[HN Gopher] Banks are not repaying victims of Zelle scams
___________________________________________________________________
Banks are not repaying victims of Zelle scams
Author : todsacerdoti
Score : 216 points
Date : 2022-10-07 18:54 UTC (4 hours ago)
(HTM) web link (krebsonsecurity.com)
| kylehotchkiss wrote:
| Financial Security/responsibility is getting wayyy too complex
| for the layperson:
|
| * Find a decent bank with 2FA. None of the big banks are decent,
| they have minimum balances, piles of fees. Credit unions are
| good, but you want one that isn't too local, which can limit you
| to credit unions specific to military/veterans/families
|
| * Have multiple checking accounts. Only one of these checking
| accounts has a debit card attached, or exposed account number
| anywhere. Never ever hold a balance in this account. Keep the
| balance in the other account.
|
| * Never use that debit card for anything but the ATM and bank
| teller authentication. In fact, don't even carry it with you, in
| case you lose your wallet or somebody tries to take it. Not every
| bank makes it easy to turn debit card off.
|
| * Only use ACH for rent and loan payments. Never hold a balance
| in the account used for this. Many rent companies and loan
| providers are not properly securing that number. Your account
| number can't easily be changed.
|
| * Keep the bank you use a secret from everybody including friends
| and family. Only the few payees and your payroll provider need to
| know.
|
| * For sending money to friends if everybody has iPhones, Apple's
| Cash functionality is good enough.
|
| * Get a respectable credit card with zero fraud liability. Use it
| for everything. Have a backup at home. Now your bank is insulated
| from the outside world. If somebody tries to take your wallet,
| just give it to them. It's easier to get a card reissued and
| transactions overturned in that scenario than it is to get
| a driver's licence replaced.
|
| * Don't move outside the country or do a USPS address change to a
| PO Box. Banks have been known to just shut people's accounts down
| and mail the balance as a check in these scenarios. Patriot act
| something something.
|
| This is banking in USA. It was designed for a trust-based society
| 70 years ago that's still mostly trustful but needs to consider
| the culture has changed a bit. If the Fed would require member
| banks implement secure 2FA and the option to disable external ACH
| from accounts upon request, we wouldn't need to do all this.
| commandlinefan wrote:
| > Never ever hold a balance in this account
|
| Impossible to _never_ hold a balance, since every employer
| wants to do direct deposit... your only hope is that you can
| get your money out of there before some scammer gets it. The
| chances of that happening are low, but not zero.
| sidewndr46 wrote:
| Different account for direct deposit from the account used
| for paying bills. Problem solved.
| [deleted]
| em-bee wrote:
| i have one bank account to receive my salary, one (or more)
| to make regular payments and one for day to day expenses. the
| latter has just enough balance to cover my average spending
| and gets refilled as needed.
| throw7 wrote:
| > if everybody has iPhones, Apple's Cash functionality is good
|
| and google pay? this may surprise you but in my immediate
| family only 1 (out of 6) has an iphone. we basically use zelle
| to transfer cash around. I personally will not use paypal or
| venmo, but I do use google pay.
| recursive wrote:
| What's the issue with paypal and venmo?
| judge2020 wrote:
| Probably due to the paypal horror stories; note that Paypal
| acquired Venmo in their Braintree acquisition:
| https://techcrunch.com/2014/02/19/venmo-now-lets-you-find-an...
| heliodor wrote:
| Venmo doesn't offer 2fa with an authenticator app. Only
| text message 2fa. Leaves you open to sim swap attacks,
| which are common and the carriers are doing nothing to
| prevent.
| pb7 wrote:
| PayPal has a long shiny history of screwing people over and
| Venmo is now not only owned by PayPal but the app is hot
| garbage and gets worse with every update (probably due to
| the aforementioned ownership).
| Maursault wrote:
| I use PayPal, not as heavily as I have in the past, but I
| have been scammed by about a dozen sellers, and in all
| cases, PayPal refunded my money. I've never heard of
| PayPal screwing over customers, only that it being owned
| by eBay is annoying because eBay gets two sets of fees on
| payments for sellers.
| judge2020 wrote:
| I also imagine FedNow might become a part of your workflow,
| depending on just how well it works (Releases May to July
| 2023) https://www.federalreserve.gov/paymentsystems/fednow_about.h....
| Maursault wrote:
| Not sure what your issue is with PayPal (philosophical
| objection to it seems to be popular), but at least PayPal
| _will refund your money_ if you are scammed. Zelle will not
| and never has, and I suspect that is why banks won't cover
| Zelle scams. I personally consider Zelle itself a scam, and
| it boggles the mind why so many banks have partnerships with
| it. Automatic Zelle accounts when opening a bank account? Oh
| my God that is an astoundingly bad idea.
| snotrockets wrote:
| ACH is undoubtedly covered under regulation E. $50 (waived by
| many banks) and some time is the most that can be taken from
| you.
| cowtools wrote:
| Beyond 2FA, some type of chaumian cash like
| https://taler.net/en/ might help too.
|
| But the problem is really downgrade attacks. There are multiple
| payment systems (bank wire, check, credit card) and if there
| is one insecure way to make payments, then the whole system is
| broken.
| bittercynic wrote:
| >...you want one that isn't too local...
|
| What's the problem with local credit unions?
| kylehotchkiss wrote:
| Limited support hours, lack of access when out of town,
| having to depend on ATM networks which can change (I guess
| these also apply to local banks too and not just credit
| unions)
| lukeschlather wrote:
| What do you mean by "ATM networks which can change?" I've
| never found it difficult to find a credit union that
| participates in shared branching with a public ATM (this
| basically means free ATM withdrawals in most cities in the
| US.)
| zippergz wrote:
| I don't know what parent meant, but my credit union a
| while back decided they no longer wanted to participate
| in whatever shared branch network they used to be part
| of, so the branch availability near me went to
| effectively zero.
| bombcar wrote:
| The US has five or six different ATM networks, and many
| banks are part of more than one of them, but a small
| credit union may be only part of one, and they may change
| which one that is.
|
| Depending on how they have it set up, it may mean that the
| ATM near you suddenly no longer works for you _for free_
| and you have to switch up with another one.
| bombcar wrote:
| Biggest issue is accessing your account if you move; I've
| never really had any other issue come up.
| lukeschlather wrote:
| In my experience accessing my account after moving has been
| a huge issue with conventional banks; I've never had a
| problem with my credit union accounts.
| bombcar wrote:
| Yeah, I should have been clear - accessing it at a local
| branch. Not that many people need to do that anymore; in
| fact it's so easy to do everything online you may forget
| to update addresses, etc. And with no paper statements,
| you might not even notice until one day your bank decides
| it needs to mail you something important.
| lukeschlather wrote:
| No, I can access my remote credit union account through
| most credit unions through shared branching. It's more
| convenient than banks which have less cooperation.
| smeej wrote:
| Even a tiny local credit union is great _if_ they're part
| of the co-op.
|
| The vast majority of credit unions in the U.S. are, and you
| can use any co-op branch or ATMs just like your home credit
| union's branches or ATMs.
|
| It's brilliant, and in my experience, so much more
| accessible than the giant banks who are often regionally
| concentrated.
| a_t48 wrote:
| I had a local credit union - dropped them after it took
| multiple weeks to ship out a replacement debit card
| bombcar wrote:
| Mine is smallish and printed me a debit card right there in
| the branch; I'd never seen that before.
| a_t48 wrote:
| My credit union was in Seattle, I was living in SF. For
| most services I could go to an affiliated CU, for this I
| could not.
| lowercased wrote:
| Years ago, a largish bank (boa) had given me a pre-
| printed visa debit card for a new account I'd opened.
| They had a small stack of them, ready to activate against
| new accounts. Better than "we'll mail it to you in a
| week".
| bombcar wrote:
| Yeah, I was surprised on this one because it was a
| machine that just printed the front on a blank card - the
| name wasn't embossed, but otherwise it was a normal card.
|
| Still using it, it's how they do cards now; they never
| sent an "embossed" one.
| adabyron wrote:
| One advantage to smaller banks is the personal relationship
| when you need them. It's a trade-off for features. I've found
| significant value in having a small local bank where it's a
| bit harder to do anything digitally. They also may catch
| strange transactions. During Covid, having a relationship
| with a bank also meant it was easier to get assistance when
| other banks were putting you on hold or not responding.
| criddell wrote:
| They often won't process foreign transactions and either can't
| or won't sell you foreign currency (like Canadian dollars if
| you are planning a trip to Winnipeg).
| spaetzleesser wrote:
| It can be a problem when you are out of town and need banking
| services. My credit union is in CA but after my move to New
| Mexico I had to open an account at Chase just to get a
| special signature notarizing that only banks can do.
| bombcar wrote:
| The Medallion Signature(tm) - I had to abuse the fact I had
| a Chase credit card to get one of those once for Vanguard.
| hgsgm wrote:
| birdman3131 wrote:
| Your bank account number is by design semi public knowledge.
| Every check you have ever written has it at the bottom. It was
| never meant to be private.
| ev1 wrote:
| I have never received checks with any bank account I have
| opened in my life. Are they even offered anymore?
| zippergz wrote:
| You have to order them. They don't just give them to you.
| lotsofpulp wrote:
| Yes, they are used all the time in the US.
|
| The numbers on the bottom are the routing number and
| account number of the payer. Anyone can make and sell them,
| and anyone can buy them.
|
| https://www.costcochecks.com/home
| brewdad wrote:
| You have to pay for them but yes you can still get checks.
| My order of 80 checks should last me the rest of my life.
| Arrath wrote:
| Absolutely. I currently rent from an elderly couple and the
| simplest method of paying rent is the classic check.
| kylehotchkiss wrote:
| The fewer entities that have it, the better. Banks probably
| aren't giving it out freely. Any ACH charge attempted against
| it will deduct balance, and fraud liability repayments (if
| the bank agrees to help) will take as long as the bank takes
| to recover funds
| NovemberWhiskey wrote:
| > _fraud liability repayments (if the bank agrees to help)
| will take as long as the bank takes to recover funds_
|
| What's your source on that? As far as I know, Regulation E
| generally requires banks to make good on errors in
| electronic fund transfers (including ACH transfers for
| which the customer is not liable) within 10 days of being
| notified. That can be in the form of a provisional credit
| while an investigation is ongoing, though.
| kevin_thibedeau wrote:
| That's what makes this particularly galling since Zelle
| is just a frontend to ACH.
| hervature wrote:
| > Find a decent bank with 2FA. None of the big banks are
| decent, they have minimum balances, piles of fees.
|
| Can you clarify this. Are big banks not secure enough or are
| they not decent because of the minimum balance and "piles of
| fees"? I would rather pay something for security.
| [deleted]
| itake wrote:
| > * Never use that debit card for anything but the ATM and bank
| teller authentication. In fact, don't even carry it with you,
| in case you lose your wallet or somebody tries to take it. Not
| every bank makes it easy to turn debit card off.
|
| Some businesses only accept debit cards (like WinCo [0]). :-/ I
| guess you can just not do business with them.
|
| > * For sending money to friends if everybody has iPhones,
| Apple's Cash functionality is good enough.
|
| I wish... but how do you transfer money internationally? I
| don't think Apple Cash is adopted abroad yet.
|
| [0] - https://www.wincofoods.com/customer-service/faqs/
| nilespotter wrote:
| They take cash.
| zippergz wrote:
| Yes, I specifically do not do business at stores and gas
| stations that only take debit cards.
| kylehotchkiss wrote:
| > I wish... but how do you transfer money internationally?
|
| Wise.com. I lived abroad for a bit and relied entirely on
| Wise (well, they were called transferwise then). Could send
| money abroad faster than I could send funds to anybody in
| USA.
|
| Of course, any international financial service is very KYC
| heavy and can suspend access to you/lock your funds at any
| time so always have a backup plan ready as wire transfers are
| really scary (foreign banks don't want to release funds? no
| recourse for you!)
| doubled112 wrote:
| Banking in Canada is rough too.
|
| TD Canada Trust didn't let me use more than 8 alphanumeric
| characters in my password until about 2015. They only let you
| use call or SMS for 2FA to this day.
|
| They are charging $16.95/mo for a chequing account right now.
|
| This is pretty standard across the big banks.
| spaetzleesser wrote:
| Is there any reason why they limit the length of passwords or
| don't allow certain characters? It makes no sense to me.
| freeone3000 wrote:
| It's so you can enter your password over a touch-tone
| phone.
| WorldMaker wrote:
| As fun general rules of thumb:
|
| Hard 8 character limits are often a side-effect of old
| COBOL "databases" in the backend somewhere.
|
| Hard 16 character limits are sometimes a side-effect of old
| versions of Active Directory in the backend somewhere or
| new versions of Active Directory in certain backward
| compatibility operation modes/certain group policies.
|
| Hard character limits in general are often a sign that
| someone is storing the plaintext somewhere they shouldn't
| be.
|
| (Soft character limits today are mostly to avoid possible
| hash function DDoS.)
| EvanAnderson wrote:
| The 14 character password limit in some versions of
| Windows is a side effect of using LM and NTLM (original
| "flavor", not NTLMv2) hashes used in Windows NT domains
| and maintaining compatibility therewith. It's not related
| to Active Directory, per se.
|
| Nobody should be using LM or NTLM hashes anymore today,
| for all that that means... >sigh<
| auxym wrote:
| I believe Scotia/Tangerine are still _6-digits only_ for
| passwords. Really. And I have yet to see any Canadian
| financial institution (whether bank, brokerage, credit union,
| etc) that supports anything else than SMS for 2FA.
|
| The situation is quite rough indeed.
| angst_ridden wrote:
| RBC allows use of their mobile app as 2FA. I don't believe
| it uses SMS under the hood.
|
| I'm not arguing it's necessarily more secure. I haven't
| audited it or looked into how it works.
| kwesthaus wrote:
| Don't forget about preemptive security freezes at credit
| bureaus, which you have to do for each one individually.
| /r/personalfinance recommends 7 by default [0], but there are
| many more [1].
|
| [0]:
| https://www.reddit.com/r/personalfinance/wiki/identity_theft...
|
| [1]:
| https://files.consumerfinance.gov/f/documents/cfpb_consumer-...
| nilespotter wrote:
| Great info, I had a freeze on 6/7 of these. What are the
| ramifications of freezing LexisNexis?
| yamtaddle wrote:
| When I did it, all it meant was anyone offering a line of
| credit to me if I'm not present right in front of them is
| supposed to call me to verify I want it. It's not even really
| any inconvenience to have "frozen" credit.
|
| Why the everloving fuck that's not the default, but something
| you have to request, I have no idea.
| agloeregrets wrote:
| > Credit unions are good, but you want one that isn't too
| local, which can limit you to credit unions specific to
| military/veterans/families
|
| Having seen a bit of the inside: Local credit unions are
| generally pure trash at security. Hell, a local one had an
| internal meltdown from the HR person looking up prior
| employee's personal account to harass them with a LIST OF THEIR
| PERSONAL PURCHASES. (WTAF)
| spaetzleesser wrote:
| The same happens in health care. The system is full of traps
| that a customer/patient can't reasonably navigate.
| Arrath wrote:
| > * Never use that debit card for anything but the ATM and bank
| teller authentication. In fact, don't even carry it with you,
| in case you lose your wallet or somebody tries to take it. Not
| every bank makes it easy to turn debit card off.
|
| I take this one a step farther and don't even have a debit
| card, just an atm/cash card. It cannot be used to make
| purchases anywhere, only to get cash from an ATM. Any and all
| purchases I make are either cash, or with a credit card.
|
| Some banks may look at you weird when you request such a card,
| or act like they don't do them (anymore), but my credit unions
| have accommodated me.
| tristor wrote:
| > I take this one a step farther and don't even have a debit
| card, just an atm/cash card
|
| I did this too, unfortunately I went through multiple banks
| as they rolled out debit cards for all accounts and stopped
| offering ATM cards, until now I unfortunately have a debit
| card. It seems this isn't really an option anymore.
| hey2022 wrote:
| I keep my debit card locked. If I need to use it--which
| happens once or twice a year--I unlock it and then
| immediately lock back again.
| kome wrote:
| why is banking in Europe much much better?
| diordiderot wrote:
| Because we don't have freedom like America /s
| cityzen wrote:
| Same banks that make, literally, billions off overdraft and other
| fees? Shocking.
| loeg wrote:
| The article and headline are somewhat in disagreement. Or at
| least, the headline is an oversimplification. From the article,
| most rejected fraud claims are for cases where the victim was
| deceived (social engineering) into sending a Zelle transfer to a
| fraudster, rather than in cases of account takeover. In fact, the
| majority of the article is about Zelle, rather than takeovers.
| hgsgm wrote:
| bombcar wrote:
| Banks should obviously do their best to prevent and revert
| fraudulent behavior, but there are points past which they can't
| do anything without just refunding out of the goodness of their
| (perhaps cold and small) hearts.
|
| If I convince you to withdraw thousands of dollars in cash and
| then skip town with it, do we expect the bank to make you
| whole?
| wewtyflakes wrote:
| I would expect the banks to talk to each other in good faith
| and reverse the transaction.
| NovemberWhiskey wrote:
| Please re-read the hypothetical - there is no second bank;
| it involves giving cash to a fraudster.
| snotrockets wrote:
| Yes.
|
| Banks are given a monopoly over an unavoidable, and very
| lucrative, aspect of modern life. No reason to give them that
| for free.
| guntab-dan wrote:
| Exactly - we can't expect banks to pay when their customers
| get themselves scammed.
|
| I think the solution is escrow. I am biased, because I work
| for an escrow company, but I've never seen a more effective
| approach. Hold the money until the buyer has what they paid
| for, and only then release the money to the seller. (To be
| fair, escrow does tend to be more expensive than simple money
| transfer, so it's not all upside.)
| bombcar wrote:
| Yeah, and we do escrow for large value things (houses).
| Other than that, since it's not well known, people don't
| bother with it for smaller things. Would you trust me if I
| told you I was the "escrow account" manager, heh?
| gtowey wrote:
| I think the issue is that without regulations forcing banks
| to serve customers better, they will simply abandon all
| responsibility completely because it's cheaper for them. And
| since we see that with Zelle, banks will collude to all hose
| customers in the same way, the free market is not a solution.
|
| It would be trivial for banks to give customers better fraud
| protection tools and enable better recovery, but they clearly
| don't care.
|
| * For one, since you can't have a bank account anonymously the
| receiving bank knows exactly who stole the money. They should
| at least be able to refer them for criminal investigation.
|
| * Two, since they own the machinery of transferring the money,
| yes they can easily reverse fraudulent transactions -- the
| bank doesn't have to take a loss since the fraudster has to
| have an account with them. They know who to take it back from.
|
| * The fraudster withdrew the money and ran? ACH transfers have
| always taken up to 15 days to "clear" -- banks wouldn't let you
| withdraw money you just deposited exactly for this reason, to
| verify that the sending bank actually has the funds and there
| are no issues. Why can't Zelle let the sender specify a "hold"
| period so there is time to dispute the transfer and the funds
| can be recovered?
|
| Basically it seems to me that a modern digital payment
| system _must_ have a kind of escrow service built in. IMHO
| this is what we need the law to require banks to do. In
| combination there needs to be a payment dispute resolution
| system which would probably take the form of a kind of
| arbitration system not unlike the role small claims court
| plays. This is something the banks should lobby the
| government to provide since doing it themselves would clearly
| get complicated and expensive.
| bombcar wrote:
| Deep down you have the dichotomy between "instant payment"
| and "refundable payment".
|
| If I'm selling you a car, I don't want a Zelle transfer for
| the money that I know you could claim was fraud and claw
| back from me - then I'm out the money AND the car; I'll
| demand cash in that case.
| gtowey wrote:
| Right, which is why you can't do this without impartial
| arbitration.
|
| Essentially each transaction that is "refundable" is an
| implied contract between parties and it should be
| verifiable. Such as in the case of a car sale it is
| pretty easy for a third party to check if the car was
| received.
|
| Or somehow have a notary to witness and verify the
| transaction.
|
| The basic problem is that you can't have instant
| transfers with fraud prevention. It's impossible to claim
| that banks don't understand this and IMHO it should be
| considered criminal negligence that they pushed this
| product on consumers knowing that it just exposes them to
| easy fraud.
| [deleted]
| toomuchtodo wrote:
| Chase at least is popping up a bold social engineering warning
| whenever you're attempting to send a Zelle payment to a new
| contact, or the underlying account has changed for an existing
| contact.
|
| There are table stakes (security and financial controls,
| prudent IAM and MFA, etc), and then there are folks who will
| fail even with the most robust guardrails attempting to protect
| them.
| amerkhalid wrote:
| A lot of people (and small businesses) share their Zelle
| accounts and a different name shows up when sending money.
| Whenever I am sending a big amount via Zelle, I send $1 first.
| Then check with recipient to verify.
| tialaramex wrote:
| The "Zelle transfer" examples seem to be a US equivalent of
| Push Fraud, which was big in the UK. In the UK's Push Fraud
| there's no third party (Zelle) involved, victims are persuaded
| they should send money from their account to an account
| controlled by the bad guys, using Faster Payments, which just
| moves money (up to £1M) from one UK bank account to another UK
| bank account, in theory within one business day in practice
| typically instantly.
|
| Push Fraud was significantly hampered (~solved?) by requiring
| that the recipient name field, rather than just being for your
| own note of who you sent money to (so e.g. "Jenny birthday" or
| "Fucking Landlord") must closely match the recipient's account
| name, which as a result of Know Your Customer checks should be
| a legal name of some sort.
|
| There's a back-and-forth mechanism, so it was at first
| (presumably got better with practice) harder to pay companies
| with hard to spell or weirdly punctuated names, but hey, better
| I can't send money to "Pat Smith" (nope, his name is _Matthew_
| and that's Smythe not Smith) than that my £800 000 for a
| house goes to a crook who sent me an email pretending to be
| from my lawyers.
|
| Because Faster Payments was a legal requirement, operated by a
| regulated entity that's ultimately paid for by the banks, it
| was presumably easier to write a law saying how it needs to be
| secured, whereas Zelle is a third party unrelated to the banks.
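
The recipient-name check described in the comment above, sketched as an added example; it is not from the thread and not any bank's or payment scheme's actual implementation. The outcome names, the 0.8 similarity threshold, the noise-word lists and the rule that only a close match reveals the registered name are assumptions made for illustration, and all names are constructed.

```python
"""Payee-name check before a push payment (illustrative sketch)."""
import re
import unicodedata
from difflib import SequenceMatcher

MATCH, CLOSE_MATCH, NO_MATCH = "match", "close_match", "no_match"

# Assumed noise words; a real scheme defines its own normalisation rules.
TITLES = {"mr", "mrs", "ms", "miss", "dr"}
COMPANY_SUFFIXES = {"ltd", "limited", "llp", "plc", "inc"}


def normalise(name):
    """Fold accents, case and punctuation; drop titles and company suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower().replace("&", " and ")
    tokens = re.findall(r"[a-z0-9]+", text)
    return [t for t in tokens if t not in TITLES and t not in COMPANY_SUFFIXES]


def check_payee(entered_name, account_name, close_threshold=0.8):
    """Compare what the payer typed with the name on the receiving account.

    Returns (outcome, name_to_show). The registered name is handed back only
    on a close match, so a payer who simply guessed learns nothing from a
    failed check (assumed policy for this sketch).
    """
    entered = normalise(entered_name)
    registered = normalise(account_name)
    if not entered or not registered:
        return NO_MATCH, None
    # Same words in any order counts as an exact match.
    if sorted(entered) == sorted(registered):
        return MATCH, None
    score = SequenceMatcher(None, " ".join(entered), " ".join(registered)).ratio()
    if score >= close_threshold:
        return CLOSE_MATCH, account_name
    return NO_MATCH, None


def authorise_payment(entered_name, account_name, payer_confirmed_name=None):
    """Release the payment only when the payee name has been verified.

    A close match needs a second round: the payer is shown the registered
    name and must explicitly re-submit it. A no-match is never released,
    whatever the payer later confirms.
    """
    outcome, _suggestion = check_payee(entered_name, account_name)
    if outcome == MATCH:
        return True
    if outcome == CLOSE_MATCH and payer_confirmed_name is not None:
        return check_payee(payer_confirmed_name, account_name)[0] == MATCH
    return False


if __name__ == "__main__":
    # Constructed cases: (name the payer typed, name on the receiving account)
    cases = [
        ("Mr Matthew Smythe", "Matthew Smythe"),       # title ignored
        ("Matthew Smith", "Matthew Smythe"),           # misspelling
        ("Pat Smith", "Matthew Smythe"),               # nickname, wrong surname
        ("Smythe and Partners", "Smythe & Partners LLP"),
        ("Smythe & Partners LLP", "J Crook"),          # redirected-invoice fraud
    ]
    for typed, registered in cases:
        print(f"{typed!r} -> {registered!r}: {check_payee(typed, registered)}")
```

The last case is the one the comment cares about: the payer believes they are paying their lawyers, the account belongs to someone else, and the transfer is refused without disclosing whose account it is.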
| loeg wrote:
| Zelle is essentially the same as Faster Payments here; the
| legal structure of it being a third party seems more or less
| irrelevant. I don't think regulating it will be a problem for
| the CFPB or other US regulators.
| arrosenberg wrote:
| The company that owns Zelle is owned by a cartel of the
| biggest banks and Navy Federal CU.
| rr808 wrote:
| Yeah it's fascinating that quick payments probably is more of
| a problem than a benefit.
| tialaramex wrote:
| Do you think? What I see is that it's a useful way to move
| money and, as expected, crooks wanted to use it to steal
| money.
|
| It's more remarkable when we invent things that move money
| and _don't_ get used for crime.
|
| For example the UK's Direct Debit turns out to be almost
| useless for crime, because it can be unwound, so, if you
| use it to steal money you run into two closely related
| problems:
|
| 1. When the victim realises they just undo the transaction,
| and get their money back
|
| 2. Because the bank doesn't want to be on the hook for
| that, their capital requirements to allow Direct Debit are
| eye watering. Out of reach of ordinary crooks.
| bombcar wrote:
| What's the defense against abuse of #1 - that's the usual
| problem we see with perfectly reversible transactions.
| c3534l wrote:
| Yeah, it's not like the bank gave access to your account to the
| wrong person and now they're not paying you back. You did
| something with stuff you legitimately own and control and now
| you regret it. That's a big difference to me.
| [deleted]
| trothamel wrote:
| I've always found the Mitchell and Webb take on identity
| theft/bank robbery to be a very interesting take on who's
| responsible:
|
| https://www.youtube.com/watch?v=CS9ptA3Ya9E
| spaetzleesser wrote:
| It's a stroke of genius how the banks managed to make the
| victims of bad security practice at banks responsible for these
| problems.
| shadowgovt wrote:
| Yes. We really let creditors hoodwink us when we let them
| invent the idea of "identity theft" instead of what it is: "You
| trusted some fraudster's claim they were who they said they
| were."
|
| One puts the onus on the defrauded company to fix their house;
| the other puts it on a third-party with no involvement in the
| transaction to... Make it harder? For strangers to lie and tell
| other strangers they are the person with the "stolen identity?"
|
| We could have drastically changed the landscape on this if the
| first time a company came after someone whose identity was
| stolen for money not paid the government had responded with not
| only a "no" but a fine for using the law to harass a stranger.
| factsarelolz wrote:
| >We really let creditors hoodwink us when we let them invent
| the idea of "identity theft" instead of what it is: "You
| trusted some fraudster's claim they were who they said they
| were."
|
| This pissed me off so much. Victim blaming and they get away
| with it.
| drdec wrote:
| It's not victim blaming. They (the creditors) are the
| victims and they expect you to make them whole.
| shadowgovt wrote:
| They expect strangers unrelated to the actual fraudulent
| transaction to make them whole.
| boole1854 wrote:
| To be fair, from the creditor's perspective it is often
| unclear whether the transaction was really illegitimate.
| Fraud in which the consumer falsely claims they were the
| victim of identity theft is a real phenomenon, in the
| same way that there is real insurance fraud where
| consumers falsely claim to be victims of physical theft.
| sidewndr46 wrote:
| That is because creditors have every incentive to make
| sure they only barely perform identity verification. It's
| not at all uncommon to find out about people who discover
| someone else took out a loan in their name, but is
| actually making payments on it. It happens when someone
| is wanted for criminal investigations, an illegal
| immigrant, or just has crap credit.
|
| Crappy identity verification basically widens their
| customer base.
| boole1854 wrote:
| As someone who works in a consumer loan-related field, I
| know from experience that this is not correct. With very
| few exceptions, creditors do _not_ have incentives to
| barely perform identity verification. Even if 90% of
| identity thieves paid back their loans, the losses on the
| remaining 10% would swamp any profits -- and of course
| far fewer than 90% of identity thieves pay back their
| loans. Industry losses due to incorrect identity
| verification are in the tens of billions annually. There
| are many vendors that financial institutions pay big
| bucks to in order to improve their ability to correctly
| perform identity verification. However, like everything
| else, there are tradeoffs involved, and it is rarely if
| ever optimal to try to push identity fraud to nil.
| overthemoon wrote:
| Maybe I'm naive but I've never thought about it this way.
| invalidOrTaken wrote:
| It is absolutely insane.
|
| If the bank lends me money and I lose it, they expect to be
| paid back.
|
| But if I lend _them_ money, and _they_ lose it, this is...my
| fault?
| Animats wrote:
| This is why, in the US, you want to use a credit card, not Zelle,
| for anything which might require reversal. The terms for credit
| cards are set by Federal law, and they favor the cardholder.
| Terms for debit systems such as Zelle are more like handing cash
| to someone.
| jcadam wrote:
| I have an Amex Platinum card and the few times I've disputed a
| charge they've usually found in favor of the merchant
| (particularly if the merchant is a large company).
|
| The one notable time they actually found in my favor and
| refunded me was a recurring charge I'd repeatedly tried to
| cancel with the merchant and eventually I threatened to close
| my account with Amex.
|
| "Oh, really? Alright, I want to close my account."
|
| "Oh, hold on sir, let me try again..."
|
| Effing $800/year in annual fees for this crap.
| silisili wrote:
| Amex went down the tubes about 10 or so years ago. Their CS
| is terrible now. Prices went up, perks went down. The only
| card even worth entertaining is their blue cash, for 6%
| grocery.
| snotrockets wrote:
| Zelle is also covered by federal regulation (Reg E). Banks just
| would very much like you to ignore that.
| silexia wrote:
| Frauds and scams should be solved with heavy jail time or death
| and policing across borders.
| kelthuzad wrote:
| > When U.S. consumers have their online bank accounts hijacked
| and plundered by hackers, U.S. financial institutions are legally
| obligated to reverse any unauthorized transactions as long as the
| victim reports the fraud in a timely manner. But new data
| released this week suggests that for some of the nation's largest
| banks, reimbursing account takeover victims has become more the
| exception than the rule.
|
| I always knew that some of the pro arguments for centralized
| systems were suspect, but it's good to have some evidence for it
| now.
|
| Now I wonder how many other cases that are touted as arguments
| for centralized systems don't hold up to any scrutiny.
| vore wrote:
| Even if the bank is not offering recourse, there is at least a
| mechanism for recourse. Decentralized banking just has no
| recourse at all, so it really just seems strictly worse here.
| datadata wrote:
| I would argue that a system claiming to have recourse that
| doesn't actually work (taking this article for its word), is
| slightly worse than a system without recourse that explicitly
| states there is not recourse. People will be much more
| reckless and thus likely to be victims of fraud if they are
| told fraud is reversible.
| notch656a wrote:
| Having crypto w/ absolutely no recourse has allowed me to
| save money on buying silver vs say a credit card and faster
| clearing than wire or ACH. Recourse means the seller has to
| bear a risk you may find a way to yank the money back, and at
| least with precious metals "yuh pay extra for dat."
|
| As a seller, or a buyer dealing with someone I trust,
| recourse is a serious hazard I want to avoid. For this reason
| I demand cash or crypto when selling items.
| vsareto wrote:
| This only seems like it started in 2021. Up until then, those
| arguments were sound. It's worth reconsideration if this is now
| the trend, but can you really defend the position that you
| thought those arguments were suspect because you knew banks
| were going to stop fraud corrections? While simultaneously
| preferring systems that never had it at all?
| kelthuzad wrote:
| I doubt that it only started in 2021, unless you have
| evidence for it.
|
| >but can you really defend the position that you thought
| those arguments were suspect because you knew banks were
| going to stop fraud corrections?
|
| I knew those arguments were suspect, because the very same
| thing that makes such an intervention possible is the very
| same thing that makes it unreliable: a central authority,
| that first and foremost acts in its own best interest and is
| prone to corruption, abuse of power and what have you.
|
| > While simultaneously preferring systems that never had it
| at all?
|
| You can still build such a system on top of a decentralized
| system and put your trust in random 3rd parties, if for
| whatever reason that happens to float your boat.
| asdfasgasdgasdg wrote:
| The banks aren't going to make you whole when you withdraw a
| thousand bucks from the ATM and send it to someone. These
| denied refunds follow the same principle. There are warnings
| all over every zelle implementation I've used saying that using
| zelle is like using cash, don't send it to someone you don't
| know, etc. But people still do it anyways.
|
| Btw crypto is worse on this in every way and there is no system
| that actually solves this problem. I wonder if it is even
| possible to solve.
| twblalock wrote:
| For large transactions this is somewhat solved by escrow
| companies.
|
| In the end it all has to come down to trust. If all
| transactions were easy to reverse, we would see the opposite
| problem: scammers who pay people money and then demand it
| back, claiming fraud.
| asdfasgasdgasdg wrote:
| Yep. Happens in the credit card world all the time. Porn is
| a good example of a business that has a lot of trouble
| functioning due to fraudulent chargebacks.
| twblalock wrote:
| That is in fact the real reason some credit card
| companies won't let you pay for porn. Amex was preventing
| it for years before it was a PR/wokeness issue.
|
| The scenario is, someone pays for porn, their spouse sees
| it on the bill and gets really angry, and the other
| person says it wasn't me, it must have been fraud! So
| they file a chargeback.
| livueta wrote:
| > Btw crypto is worse on this in every way
|
| In a technical sense you're correct; in both cases the
| transactions are effectively irreversible. That said, I think
| there is an important difference:
|
| Everyone (well, kinda) knows that a crypto transaction is
| irreversible; that's basically the point. Because of this, it
| is expected and normal to layer on extra systems to cope with
| the risk of not having an authority to dispute stuff to.
| Consider darknet markets: they use escrow and reputation
| systems to protect both parties.
|
| But everyone (well, kinda, in the same sense as the above)
| also knows traditional financial institutions are "safe" and
| that transactions are reversible. That false sense of
| security means other security/resolution methods aren't
| considered, so when the centralized authority has a bad day
| the end user is out of luck.
|
| But isn't an escrow system just another centralized
| authority? Sure, but at least I can choose what escrow system
| I want to interact with. The banking cartel behind Zelle
| doesn't afford me the same degree of choice, and using small
| credit unions isn't a panacea either because they farm out
| everything complicated to one or another of the payment
| cartels. Quality of escrow system is an important
| discriminator when choosing a DNM; I wish I could assess
| various traditional financial institutions' likeliness to rip
| me off as effectively.
|
| If centralized financial institutions want to act like crypto
| in terms of irreversibility, fine, but I think the scale of
| the problem described in TFA indicates that some "are you
| suuuuuuuuuuuuure you want to send money to Joe Blow" popups
| in the app aren't enough to overcome that aegis of "this is a
| safe institution" floating around in the public
| consciousness. I see it as more a problem of false
| advertising than anything else, really. Copy from the landing
| page of their site:
|
| > Zelle® works between U.S.-based banks. Which means, even
| if you bank somewhere different than your friends and family
| do, you can still use Zelle® to safely send and receive
| money straight from your banking app.
|
| > safely
|
| Obviously it's not a legal doc or anything, but I'd argue the
| service is both explicitly and implicitly casting itself as
| akin to a bank-provided service like a credit card, not
| something as wild west as cash.
| criddell wrote:
| Is Zelle really like using cash? It seems closer to an
| electronic transfer than withdrawing dollar bills. With cash
| they have no way to know what I'm doing with the money but
| with a transfer, they know a little bit more and so they have
| more responsibilities (IMHO).
| asdfasgasdgasdg wrote:
| It is the intentional decision of zelle to be like using
| cash in terms of rollback guarantees. This is so that
| payees can accept it like cash. There's no way to balance
| the scales -- the payment system that can be rolled back
| has its own issues.
| brigade wrote:
| That decision is exactly as legally binding as the
| signs on trucks disavowing liability for falling debris.
|
| Banks might be trying to pretend Zelle isn't covered by
| Regulation E, but I haven't heard any good argument for
| why it doesn't apply, other than arguments similar to
| yours that they simply don't want it to.
| NovemberWhiskey wrote:
| Banks are not arguing that Zelle isn't covered by
| Regulation E.
|
| Regulation E talks about liability for "unauthorized
| transactions". Those are transfers "from a consumer's
| account initiated by a person other than the consumer
| without actual authority to initiate the transfer".
|
| If you initiated the transfer but were misled into doing
| so or provided the wrong payment information or whatever,
| it's still an authorized transaction from Regulation E's
| perspective; so you are still liable for it. The only
| exception is if you were induced by force to initiate the
| transfer.
| brigade wrote:
| Authorization isn't "I authorize my account to be debited
| $X", it's "I authorize my account to be debited $X by
| Party Y"
|
| Errors under Reg E include any instance where Party Y is
| not who receives the funds, including wrong payment info.
| NovemberWhiskey wrote:
| That is not what the law says; what's your basis for it?
| asdfasgasdgasdg wrote:
| People are welcome to challenge the banks in court. It
| will be no skin off my back if they win. But I guess the
| banks have good reason to believe that they can defend
| their practices successfully. If not it will be the end
| of Venmo, cash app, and zelle -- or at least the free
| transfer features of those apps.
| brigade wrote:
| The "good reason" is that it's an extension of how banks
| have always treated fraudulent debits until you show
| knowledge of the Reg E dispute process, so it makes it
| outside of first-level customer support.
|
| And it won't be the end of free electronic transfers,
| it'll just mean acknowledging that those transfers aren't
| any more final than writing a check.
| criddell wrote:
| If they can't rollback the transaction, Zelle should
| reimburse customers itself.
| SpicyLemonZest wrote:
| We have other payment systems like credit cards which
| work that way. The inevitable consequences are that
| permissions to receive payments are tightly locked down,
| and the network charges fees to help cover the cost of
| fraudulent transactions.
| hayst4ck wrote:
| For any of the types of people who are against taxes and
| regulation, that type of policy results in a world where outcomes
| of disputes are able to be dictated solely on the basis of who
| has more power or resources.
|
| I'd rather live in a world where banks are solely responsible for
| fraudulent withdrawals than one where banks can shirk
| responsibility to their patrons. That is only possible through
| regulation.
|
| That's why it's important to vote for people who aren't afraid to
| create regulations, and that's why it's important to question
| people who claim that "the free market will eventually result in
| reasonable outcomes."
| smeej wrote:
| Here's the thing about fraud, though: It's next to impossible
| to prove.
|
| There is NO visible difference between "I sent my new friend
| thousands of dollars because she's trying to start a new
| business and I'm investing...but now the business has gone
| under and I regret investing so I'm just going to tell the bank
| it was unauthorized," and, "I just sent my new friend thousands
| of dollars because she's trying to start a business and I'm
| investing...but now I've realized she was really a liar and
| there was no business."
|
| Proving account takeover (ATO) is easier. There's some new IP
| (unless you gave someone remote access to your own device), new
| mouse behavior (yes this is a thing some institutions track),
| whatever.
|
| But when you're the one who signed into your own bank account
| and sent your own money, _you have every right to do that,_
| even if you're sending it somewhere stupid that you later
| regret.
|
| It's not up to the bank to protect you from your own stupidity.
| They just hold the money for you that you want to keep. Telling
| you that you can't send it somewhere you explicitly want to
| send it because they don't think it's a good idea isn't their
| job.
|
| That's what they're calling "fraud" or "scams" here, and
| there's no reason your bank should be on the hook because you
| did something dumb with your own money.
| bombcar wrote:
| Exactly, as systems get more secure, indirect/third-party
| fraud decreases and direct fraud becomes caught more.
|
| How many people "chargeback" porn that they actually paid for
| because they got "caught"? As systems get better and better
| at preventing fraud, those chargebacks become harder and
| harder to believe.
| brigade wrote:
| > It's not up to the bank to protect you from your own
| stupidity.
|
| It is their legal obligation to reverse illegitimate
| transfers. Explicitly for ACH, and there's no good reason
| they should be exempt from this obligation just because the
| transfer was via Zelle instead of ACH. Which _includes_ a
| mistaken recipient or amount, even without any fraud.
| NovemberWhiskey wrote:
| > _Which includes a mistaken recipient or amount, even
| without any fraud._
|
| You keep saying that; but that's not what Regulation E
| says.
| hayst4ck wrote:
| > It's next to impossible to prove.
|
| Is it impossible to prevent?
|
| What types of entities are in a position to be most able to
| prevent fraud?
|
| What kinds of interventions can mitigate fraud?
|
| > That's what they're calling "fraud" or "scams" here, and
| there's no reason your bank should be on the hook because you
| did something dumb with your own money.
|
| On this point we disagree. My viewpoint is one of "what
| entity has the most ability to do something about the
| problem". Yours is one of individual responsibility.
|
| I would prefer the bank do something to protect my vulnerable
| grandma from doing something wrong to one where her mental
| decline and therefore her inability to comprehend her
| impending mistake is her responsibility.
| robswc wrote:
| Regulations aren't some magic wand that don't come with side
| effects, though. IMO, they tend to not address the root
| problems and only add layers of abstraction.
|
| One of the best examples of this is how Sweden irrevocably
| killed their financial markets by trying to just squeeze out a
| bit more tax revenue and limit speculation. The cost of that
| mistake has to be in the billions and IMO, we'll see the end of
| Sweden as a nation before we see it "recover" its markets.
| cowtools wrote:
| >I'd rather live in a world where banks are solely responsible
| for fraudulent withdrawals than one where banks can shirk
| responsibility to their patrons. That is only possible through
| regulation.
|
| I'd rather live in a world in which effective security measures
| prevent fraud than a world in which there are weak security
| measures and endless debates as to who should be blamed when
| they fail. Regardless of your political stance, I think we can
| agree that the system is more technically-broken than it is
| socially-broken.
|
| I think understanding the problem solely in terms of
| more/less regulation is a bone-headed thing to do.
|
| I think what we have isn't a free market but a duopoly of
| mastercard/visa each with control over their respective domain.
| You can't upgrade the security, privacy, or efficiency of the
| network because the big players benefit from the insecurity,
| surveillance, and inefficiency.
|
| Decreased regulation will probably increase their stranglehold
| on the industry, as you've noted. Increased regulation will
| cement current ineffective practices and make different
| business models impossible.
|
| People turn to cryptocurrency, not because it's more
| private/secure/etc but because it is the most
| private/secure/etc system that works without the permission of
| the big rent-seekers.
| ClumsyPilot wrote:
| You are missing the forest for the trees -> there will always
| be some fraud, and thus a decision must be made regarding who
| is responsible.
|
| Furthermore, if the bank don't suffer from fraud, they have no
| incentive to fight it. So there will be no effective security
| cowtools wrote:
| You can just have a voluntary system wherein people decide
| beforehand how funds are distributed in the case of fraud.
|
| That doesn't necessarily require a third party like a bank
| to surveil and supervise every transaction.
| hayst4ck wrote:
| > I'd rather live in a world in which effective security
| measures prevent fraud than a world in which there are weak
| security measures and endless debates as to who should be
| blamed when they fail. Regardless of your political stance, I
| think we can agree that the system is more
| technically-broken than it is socially-broken.
|
| But this _is_ a problem of responsibility. Customer
| responsibility is an O(people) security problem. Bank
| responsibility is an O(banks) problem. In terms of alignment
| to fraud mitigation, bank responsibility leads to better
| technical security because they become the implementers of it
| to protect their own interests.
|
| From an outcome based perspective banks must be accountable.
|
| > I think understanding the problem in solely in terms of
| more/less regulation is a bone-headed thing to do.
|
| I don't have a more/less regulation perspective. I have a
| correct/incorrect regulation perspective.
|
| > People turn to cryptocurrency, not because it's more
| private/secure/etc but because it is the most
| private/secure/etc system that works without the permission
| of the big rent-seekers.
|
| But it isn't. It might be more secure because the average
| crypto holder is more savvy, but in terms of security
| properties, I wouldn't let my mom have a crypto wallet, and
| without a direct wallet, I don't see how crypto has different
| properties than a bank (an entity making transactions on your
| behalf), the interface is the same, but the implementation
| details are different. No?
| DennisP wrote:
| I'd say that crypto personally held in a hardware wallet is
| less secure against the sort of frauds described in the
| article, where the victim personally authorizes a
| transaction, because there's nobody you can even ask for a
| refund.
|
| But hardware-secured crypto is much more secure against
| _unauthorized_ access (e.g. a SIM swap without the user's
| involvement). After getting familiar with crypto, it
| boggles my mind that we handle so many payments by giving
| full credentials to the payee and just trusting them not to
| abuse it or be careless with it. Public keys have been
| around since the 1970s. Why don't we give retailers a
| digital signature authorizing a specific transaction? Why
| are we still using insecure 2FA and user-supplied passwords
| for bank website access?
|
| Ideally, we'd put secure elements and social recovery
| wallets in all our phones, and use them for everything.
| It's what we need for crypto, but we could use the same
| tech as access control for banking systems.
| cowtools wrote:
| >But it isn't. It might be more secure because the average
| crypto holder is more savvy, but in terms of security
| properties, I wouldn't let my mom have a crypto wallet, and
| without a direct wallet, I don't see how crypto has
| different properties than a bank (an entity making
| transactions on your behalf), the interface is the same,
| but the implementation details are different. No?
|
| It's true to some extent that crypto users are more savvy
| than most, but I think cryptocurrency also has obviously
| superior security properties to the conventional banking
| system, technically speaking. In the conventional banking
| system, there are no "savvy" users because everyone is
| equally insecure no matter what. In the conventional
| banking systems it's all based on trust. Trust that the
| bank obeys the law, trust that law enforcement is not
| corrupt, etc. The security mechanisms of cryptocurrency are
| at most a superset of what you can do with the conventional
| banking systems. If you want to have a third party
| supervising transactions, you use 2-of-3 multisig for
| example (https://en.bitcoinwiki.org/wiki/Multisignature).
| If you don't trust your family member to authorize payments
| without you, you use 2-of-2 multisig. If you don't trust
| yourself to not lose your keys, you back them up. If you
| want to limit your risk, you keep a small amount of
| cryptocurrency in a "hot" wallet.
|
| Secondly, I don't think that the idea of a keypair is
| beyond the understanding of an average person. They
| effectively already know how to manage secrets in the
| current system: passwords, bank routing numbers, etc. It's
| just that the keypair is superior to these systems of
| authentication which often require you to reveal the secret
| itself to authenticate (credit card number), do not have
| enough entropy (4-digit-pin), are open source (E.g.
| security questions like "what's your mother's maiden
| name?"), or rely on other centralized systems (SMS-based
| 2FA). Even if you implemented some sort of "custodial
| keypair" that allowed you to transparently sign
| transactions without revealing your secret, that would be a
| major improvement over the current system which is based on
| (typically bad) secrets.
|
| In many ways, the conventional banking system is _more_
| complicated than cryptocurrency, because the failures of
| cryptocurrencies are "solid" and well-defined (e.g. 51%
| attacks, MITM attacks, etc.) while the failures of the
| conventional banking system are "soft and fuzzy". For
| example, I was reading about a scam the other day wherein
| the attacker sends the victim a fake check, and asks them
| to cash out the money- this scam works because banks
| generally accept checks before validating them, allowing
| you to spend money that hasn't been validated yet and then
| charging you later. You might think this is obvious as a
| boomer, but as a zoomer who has never cashed a check
| before, this is not obvious at all.
|
| And I'm not necessarily saying that cryptocurrency is the
| end-all-be-all of payment systems. There are superior
| systems like chaumian cash (https://taler.net/en/) but they
| require the permission of the existing banking system
| (which generally profits off providing services that
| surveil users and """fix""" the existing insecurity), so
| they haven't taken off.
|
| I get the impression that regulation will never fix this
| because the nuances at hand will go over the head of any
| lawmaker who has merely accepted the insecurity of the
| status quo. I think that even if you get some libertarian
| or pro-cryptocurrency person in office which doesn't accept
| the current system, I highly doubt that they would make the
| right decision needed- it's more likely that any pro-
| cryptocurrency candidate is just going to act in a way that
| benefits cryptocurrency owners.
|
| Compare this to a topic like net neutrality. Even though I
| am a libertarian, I am more aligned with the democrats'
| views on net neutrality because of the obama
| administration's actions. Why? Not because the democrats
| are especially aligned to solve this problem, but merely
| they happened to have a good cabinet member or something
| that happened to understand the issue that election cycle
| and advise obama on that issue. It seems just as likely to
| me that the opposite might happen, albeit the democrats
| tend to be more pro-consumer in general. My point being
| that elected officials will not campaign on this because it
| is too nuanced, so solving this through politics is futile.
| It is better just to improve cryptocurrency (or some
| other non-permissive technical solution) until it is
| competitive and forces the government/banking system to
| adapt (e.g. Project Hamilton).
|
| P.S. I don't understand what you mean by a "direct wallet"
| here. A hardware wallet?
| hayst4ck wrote:
| I am pretty crypto naive. My understanding is that a
| wallet is effectively a `private key => balance` and you
| can use the private key to sign transactions which are
| sent to a block chain where they are executed. So when I
| said "direct wallet" I meant the private key.
|
| My understanding is that many of the people who own
| crypto do so through a third party, so there is a layer
| of indirection. It's the difference between me having
| cash in hand (money in my pocket I can directly use) and
| me having cash in the bank (I tell my bank to send money
| to someone else and they execute the transaction on my
| behalf).
|
| My mom has downloaded ransomware before, so from that
| perspective, I think crypto has worse security
| properties. If transactions are executed indirectly, the
| security properties are theoretically the same as
| executing transactions through a bank and you are back in
| a system of trust. Furthermore if a "cryptobank" gets
| hacked, that money is not retrievable, while
| theoretically in a system of pure fiat, the money might
| not be retrievable, but the value could be refunded at
| the cost of devaluing the currency as a whole.
|
| As far as behind the scenes implementation details go, a
| cryptographically signed ledger with immutable history
| makes sense, but I also generally trust banks, much less
| so investment banks, and significantly less so the stock
| market.
| cowtools wrote:
| >My understanding is that many of the people who own
| crypto do so through a third party, so there is a layer
| of indirection. It's the difference between me having
| cash in hand (money in my pocket I can directly use) and
| me having cash in the bank (I tell my bank to send money
| to someone else and they execute the transaction on my
| behalf).
|
| This is quite true, and it is likely the largest problem
| facing cryptocurrency today is this custodial use of it
| (besides all of the get-rich-quick schemes). But at its
| worst like this, cryptocurrency is a non-proprietary
| inter-bank payment method that prevents double-spending
| between banks. It is still superior to something like
| zelle, paypal, or SWIFT so long as the fees are lower. If
| cryptocurrency was the primary means of inter-bank
| transfer, then it would be trivial for anyone to start a
| new bank that could inter-network with the rest of the
| banking system, so I expect banks would be a lot more
| competitive (including on matters of privacy and
| security).
|
| >My mom has downloaded ransomware before, so from that
| perspective, I think crypto has worse security
| properties. If transactions are executed indirectly, the
| security properties are theoretically the same as
| executing transactions through a bank and you are back in
| a system of trust. Furthermore if a "cryptobank" gets
| hacked, that money is not retrievable, while
| theoretically in a system of pure fiat, the money might
| not be retrievable, but
|
| Hmm. yes this is sort of a complicated subject. But I'll
| just re-iterate a point here which I may not have made as
| clear earlier: that cryptocurrency allows you to
| establish different levels of trust/risk through the
| means by which you manage your keys. A lot of older
| cryptocurrency users who don't practice good opsec will
| use a hardware token to sign transactions. Another
| example of what you could do is use a multi-signature
| system that would make it so that multiple keys are
| needed to move your funds (for example, they would have
| to hack at least X of Y devices in order to move funds),
| or simply have multiple wallets and limit the amount that
| you have in each one.
|
| And secondly, there are non-cryptocurrency ways of
| implementing different levels of trust/risk that you
| could integrate into the existing banking system, like
| chaumian cash or even just using cryptographic keypairs
| to authenticate transactions.
|
| In other words, losses of cryptocurrency due to theft or
| fraud are not always all-or-nothing. The difference
| between cryptocurrency and the conventional banking
| system is that you can decide your level of trust/risk
| you want to take before you do a transaction, which
| includes the use of a "cryptobank" (which could be secure
| but have historically been very scammy compared to
| conventional banks, see Mt Gox, Celsius, etc.).
|
| >the value could be refunded at the cost of devaluing the
| currency as a whole.
|
| I am not sure that it's a desirable property that the
| rest of society can bail out banks like you're
| describing. I think in an ideal situation you would have
| some sort of free-market-ish sort of way to balance the
| risk vs reward of different security practices, whether
| that's users voting with their dollar or with a middleman
| like rating agencies or insurance. And those incentives
| basically require the bank and its customers to lose
| money when they get robbed (maybe through some middleman
| like insurance).
|
| If you look at serious cryptocurrency exchanges like
| Kraken or Binance, there is a massive gap between
| "cryptobank gets hacked and loses some of their funds"
| and "cryptobank gets hacked and loses everything". They
| keep a lot of their funds on separate, air-gapped,
| offline systems, with the keys distributed between
| multiple people. Those aren't funds that you can steal
| with a normal cyber-attack: it would take pretty
| persistent social engineering akin to widespread
| corruption.
| thewebcount wrote:
| > I think what we have isn't a free market but a duopoly of
| mastercard/visa each with control over their respective
| domain. You can't upgrade the security, privacy, or
| efficiency of the network because the big players benefit
| from the insecurity, surveillance, and inefficiency.
|
| What does that have to do with the article? Neither
| MasterCard nor Visa is involved with Zelle, are they? The
| article says it's controlled by a group of banks. Presumably
| they've set up a new system, so they could make it as secure
| as they'd like.
| cowtools wrote:
| It's just another proprietary network with its own
| gatekeepers. I don't see what the fundamental change is
| here over something like SWIFT.
|
| It may only be temporarily competitive as it tries to
| penetrate the market. Once it reaches a sufficient enough
| market share, they will be able to hike up fees and
| disregard users like the systems that came before it.
| bobkazamakis wrote:
| Correct but you've gotten off the subway at chud station and
| the MBAs are going to be seething
| rglover wrote:
| > that type of policy results in a world where outcomes of
| disputes are able to be dictated solely on the basis of who has
| more power or resources.
|
| We already live in that world. There's just an intermediary in
| the form of the state.
| throw10920 wrote:
| > For any of the types of people who are against taxes and
| regulation
|
| Please don't introduce this kind of barely-related, politically
| biased, emotionally-charged, tribalistic tangent into HN.
| Virtually _nobody_ here (either in this thread, or on HN in
| general) is arguing that taxes should be abolished or that
| financial stuff should be deregulated. You're just invoking
| tribalism where there was none previously.
| lcnPylGDnU4H9OF wrote:
| > ... who has more power or resources.
|
| I imagine it's been said before but I recently had the thought
| that murder being illegal is a regulation of the market.
|
| The point being that even the most staunch proponent of "free
| markets" is probably going to draw the line somewhere that
| defines a "not completely free market" which opens the door to
| questioning where the line should be drawn. I think that's
| always been the case but then you'll encounter arguments that
| something should not be regulated because the market should be
| free.
| daveslash wrote:
| Killing someone is not illegal; it's just illegal for folks
| like you and I. There's a whole school of thought that asserts
| that _The State_ holds a _Monopoly on Violence_ [0] (which
| includes killing). It's been discussed here on HN
| periodically. [1]. But you're totally right: it's a sort of
| regulation of the market.
|
| ( _Note: 'Murder' is killing someone WITHOUT legal
| justification. With legal justification, killing someone is
| not murder, by definition. By definition, something that is
| illegal is illegal_).
|
| [0] https://en.wikipedia.org/wiki/Monopoly_on_violence
|
| [1] https://hn.algolia.com/?dateRange=all&page=0&prefix=false
| &qu...
| [deleted]
| blowski wrote:
| "Nothing to excess." The Oracle at Delphi in Ancient Greece
| had wisdom that would help some of today's libertarians (and
| socialists).
| bee_rider wrote:
| It turns out that the organizations with a local monopoly on
| killing have managed to leverage their market position to
| gain a foothold in the regulation of basically every other
| market. We might call this anticompetitive, but looking at
| places where the market for killing-services is highly
| competitive, having a single entity responsible for this is
| probably in consumer interest.
| daveslash wrote:
| Yes. I agree. I grew up in a household that was extremely
| _"Free Market is the Best Market; Regulation is for commies and
| baddies"_. It's taken me a long time to heal from that. I still
| prefer as much free market as _is reasonable_, but my sense
| for what is and is not reasonable has shifted a ton. I'm now a
| big advocate for sensible regulation. (Most is sensible in
| intent, but sometimes non-SME write huge swaths and it gets
| botched). These days, my biggest complaint about regulation is
| that the right people (SMEs) aren't consulted as much as they
| should be.
| hayst4ck wrote:
| "Some regulation is bad, therefore all regulation is bad." is
| what I grew up with too.
| factsarelolz wrote:
| I recently hired a contractor to do landscaping. We're talking
| multiple trees to take down, redoing multiple flower beds, mulch,
| rock and some sod. I was quoted at ~9k$. I paid half (4500$) via
| Square using my platinum credit card issued by my CU.
|
| I took a picture of his business license, insurance, and I ended
| up getting pics of trucks when I took before pictures.
|
| The crew came and worked one day. Maybe completed 30% of the
| work. For the next two weeks my calls and texts were
| dodged/unanswered/sent directly to voicemail.
|
| Finally I had enough. I called the police, did a police report.
| Called the CU explained what happened and was sent an email on
| how to open a fraud report. I submitted all the before pictures
| and the "after 30% of work" pictures. I sent the police report,
| and social media posts of people who claimed to have their money
| stolen by the same person / company.
|
| 3 weeks later I get an email that my claim was denied due to
| "lack of information." I spent a total of 31 hours on the phone
| attempting to get someone to tell me what information I needed to
| send them or what information they found lacking. I got
| absolutely nowhere. No answers. No one from fraud department. No
| one cared at all. Just denied.
|
| So I went the other route, filed a claim in small claims court. I
| provided the judge everything I sent to the credit union.
| Judgement was in my favor. Now he owes me the $4500. How do I
| collect? I probably will never see the money. I can't legally
| garnish any wages. So I'm out 4500. I couldn't really do anything
| else to protect myself more.
|
| Navy Federal Credit Union. I've been a member since 1991. 30
| years with a credit union. I am a military veteran. Hundreds of
| thousands of dollars worth of transactions have passed through my
| account. I've had multiple home, auto and personal loans.
|
| I'm still trying to get over it.
| NovemberWhiskey wrote:
| > _So I went the other route, filed a claim in small claims
| court. I provided the judge everything I sent to the credit
| union. Judgement was in my favor. Now he owes me the $4500. How
| do I collect? I can't legally garnish any wages._
|
| Where I live, after 30 days of the debtor failing to pay the
| judgment, you'd make an appointment with the sheriff, bring a
| check for $35 and they'd attempt to enforce it for you;
| including garnishing wages, seizing property (real or personal)
| etc etc.
|
| I'm not surprised you didn't get far with police reports and
| fraud filings: breach of contract is not necessarily fraud.
| vuln wrote:
| .
| [deleted]
| tdiggity wrote:
| A similar thing happened to me where a contractor bait and
| switched me. Put down a 50% deposit and he said it was non
| refundable. I wrote it off thinking I'd never get it back. I
| got extremely lucky though in that a detective in a nearby city
| emailed me and said this contractor had ripped off a lot of
| people and he was investigating. A few weeks later, they
| refunded my deposit.
|
| It seems like once the police got involved, they were willing
| to play ball. Somehow, you've got to find the contractor and
| get the police on your side. You've got his business addresses
| and even insurances, maybe the insurance company is your way
| in?
|
| Good luck.
| factsarelolz wrote:
| Sorry I forgot to mention the insurance part and I can no
| longer edit my post.
|
| When I looked at the insurance and took a picture the policy
| dates were valid.
|
| When I attempted to call the insurance company the policy was
| started then canceled due to lack of payment so he probably
| only made the first payment.
|
| Lesson learned is to call to verify on the spot. Never
| thought of it. The police just look at my slip of paper from
| the glovebox.
| flutas wrote:
| > The police just look at my slip of paper from the
| glovebox.
|
| They already know if you have insurance typically. Their
| in-car computers can typically reference insurance accounts
| (or at least in my technologically backwards state they
| can).
| factsarelolz wrote:
| I still get asked for it...
| breck wrote:
| Interesting. I once had a similar situation but spent $5 and
| had a beer with the contractor and we resolved it and became
| friends.
| factsarelolz wrote:
| Ummm okay. Guy won't even answer the phone or attempt to give
| me even a half decent excuse on why they never showed back
| up.
|
| If he does ever call or text I'll be sure to buy him a beer
| to see if we can resolve the situation.
| breck wrote:
| A sampler is good.
|
| In general I've found a good rule of thumb with people is:
| Flight or "flight".
| jcadam wrote:
| NFCU and USAA have both gone way down hill. They are coasting
| on their previously earned reputations but are no better than
| anyone else nowadays.
| factsarelolz wrote:
| I wholeheartedly agree. It's very very sad.
| 77pt77 wrote:
| > I can't legally garnish any wages.
|
| Why not?
|
| You have a judgment in your favor.
|
| Send it to collections.
| monkmartinez wrote:
| Are you in the USA? I just did some googling on this as I was
| unaware of laws regarding the garnishment of wages. I have
| subordinates that have wages garnished for Child Support every
| paycheck. At least in my state, you can most certainly garnish
| wages/property for a judgement in your favor. It will probably
| take a bit more time, but I would stick it out to get my money
| back. If the contractor has nice Stihl saws, I would remand
| some $$$ to get one of them from him. Possibly even the truck
| as the contractor has probably depreciated the asset for tax
| reasons.
|
| [0]https://www.azcourts.gov/selfservicecenter/Garnishment/Garni
| ...
| danielmarkbruce wrote:
| Did you do a reference check?
| factsarelolz wrote:
| This part I could have been more thorough with. Facebook and
| Google business pages had high, aged reviews including
| pictures. Googling the company name didn't come up with any
| open BBB claims even though BBB is a joke.
|
| It wasn't until I started joining and searching through all
| of the local Facebook groups to find others swindled.
| danielmarkbruce wrote:
| Yeah, I guess that's about the optimal amount of checking
| for most things. I recently had some work done and did a
| decent amount of checking but it still felt like a 50/50
| chance of getting taken for a ride...
| Merad wrote:
| I'm not too surprised the fraud claim was denied. You
| definitely made the payment, you paid a [technically]
| legitimate business, and they completed some of the work, i.e.
| it's hard to say they accepted the payment with intent to
| defraud you. The fact that they didn't fully complete the
| agreed work isn't really a matter for the bank's fraud
| department to resolve. Dunno why NFCU couldn't just communicate
| that though. Sounds like a shamefully poor support experience
| on their part.
| ianai wrote:
| How far off of 50% of the work was the work they performed?
| Could it have been a simple case of they did about half the
| work for the pay you gave?
|
| Maybe that'd be how I'd square it with myself. (But still
| probably never working with people who ghost again.) You paid
| 50% and got less than 50% of the work done, but work was still
| done - somewhere between 25% and 50% it sounds like.
|
| It'd also help the personal re-framing if the next people I
| hired quoted less for the remaining work and it was done in a
| day. Granted, this is work with plants and things which
| change/increase in entropy by the day.
|
| The possible life lesson here is to not let perception or
| preconception sour an otherwise sort of alright outcome. And
| sometimes outright re-framing a sour situation can diminish the
| sting. (Along the lines of "breakups hurt, but enjoy the good
| times and memories for what they were.") There's also not
| letting sunk costs steer decisions towards still worse
| outcomes.
| [deleted]
| factsarelolz wrote:
| 1 tons of river rock, 1800 sqft of mulch, and 2 pallets of
| sod were never delivered or installed/spread. 2 of the 5
| trees were completely cut down and cut into pieces but not
| removed. Stumps were not ground down on the two trees that
| were taken down. Some of the branches were removed from the
| other trees and just left there. As soon as it hit 5pm the
| team gathered their tools and left. I was on the hook for
| clean up.
| ncallaway wrote:
| I'm not sure what state you're in, but when something similar
| happened to a friend I found that Connecticut has a Home
| Improvement Guaranty Fund (https://portal.ct.gov/DCP/Common-
| Elements/Consumer-Facts-and...) which exists to satisfy an
| unpaid judgment for up to $25,000. I don't know about most
| states, but I know at least Maryland has a similar fund.
|
| I'd recommend checking to see if your state has a similar
| program.
| [deleted]
| diebeforei485 wrote:
| I feel like screen-sharing apps on phones are a part of this
| problem.
|
| Apple goes out of their way to make sure you can't record video
| off the Netflix app or other apps that play copyrighted media.
| However, as far as I can tell, they do not make similar
| safeguards available (optionally) for financial apps.
| jabroni_salad wrote:
| Isn't that more the app dev's responsibility? Neither of the
| banking apps on my phone permit screenshots or even show a
| preview in recents.
| thewebcount wrote:
| I actually sent a payment via Zelle yesterday and saw something
| new. This was a small payment to a family member that I send
| payments to regularly for some work they're doing for me. When I
| was choosing the recipient, it said something like "Money
| transfers that happen in seconds," implying they'd have the money
| almost instantly (and that does appear to have been the case in
| the past). After completing the transfer, it had a note below the
| resulting screen that said, "This transfer will take 1-3 days to
| complete." It did complete the next day, but it was the first
| time I've seen this sort of thing happen. I wonder if it was due
| to some new security check or something else? Anyone else see
| anything like this?
| maztaim wrote:
| I prefer NCUA insured credit unions. Banks have been historically
| bad in so many ways to me personally as a young person just
| starting out in life. I am sure there are many that hit the
| famous $25.00 service fee that magically gets charged the day
| your account goes to $30.00, causing subsequent charges to hit
| your "overdraft protection" that allows the bank to penalize you
| $25 for every transaction that drops you below a zero balance for
| that day. You now owe hundreds of dollars.
|
| I also had a horrible experience with Citizens Bank, of which
| they allowed $5000 to be fraudulently withdrawn from my account
| in two days. The second $5000 was withdrawn after I was told it
| shouldn't happen again. That day I learned an ACH hold request is
| just that. A request that takes 3 days. I should have been smart
| enough to know that the support agent really meant for me to drop
| everything and immediately get to a physical branch where they
| could put an all hold on my accounts instantly, because I cannot
| do that over the phone.
|
| I don't mean to say credit unions are always better, but I will
| say, I have been getting 2% interest earnings on my savings and
| 1.05% on my checking account. Most banks typically give you only
| a percentage of a percentage point in interest for either...
| baby wrote:
| But blockchain payments can't be reversed! /s
| commandlinefan wrote:
| Man I hate this. I'm terrified of Zelle (and, even worse, Venmo).
| There's no reason at all to use these things - except that
| everybody around me insists on using them. My kids Venmo with
| their friends all the time. My wife and her friends Venmo
| constantly. More and more services won't even take a check,
| they'll only take Zelle or Venmo. And every time I use these
| fragile services I'm opening myself to having my entire bank
| account wiped out with little recourse. (And, of course, the
| people I owe money to like the lienholder on my car and my
| mortgage broker will sure as hell still expect _their_ money).
| jpm_sd wrote:
| My sympathies. I am fortunate in that my wife and I are in
| agreement that we want to stay far away from Venmo, Zelle and
| similar services. Our kids deal in cash or nothing. As for
| services: cash, check, CC or GTFO.
|
| I also (so far) have been unwilling to trust Plaid. Plain old
| crappy wire or ACH transfers for me, thanks.
| teeray wrote:
| Would good opsec for these services be to open another checking
| account for them to limit the blast radius?
| solardev wrote:
| We use it to pay people we already know for transactions we've
| verified, like a beer here or there or splitting gas or
| whatever.
|
| No way I'd send a large sum of a money to a stranger / new
| company over Venmo.
|
| It's useful for replacing small change in your wallet, not for
| replacing credit card and proper purchase protections.
| bombcar wrote:
| One defense is to just have two banks, one for "real bills" and
| one for Zelle/Venmo "play money" bills.
|
| Then at worst you're out the play money. Make sure it's set so
| the real money can only push into the play money account.
| 5d8767c68926 wrote:
| How do I lock down my "real" account? For instance, I want to
| disable the ability for anybody to pull money, and I must
| manually push into a billing account which only maintains
| limited funds.
|
| I briefly looked into this at one point and as best as I
| could tell, Chase would only let you disable ACH on business
| accounts.
| bombcar wrote:
| You can't directly disable ACH, though if you only have a
| _savings_ account it may help.
|
| But ACH has much more defenses against someone pulling
| money than Zelle and friends do.
| loeg wrote:
| > And every time I use these fragile services I'm opening
| myself to having my entire bank account wiped out with little
| recourse.
|
| No. Sending money with Zelle does not expose you to having your
| account wiped out.
|
| Receiving money, there is a minute chance a transfer might be
| reversed. But that's all. Don't use Zelle to accept payment for
| goods/services.
| pb7 wrote:
| You should know that your entire account can be wiped out with
| the information that's on one of your checks. It's time to
| leave that archaic technology in the past like the rest of the
| world.
| esotericimpl wrote:
| crazygringo wrote:
| Huh? As long as you don't participate in a scam and use basic
| security, what are you worried about?
|
| I have no idea what you mean about the services being fragile
| or how your "entire bank account" would be wiped out.
|
| This article is talking almost entirely about scams. Presumably
| you're smart enough not to send your whole bank account's
| contents to a random person who calls you.
|
| And if you're not, well, it doesn't really matter if you're
| being scammed via Zelle/Venmo, or via paper check, or via wire
| transfer, or via ACH.
| commandlinefan wrote:
| > it doesn't really matter if you're being scammed via
| Zelle/Venmo, or via paper check, or via wire transfer, or via
| ACH.
|
| It does, though. If scammers scam via paper check, wire
| transfer or ACH, the full force of the government comes down
| on them and they actually get put in jail if they get caught.
| If they scam via Zelle or Venmo, too bad, so sad.
| NovemberWhiskey wrote:
| No; Zelle and ACH are _exactly the same_ from this point of
| view.
| marcinzm wrote:
| The article basically disagrees with your concerns. You're fine
| unless you yourself make a payment using Zelle to someone else.
| Which is no different than you mailing a check to a fraudster.
| Not sure why the bank should protect you from yourself to that
| degree.
| shadowgovt wrote:
| Oof, that's bad news.
|
| Banking access is not actually very particularly secure. The only
| thing that keeps banking practically secure is the banks
| reversing fraud when it's discovered and the government sending
| fraudsters to jail.
|
| If the banks don't hold up their end of the bargain, the system
| begins to collapse because they certainly aren't
| _technologically_ secure enough to guarantee security of
| customers' money, which is one of the _primary functions of a
| bank._
| notch656a wrote:
| That's the story of society in general. You can easily walk
| into many (most) people's houses between 10a-3pm weekdays and
| just take their shit. I'm sure one could make 6 figures doing
| that. Of course most of us don't because we don't want to harm
| others, and because of the consequences.
|
| You really just have to make it enough of a hassle for thieves
| that they pick the next easier thing to do. Not create Ft.
| Knox.
| dahfizz wrote:
| I think it's strange HN sees cyber crime in the opposite way
| as real crime.
|
| It's not my fault if my house gets broken in. I have no
| obligation to meticulously lock all my doors and windows when
| I leave.
|
| But if I get hacked, it's my fault. The onus is on the
| individual / company to maintain law and order themselves
| when online.
|
| That feels wrong to me.
| ClumsyPilot wrote:
| There is a vital difference with companies getting hacked.
|
| I know I might get robbed at any time, maybe I don't lock
| my door, that's why I put my money in a bank.
|
| The bank has one job - to keep my money safe. If they have
| no guards and leave the door open, yes, it is their fault.
|
| If you are not prepared to keep armed guards money safe,
| then you shouldn't be taking other people's money.
|
| Similarly, companies that cannot keep data safe shouldn't
| be storing my data in the first place.
| dahfizz wrote:
| It becomes a question of negligence / due diligence.
|
| If a bank has zero physical security measures and leaves
| the money out in the open, that is negligent.
|
| But, even if a bank has all the state of the art, "best
| practices" physical security measures, they can still be
| robbed. No bank is going to stop a nation-state army
| attacking them, for example.
|
| I think the same is true of cyber security. Nothing will
| ever be 100% secure. The question is whether the company
| has followed reasonable best practices and due diligence.
| Everything else is up to the government to maintain law
| and order.
|
| > companies that cannot keep data safe shouldn't be
| storing my data in the first place.
|
| If you're expecting absolute safety, either physically or
| electronically, there is nowhere in the universe you
| could deposit your money. Otherwise, the FDIC already has
| regulations in place to make sure banks are reasonably
| secure.
| rdtwo wrote:
| Most banks are borderline negligent in cyber security.
| Using 2fa via text is less secure in many ways than using
| a regular old password. At least it's my fault if I
| compromised my bank password. A Sim swap attack can't
| really be protected against
| bluGill wrote:
| Ever been to a bad neighborhood? Notice all the stores have
| iron bars on the windows?
|
| Sure it isn't your fault if your house gets broken in, but
| you should still lock your door. The more risk you are of
| your house being broken in the more precaution you should
| take.
|
| Right now odds are very high that someone will attempt some
| form of cyber crime against you. As such you should be
| taking precautions to prevent it. It won't be your fault if
| it happens, but it will still ruin your day, and may cost
| you a lot anyway.
| rdtwo wrote:
| Except with bank security it's like there is a local
| ordinance that you can't put bars on and must use a
| really weak door.
| tcmart14 wrote:
| Definitely, my experience and opinion doesn't boil down to
| all HN, but here is my take. A lot of hacks, the reports
| after suggest they were ignoring industry best practices
| that were relatively easy to implement and cheap. Here, I
| would point the blame. But for sure, if the hack was rooted
| in some crazy new route to exploit software, you just can't
| protect against, so I wouldn't be so quick to assign blame.
| But I think another key difference is, infrastructure is
| owned by companies who have engineers and IT whose job it
| is to run it securely. I think the proper equivalent for
| the home analogy is, you have an alarm system that was
| turned on, but didn't alarm when someone broke in. But then
| we would place the fault on ADT or Simplisafe or whoever.
| shadowgovt wrote:
| A lot of HN culture is old 'net culture.
|
| On the old 'net, people had to take personal responsibility
| for their own data-house because neither law nor
| enforcement had caught up yet to the notion of having a
| system intruded upon. Remember, we had to pass laws to make
| "unauthorized access" illegal in the same sense trespassing
| is; before that, it was just "some signals a stranger beeps
| at your machine could cause it to malfunction or to send
| signals back they could interpret as your bank account
| number. If you don't want that, harden your system against
| malfunction."
|
| Nowadays, society has caught up but some people with an
| old-guard mindset still see someone get their stuff stolen
| and go "Well, should have locked your doors; only way to
| guarantee your stuff is safe."
| jart wrote:
| These people aren't being hacked though. They're being
| scammed. They chose to give their money and mfa codes to a
| stranger who promised them nothing in exchange, and ended
| up regretting it. It makes things more of a grey area
| because banks should do what we tell them to do with
| our money, and it's really not their job to take a
| paternalistic stance and judge if your authorized financial
| choices are stupid or not. How do you draw the line? What
| if someone wants to buy penny stocks? Should the bank
| reimburse them?
| nwiswell wrote:
| Prima facie it is wrong because it's victim blaming.
|
| But using weak and/or compromised passwords is a bad idea
| in exactly the same way that it's a bad idea to leave your
| front door unlocked.
|
| Legally, we do assign fault for negligence. If you
| absentmindedly leave your kitchen tap open with the drain
| stopped and then go on vacation, your flood insurance is
| probably not going to pay for repairs, even if you didn't
| _deserve_ to have your house destroyed.
|
| From a policy perspective, I think the most appropriate
| thing would be a middle ground. It is good for everyone's
| peace of mind to be sure that your entire bank balance
| won't vanish without recourse, but if you leave your
| banking "front door" unlocked, the bank covers 90% of the
| actual unrecoverable loss, but you're on the hook for the
| other 10%. That eliminates perverse incentives to use weak
| passwords without being cruel to victims.
| to11mtm wrote:
| > But using weak and/or compromised passwords is a bad
| idea in exactly the same way that it's a bad idea to
| leave your front door unlocked.
|
| I'd argue it's not quite the same... using weak passwords
| is more like using a lock that can be 'raked'; your
| security is just lax.
|
| Re-using passwords is like using the same key for your
| front door, back door, garage, car... If someone finds it
| and makes a copy of it, they have full access.
|
| Compromised passwords, it's when you know a key is lost
| or stolen and you don't re-key.
|
| > From a policy perspective, I think the most appropriate
| thing would be a middle ground. It is good for everyone's
| peace of mind to be sure that your entire bank balance
| won't vanish without recourse, but if you leave your
| banking "front door" unlocked, the bank covers 90% of the
| actual unrecoverable loss, but you're on the hook for the
| other 10%. That eliminates perverse incentives to use
| weak passwords without being cruel to victims.
|
| Both of my main financial institutions have 'pretty dang
| good' security measures on one level or another. One, has
| forced password changes at 6 month intervals (not as good
| as 90 days, but better than many!) The other does not
| have forced password changes but I know their internal
| security is... pretty crazy. Losing your badge 3 times is
| enough to get you fired, and any contractors who do work
| must be under a very specific specification of video
| surveillance while working with their clients.
| clcaev wrote:
| > One, has forced password changes at 6 month intervals
| (not as good as 90 days, but better than many!)
|
| Forcing password changes reduces overall security,
| especially for infrequently accessed services. It only
| normalizes the reset workflow, and enables easier social
| engineering.
|
| The NIST standard (800-53?) was updated to reflect this
| reality, and it no longer requires periodic password
| rotation.
| secabeen wrote:
| > Legally, we do assign fault for negligence. If you
| absentmindedly leave your kitchen tap open with the drain
| stopped and then go on vacation, your flood insurance is
| probably not going to pay for repairs, even if you didn't
| deserve to have your house destroyed.
|
| This is not generally true. Insurers are forbidden to pay
| out claims for intentional bad acts, or fraud, but
| ordinary negligence is usually covered:
|
| > The good thing is your homeowner's policy usually
| covers you and your family's negligent behavior no matter
| where it happens.
|
| https://www.nolo.com/legal-encyclopedia/does-my-
| homeowners-i...
| im3w1l wrote:
| We say it's your own fault because it would be so hard to
| lock up all the hackers. Can't just send a swat team to
| China, Russia, North Korea etc.
| robocat wrote:
| Jurisdiction.
|
| If everyone could wormhole between countries, first world
| houses would be ransacked pretty damn quickly.
| Retric wrote:
| I suspect it's hard to actually consistently make 500$/day
| breaking into peoples homes. Most used things aren't worth
| much and would be difficult to sell in bulk at anything close
| to what they cost.
|
| That's why people steal catalytic converters etc.
| ragona wrote:
| I bet it's easy to make $500/day briefly, and hard to
| sustain it. Catalytic converters have the benefit of not
| requiring you to break into someone's house where risk of
| being caught or harmed is way higher.
| bombcar wrote:
| The key is to make nothing for months and then make $90k
| in one go.
| to11mtm wrote:
| > I suspect it's hard to actually consistently make
| 500$/day breaking into peoples homes
|
| IMO the cheapening of technology has made a difference with
| this. When my (then not yet) ex-wife was burglarized, Just
| her laptop and a camera gave the criminal 900$ at a pawn
| shop [0].
|
| [0] - which BTW, fun thing about this, if your insurance
| covers 'replacement cost' you are better off not finding
| your items at a pawn shop. Most state laws are written such
| that as long as the pawn shop collects fingerprints/ID, the
| person who was stolen from can get their items back, but
| must pay the pawn shop back what they paid the thief for
| it. Insurance will happily pay that instead but still take
| your deductible out. (It worked out OK for me, the wedding
| ring was among the stolen items, never got pawned and that
| covered the deductible and then some... eventually helped
| pay for the lawyer lol)
| [deleted]
| bluGill wrote:
| You need to develop a market for things of course. There
| are plenty of things worth $500/day in everyone's house.
| Figure out where things sell and for how much. 50 keys toys
| for $10 each are easy to sell in most cities. The days of
| taking a 19 inch color TV are long gone (most of you are
| not old enough to remember when a 19 inch color TV was a
| big deal, but back then there was a market for them used),
| but there is plenty of other opportunities.
|
| This needs to be a full time job to make the $500/day
| though. Some houses are as you say now worth the bother,
| but others have things that can be sold. The key is you
| need to know what you can sell and for how much before you
| take it.
|
| As the other poster said, the hard part is not getting
| caught. The easy places to sell these things (pawn shops,
| scrap yards) tend to ask for id - and the ones that accept
| a fake id will only take so much before they have to
| recognize you.
| Retric wrote:
| Sure, I suspect you could clear 3k from picking the right
| house and taking a week to sell stuff. But what about the
| 50th hours?
|
| Without someone to take the risk and a sizable cut your
| best bet might be a few fake ID's and a multi city spree
| of pawn shops. Though if you have access to high quality
| fake ID's banks are probably a much better option.
| ChrisMarshallNY wrote:
| Unsurprising.
|
| This is _exactly_ why banks are so eager to come up with payment
| systems that go directly to/from bank accounts, as opposed to
| credit cards.
|
| It's also why I don't use Zelle or Venmo.
| [deleted]
___________________________________________________________________
(page generated 2022-10-07 23:01 UTC)