Next Gen Phishing Improves on Simple Spam

An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"

Inaccurate Term?

[TripMaster Monkey]

Not to be pedantic here, but if a person gains access to users' passwords by hacking the actual site, rather than sending out bogus emails and/or setting up counterfeit web pages, can this activity really be called 'phishing'?

From TFA:

You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.

And from the 'phishing' entry in Wikipedia:

In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.

This attack does not consist of masquerading as a trusted party...it consists of compromising said trusted party. Thus, this activity cannot accurately be referred to as 'phishing'.

Re:

[Cocoronixx]

In the author's defense, If they called it black-hat hacking this would be a non-story. The addition of a 'Next-Gen' buzzword, as well as trying to somehow link Trojan writing with spam and phishing creates a much more exciting article.

In other news I have created a Next-Gen motorcycle that gets unlimited miles to the gallon, due to the addition of two levers that you operate with your feet that drive the rear wheel using a combination of chains and sprockets.

Re:

[stud9920]

Yes, but does IT require you to put a controlling rod in your anus ?

Re:

[Cocoronixx]

Yeah, I realized that after I posted that maybe some people would not realize I was talking about the nanocycle. Shoulda used preview.

Re:

[Cocoronixx]

Yeah, assuming someone is intelligent can sometimes backfire, and on slashdot it's a little bit more than sometimes.

Re:

[aplusjimages]

The author should have made a new buzzword for it, like "Fishing 2.0". By the way I am very interested in the next gen motorcycle that gets unlimited miles to the gallon. Do you have pictures and specs? This could revolutionize the world.

Re:

[MarkGriz]

The author should have made a new buzzword for it, like "Fishing 2.0".

Perhaps he tried but O'Reilly's lawyers gave him the C&D smackdown :-)

Re:Inaccurate Term?

[Fred_A]

The author should have made a new buzzword for it, like "Fishing 2.0".

I hereby propose pharming (to keep a logical progression of stupid buzzwords).

Re:

[discHead]

But I thought "pharming" was the word for growing crops genetically modified to produce pharmaceuticals.

Re:

[MadMidnightBomber]

I hereby propose pharming (to keep a logical progression of stupid buzzwords).

O ye of insufficient cynicism: pharming [wikipedia.org] is taken.

"Pharming is a hacker's attack aiming to redirect a website's traffic to another (bogus) website. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software."

Re:

[Fred_A]

Damn. Hunthing then ? Phunting ? Ah bah.

Re:

[MLease]

Did that "WHOOOOOOOOSH" sound make you duck?

-Mike

Re:

[Cocoronixx]

http://www.houseoftheorangemonkey.co.uk/monkey/mob ile/images/mbike02.jpg [houseofthe...nkey.co.uk]

Re:

[WhiplashII]

New phishing method of identity theft discovered! Thugs with guns run up and ask you what your name is!

Re:

[kfg]

. . .this activity cannot accurately be referred to as 'phishing'.

Maybe it's the next gen "having an ice cream cone," or the next gen "going to the movies."

At the very least calling it one of those would make just about as much sense as calling it "phishing."

KFG

It's even worse in TFA.

[khasim]

OK, so hacking into a 'trusted' Web site may not be all that easy. However, as people become more savvy about phishing scams and less people open unsolicited e-mails, fraudsters need to find alternative ways of stealing users' banking passwords.

So you could break into a bank and steal a backup tape with usernames/passwords and that would be "phishing".

Tom Chan, enterprise and client services manager for Messagelabs Asia Pacific, told me that because of more educated users and improved anti-spam engines, the

Re:

[cp.tar]

rapidshare.de/files/32691236/summertit_hang_2.ra r

Hmm... NexGen phising seems too... weak for that kind of thing...

Let's call it DyNaMiTe Phishing or something...

Re:Inaccurate Term?

[thewiz]

I think the new term would be "phucking" as that is what happens to the company and the customer.

Re:

[giorgosts]

well, the greek text doesn't show up correctly, but you should blame it on no unicode support on slashdot.

Re:

[Intron]

Some people fish with rod & reel, some with nets, and some with a stick of dynamite. It all depends on what works best.

Re:

[RyoShin]

I was going to reply with the same thing.

This is not phishing. This is cracking, pure and simple.

