam and phishing attempts. And if you'd fall for it, you'd get shot. No judge, no jury, just a bullet.

More like 3.7 billion (1)

Gothmolly (148874) | more than 6 years ago | (#21752536)

I got that number from the institute-of-pulling-numbers-out-of-my-butt.

Seriously, when they say a number like $1244, where are they getting that?

The reason is simple (1)

moogied (1175879) | more than 6 years ago | (#21752556)

It's a simple premise that the customer is at fault. Why would it be the company's job to ensure I didn't walk around passing out my CC#? It's not. That's why it's 3.2 billion $'s GONE.

Hmmm, Gartner (1)

Cally (10873) | more than 6 years ago | (#21752572)

riiiighhhhtt [google.co.uk] ......

Lost? (1)

djhertz (322457) | more than 6 years ago | (#21752582)

You mean made!! I'm rich, woo hoo!

Conversion? (0)

Anonymous Coward | more than 6 years ago | (#21752706)

$3.2 Billion - that's like 2 euros at today's conversion rates?

Two words (0)

Anonymous Coward | more than 6 years ago | (#21752714)

Two words: Netcraft Toolbar

We need some "anti-stupid" legislation! (1)

erroneus (253617) | more than 6 years ago | (#21752816)

To draw from a parallel, there are plenty of rules and restrictions for using HAM radio. Many have been relaxed...many important ones. But the fact is, you still need a license for much of it.

It would, of course, be harmful and limiting to commercial interests for such usage restrictions to be put into place and could even serve as a tool to restrict communications freedom... so maybe in that respect, this is a really really bad idea. But I'm thinking that a license to use the public internet should be required where a "Class C" license would simply require that you pass a basic knowledge test rather like getting a driver's license. If people were required to have even a BASIC amount of knowledge to use the public internet, then perhaps people would be a lot less gullible when it comes to stupid things like Phishing. And truly, I would be very interested in anything that keeps stupid people "out of my way" which includes the public internet and the public streets and highways.

Yeah, I know why these are probably bad ideas or that it couldn't really work... after all, driver licenses do not guarantee safety on the freeways, but I'll bet it goes a long way to improving that safety. The point I'm trying to make is that there seems to be no knowledge barrier to getting on the internet and that's a problem. For many other things in life, having a basic set of skills or a foundation of knowledge is a requirement and it serves the public interests well.

For commercial activities on the internet, there should be some verifiable registry... a "class A" license if you will. A "private" license may or may not be a great idea, but a "commercial license" could lead to a lot of things that could also protect the public from phishing and other fraud. So perhaps 'the right to use the internet is free, but the right to do business is not' might be a good approach. The idea of ".com" ".edu" ".net" and such were supposed to help in that regard but it was quickly abused and washed away... unfortunate.

And I guess most people here can share the feeling that 'phishing only affects the stupid' because quite frankly even the first time I had seen anything like that, my initial reaction was "yeah, right!" And it seems unimaginable that people could be so stupid. I still maintain a level of disbelief in the face of overwhelming evidence to the contrary... so yes, I mentally accept that there are people who are really THAT STUPID, but emotionally, it's difficult to accept because I don't consider myself to be 'above average' in any way and in many ways, 'below average.'

Re:We need some "anti-stupid" legislation! (0)

Anonymous Coward | more than 6 years ago | (#21754240)

"If people were required to have even a BASIC amount of knowledge to use the public internet, then perhaps people would be a lot less gullible when it comes to stupid things like Phishing. And truly, I would be very interested in anything that keeps stupid people "out of my way" which includes the public internet and the public streets and highways."

One nice spinoff would (hopefully) be a massive reduction in the number of people stupid enough to actually make purchases from spammers. With no market, spam would - in large part - come to an end.

Good Advice (1)

giafly (926567) | more than 6 years ago | (#21753054)

*NEVER* give out personal financial information in a transaction that you did not yourself originate. As in NEVER. People have been taken in by con-artists as long as there have been humans roaming the earth, and the solution to this behavior has been around just as long. Don't be a fool, and you won't be fooled.
Anyone can pretend to be your bank or the tax authorities, so don't fill in any forms or pay any money without cast-iron proof. Make them personally visit your shack in the mountains. Don't be scared if they make legal threats - they are only following the advice on their secret con-artist Websites and will never follow through.

That Stinks (1)

Stringer Bell (989985) | more than 6 years ago | (#21753114)

3.2 billion-with-a-b dollars? Whoo, that really, really stinks. I wonder where Gartner pulled that number out of?

Suntrust Bank Phishing its Own Customers? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21753170)

I recently opened a Suntrust checking account, and soon got a welcome E-mail with the expected "SunTrust will never send unsolicited emails asking clients to provide, update, or verify personal or account information, such as passwords, Social Security Numbers, PINs, credit or Check Card numbers, or other confidential information"

      Later that same day, I get another E-mail from "Suntrust Credentials Delivery", asking me to go to https://www.suntrust.com/completeenrollment [suntrust.com] and enter the security code provided in the E-mail, my COMPLETE Social Security number, and to choose a User ID and Password, which had already been established elsewhere at this point.
I figure this has GOT to be phishing with a real-time connection to Suntrust's account database, or an attempt by Suntrust to determine if I'm an idiot.

      I've gotten the E-mail several times since, and even snail mail on Suntrust stationery, imploring me to complete my enrollment. I haven't, and my online access is still working fine. I can't wait for them to shut it down so I can walk into their branch and show them that they are asking me to provide the very info they swore they would never ask me for by E-mail.

Lost? (1)

HTH NE1 (675604) | more than 6 years ago | (#21753374)

3.2 billion dollars were lost? No. The 3.2 billion dollars aren't really lost. They know where the money is, still. It's just when you go there, there's this new guy holding it.

It's just like when you lose a job, or a girl, right Mr. Goldthwait?

How about some unbiased journalism? (2, Insightful)

Mike Morgan (9565) | more than 6 years ago | (#21753474)

Gartner's wording shows a definite bias against those using alternative income techniques. Here's another way to read their summary:

"Gartner's latest survey into the realm of phishing shows increased income for 2007, with record revenue of $3.2 Billion (that's Billion, with a B) U.S. Dollars. Overall income per incident fell (to $886 from $1,244 made on average in 2006) but the numbers of individuals who subscribed rose quite sharply from 2.3 Million in 2006 to an impressive 3.6 Million. Though online portals Paypal and eBay remained the most useful brands, it appears phishing entrepreneurs are getting more creative utilizing fake electronic greetings cards, foreign businesses, and charitable organizations in their portfolio of profit generating techniques. Furthermore these budding corporate executives are increasingly taking interest in debit card and banking credentials rather than credit cards, because the alternative income technique protection mechanisms there are far weaker, according to a study done at The University of California at Berkeley."

</sarcasm>

There are over 300 million people in the US (1)

blueZ3 (744446) | more than 6 years ago | (#21753788)

Assuming that the 3.2 million incidents are from unique users, around one percent of the U.S population isn't able to avoid being victimized by a phishing scam.

The news here isn't "OMG scamming is teh huge!" but that the numbers are so low. My everyday experience would lead me to believe that the number would be significantly higher than 1%. I mean, I run across people every day where I wind up wondering "How does someone that stupid remember to breathe?"

A B (0)

Anonymous Coward | more than 6 years ago | (#21754218)

that's Billion, with a B

Yea, in case someone was reading this summary to you.

But What About My Dad (0)

Anonymous Coward | more than 6 years ago | (#21754450)

. . . and that bootleg copy of "Leisure Suit Larry" I found on his Win98 machine last Sunday?

How much do I get for turning him in?

darwinian principles at work? (1)

v1 (525388) | more than 6 years ago | (#21754480)

If you have money, and are stupid, you are likely to get phished. While getting phished is unlikely to collectively benefit stupidkind, they DO now collectively have much less money. This should either make them a less attractive target, or at least mitigate the level of damage the phishers can do. I suppose you could say the internet is being "phished out". Pretty soon "a fool and his money are soon parted" will have been applied enough that few of the stupid people have anything left to be phished? Looks like a problem that is destined to take care of itself.

The major sites contributing to the problem (1)

Animats (122034) | more than 6 years ago | (#21754610)

From the article:

Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers.

In practice, only a small minority of "legitimate Web sites or services" are "infection point providers". We have a little list. [sitetruth.com] Right now, there are 166 major sites known to be providing material support to phishing attacks. There were 171 when The Register covered this last week [theregister.co.uk] , so publicity is having some effect. Most sites on the list only stay there for a few days, until somebody fixes the problem. A few sites stay on the list, and may need a clue stick applied.

These are exploits of open redirectors, DSL lines with zombies, sites that let hostile content be uploaded (uploading a hostile ".swf" file to Photobucket, for example), and out and out break-ins. These aren't sites that are cooperating with phishers; they're innocent, but often clueless, victims.

We blacklist the entire second-level domain if there's any phishing activity anywhere in the domain. This is far more effective than blacklisting by URL. Phishing sites change URLs and subdomains constantly now, so blacklisting by URL is as useless as virus scanning by signature. Yes, there's some collateral damage. It's all to sites on that list. We make the list public, and provide links to the actual phishing information (which is from PhishTank. [phishtank.com] ), so major sites can fix their problems.

This part of the problem can be fixed. It just takes a hard-line approach.
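The contrast the comment above draws between blacklisting by URL and blacklisting the whole second-level domain, as an added Python example that is not SiteTruth's code or part of the original comment. The suffix set, the `Blocklists` class and all sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# deployment loads the full list, not these three entries).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def registered_domain(url):
    """Return the registrable domain of the URL's host, or the bare IP."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host  # IP literals have no domain to collapse to
    except ValueError:
        pass
    labels = host.split(".")
    # Keep three labels when the last two form a known public suffix.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class Blocklists:
    """The same phishing reports held as exact URLs and as whole domains."""
    def __init__(self, reported_urls):
        self.urls = set(reported_urls)
        self.domains = {registered_domain(u) for u in reported_urls}

    def blocked_by_url(self, url):
        return url in self.urls

    def blocked_by_domain(self, url):
        return registered_domain(url) in self.domains

# Constructed sample reports (not real feed data).
REPORTS = [
    "http://img7.photo-host.example/albums/x/login.swf",
    "http://www.example.co.uk/go?url=http://198.51.100.7/",
]
LISTS = Blocklists(REPORTS)
ROTATED = "http://img12.photo-host.example/albums/y/verify.swf"  # new URL, same domain
LEGIT = "http://www.photo-host.example/about"  # collateral damage case
UNRELATED = "http://www.example-two.co.uk/"  # shares only the public suffix

if __name__ == "__main__":
    for u in (REPORTS[0], ROTATED, LEGIT, UNRELATED):
        print(u, LISTS.blocked_by_url(u), LISTS.blocked_by_domain(u))
```

Taking only the last two labels of a host would reduce the second report to `co.uk` and block every site under that suffix, which is why the domain list needs public-suffix awareness.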

I don't believe it... (1)

Orig_Club_Soda (983823) | more than 6 years ago | (#21756128)

Not just because of Gartner's reputation, but losses are always grossly exaggerated and often based on intangibles like potential profit. Not to mention that this whole survey thing is a guesstimate.

Your typical fear-mongering.

Not lost! (1)

Thaelon (250687) | more than 6 years ago | (#21756402)

All that money wasn't lost. It just got moved around!