
Is everything we know about password stealing wrong?

Posted by malcolm on Monday, January 6th, 2014 at 15:15

A paper from Microsoft Research argues that theft of banking passwords poses a much lower risk to consumers than previously thought, thanks to consumer protection laws. The analysis suggests that when consumers are guaranteed reimbursement for fraudulent withdrawals from online banking accounts, the loss falls not on the bank but on the “mules” recruited by phishing fraudsters. Phishing fraudsters send the money they steal to mules for onward transmission via an untraceable, irreversible service like Western Union; the mule is allowed to deduct a “commission”, supposedly easy money. The service the mule provides to the phisher is to convert a reversible banking transfer into an irreversible one; when the phished money is recovered by the bank, it is the mule who loses out.

“Mules” are recruited online by being promised easy money to “work from home”, and are told they are working for an import/export company. People who sign up to become mules are often of low education and limited financial means.

The research paper suggests that, once consumers have been given protection (which is guaranteed by law in the USA, but not in the UK) and banks have ensured they can charge back fraudulent debits (which is already in place), the best way to reduce phishing fraud is to concentrate on reducing the supply of mules. This could be done by raising awareness that it is the mules, rather than the victims of password theft, whom the phishing fraudsters are really scamming. This, it is suggested, would be much more effective than increasing protection for banking passwords, which actually play only a relatively minor part in the security of the online banking system.


© London Internet Exchange, 2018 Registered office: London Internet Exchange Limited, 2nd Floor, Trinity Court, Trinity Street, Peterborough PE1 1DA United Kingdom . Registered in England, Number: 3137929
VAT Registration Number: GB 665 9580 82 Head office main telephone number Telephone: +44 (0)1733 207700 Fax: +44 (0)1733 207729
