Ned Slider wrote:
> It's never going to happen. We can't even get half the banks to
> implement measures like SPF or DKIM, and they are getting the hell
> phished out of them and are exactly the type of sector you'd expect to
> be using such measures to prevent spoofing and making it easier for
> their clients to spot forgeries.
Unfortunately, it's never that simple. I notice you also appear to be in the UK. I wonder if the same observations about SPF and DKIM apply in the US and elsewhere.

The main issue for banks has always been that of liability. In the US, banks are governed by 'Regulation E', which places liability with the bank. If a customer disputes something, it's up to the bank to prove otherwise. Hence, US banks have a good incentive to implement security measures.

In the UK, there's only a voluntary code using vague terms such as 'reasonable care'. The introduction of Chip and Pin cards has had the effect of shifting liability onto the customer, as it's far easier for the bank to argue that if someone else used your PIN, then you failed to take reasonable care to protect it. Before, the burden of liability might have been on the merchant or bank for failing to spot a faked signature. The introduction of Chip and Pin cards has done far more to protect the banks than it has the consumer. See [1].

Regardless of whether you're in the UK or US, it's pretty easy to argue that if you fell for a phishing attack, it was your fault for being taken in, and so banks have very little reason to refund you. Don't expect banks to make any effort to protect their own customers unless it directly benefits them.

Francis

[1] "Chip and Spin", Anderson, Bond, Murdoch