funsec mailing list archives

Re: [off-list] Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases
From: "Dennis Henderson" <hendomatic () gmail com>
Date: Wed, 27 Jun 2007 22:01:33 -0500

On 6/27/07, Rich Kulawiec <rsk () gsp org> wrote:
Three comments:

1. I wonder who they'll be willing to send out that's qualified
to inspect my OpenBSD system for security issues.

2. I'll be happy to allow them to check out the inside of my
systems provided they're willing to let me check out the inside
of *theirs*.  Seems fair to me, especially since I'm likely
senior to everyone they have on their IT staff.

3. Fergie, you nailed it with:

       "once the consumer PC is compromised, all bets are off."

I have had any number of fruitless arguments with people who
don't grasp this rudimentary principle.  (Of course, it could
be argued that BY NOW maybe I should have learned that those
arguments are gonna be pointless and avoid them.... ;-) )

Responding back on-list. The bombast is too entertaining...  :)

Fergie nailed it? Yes, "once the consumer PC is compromised, all bets are off"
is true. That's why I pondered about the possibility of actually performing a
secure transaction while compromised. Peter did provide one solution. Any
other ideas?
      $bank makes you install $bankerprogram or plug in $read-only flash
      which is basically a terminal server client
      with entirely soft keyboard, nothing more than a mouse needed or
      allowed (not sure how disabled would use it though)

      That or: boot from this CD supplied by your bank

Peter: I love the idea. The customers hate it...  Banking execs cower at the
thought of losing ONE customer so they insist on doing what the customer
wants without regard to the security implications.

Can anyone explain how getting pwned by a keylogger or a trojan is not their
fault? Do we have to argue what "fault" is? I hope not, because that could
take days... :)

Does anyone have the balls to admit that they have been pwned through no fault
of their own? I would love to hear that story.

No firewall and connected directly to the Internet? Whose fault?
No antivirus?  Whose fault?
No patching?  Whose fault?
Doing online banking at work where your IT/Security department has no clue
and you have very little protection? I suppose that could work.
Clicking on a link in a phishing email when you have been told countless
times that your bank does NOT send these types of emails. Whose fault?
Letting your child get your computer infected surfing pr0n? Whose fault?
I suppose one-click-surfing-a-popular-website-0days qualify, but those
vectors are not the major vector targeting online banking customers.
The list goes on and on....


There are a myriad excuses, but perhaps those people that can't afford to
protect themselves or don't take the time to understand the risks of the
Internet and Internet Banking should not do Internet Banking.


Now there are banks and other financial institutions that do a terrible job
of communicating with their customers and send them phishing emails once or
more a month. Those banks deserve to lose money, and their marketing and
security people should find other jobs. Credit Unions are increasingly
targeted because the OCC and FFIEC have no teeth there. Until the NCUA wakes
up, credit union customers will find themselves on the short side of the
equation.

But...

There has to be some safe harbor for a company that offers a product where
(adequate) security is provided, training is offered, and the service generally
is free to the customer, even though it costs the bank loads of money.

Believe it or not, banks do expect to and do lose lots of money, still mostly
from fraudulent paper. But when you consider that the large majority of
Internet fraud is highly preventable if the customer invests a little time
and perhaps some money in protecting themselves, the outcome is a win/win.
This is assuming that their bank is operating a reasonably secure site and
does everything the right way.

After all, online banking fraud is just the tip of the iceberg. It is clearly
a gateway to identity theft, something where the customer potentially has
far more to lose than just money from their banking account.

But yet, the current FFIEC guidelines require absolutely nothing from the
customer in terms of their responsibility towards online banking.

How are these arguments pointless?

The fact is that people *want* Internet banking. They *don't* want to be
responsible for knowing how to avoid the pitfalls that come with Internet
Banking. They don't read the information that the banks provide on how to
avoid being scammed. They don't patch their machines. They click on links in
phishing emails. They hate multifactor authentication. They hate hardware
tokens. They can't remember simple basic things like a secret question.

Since I work for a bank, you probably think I am making these comments from
a management perspective. Not at all. I am a shareholder and get tired of
banks having to roll over for customers that are ignorant of the risks of
online banking. If the bank is found at fault, then it should be liable, but
if it has a mature and agile development and security/awareness program that
is tested and updated continuously, it shouldn't have to suffer wholesale at
the hands of stupid customers. Fortunately still, most banks will quietly
refund for fear of headlines and reputational damage.

If I could spend all the money making my bank's online banking app as secure
as I wanted, the bank would certainly spend more money on security than the
loss due to Internet fraud. But banking executives see that expenditure as
"certain" and compensating for customer fraud as only "possible". So they
make choices on how to balance that spending.

Fortunately (or unfortunately) regulations help drive the banks towards the
"certain" side of security spending, but the overall results can still
be uncertain, largely due to the carelessness of the customer. This is once
again assuming the bank is doing what it is supposed to be doing.

As a shareholder, I don't want to see that money pissed into the sewer due to
the carelessness of the customer. Banks should take responsibility for their lack
of security, but the customer should also have to do the same with their
lack of awareness of the risks and responsibilities.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.