[slt2021]

No-one is actually breaking into a bank and stealing $$ from your account.

Virtually most of the fraud is happening due to customer's own fault, not strictly bank's fault:

1. installed malware and got all saved CC data stolen

2. website you ordered your widgets got hacked and your CC stolen

3. clicked phish linked and lost your online bank credentials

4. got scammed and sent zelle to a scammer

5. used shady website to order deeply discounted electronics / signed up for adult membership website - and gave your CC data right into hands of fraudsters

6. used shady third party ATM in tourist place like Cancun and got your card skimmed etc

7. used same user/pass credentials for online banking, as your email account, and your online bank got taken over

[ygjb]

So point by point: 1. Stealing a credit card number, ccv, expiry, and name shouldn't be game over. It is because businesses want to reduce friction for customer purchases. If card not present transactions required a second step of verification, for example, multi-factor authentication, it would drastically reduce this type of fraud. Unfortunately it would also increase friction for online purchases, which is why everyone in the card processing chain is looking to shift liability away from themselves.

2. That is not the customers fault. Full stop. Yes, some sites are more shady than others, but there is nothing a consumer can do to determine if a service provider will get hacked.

3. Yes. Unfortunately, phishing is really easy. Despite the prevalence of this attack, training users to effectively detect and avoid being a victim is almost impossible.

4. See #3.

5. See #2.

6. How is a customer supposed to validate the security of an ATM against modern skimming technology, many of which are virtually indistinguishable from normal bank machines.

7. Yep, not great. Why don't banks require 2FA? Because it creates friction and increases costs. Better to just externalize the risk.

Your entire blame the user argument is bunk that has been packaged up and recirculated by the finance community for almost 20 years (and I have been using these arguments against them for nearly that long, granted it's close to ~12 years since I worked in infosec at a bank).

[glitcher]

Now go and explain to anyone's grandmother how this list of items is her fault. Hard disagree on victim blaming being the answer.

Sure all of us can learn to be more careful with tech, but the way banks frame fraud against them as identity theft against you is slimy doublespeak.

[slt2021]

Answer is simple: if you cant use technology safely - dont use it! Problem is nobody is teaching effective fraud defense for consumers at scale.

Disable online banking, use checkbook and write checks everywhere or carry cash. I still see older people use checkbooks from time to time, even shopping groceries.

Problem solved.

We require drivers license to operate vehicle, it is time we should require infosec101 training before handing over credit cards and or online banking accounts.

So that you cannot blame the bank for your own fault.

Or migrate to something Apple Pay, but that also does not guarantee 100% fraud prevention

[glitcher]

Oh if the world could just be so simple. Can't protect yourself from getting mugged, stop going outside. Problem solved.

The reality of any non-trivial issue is that we have to consider potential improvements from all angles. I want to improve tech for grandma and for the bank, doesn't that seem like a goal worth working towards? And let's please not pretend that banks are infallible in all of this, they also have opportunities to improve.

[slt2021]

the actual protection from getting mugged is moving to a safe neighbourhood.

People must adapt, because it is unreasonable to expect the world to adapt to the most naiive user. You either will get mugged every day, or you learn your lesson and move out to safe neighborhood, or you buy a gun and solve mugging problem for everybody else one shot at a time.

same with fraud - user will continue getting defrauded and scammed until user learns the lesson and either abandons tech he.she is unable to use securely, or adapt and learn how to use it

[autoexec]

> the actual protection from getting mugged is moving to a safe neighbourhood. People must adapt, because it is unreasonable to expect the world to adapt to the most naiive user. You either will get mugged every day, or you learn your lesson and move out to safe neighborhood, or you buy a gun and solve mugging problem for everybody else one shot at a time.

It's almost cute how you think people living in places with high crime rates wouldn't jump at the chance to move to a nicer neighborhood with lower crime rates, and that the reason they don't is because they haven't "learned their lesson".

Everyone buying guns and then going around shooting criminals is not a solution to crime, but if you're convinced it's a good idea, why not try it for yourself and "learn your lesson"

[slt2021]

Everybody makes tradeoffs, if you cant move out - you cope.

I grew up in high crime third world country and all young with half a brain folks emigrated as soon as they could.

The rest had to adapt and cope, due to different life choices and trade offs.