Phishing implies that they have to set out "bait" to get what they want, but hacking into a site to capture passwords involves no bait.

Besides, Phishing exploits can be uncovered by normal users with a little education. Cracking attempts are far harder for the basic user, or even an experience user, to recognize client-side unless the cracker is stupid and changes the layout and functionality of the website.

Re:

[zero1101]

You missed the point of TFA. The point is that attackers are using compromised web hosts as a delivery device for the standard malware, not that they are stealing user information for any particular site. The bad guys are counting on the fact that you, as an internet-savvy web surfer, "know" that files coming from www.trustedsite.com are safe.

Re:

[beh]

This attack does not consist of masquerading as a trusted party...it consists of compromising said trusted party. Thus, this activity cannot accurately be referred to as 'phishing'.

I don't agree with that.

Yes - this requires hacking the trusted party's site.
But what happens next?

A) The cracker breaks the internal databases and reads out all information from it. This clearly wouldn't be phishing. But - it's a very difficult thing; most DBs in those apps are locked down pretty well - and passwords etc. will

Need a new metaphor

[Moby Cock]

It seems to me that the 'fishing' metaphor is no longer apt in this case. Cracking web servers and installing key logger trojans is plain old balck hat hacking.

Re:

[aminal]

Social engineering like phishing is plain old black hat hacking too.

Re:

[Kamineko]

Do we use the word 'phalsiphying'?

Who hires these experts?

[3.5 stripes]

Their qualifications for describing new types of attacks (which are actually age old) seem pretty phishy. Hell, they could have called it a server side trojan. I can do a better job than them, and I'm some guy wasting my time browsing slashdot..

Even the well educated fall for it...

[Alkivar]

After working in bank security for a few months, I was always constantly amazed by how even the most educated of web users still falls for a phishing scam. I wonder if that has more to do with lack of education regarding bank/web security or have phishers just gotten that much better?

Re:

[Colin Smith]

education != intelligence

Re:

[Anonymous Coward]

I was always constantly amazed

My personal experience is that I'm either sometimes constantly amazed, or I'm always occasionally amazed.

Re:Even the well educated fall for it...

[Billosaur]

I wonder if that has more to do with lack of education regarding bank/web security or have phishers just gotten that much better?

Phishers have gotten better, but the bottom line is: the average on-line banking customer is still pretty clueless. They subscribe to the theory, "if it walks like a duck and quacks like a duck and looks like a duck, it's a duck," which on the Internet is akin to measuring the speed of a bus by being hit by it and seeing how much it hurts.

My maxim has been: if it's actually from my bank, then I should be able to take a copy of the email to my local branch or call the bank and ask if the information in it is correct, i.e. have they lost all my data? The answer in 99.9% of cases will be no; of course there are increasingly less rare occasions where the bank has lost your data or let it get out into the wild. In those cases, the bank isn't generally going to admit it until some plucky person figures it out and makes them own up to it.

Re:

[jonwil]

Any good bank with an online banking system will use some kind of notification/messages in the online banking UI itself or will use physical mail instead of email (or in addition to the email).
Generally I ignore any emails claiming to come from my bank. If the information is that important, I will recieve a paper letter or I can read about it on the website/online banking.

Re:

[bogado]

My credit card (Mastercard citi in Brasil) has sent me, not one but two emails warning me that they have changed their website address. I know that they were not fraudulent because they did used the correct email that I used only with them and they also used the correct name. The email had all kind of red-flags in it, web-bugs to different servers (*), html-only, several diferent links to the same page (it had different "GET" params). I was stupified by the stupidity of receiving this email, and I imagine h

Re:

[Intron]

As someone once pointed out: If you were walking down the street and you saw an ATM machine, put in your card and PIN, and it gave you an error like "Out of Service", would you suspect that it was a phish scam just put there to collect your information? Would you call up your bank and report it?

Why should people on the internet be any smarter?

Re:

[mgblst]

If the "ATM machine" (sic) was in the middle of no where, on a small side street, no attached to a building, then I would be concerned. I have no evidence of this, but I think most people would be, but that maybe me thinking people are more intelligent than they are. If it was on the main street, attached to the bank or a supermarket, I would not be so concerned.

