[Tech] Are banks promoting phishing?

妳真的很倫敦 posted on 2016-10-6 00:27:57
Jonathan Lister, Crunch Network Contributor
Jonathan Lister is CTO at online pension manager PensionBee.

I’ve recently seen a few examples of services that ask customers to type in their online banking usernames and passwords so the service can access their bank accounts on their behalf. The applications are fairly broad and definitely useful — making payments, ID verification and analyzing data, for example.
  This is a security anti-pattern. This is bad news.
   Banks regularly email their customers to say they will never ask for your password in an email and that attempts to do so should be reported as phishing. I’m a Metro Bank customer and the footer of each of their emails says:
  We’ll never send you an email, text or a website link asking you to enter your Internet Banking or card details. If you’re suspicious […] contact us immediately and we’ll get our security team on the case.
   Phishing is a serious security issue for banks. Industry data suggests that losses from online banking fraud were up 64 percent to £133.5 million in 2015 from £81.4 million in 2014. A Google search for “bank phishing” turns up results from all the major high-street banks, with titles like “Recognising & Preventing Phishing” and “Phishing & email scams.” Barclays has even started producing videos on the subject . So if the industry is, rightly, concerned with educating people about the risks of phishing, why on earth are they happy for their customers to put their login details into any other website than their bank’s website?
  Unintended consequences of legislation

I’ve spoken to the service providers about how they are able to offer this service to customers, as my first assumption was that it would be against the terms and conditions of the various online banking services. Having checked a few online banking terms and conditions, I found that customers are not protected against fraud if they have not kept their passwords safe. Lloyds even references information “aggregators” explicitly — Lloyds can close your online banking account if you give your security details to the service provider.
  The response from the service providers is interesting — and unnerving.
  All the service providers quoted “PSD2,” the revised Directive on Payment Services, a European law that came into force in November 2015. This is timetabled to pass into U.K. law in January 2018 (although Brexit…) and requires that banks open digital access to customers’ bank accounts to other companies. This is a huge deal. One of the people I spoke to about this said that the “banks could see the writing was on the wall with PSD2,” so they did not put up any objection to the service provider taking the username and password of the bank’s customer.
  But access is not the only thing PSD2 is meant to promote. Commissioner Jonathan Hill said at the launch of PSD2 that:
  European consumers want to know that their payments are safe when they shop or make a payment online. The new Payment Services Directive will ensure that electronic payments in Europe become more secure and more convenient for European shoppers.
  Of course, the arrival of PSD2 in early 2018 is providing a stimulus for companies to build services on bank accounts. If early adopters use a method of customer login that is indistinguishable from phishing, the problem that currently looks limited to a handful of services will burst into a million pieces when access to bank accounts is not only encouraged, but legislated for.
  Hang on, we’ve seen this before

   When Twitter first took off, it was not uncommon for a new website to ask for your Twitter username and password in order to, say, tweet on your behalf. Back in 2006, Blaine Cook , Twitter’s architect at the time, started working on an alternative that allowed you to grant access to certain information or capabilities, such as tweeting as you, without giving away the keys to your whole account.
   What Blaine and his collaborators worked on eventually became the OAuth standard and now powers all the “login with” Facebook/Twitter/LinkedIn/Google buttons you see on websites all over the internet.
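The delegation model the article describes, contrasted with handing a service your password, as an added example that is not code from the article, PensionBee, Monzo or the Open Banking Standard (the class names, scope strings, one-hour token lifetime and sample balance are all made up for illustration):

```python
import secrets
import time

class BankAuthServer:
    """Toy OAuth-style authorization server: issues scoped, expiring, revocable tokens."""
    def __init__(self):
        self._codes = {}    # single-use authorization codes -> (user, scopes)
        self._tokens = {}   # bearer token value -> {"scopes", "exp", "revoked"}
    def authorize(self, user, scopes):
        # The customer logs in and consents on the bank's own site; the third party
        # never sees the password and only receives this single-use code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, frozenset(scopes))
        return code
    def exchange_code(self, code, ttl=3600):
        _user, scopes = self._codes.pop(code)   # pop: a replayed code raises KeyError
        value = secrets.token_urlsafe(24)
        self._tokens[value] = {"scopes": scopes, "exp": time.time() + ttl, "revoked": False}
        return value
    def revoke(self, value):
        # The customer cuts off one service without changing the bank password.
        self._tokens[value]["revoked"] = True
    def check(self, value, scope):
        tok = self._tokens.get(value)
        return bool(tok and not tok["revoked"] and time.time() < tok["exp"]
                    and scope in tok["scopes"])

class BankAPI:
    """Resource server: each operation is gated on a specific scope, not on identity."""
    def __init__(self, auth):
        self.auth = auth
    def balance(self, token):
        if not self.auth.check(token, "accounts:read"):
            raise PermissionError("accounts:read scope required")
        return 1250.00                          # constructed sample balance
    def pay(self, token, amount):
        if not self.auth.check(token, "payments:write"):
            raise PermissionError("payments:write scope required")
        return f"paid {amount:.2f}"

def demo():
    # Read-only grant: balance is readable, a payment is refused, revocation ends access.
    auth = BankAuthServer(); api = BankAPI(auth)
    token = auth.exchange_code(auth.authorize("alice", ["accounts:read"]))
    bal = api.balance(token)
    try:
        api.pay(token, 100.0)
        payment = "allowed"
    except PermissionError:
        payment = "denied"
    auth.revoke(token)
    return bal, payment, auth.check(token, "accounts:read")
```

With a shared password the aggregator holds exactly the customer's authority, including payments; with the token it holds only what was consented to, for a limited time, and the grant can be withdrawn on its own.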
So why not OAuth for banks? The Open Bank Project advocates for OAuth, but, unfortunately for us U.K. customers, its adoption has been limited so far to German banks (however, this in itself is a great success). The U.K. government commissioned the Open Banking Working Group (OBWG) in late 2015, to explore the question of opening up data held by banks. The OBWG published their findings as the Open Banking Standard in August this year. Happily, they have also recommended the use of OAuth*. The only U.K. bank that has taken up the OAuth gauntlet so far is Monzo.
  So the outlook at this point is mixed. The Open Banking Standard is not expected to be implemented in its full glory until 2019, although initial services that only read information are expected in 2017. If you’re reading this as a consumer, be vocal in demanding safe and secure access to your bank account. If you are responsible for building an online product, make a point of not making poor choices for your customers. Between now and 2019, there is still plenty of time for keen fintech startups to open services that train bad habits into people and leave them vulnerable to fraud.
   * Technical caveat: There are some credible issues with their choice of the particular version of the standard — Teller.io is being particularly proactive in response.
   Featured Image: wk1003Mike / Shutterstock

得意的笑 posted on 2016-10-6 00:49:48
OP, dare to post something more creative? The guys are waiting to watch~

Wedrgzoy posted on 2016-10-6 00:55:48
Rich and willful...

tearss posted on 2016-10-6 00:56:59
Rich and willful

qweeeerrghghy posted on 2016-10-6 01:03:03
Following!

46939 posted on 2016-10-6 02:06:23
Just passing through

姜陈 posted on 2016-10-6 02:08:43
What's up with this Thursday?

冯俊雄 posted on 2016-10-6 02:16:53
Front row, showing support

雷震 posted on 2016-10-6 02:17:03
Grabbing points, passing by

忘记过去_→ posted on 2016-10-6 02:17:04
Support the OP, stand by the OP, the OP is wise!!!