Yes you can blame the government for being unable to fix high crime, and sit helplessly while waiting for the same government to fix the problem.

Or you can get matter in your own hands and solve it the way you can.

Fraud problem cannot be attributed to banks 100%, given that users are at fault

[Rygian]

So you are advocating for the vast majority of the internet population to stop using online banking.

Let's flip the omelette: no one forces banks to do business online; if a bank can't build secure online banking, they can default to checkbooks and cash. They have the means and motive to build solutions that are actually secure and usable, so they should bear the burden of dealing with fraud when their solutions fail to be secure.

[slt2021]

Most of the online banks are pretty secure for non-oblivious person.

I always used online banking and never got scammed. It is pretty secure for me.

Combination of user & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts is the industry minimum standard.

User is the weakest link always, you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.

These people need life lesson to learn how to operate technology safely.

Although I agree that online banking could be made more secure, but the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.

[ygjb]

> Most of the online banks are pretty secure for non-oblivious person.

Ok, granted, I spent the last 23 years of my life working in IT security across consulting, government, finance, and tech companies, but this is just garbage. Banks only invest in security to the degree that: - they are legally required to - they have contractual obligations to - that the risk of loss for a specific class of incident exceeds their self-insurance threshold

That's not a hypothetical comment, that is something that was explained to me as an AppSec lead when running into walls trying to get some issues fixed at one of the largest banks in the world. For the record, the issues that I was trying to have remediated would have had to exceeded an annualized loss expectancy for the region I was operating in of 10 million dollars per year to be considered risky.

Your definition of a bank being pretty secure and mine are probably radically different.

> Combination of user & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts is the industry minimum standard.

Sure, users should choose strong passwords. Banks should also require multi-factor authentication (real 2fa, not the SMS based weaksauce that a bunch use). But, that increases support and transaction costs. So, instead, blame the user! Beyond password selection, there is also the issue of how passwords are hashed, salted, stored, and brokered into a more reliable back-end credential that can be used, absolutely none of which the user has input into or control over, but sure, blame the user.

> User is the weakest link always, you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.

sigh you really like banging that drum.

> These people need life lesson to learn how to operate technology safely. > Although I agree that online banking could be made more secure, but the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.

There is absolutely no way to train average users to operate modern internet technologies safely because the average user has no effective control over the software and hardware they use (yes, Linux is a thing, and so is open source hardware, but users of those OS and hardware are not average users)

The primary reason the incidence of fraud is so high in the finance sector is because business has chosen to optimize for high transaction volume, and has accepted the risks of doing so. Stop trying to blame end users.

[ygjb]

> We require drivers license to operate vehicle, it is time we should require infosec101 training before handing over credit cards and or online banking accounts.

Sure. Why not start with an outline for what infosec101 should look like. Include estimates for how long the training should take, what the cadence for testing should be, and which agency should be responsible for validating that training. Do be sure to accurately communicate the degree to which an end user with a chip enabled bank or credit card has the ability to distinguish and disambiguate what constitutes a 'safe' or 'legitimate' online business. Also, include some details about how individuals who have been certified as completing this class and/or licensing scheme should procure insurance to protect themselves in case of an accidental data breach (for example, they leak their card info), and outline the process by which that same licensee can file an insurance claim against the insured party downstream of the physical point of payment or online payment portal that allowed a breach to happen. After all - if we are going to require online safety training, and licensing, then we should create another insurance scheme to facilitate resolution of those claims and resolve the costs.

It is really easy to point the fingers at a customer and say "problem exists between chair and keyboard", but the reality is that in the modern economy, the end user has almost no control over the security of their transactions, and little ability to influence how their purchase is handled beyond the question of "cash or card".

The only incentive that retailers, online stores, payment processors, and financial institutions have to resolve this is the simple fact that they own the liability for this, and it's only through the myth of the idiot user that they have been able to shift that liability, to varying degrees, back to the consumer.

[firefoxkekw]

8. Using android phones that haven't received any security updates in the last few years because the vendor stopped releasing updates a couple of years after the release.

[velavar]

So true and something I see everyday on my job! it's no wonder then that financial companies have to resort to using data from companies like Telesign to view these red flags and attempt to detect fraud.

[youngtaff]

They could offer decent 2FA i.e. not SMS, for starters