BOI refund customers - SANS email

harney

I just received this from a SANS email - missed the register article when it came out

TOP OF THE NEWS
--Bank of Ireland Will Refund Phishing Victims' Losses
(6 September 2006)
Bank of Ireland (BOI) has apparently had a change of heart, agreeing to
restore funds of nine customers bilked out of a total of 160,000 Euros
with phishing emails. The nine customers had threatened to sue the
bank after it initially said it would not refund the money that they
had lost. Some people have expressed concern that BOI's willingness
to refund the money will encourage other phishers to launch attacks
and cause other customers to expect the same compensation should
they fall victim to phishing attacks. Banks are likely to begin
implementing more stringent security measures for online banking,
including placing some of the onus of protecting account details on
the customers' shoulders.
http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html
[Editor' Note (Pescatore): Many banks have been refunding customer
losses from these type of attacks. The banking industry has definitely
seen that customers will take their money elsewhere (what's left of
it, anyway) after identity theft attacks.
(Ullrich): The reason we put our money into bank accounts, instead
of keeping it underneath our mattresses is not our urge to pay high
banking fees. Instead, we hope banks will be better able to safeguard
all that money. Assuming financial responsibility for fraud is the
least one should expect in support of this promise.
(Grefer): This case sets a bad precedent. It sets ground rules for
how to put your competitor out of business by instigating phishing
attacks.]

Has anyone seen the email? Was it at least somewhat convincing? Do you think it has really set a precedent?

JohnK

I think it will set a precedent of muppets thinking that they have nothing to lose the next time the son of the former King of Nigeria wants to give them a $100,000,000 because they are such a nice person. Personally speaking, if someone falls for that crap they don't deserve to have the money in the first place :mad:. BOI should have held firm.

monkey tennis

JohnK wrote:

Personally speaking, if someone falls for that crap they don't deserve to have the money in the first place :mad:. BOI should have held firm.

I agree. This is Darwinism in action, folks, it shouldn't be interfered with.

Martyr

I think it will set a precedent of muppets thinking that they have nothing to lose the next time the son of the former King of Nigeria wants to give them a $100,000,000 because they are such a nice person. Personally speaking, if someone falls for that crap they don't deserve to have the money in the first place . BOI should have held firm.

i would have agreed with this way of thinking, until i had an accidental encounter with a 419 benefactor.

he lives & operates small businesses here in ireland & abroad(god knows what) almost on nothng..he's the kind of man who wants everything for nothing, literally.
lies so much, you end up laughing at him eventually, because he is so stupid, yet thinks he is so intelligent.

i don't like him at all, not because he's nigerian, but because he is a compulsive liar & nasty piece of work.
he uses about 6 different mobile phones, has a range of email addresses used to correspond with potentially duped victims.

i have seen documents with bank account numbers based in nigeria with & names/addresses from foreign countries..you will say "could be anything..you're paranoid" but believe me, you can bet it is something illegal, because everything else he does IS.

he arranges marriages between east european women & other men looking for EU citizenship (for a fee..of around 2500-3000 euro), drives around with no tax or insurance (gardai are aware) sells stolen property, passports, (cars+computers..somehow legally here in ireland)

it may appear that i'm being racist, but this is just the way things are..i'm not making any of this up either..evidence? i have some, but i see no point in forwarding it to say..fraud squad because they probably wouldn't follow it up for 7 or 8 months anyway, by that time he'll probably have moved on.

he has several different companies registered here in ireland & his friend was responsible for many other illegal activities in the waste industry, here & across the border in northern ireland.

what amazes me, is how they get away with it all..
so, i don't think anyone should be victim to these guys, somebody should stop them, or at best educate people more about whats going on around them.

according to statistics, 419 advance fee fraud is the 5th largest industry in nigeria..so, i guess if you get an email from some guy masquerading as a king or son of rich oil business man offering you $50,000,000 & you fall for it, you're to be pitied for being naive more than anything else.

i mean, you wouldn't give a stranger on the street your personal details, why should it be any different on the internet?

monkey tennis

Average Joe wrote:

if you get an email from some guy masquerading as a king or son of rich oil business man offering you $50,000,000 & you fall for it, you're to be pitied for being naive more than anything else.

You're very kind calling it naivete - I'd call it pig ignorance. You'd have to be living in a box for the past several years not to be very wary of anyone looking for bank details off you over the internet.

Next thing we'll have to do is stamp warnings on kitchen knives: "Warning! May be sharp".

Ruu_Old

JohnK wrote:

I think it will set a precedent of muppets thinking that they have nothing to lose the next time the son of the former King of Nigeria wants to give them a $100,000,000 because they are such a nice person. Personally speaking, if someone falls for that crap they don't deserve to have the money in the first place :mad:. BOI should have held firm.

Agreed, people must get clued in. Maybe banks need to do a little more but people need to listen and watch out for this stuff. It works both ways.

Martyr

Agreed, people must get clued in. Maybe banks need to do a little more but people need to listen and watch out for this stuff. It works both ways.

XXX could do something, like run a series of programmes on fraudulent crime happening here in ireland, (with Eddie Hobbs presenting, of course) identity theft, forging passports & utility bills to open bank accounts,ATM fraud, 419..etc
so as people are aware of what is actually possible, & what they can do to protect themselves.

OK OK, it may inspire the odd wide boy to go & have a go himself at the world of fraud.
But i'd say its better to educate people on the subject rather than pretend it doesn't go on at all.

sure..why not? it would make more interesting viewing than some of the rubbish on XXX at the moment ;-) (not that i own a t.v or anything)

As long as they don't sensationalise it too much & drag the word "hackers" into it, provide plenty of hard facts & evidence..i'd love to watch it.

then i'd pay my license

imagine the amount of crime that could go down once people get their SSIA?????

The Swordsman

I seem to have got a fair amount of these 'phishing' emails recently and it really pisses me off.:mad:

I wonder what would happen if you responded and gave out incorrect info e.g a made-up account number, pin number etc. Surely whoever is doing the phiishing would have to take the time to check out your (false) info.

If my theory is true, then if you could get thousands people to do the same (say an anti phishing campaign), you could really piss off the phishers.

What do you think? Would it work?

JohnK

Interesting idea... It could work but you're verifying to the spammers that your email address is active and that you're reading the emails. Thats half the battle won as far as they're concerned so they'd probably use it as a selling point to their clients.

Ruu_Old

I get 2 a day either from Barclays or Bank of Scotland in my main email address.

The Swordsman

JohnK wrote:

Interesting idea... It could work but you're verifying to the spammers that your email address is active and that you're reading the emails. Thats half the battle won as far as they're concerned so they'd probably use it as a selling point to their clients.

I may be wrong here, but the phishing email usually has a link to a website where you fill out all your details. You don't actually reply to the email. If an email address is required, you could give a false one.

JohnK

I thought they usually put unique IDs on those links like most marketing companies didn't they? Maybe I'm mistaken but if its just a normal link then it probably could work alright.

The Swordsman

JohnK wrote:

I thought they usually put unique IDs on those links like most marketing companies didn't they? Maybe I'm mistaken but if its just a normal link then it probably could work alright.

Right, when do we start?