Posted by: admin, 15 years, 11 months ago
Kudos to ETrade for offering a "zero liability" account. I suspect this is an attempt to foil my prediction that brokerage accounts will be increasingly targeted by phishers. (Though, to be honest, the phishers were getting off to a good start in Q4.)
Brokerage accounts are tempting targets. Most people who have a brokerage account hold more in it than in their checking or savings accounts, and because withdrawals from it are infrequent, it is probably harder to spot one that is fraudulent. With bank accounts, phishers target a large number of users for small dollar amounts; with brokerage accounts, they go after fewer victims for much bigger dollars. From the BusinessWeek article:
Arriving home from a five-week trip to Belgium and India on Aug. 14, a jet-lagged Korukonda L. Murty picked up his mail -- and got the shock of his life. Two monthly statements from online brokerage E*Trade Financial (ET) showed that securities worth $174,000 -- the bulk of his and his wife's savings -- had vanished.
It probably won't be long before the other online brokers (which, as with banking, means pretty much everyone) follow suit. Here's a clip from ETrade's disclosures:
Fraud Coverage: You should regularly check your Smart Alerts and monthly statements for accuracy. We may impose greater liability if we determine that an unauthorized transaction was caused by your fraudulent action or gross negligence - which may include any delay in reporting unauthorized transactions to us.
Related Party Fraud: We will not be responsible for withdrawn funds if you provide your User ID or password to anyone else.
Repeat Account Compromise: We may notify you that your personal computer systems have been compromised and require corrective actions such as hard drive clean-up, the need to change your User ID and password, or to install up-to-date anti-virus software. If you fail to take these corrective actions and your E*TRADE Securities or E*TRADE Bank accounts are compromised within one year of our notice, then E*TRADE Securities or E*TRADE Bank will not be responsible for any losses you sustain as a result of any subsequent identity theft or fraud.
So consumers have to take responsibility for their own computers and passwords, and have to keep an eye on their balances. Emergent Chaos wonders whether this will give users an incentive to choose weak passwords. Could be; I can't find any information about ETrade's password requirements. Collusion is also a possibility: it would be easy to stage a fake man-in-the-middle (MITM) attack, then be able to prove that your computer was not compromised and so qualify for the zero-liability coverage.
Because of the large dollar amounts and the infrequency of transactions, brokerages should investigate transaction authentication: confirming the details of each withdrawal (amount and destination) out of band, rather than only authenticating the session at login.
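As an added example (not WiKID's code and not ETrade's process), here is what transaction authentication buys over a plain one-time password: the approval code is an HMAC over the exact transfer details the user saw on an out-of-band token, so a man-in-the-middle who rewrites the destination account cannot reuse the code, whereas a session OTP that is not bound to the transfer is accepted unchanged. The token key, account names, amount and the HOTP-style truncation are assumptions made up for this illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Secret shared between the broker and the user's out-of-band token at
# enrollment. Constructed sample value for this example, not a real key.
TOKEN_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


@dataclass(frozen=True)
class Transfer:
    """The fields of a withdrawal that the user is asked to confirm."""
    from_account: str
    to_account: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order and no whitespace, so the token and the server
        # MAC exactly the same bytes for the same transfer.
        return json.dumps(
            {"from": self.from_account,
             "to": self.to_account,
             "amount": self.amount_cents},
            sort_keys=True, separators=(",", ":"),
        ).encode()


def _truncate(mac: bytes, digits: int) -> str:
    # Dynamic truncation as in RFC 4226 (HOTP), reduced to `digits` decimal digits.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_code(key: bytes, transfer: Transfer, digits: int = 8) -> str:
    """Code the token shows after the user approves these exact transfer details."""
    return _truncate(hmac.new(key, transfer.canonical(), hashlib.sha256).digest(), digits)


def verify_transaction_code(key: bytes, received: Transfer, submitted: str) -> bool:
    """Broker recomputes the code over the transfer it actually received."""
    return hmac.compare_digest(transaction_code(key, received), submitted)


def plain_otp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style one-time password bound to a counter only, shown for contrast."""
    return _truncate(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest(), digits)


def verify_plain_otp(key: bytes, counter: int, received: Transfer, submitted: str) -> bool:
    """The transfer plays no part in this check, which is exactly the weakness."""
    # `received` is deliberately ignored: a session OTP says nothing about the payee.
    return hmac.compare_digest(plain_otp(key, counter), submitted)


def demo() -> dict:
    # Constructed scenario: the user intends this withdrawal...
    intended = Transfer("brokerage-1001", "checking-2002", 17_400_000)
    # ...but a man-in-the-middle rewrites the destination before the broker sees it.
    tampered = Transfer("brokerage-1001", "mule-9999", 17_400_000)

    # The token displays `intended` and the user approves it; the resulting
    # code is bound to those details. A plain OTP for the session is also issued.
    approved = transaction_code(TOKEN_KEY, intended)
    otp = plain_otp(TOKEN_KEY, counter=42)

    return {
        "transaction_code_accepts_intended": verify_transaction_code(TOKEN_KEY, intended, approved),
        "transaction_code_accepts_tampered": verify_transaction_code(TOKEN_KEY, tampered, approved),
        "plain_otp_accepts_tampered": verify_plain_otp(TOKEN_KEY, 42, tampered, otp),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The important design point is canonicalization: the token and the broker must MAC byte-identical representations of the transfer, which is why the fields are serialized with a fixed order and no whitespace. In a real deployment the token would also bind a counter or timestamp into the MAC so an approved code cannot be replayed for an identical second transfer.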