funsec mailing list archives
Re: [off-list] Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases
From: "Dennis Henderson" <hendomatic () gmail com>
Date: Wed, 27 Jun 2007 22:01:33 -0500
On 6/27/07, Rich Kulawiec <rsk () gsp org> wrote:
> Three comments:
>
> 1. I wonder who they'll be willing to send out that's qualified to inspect my OpenBSD system for security issues.
>
> 2. I'll be happy to allow them to check out the inside of my systems provided they're willing to let me check out the inside of *theirs*. Seems fair to me, especially since I'm likely senior to everyone they have on their IT staff.
>
> 3. Fergie, you nailed it with: "once the consumer PC is compromised, all bets are off." I have had any number of fruitless arguments with people who don't grasp this rudimentary principle. (Of course, it could be argued that BY NOW maybe I should have learned that those arguments are gonna be pointless and avoid them.... ;-) )
Responding back on-list. The bombast is too entertaining... :) Fergie nailed it? Yes, "once the consumer PC is compromised, all bets are off" is true. That's why I pondered the possibility of actually performing a secure transaction while compromised. Peter did provide one solution. Any other ideas?
> $bank makes you install $bankerprogram or plug in $read-only flash, which is basically a terminal server client with an entirely soft keyboard; nothing more than a mouse is needed or allowed (not sure how disabled users would use it, though). That, or: boot from this CD supplied by your bank.
Peter: I love the idea. The customers hate it... Banking execs cower at the thought of losing ONE customer, so they insist on doing what the customer wants without regard to the security implications. Can anyone explain how getting pwned by a keylogger or a trojan is not their fault? Do we have to argue what "fault" is? I hope not, because that could take days... :) Does anyone have the balls to admit that they have been pwned through no fault of their own? I would love to hear that story. No firewall and connected directly to the Internet? Whose fault? No antivirus? Whose fault? No patching? Whose fault? Doing online banking at work where your IT/Security department has no clue and you have very little protection? I suppose that could work. Clicking on a link in a phishing email when you have been told countless times that your bank does NOT send these types of emails. Whose fault? Letting your child get your computer infected surfing pr0n? Whose fault? I suppose one-click-surfing-a-popular-website 0days qualify, but those vectors are not the major vector targeting online banking customers. The list goes on and on.... There are a myriad excuses, but perhaps those people that can't afford to protect themselves or don't take the time to understand the risks of the Internet and Internet banking should not do Internet banking. Now, there are banks and other financial institutions that do a terrible job of communicating with their customers and send them phishing-like emails once or more a month. Those banks deserve to lose money, and their marketing and security people should find other jobs. Credit unions are increasingly targeted because the OCC and FFIEC have no teeth there.. Until the NCUA wakes up, credit union customers will find themselves on the short side of the equation. But...
There has to be some safe harbor for a company that offers a product where (adequate) security is provided, training is offered, and the service generally is free to the customer, even though it costs the bank loads of money. Believe it or not, banks do expect to and do lose lots of money, still mostly from fraudulent paper. But when you consider that the large majority of Internet fraud is highly preventable if the customer invests a little time and perhaps some money in protecting themselves, the outcome is a win/win. This is assuming that their bank is operating a reasonably secure site and does everything the right way. After all, online banking fraud is just the tip of the iceberg. It is clearly a gateway to identity theft, something where the customer potentially has far more to lose than just money from their bank account. And yet, the current FFIEC guidelines require absolutely nothing from the customer in terms of their responsibility towards online banking. How are these arguments pointless? The fact is that people *want* Internet banking. They *don't* want to be responsible for knowing how to avoid the pitfalls that come with Internet banking. They don't read the information that the banks provide on how to avoid being scammed. They don't patch their machines. They click on links in phishing emails. They hate multifactor authentication. They hate hardware tokens. They can't remember simple basic things like a secret question. Since I work for a bank, you probably think I am making these comments from a management perspective. Not at all. I am a shareholder and get tired of banks having to roll over for customers that are ignorant of the risks of online banking. If the bank is found at fault, then it should be liable, but if it has a mature and agile development and security/awareness program that is tested and updated continuously, it shouldn't have to suffer wholesale at the hands of stupid customers.
Fortunately, still, most banks will quietly refund for fear of headlines and reputational damage. If I could spend all the money making my bank's online banking app as secure as I wanted, the bank would certainly spend more money on security than the loss due to Internet fraud. But banking executives see that expenditure as "certain" and compensating for customer fraud as only "possible". So they make choices on how to balance that spending. Fortunately (or unfortunately), regulations help drive the banks towards the "certain" side of security spending, but the overall results can still be uncertain, largely due to the carelessness of the customer. This is once again assuming the bank is doing what it is supposed to be doing. As a shareholder, I don't want to see that money pissed into the sewer due to the carelessness of the customer. Banks should take responsibility for their lack of security, but the customer should also have to do the same with their lack of awareness of the risks and responsibilities.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.