How does this translate to the online world? Not so easily. It is easier to get tricked by things like mail headers and URLs.

Re:

[ahodgson]

People actually do very similar things. Overlays placed on ATM machines, and also completely fake ATM machines, have been used to collect numbers and PINs.

Re:

[ahodgson]

Banks don't help.

They use simple login/password forms with no IP restrictions. If they wanted security, they should issue you a client certificate and provide mandatory security training. But they don't want to pay for the tech support, so they design systems that are built to be exploited.

Using 3rd party marketing firms to send out supposedly legitimate email is also common practice. How is a customer supposed to know the different between a phish and a real message when the supposedly "real" messages ha

Re:

[bobkoure]

Banks seem to be setting thir customers up for phishing - at least phone phishing.
For instance, I just got an email from one of the banks that I hold a Visa with - their security department wanted to verify some charges. They asked me to call an 800 number - but not the one on the back of my card.
I called the number, wondering if it was a scam (and not ready to give any info). The automated voice system "sounded" right, but when it asked me to enter my card number, I hung up - called the service number on t

Re:

[foo074243]

bascily the technology changing faster everyday, same goes to the phishers who has a lot of new technology to help them to do their unethical work. we must alert with the new technologies to compete with phisher or cracker.

Next Gen?

[neonprimetime]

"One thing I think is noteworthy of calling out is the fact that these type of attacks can impact many people quickly, but they can also be halted in short order because they have a central chokepoint: the organisation hosting the Web site or Web service in question.

I'm still confused as to how this is Next Gen? This exists now.

Re:

[legoburner]

simple, if it does not sound buzzwordy enough, people wont talk about it much and it wont get much publicity. It is the next-gen of news stories.

Happened to us

[Exp315]

I'd call it hacking, not phishing, but this happened to us earlier this year. Our company web site at was hacked many times over a period of a month to insert code redirecting visitors to a Russian site that attempted to install a trojan. We knew that 's server was compromised because other users of the same server were also complaining about the same thing. 's reaction?: "We are aware of the problem and we are investigating". We abandoned our account there and moved to another web host after repairing our site every day (often several times per day) for a month.

Huh?

[Klaidas]

You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.

Wow, really? No kidding?? If someone takes over a server, your data can get compromised? o_O [/sarcasm]

Wait.

[JKConsult]

So they're hacking the servers and stealing passwords? Then that's not phishing.

Never fear, OSS is here.

[Anonymous Coward]

"They are trying to compromise poorly protected Web sites"

Fortunately as slashdot often reminds us. Apache is the number one server (over you know who), and the people who use Linux and Unix software are the most intelligent people on the planet (we're command line commandos).

Re:

[dm0527]

>> Fortunately as slashdot often reminds us. Apache is the number one server (over you know who)...

[implied]Because, as we all know, apache and linux/unix are completely impervious to hacking. Whew - good thing people who run apache/linux don't need to worry about hackers at all - they can blissfully go about their lives without a concern in the world - without needing to take any precautions...[/implied]

wow - talk about head in the sand

>> and the people who use Linux and Unix software are the

Hacking into webservers and insertin malicous code

[MrCool80s]

Gee, it's not phishing then, is it? It's cracking, infecting, eaves-dropping and theft.

Interesting theory but....

[Ash Vince]

The first thing to take into account is that this article seemed to be written by a "security expert" who skimped on a few key details.

The first is that no web site should ever be able to execute code on your PC without your express permission. If it can then the browser being used to access that site needs fixing.

Now there will still be cases where the user has to give permission to execute code locally in order for the site to work properly but these should be very very rare. Most code that is executed such as ActiveX or Javascript should be excuted in a sandbox environment where no access is given to local PC resources. If a local resource is needed it should be asked for specifically and the accepted or denied permission by the user.

What does need to happen is that users need to be educated into a state of mind where they deny everything and then only go back the accept permission to access a local resource if something doesnt work properly and it make sense for the web site to be accessing the resource in question. For instance, if a web site wants access to my /etc/passwd or /etc/shadow file under linux (poor examples as they are locked while linux is running) I would deny it.

These problems all seem to stem from most PC users being lazy and not wanting to know these things. What they want is to have everything complicated hidden from them and everything to "just work". This might be possible with a pencil or other simple device but with things as complicated as PC's or Motor Vehicles it will not. Ever.

