
Is Everything We Know About Password-Stealing Wrong? [pdf] - thirsteh
http://research.microsoft.com/pubs/161829/EverythingWeKnow.pdf
======
quasque
Interesting excerpt about a bank's approach to physical robberies:

"In July 2009 a teller at a Key Bank branch in Seattle pursued a would-be
robber after a botched hold-up attempt (Seattle Times, Aug. 1, 2009). He leapt
over the counter, chased the man for several blocks, knocked him down, and
held him until the police arrived. Two days later Key Bank fired the teller.
He had violated long-standing bank policy to cooperate in every way and never
resist a robbery. The reason for this policy, we suggest, is that banks
understand a very simple principle: fear is bad for business. It is far better
to comply with the demand than to risk a brawl, or a gun fight in the bank
lobby. No bank wants the perception that they valued money more than customer
and employee safety. The $40 million that traditional bank robbers in the US
steal per year (FBI Bank Crime Statistics) is entirely manageable."

~~~
patio11
_No bank wants the perception..._

It's even simpler than that: no bank, and more importantly, no insurance
company which carries banks as clients, wants to defend or settle a lawsuit
alleging wrongful death through negligence of a would-be hero bank employee.
The predicted loss of a bank robbery is high four figures. A wrongful death
lawsuit would cost six or seven figures. This suggests a simple strategy which
works fine: invest in the low-hanging fruit for physical security, comply with
robbers, and pay for robberies out of the petty cash.

~~~
rdl
That works in places with relatively developed legal systems and enough police
and prosecution to eventually catch most bank robbers. Otherwise, there's an
endless stream of people coming in, grabbing $10k, and leaving.

In the third world, I've seen banks with military/police with automatic
weapons set up outside banks, or private security at the same level. (also, in
these places, liability in the event of wrongful death is lower (or, by
outsourcing to the government, you get to take advantage of sovereign
immunity), and there is more cash on-site)

~~~
MichaelGG
Correct - if you have adequate response, you need less prevention.

In Central America, my house is fully encased in steel bars (in addition to a
wall), so you'll need to spend a bit of time and noise getting in. And we have
24/7 armed guards on rotation, and the entire subdivision is walled off with
~15-20 foot gates.

A friend I know consulted on a few bank robbery cases and reviewed the
security videos. The firepower the criminals would bring in was astounding.
Big long machine gun (not rifle) type things. I believe I read reports of
grenades/RPG or something, too.

Whereas in the states, none of the places I've lived would take much more than
a pointed stick to get in.

~~~
DigitalJack
It's an interesting situation. I think I'd rather bank robbers had a stick
than an RPG. Of course, ideally there would be no bank robbers.

------
lifeisstillgood
An amazing article - really made my day.

What surprised me is at the end - that "hacking" (for want of a better term)
is less destructive socially when it is aimed at financial gain.

It is why society can handle bank robbers more easily than terrorists, and
worryingly gives an attack vector - buy 100,000 credentials (if they exist)
and just randomly move money around using scripts. The whole consumer banking
system would be DDOSd as they reversed transactions, sorted out fraud and
stopped people taking all their money out.

------
andrewcooke
i guess this is hoping too much, but does anyone know if there is an
equivalent regulation here in chile that limits liability when money is taken
from an account through fraud? banks aggressively sell "insurance" and i
frequently argue with my account manager, saying the bank is legally
responsible anyway, but i don't have any actual factual basis for that...

~~~
fduran
According to this
[http://www.camara.cl/prensa/noticias_detalle.aspx?prmid=5526...](http://www.camara.cl/prensa/noticias_detalle.aspx?prmid=55268)
the client is still responsible in the case of credit card cloning fraud and
they are introducing a law to change this, not sure about other types of
fraud.

I saw on TVN some months ago the news of a couple doing this credit card fraud
and the bank was returning the money, perhaps due to the public outcry.

------
taeric
My favorite quote: "Thus, using what might be considered the lower bound in
terms of security, US banks offer the upper bound in protection: zero
liability." I love that passwords are just flat out considered about the
minimal you can do regarding security in such a quick sentence. Love it.

------
mazsa
[http://research.microsoft.com/pubs/161829/EverythingWeKnow.p...](http://research.microsoft.com/pubs/161829/EverythingWeKnow.pdf)

~~~
danielweber
What's the typesetting rule that causes a column every now and then to stray
over the typical right-hand margin? (Like the last non-footnote line on the
first page.) Or is it just a problem with my PDF reader?

~~~
Wintamute
It's not your PDF reader. It looks like this PDF has been generated with
LaTeX. It's quite common for the typesetting to overhang a word into the
margin like that, I guess it's just to maintain the justification. If you can
be bothered you can add hints into the LaTeX markup to force breaks and
hyphenation at certain points to alleviate it.

~~~
rlanday
Yeah, it’s called an “overfull h-box” and occurs when TeX can’t find an
acceptable way to justify the paragraph without stretching or shrinking the
“glue” between words more than an acceptable amount. This happens more often
in shorter lines, e.g. in narrow columns, because linebreaks are more frequent
and there’s less glue to play with. Sometimes you can fix it by telling it how
to hyphenate words it doesn’t know how to hyphenate by default. The rules are
kind of complicated; one important consideration is that you need to be able
to figure out how the part of the word before the hyphenation break is
pronounced before reading the second part. I think “financially” could
probably have been hyphenated on the first page to eliminate the overfull
h-box, but it’s already part of a hyphenated word pair, so there’s probably a
rule against that.

~~~
danielbarla
Minor rearrangement / rephrasing of the sentence is another common way to fix
the problem. E.g. in this case, changing "it is" to "it's" on the previous
line may have been enough to pull "stating" up a line, solving the immediate
issue. Of course, this may cause a number of other overfull h-boxes later on.

While I understand why the problem exists, it really is one of the most
perplexing issues with LaTeX, since it completely breaks through that layer of
encapsulation that's supposed to be provided for you (i.e. you now care about
specifics of the layout, which was supposed to be handled for you by the
system).

