[Dshield] ID theft ring hits 50 banks, firm says

Tony Earnshaw tonye at billy.demon.nl
Tue Aug 9 13:45:23 GMT 2005


Tue, 09.08.2005 at 13:39, Johannes B. Ullrich wrote:

> > "For almost every bank that is listed (in the file), it's possible to get into the person's account," Sites said.
> 
> The article implies that Sunbelt tested the usernames/passwords by
> logging into the affected users' accounts. PLEASE PLEASE if you ever find
> a cache of data like that, don't do this! Contact the banks the data is
> from, or maybe call up the person.
> 
> IANAL, but I think you may find yourself quickly in hot water if you are
> using the data to retrieve other people's financial data without their
> written permission.

It's perhaps worth repeating (I posted about this before) that just
about all Dutch (read "The Netherlands") banks (mine's ING Bank, which
is pretty big and internationally spread out throughout the world, so
UK, Belgian, US, who knows? residents could probably bank there too)
don't use passwords, they use a machine-based (I get a credit-card sized
but thicker "calculator", at no cost to me) one-time challenge/response
protocol over https for admission to Internet users' accounts and a
separate challenge/response, once "inside" that account, for any
transaction attempted.

No, I have no personal financial interest in my bank, it's just that (as
a Dutch bank customer) I'm continually left gawking at the lack of
attention paid to the *customers'* interests by both US, UK and
Scandinavian (no, "The Netherlands" is not part of Scandinavia) banks,
whose motto seems to be "How can we best rip off our customers, so that
we profit at every turn?". 

--Tonni

-- 
mail: tonye at billy.demon.nl
http://www.billy.demon.nl
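
An added sketch, not part of the original post and not any bank's actual algorithm, of the kind of device-based one-time challenge/response described above: one challenge for login, a separate one per transaction, each usable once. The HMAC-SHA256 construction, the 8-digit codes, the binding of the transaction challenge to the payment details, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def device_response(key: bytes, challenge: str, context: str = "login") -> str:
    """What the hand-held device computes: a short code from key + challenge."""
    mac = hmac.new(key, f"{context}|{challenge}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Server side: issues one-time challenges and verifies responses."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # challenge -> context it was issued for

    def challenge(self, context: str = "login") -> str:
        c = f"{secrets.randbelow(10**8):08d}"
        self.pending[c] = context
        return c

    def verify(self, challenge: str, response: str) -> bool:
        # pop() makes every challenge single-use, so a captured
        # challenge/response pair is worthless on a second attempt.
        context = self.pending.pop(challenge, None)
        if context is None:
            return False
        expected = device_response(self.key, challenge, context)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed per-customer device secret
    bank = Bank(key)
    login = bank.challenge()
    code = device_response(key, login)
    results = {"login": bank.verify(login, code),
               "replay": bank.verify(login, code)}  # same pair, second use
    # Assumption: the transaction challenge is bound to the payment details.
    tx = "pay|NL00EXAMPLE0000000001|250.00"  # constructed sample payment
    c2 = bank.challenge(tx)
    results["transaction"] = bank.verify(c2, device_response(key, c2, tx))
    c3 = bank.challenge(tx)
    altered = "pay|NL00EXAMPLE0000000002|250.00"  # details changed in transit
    results["altered"] = bank.verify(c3, device_response(key, c3, altered))
    return results
```

Unlike a cached username/password pair, nothing a keylogger records here remains valid after its first use.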