I really think that for people to expect to use a machine as complicated as a PC, they must understand the basics of how to operate it safely. This is no different to expecting drivers to undertake a test of competance. Without a driving licence I am not able to drive on the road although I can drive round my own back yard to my hearts content. Using a computer should ideally be the same where users are forced to undertake a basic competancy exam before they can allow their computer to interact with the web.

Until this happens you will always have users who allow their PC to be hijacked by malicious software and then carry on using it without calling for help. This is no different to forcing drivers not to drive with faulty breaks or severely worn tires.

Now how you would enforce this is a little complicated but it must still be possible with legislation. This is no different to a car salesman wanting to see a driving licence and proof of insurance before I buy a car. He wouldn't do that by choice (He would probably much rather make a sale regardless) but can be forced to by law.

Re:

[Anonymous Coward]

> This might be possible with a pencil or other simple device but with things as complicated as PC's or Motor Vehicles it will not. Ever.

while your PC point might be correct, your pencil and motor vehicle analogies are bad. a pencil is just dead simple and, in fact, hides nothing from the user as to how it works (i'll let you argue mechanical pencils might). it also requires the user to perform all maintenance with regards to keeping the pencil in working condition.

your car example is just as bad. but

Re:

[multisync]

This is no different to forcing drivers not to drive with faulty breaks or severely worn tires.

Except an unpatched windows box is unlikely to spin out of control and kill someone.

This is no different to a car salesman wanting to see a driving licence and proof of insurance before I buy a car.

Car salesman charged with ensuring motorists are licensed and insured? Where do you live?

Besides, why would I insure a car I don't own? Until the sale is complete, insurance is the car lot's problem. Once I own it, it's

Re:

[jonbryce]

I live in England, and car salesmen are required to make sure I'm licenced and insured before I drive the car.

Partly this is because you need to tax the car before you can drive it away, and you need this proof to get the tax disk.

Re:

[multisync]

So I take it it's the driver who is insured, as opposed to the vehicle? Interesting way of doing things. I can understand the need to make sure you are licensed before allowing you to drive it. In Canada, the dealer is able to put a temporary plate on a vehicle for the purpose of test drives. After the sale is complete, the owner must insure the car before he drives it away, but this has nothing to do with the saleman or dealership. Interesting to learn the way things are done in other places.

Thanks for the

Interesting Concept

[emil10001]

Hmm, I like the concept, and it might work in terms of security. ie - compramised boxes can infect other boxes, so if your box is compramised, you are responsible for making sure that your box does not infect others, and we know that you can be responsible to do this becuase that's what your 'internet license' says you are competent enough to do. It would be a good tool to hold people accountable for their actions online - defacing property, spreading virii, etc.

However, there seem to be several inherant p

Re:

[wordsnyc]

Oh yes, let's license internet users. Great idea. Especially since we live in Happy Fun Village and kindly Uncle Dick would never think of using that power for anything but goody-goodness.

Re:

[Archtech]

'These problems all seem to stem from most PC users being lazy and not wanting to know these things. What they want is to have everything complicated hidden from them and everything to "just work"'.

Exactly. The problem here is one that pervades the world of computing today, and will have to be resolved one way or another. Computers are unbelievably (almost infinitely) flexible devices, yet we have established an IT industry that sells them as consumer appliances. 99.99 percent of the computers sold are neve

Re:

[jonbryce]

One of the reasons computers are so cheap is that they are programmable, so you can build generic hardware and make it do whatever you want just by putting different programs on it.

If anything, things are moving in the other direction. Most phones these days are fairly powerful computers, certainly, as powerful as a PC from 5 years ago.

Re:

[Archtech]

"If anything, things are moving in the other direction".

Yes, they certainly have been doing so. But past performance does not necessarily predict future performance. Trends can change. My thesis is that the present confused situation is a function of the complexity and power of computers, the evolution of software, and the distribution of demand in the marketplace. As computer power grows rapidly, it will be possible to clump together massive amounts of embedded systems to perform almost any definable set o

What the article lacked...an example

[jnaujok]

For everyone screaming "If you hack the server..."

