Thursday, August 20, 2009

HomeATM's Weapon of "Phish Destruction"...

There are a lot of banking promotions cropping up designed to "lure" customers over.

Want to lure them over? Use phishing. Did I just say "use phishing" to lure them over? I did.

$100 isn't going to do it. When it comes to innovative marketing ideas, bribing a customer has never been near the top of the list. But...instead of customers being lured away from your bank by becoming a victim of phishing, "lure" them to your bank by using "phishing" as bait. It'll work hook, line and sinker.

Here's what I'm thinking. How about running an innovative promotion in which a bank guarantees their customer is 100% protected from phishing? If you lure them by protecting them from the bad guys (which would also protect the $1000's, not $100, in their bank account), you would attract more customers than $100 would AND, at the same time, enhance your bank's image. It's all about security. Here's proof:

HALF (49%) Would Consider Changing Banks Following Card Fraud...22% "Would" Change Banks!

Editor's Note: Wow, if I was a financial institution offering "online banking" that headline would haunt me 24 hours a day until I figured out a way to either change it or use it to create an opportunity for my online bank to flourish.

My first thought would be: "If 50% would consider "changing banks AFTER" they get hit by card fraud/online banking/phishing fraud, how many would consider "changing banks" to "AVOID" getting hit?"

And to which competitor would they go?

I'd conclude that if they "left because of insecurity" they would probably "come on board BECAUSE of security."

So if I wanted to open a portal for dissatisfied online banking customers, I would use a uniquely positioned product to ensure my customers' security. I'm thinking Swipe vs. Type here. Then I would think...how many potential customers could my bank procure by "guaranteeing" online security? Research would determine if it was millions or only "Hundreds of Thousands." I think I made my point. If not, I challenge you to continue reading...

Banks have a "serious issue" with phishing and I am suggesting that there is a low-cost solution that completely eliminates this on-going threat.
Eliminate typing and you'll eliminate phishing. First, a quick backgrounder...

The nature of this beast known as "phishing" is to lure these online banking folks with a sophisticated and genuine-looking trap, which includes genuine-looking emails that provide links to genuine-looking sites (a new "type" of bait and switch).


Once there, users are simply instructed to do what they've been programmed to do since day one with online banking. And therein lies the problem...
They are told to "type" in their username and password to log-in.

Problem is, once they "type" in their "username | password" they provide full access to their accounts to the phisheries.


If you haven't figured it out already (something phishy goin' on here), allow me to point out the major flaw in this process...


If online banking customers had not been originally programmed to "type" anything into a box in the first place, then this type of phishing would not have cropped up in the second place. A simple case of "cause and effect."


Case in point: Imagine, if you will, that when ATMs first came out, users were instructed to "make up" a username and password which would have provided full access to ATMs. How smart would that have been?

Fortunately the banks were smarter than that and they required that their ATM customers insert their card into a built-in card reader AND enter their PIN. Two factor authentication 101: what you "have" (card) and what you "know" (PIN).

Why should it be any different for online banking log-in?

What has happened since then to make them believe "typing" is safer than "swiping?" Why are they suddenly dissin' the card?


Window of Opportunity

Instead of dissin' the card, I say "DISCARD" the antiquated username and password log-in process and instruct customers to "USE THEIR CARD" (what they have) and their PIN (what they know), thereby replicating the exact same process these customers use to gain access to an ATM.

True 2FA. The only difference would be that authentication would be done in the safety (no skimmers/no cameras) of the online banking customer's own home...with a PCI 2.x certified (not compliant..."certified") personal PIN Entry Device (providing 2FA 3DES E2EE DUKPT Security).

If the online banking community introduced their customers to a simple (not) new log-in process, one whereby they require that their online banking customers log-in the "same way" they do at ATMs...by "swiping" "THEIR CARD" and securely entering "THEIR PIN"...they would greatly enhance the security of their online banking sites.


This two factor secure log-in would eliminate the issues they are having with these phishing attacks altogether. A secure 2FA 3DES E2EE DUKPT log-in would also eliminate threats created by cloned bank websites, cloned cards, DNS hijacking, etc. The data is never in the clear...so when it comes to becoming a victim of fraud, your customer is in the clear.
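To make concrete what "the data is never in the clear" means for a swipe-and-PIN log-in, here is an added example (my own code, not HomeATM's product or firmware). It models a PIN Entry Device that builds an ISO 9564 format 0 PIN block, encrypts it under a key derived per transaction from a device base key and a counter (the DUKPT idea), and a bank host that derives the same key, checks integrity, rejects a replayed copy of a captured message, and only then recovers the PIN. 3DES and the real DUKPT key ladder of ANSI X9.24 are stand-ins here: HMAC-SHA256 is used for key derivation, keystream and tag so the example runs on Python's standard library alone. The device id, card number and PIN are constructed sample values.

```python
import hashlib
import hmac
import os

# Added example, not HomeATM's code. 3DES and the ANSI X9.24 DUKPT key ladder are
# replaced by HMAC-SHA256 constructions so this runs on the standard library only.


def derive_transaction_keys(base_key: bytes, ksn: bytes) -> tuple[bytes, bytes]:
    """Stand-in for DUKPT: a unique (encryption, MAC) key pair per Key Serial Number,
    one-way from the device base key, so a recovered transaction key never exposes the base key."""
    enc = hmac.new(base_key, b"enc|" + ksn, hashlib.sha256).digest()
    mac = hmac.new(base_key, b"mac|" + ksn, hashlib.sha256).digest()
    return enc, mac


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt one 8-byte block with a key-derived keystream (stand-in for 3DES)."""
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def pan_field(pan: str) -> bytes:
    """ISO 9564 format 0 PAN field: 0000 + rightmost 12 PAN digits excluding the check digit."""
    return bytes.fromhex("0000" + pan[-13:-1])


def format_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format 0: PIN field (0, length, digits, F padding) XOR PAN field."""
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field(pan)))


def extract_pin(block: bytes, pan: str) -> str:
    """Reverse format_pin_block at the host once the block has been decrypted."""
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


class PinEntryDevice:
    """The customer's PED: holds a base key injected at manufacture and a transaction counter."""

    def __init__(self, device_id: bytes, base_key: bytes):
        self.device_id, self.base_key, self.counter = device_id, base_key, 0

    def login_message(self, pan: str, pin: str) -> dict:
        self.counter += 1                                    # never reused: basis of replay rejection
        ksn = self.device_id + self.counter.to_bytes(4, "big")
        enc_key, mac_key = derive_transaction_keys(self.base_key, ksn)
        ciphertext = xor_keystream(enc_key, format_pin_block(pin, pan))
        tag = hmac.new(mac_key, ksn + ciphertext, hashlib.sha256).digest()
        # Only this leaves the device: no PIN, no key. A cloned site sees exactly this and no more.
        return {"pan": pan, "ksn": ksn.hex(), "pin_block": ciphertext.hex(), "tag": tag.hex()}


class BankHost:
    """The bank side: mirrors device base keys (in practice inside an HSM) and tracks counters."""

    def __init__(self):
        self.device_keys: dict[bytes, bytes] = {}
        self.last_counter: dict[bytes, int] = {}
        self.pins: dict[str, str] = {}   # simplified; a real host verifies against a PIN offset in the HSM

    def register_device(self, device_id: bytes, base_key: bytes) -> None:
        self.device_keys[device_id] = base_key

    def enroll_card(self, pan: str, pin: str) -> None:
        self.pins[pan] = pin

    def verify_login(self, msg: dict) -> str:
        ksn = bytes.fromhex(msg["ksn"])
        device_id, counter = ksn[:-4], int.from_bytes(ksn[-4:], "big")
        base_key = self.device_keys.get(device_id)
        if base_key is None:
            return "unknown device"
        if counter <= self.last_counter.get(device_id, 0):
            return "replay rejected"                         # a captured message presented again
        enc_key, mac_key = derive_transaction_keys(base_key, ksn)
        ciphertext = bytes.fromhex(msg["pin_block"])
        expected = hmac.new(mac_key, ksn + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            return "tampered"
        self.last_counter[device_id] = counter
        pin = extract_pin(xor_keystream(enc_key, ciphertext), msg["pan"])
        stored = self.pins.get(msg["pan"], "")
        return "ok" if hmac.compare_digest(pin.encode(), stored.encode()) else "bad pin"


def demo() -> dict:
    """Genuine log-in, replay of the captured message, a tampered copy, a fresh log-in, a wrong PIN."""
    pan, pin = "4111111111111111", "1234"                # constructed sample card, not a real account
    base_key = os.urandom(32)
    host = BankHost()
    host.register_device(b"PED00001", base_key)
    host.enroll_card(pan, pin)
    ped = PinEntryDevice(b"PED00001", base_key)

    captured = ped.login_message(pan, pin)
    results = {"genuine": host.verify_login(captured)}
    results["replay"] = host.verify_login(captured)       # same KSN again: rejected before decryption
    second = ped.login_message(pan, pin)
    flipped = bytes(b ^ 0xFF for b in bytes.fromhex(second["pin_block"])).hex()
    results["tampered"] = host.verify_login(dict(second, pin_block=flipped))
    results["fresh"] = host.verify_login(second)
    results["wrong_pin"] = host.verify_login(ped.login_message(pan, "9999"))
    return results


if __name__ == "__main__":
    print(demo())
```

What a cloned site or hijacked DNS entry can capture is the dict returned by login_message: a device serial, a counter, ciphertext and a tag. Presented again it fails the counter check; altered it fails the tag; and neither reveals the PIN, because the base key never leaves the device and the bank's key store. The host-side counter bookkeeping (last_counter) is what turns encryption into replay resistance; without it a captured block could be presented again just like a typed password.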

In effect, banks would be arming their online banking customers with a weapon of phish destruction, one that fights cybercrime and "empowers" them as mini-profit centers. Does anyone disagree with the statement that "Bill Payments, Money Transfers, and secure online transactions" ALL make money for banks? (again, see previous post)



That said, I humbly suggest it's high time to "study three key issues" more closely.

Let's look at "these issues" one at a time:


    • Bank "ISSUES" the Card,
    • Bank "ISSUES" the PIN,
    • Bank "ISSUES" a $12 PCI 2.x Certified 2FA 3DES E2EE DUKPT Secure Card/PIN Reader

      $12! Yes (in quantity)...banks could save $88 per customer (compared to Citi's offer above) and PROTECT their customer. Protect them from what? Did you know that the average phishing attack costs the bank and the bank customer $350? Want proof?

      Okay, here it is from Gartner Research:

      According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks.

      (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.)
      The average loss was $352 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (sounds like the $100 bribe above is lost in the first phishing attack to me)

      "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner.
      (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)

      Want to read more on this subject? Scroll down to the next post. I'll make it easy...click here.
