Is Everything We Know about Password Stealing Wrong?

US Federal Reserve Regulation E guarantees that consumers are made whole when their bank passwords are stolen. The implications lead to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Password-enabled transfers can always be repudiated, which explains the importance of mules who accept bad transfers and initiate good ones. This suggests that the mules´ accounts, rather than the victims´, are pillaged. Passwords are but one link in the cybercrime value chain. Despite appearances, password stealing is a bad business proposition.