I've already seen this "next generation phishing" method used. I was on e-bay looking for a piece of autographed memorabilia. I noticed one auction and clicked on it. The E-Bay login screen popped up. I was about half-way through typing my password when it suddenly occured to me, "Wait a second, why do I have to enter my account to view an auction."

Careful review showed me that opening the auction had triggered some embedded javascript that opened a frame within the e-bay window that covered the whole base page, but presented a spoof of the e-bay login screen. The title bar still read as a legitimate e-bay address, the screen was a perfect dupe of the e-bay login screen. In short, it looked totally legitimate.

Now, they didn't have to hack e-bay's servers, nor did they have direct access to anything on e-bay's site. All they had to do was embed some javascript into an otherwise "secure" site.

I think that's what this article is talking about.

Oh, and I was running firefox with a javascript blocker, but since I've allowed scripts on e-bay (you can't even view most of the auctions without it) it happily ran the phishing script without even a warning.

Re:What the article lacked...an example

[aliendisaster]

E-Bay really did that to themselfs by allowing outside code on the auctions. I guess a prettier auction is more important than security for the millions of e-bay users.

Re:

[jnaujok]

Tell me about it. After I reported it, they took three days to take it down. I'm so glad they're right on top of things.

Isn't that XSS??

[3.5 stripes]

Ie, entering non standard code (often javascript) on a website to obtain credentials from other users?

Re:

[Basje]

Yes, but with the intent to trick the user into giving confidential information (phishing) as opposed to other uses.

Re:

[ifoxtrot]

Whilst I don't doubt that XSS can be used for other nefarious purposes, for XSS to work you have to "trick" someone into clicking a link with an embedded exploit in the URL.

I would say that this predisposes it very strongly towards the phishing crowd.

Out of interest, would you happen to know of any other types of attack that XSS might enable?

Re:

[egypt_jimbob]

would you happen to know of any other types of attack that XSS might enable?

Howabout the myspace worm [namb.la]?

Cross site scripting is really great for simple session hijacking. Php stores a cookie called PHPSESSID by default with your unique session identifier. All of the important bits of your session (username, password, whatever else they're storing) are stored on the server. If someone can guess (very difficult) or steal (with xss very easy) that identifier, they can impersonate you and have access to whatev

Welcome to the wonderful world of AJAX

[Colin Smith]

And client side code. The Web 2.0 and Security 2.0 where we have a generation of "web programmers" who have to learn all of the security lessons from scratch. Hmmm, I wonder when we'll see the first viruses.

 

Re:

[scharkalvin]

My guess would be that Ebay itself was not hijacked but that
the person who submitted the auction embedded a script into
his html auction page. (Ebay lets you upload your own html
pages to describe your auction). Seems they need to scan
all submitted auctions and bounce anything that has possible
trojan code in it. (and then CANCEL the submitters ebay
membership!).

Re:

[jonbryce]

Or just strip out tags?

protection

[Machtyn]

If you don't already know, use a credit card company that allows you to set up a virtual credit card number. The idea is that it is a number that is used only once. Therefore, if that number gets stolen, it is still useless, you've already used it once. (I could be wrong, but this is the general idea, a use once or low credit amount or an expiration date that ends in a month type of credit card number.)

Next Gen Phishing?

[MojoBox]

Sorry, but as a Nintendo fan, I can only accept New-Gen Phishing.

Vouchsafe

[Doc Ruby]

It's obvious that the current security practices we use on the Net are totally inadequate for our society. Most people have adopted some of us geeks' toys, like networks, email and multimedia - even custom T-shirts. But few of the normals have adopted some of the tools we geeks learned we needed to play with our toys without getting hurt. Geek posers are killing themselves, and dragging down our geek paradise with them.

The best solution to all this phishing, spam and other harvesting naive "normals" is the trust web. Everyone has a private key for signing assertions, and a contact list with trust levels. Every message is signed (or default untrusted) by the sender and vouchers. When enough vouchers sign a message, it is trustworthy. The Web contains vouching centers, including diverse security analysts signing messages (including each others' assertions). People subscribe to many vouch sources, as well as "vouchmasters" which publish formulas for securing transactions. This way, anyone who says a transaction is unsafe, and is vouched by someone else, makes that transaction at least subject to review, or blocked, depending on the person's policy. Which depends on whom they trust.

