{Slightly ot} Responding to bank phishing requests?

Matthew Pemble ukcrypto at chiark.greenend.org.uk
Tue, 26 Jun 2007 16:33:40 +0100


C R Ritson wrote:

>Three of us here were commenting on the increasing fidelity of purported
>re-validation requests that attempt to get you to divulge bank details
>to criminal third parties.
>
>Would there be any point in poisoning the hacker's list of target
>accounts?
Yes - both dilution (fake numbers) and spot targeting can be used.  The 
important things are to have a proper process that does not allow the 
fraudsters to trivially strip out the dummy accounts and to know what 
you are going to do when the fraudster attempts to access the account.

>How sparse are bank account numbers?
Not very - and the algorithms for generating the checksum are well known.

>How easily detected would the fakes be?
This really depends how much effort you are prepared to put in.  If 
there is a "genuine" account behind the fake with false balance and a 
payments stop, then it will be quite difficult to detect (unless you 
make an error at the input end, i.e. entry from one of your own, or a 
known, IP address.)  You also need to watch out for unique codes in the 
phishing emails - I certainly saw these in some Barclays attacks in the 
past.

>Would the appearance (I presume) of bank transfer requests for funds
>from nonexistent accounts cause the perpetrator to attract unwelcome
>attention from officialdom any quicker than is normally the case?
Not unless you count bank staff as officialdom :)

>If a set of bogus details happened to collide with someone else's bank
>account would I be liable?
If you happened to guess their username and password you're a luckier 
man than me.  One for the lawyers, I suggest.  Maybe it would be similar 
to trade secret rules - if you can show that you had no duty of 
confidentiality and came across accidentally or by parallel invention - 
as opposed to patents.

Matthew
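An added illustration, not code from this thread or from any bank, of the "proper process" side of the reply above: a monitor that watches account-access logs for the dummy (canary) details that were fed to a phishing form, applies a pre-agreed response per event type (observe a login, payments-stop a transfer), and separately flags any access to a canary from the bank's own address range, since seeding from a known IP is the "error at the input end" that would let a fraudster recognise the fakes. The sort codes, account numbers, IP ranges, log format and log lines are all constructed for the example.

```python
"""Canary-account monitor: spots fraudster use of dummy bank details.

Added example, not code from the ukcrypto thread.  Every sort code, account
number, IP range and log line below is constructed, and the log format is a
hypothetical one chosen for this illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: dummy accounts deliberately submitted to phishing forms,
# keyed by (sort code, account number) -> the campaign they were fed to.
CANARY_ACCOUNTS = {
    ("12-34-56", "11111111"): "phish-campaign-A",
    ("12-34-56", "22222222"): "phish-campaign-B",
}

# Constructed: the bank's own address space.  A canary touched from here is
# the seeding step (or a staff slip), not a fraudster; it is reported on its
# own because seeding from a known address is what makes the fakes detectable.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]

# Hypothetical log line format:
#   <timestamp> src=<ip> event=<login|transfer> sortcode=<sc> account=<n> [amount=<x>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\w+) "
    r"sortcode=(?P<sc>[\d-]+) account=(?P<acct>\d+)(?: amount=(?P<amount>[\d.]+))?$"
)

# Response per event type, decided before the canaries go out rather than
# improvised when the fraudster turns up.
RESPONSE = {
    "login": "allow: record source, keep the session to observe beneficiary details",
    "transfer": "decline: payments stop on all canary accounts",
}


@dataclass
class Alert:
    ts: str
    src: str
    event: str
    campaign: str
    amount: Optional[float]
    action: str


def is_internal(src: str) -> bool:
    """True if the source address belongs to one of the bank's own ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address: treat as external, never silently trust
    return any(addr in net for net in INTERNAL_NETS)


def decide(event: str) -> str:
    """Pre-agreed action for an event against a canary account."""
    return RESPONSE.get(event, "hold: unplanned event type, escalate to fraud team")


def scan_logs(lines: List[str]) -> Tuple[List[Alert], List[str]]:
    """Return (alerts for external hits on canaries, warnings for internal hits)."""
    alerts: List[Alert] = []
    warnings: List[str] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an account-access record
        campaign = CANARY_ACCOUNTS.get((m["sc"], m["acct"]))
        if campaign is None:
            continue  # a genuine account; not this monitor's concern
        if is_internal(m["src"]):
            warnings.append(f"{m['ts']} canary {m['acct']} touched from own address {m['src']}")
            continue
        amount = float(m["amount"]) if m["amount"] else None
        alerts.append(Alert(m["ts"], m["src"], m["event"], campaign, amount, decide(m["event"])))
    return alerts, warnings


# Constructed sample log: a seeding login from inside the bank, an external
# login and transfer attempt on the same canary, then a genuine account.
SAMPLE_LOG = [
    "2007-06-26T10:01:02Z src=10.1.2.3 event=login sortcode=12-34-56 account=11111111",
    "2007-06-26T11:15:44Z src=203.0.113.9 event=login sortcode=12-34-56 account=11111111",
    "2007-06-26T11:16:10Z src=203.0.113.9 event=transfer sortcode=12-34-56 account=11111111 amount=950.00",
    "2007-06-26T12:00:00Z src=198.51.100.4 event=login sortcode=12-34-56 account=33333333",
]

if __name__ == "__main__":
    found, warned = scan_logs(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} {a.event} on {a.campaign} -> {a.action}")
    for w in warned:
        print("WARNING:", w)
```

Run as a script it prints two alerts for the external source (the login is observed, the transfer is declined under the payments stop) and one warning for the internal seeding login. The warning path is the caveat from the reply: if the canaries are only ever touched from your own addresses before the fraudster arrives, that trail is what you need to keep out of anything the fraudster can see.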