That is the kind of system I'd expect banks and governments to deploy for the public. They are the ones we are paying, and relying on, for security. There's so much efficiency to gain from security compared to the losses from insecurity that I expect a very diverse, competitive market of vouchers to thrive. The underlying tech, like PGP/GPG signing and other trustweb tools, already exists. There are already relatively informal vouchers, like CERT, DHS, and lots of independents.

What's needed are standards for trust degrees, and simple UIs for using the trust web without learning many new skills. UIs simpler than antiphishing techniques will win. UAs like Firefox and Outlook merely coloring buttons red to blue for degrees of trust, keeping personal info stored locally for standard submission to standard requests graded by risk and identified by trustworthyness would go very far. Onetime passwords for every transaction to prevent replay attacks would go even further. And local databases with audit trails of every transaction would make it even easier to use once a transaction is doubted.

All those features hook an automated trust web into many existing security practices already used by most people in person. A really secure regime would include privacy laws prohibiting transfer of personal info outside the transaction expressly required by the requester and expressly permitted by the sender. Putting personal info under copyright in detail, and a US Constitutional Amendment in general, would really lock our existing judicial/police/security system into a consistent defense of people as well as corporations.

The time is now. Why doesn't Novell's Evolution at least require PGP/GPG by default? Why doesn't Firefox keep personal info stored encrypted for form submissions with a separate log? Why don't banks issue onetime password credit "cards" for Web use? We've already gone far enough down the path that it's obvious Microsoft, the US government, Chase Bank aren't going to move first. Let's see some of the UIs start to make it easy, and force the backend of the trust web to catch up. I'm doing it in my own software. What are you doing?

Re:

[krack]

Please take my comments as constructive, they are intended as such.

I think these things are not well- and widely-implemented for the same reasons that caused the dichotomy of MS releasing a DRM patch in 3 days but yet a security patch we must wait for while it goes through the "rigorous" testing process ends up corrupting my data.

Many humans do not seem to view security as an advantage; they view it as a (potentially unnecessary in their perspective) hindrance. In other words, there is no percieved profit i

Re:

[Doc Ruby]

I agree, so it's easy to take your comments as constructive ;). FWIW, even if I didn't, they were perfectly reasonable :).

Security is certainly an investment. And along the way there's not just the investment cost, but also decreased access (the essential tradeoff for security). Access is equated to simplicity, which is by far the main selling point of any technology (except for geeks ;). But the infosystems we're currently using are far from simple already, even before insecurity breaches make things extre

Re:

[u38cg]

You are quite correct, but there is much more to say. Security commonly fails because of economic issues - this has become an area of academic interest in recent years - for example Ross Anderson [cam.ac.uk], whose paper [cam.ac.uk] kicked off a lot of research into this area. BTW, his book is now also online, an excellent read.

Re:

[Beryllium Sphere(tm)]

Some people might think such an approach overcomplicated, incomprehensible, and unworkable.

Those people would be wrong, because what you describe is exactly parallel to what humans do in the real world. Centers of trust are the equivalent of "community leaders".

Re:

[Doc Ruby]

That's why I prioritize a simple UI. A new UI that includes trust web security among the integrated apps like email/voicemail/IM/blogging/eCommerce would appear even simpler than the insecure array of independent services we currently use. Simplifying the simultaneous multitasking along with the sequential insecurity/breach/recovery cycles into automated privacy scopes will win the whole game.

I like the new features!

[courtarro]

Quit being so negative. I like Slashdot's new PayPal monitoring service!

Re:

[cwis42]

Parent is being funny, not offtopic.
*I* am offtopic.

Don't waste your time

[ajs318]

On-line banking isn't worth it. I know exactly how much money goes into my bank account each month, because I know how much I get paid each month, and how much I might have paid in through the hole-in-the-wall machine. No money gets into my account any other way except a negligible amount of interest. I know exactly how much money comes out of my bank each month, because I stand right there at the HITW and transfer it to my wallet every time I make a withdrawal, I know what cheques I have signed, and no money comes out any other way. If I was really bothered, I could subtract the second subtotal from the first and keep a running total; but as long as it's always smaller, that's all that matters to me. My bank send me a statement as soon as I have performed enough transactions to fill a page, and the HITW has a button to check my balance if I am desperate to know while out and about. I don't really need to know exactly how much money is in the bank until I am ready to draw some out; and then I will have to go to the HITW anyway to do that, so I might as well check my balance right then. On-line banking can't print pound notes, nor can it scan cheques and pay them into my account. And since deposits and withdrawals are the only two reasons why I would ever have to go to a bank anyway, what's the point?

Re:

[jnaujok]

Clearly you are not married.

I used to be just like you. I could tell you the balance of my account to within 5 dollars just because I knew all the ins and outs.

Suddenly I'm married, and the word "Overdrawn" entered my vocabulary.

Imagine the dulcet tones of your wife saying, "How can we be overdrawn? I didn't spend that much when I was out shopping. Didn't I tell you I went shopping? What bills?"

All I know for certain is that since I got married, I've increased my earnings by a factor of 400%, and th

Re:

[scharkalvin]

"Honey we can't be overdrawn. There are still three checks left in
the checkbook!"

Re:

[Firefly1]

If you're generous: once is a mistake; any subsequent iterations spell the end of her access to that account.
On the other hand: I could ask why she even has access in the first place.

Re:

[jnaujok]

It's called marriage. Wedded Bliss, remember?

Just try to get married and tell your wife that she won't have access to your account, and that she should only get to spend the money she makes. I've seen gunfights that started that way...

Re:

[Firefly1]

Just try to get married and tell your wife that she won't have access to your account, and that she should only get to spend the money she makes.

Easily done; odds are these days she has her own career, and wouldn't think too much of you digging into her savings, so... just think of it as returning the favor.

Re:

[smoker2]

Don't do much with your money then, do you ?

I have 3 accounts, all linked, so I can keep the bare minimum in the main account and all the rest in a savings account. If I want to buy something online, I just transfer the right amount over from the savings and then go buy the item.

Another useful aspect is when you're travelling. they don't have HiTW machines outside the UK that can deal with Link, so when I was in australia and new zealand and the us, it was trivial to keep a check on things and move money, p

Re:

[ajs318]

Well, seeing as I have a mortgage, there's precious little point me having any savings. They would never, ever earn as much interest as I'm paying out on my mortgage -- it's how the whole banking system works. If I had any spare money, it would go straight into paying off the mortgage sooner. If I want to buy something online, I write a cheque or buy a postal order. This gives me some additional time to think carefully about the purchase. Do I really need it, or will I merely be contributing to the was

Re:

[slazzy]

I wish there were online banking which would only allow me to view my ballance, or pay bills (in full or part) which I've setup in advance at my local branch with my adviser. Get rid of all the online banking crap that allows transfer to other people/accounts... that is just asking for trouble and that is what checks are for. Then even if someone got my bank username/password, there wouldn't be much trouble they could cause with it.

This is ancient news

[miller60]

Phishing crews have been targeting web site vulnerabilities to deploy spoof sites for several years. In its year-end 2005 Phishing by the Numbers [netcraft.com] report, Netcraft noted that more than 600 phishing spoof sites were hosted on compromised forums and content management systems in 2005. In January hackers increased their targeting of PHP-based CMS and blogging apps [netcraft.com], and were able to distribute the Windows WMF malware through a customer support forum on AMD's web site [com.com]. There's nothing cutting edge at all about this.

No cookies, no Javascript, no Java.

[Anonymous Coward]

That is my solution. Cookies off, Javascript off, Java off.
Even less Flash or other even shadier active media.

Web designers with huge egos have no business running their often crappy programs on my box.

BTW, that is whi I'll always post here as Anonymous Coward:

No cookies, honey.

Re:

[AlgorithMan]

you can use whitelists in firefox... native for cookies, via the NoScript plugin for java and javascript

The name? That is not the POINT

[boyfaceddog]

Symantec is involved in this. My only questions were "What is Symantec trying to sell the public now?" and "How much hand-holding will I need to do to convince users that this is just more fear-mongering?".

I know Symantec is supposed to be a white-hat company, but as the guard at the door, they sure do spot a lot of invisible monsters.

So...

[EddyPearson]

So people are hacking into servers in order to steal people's information? Unheard of! Whatever next...

Slow news day Eds?