Here is a very quickly written translation of the second interview in Norwegian... It might not be 100% correct English, but you get the idea...
- Assume that the customers are idiots
Security guru Bruce Schneier says the things the online banks are too afraid to.
- Give up security if fraud is cheaper!
Bruce Schneier is the closest you come to a rock star in IT security.
The technology chief at BT Counterpane is best known as an outspoken blogger, and gets a lot of respect for his insight into security.
The to-the-point formulations come in quick succession as he speaks, and recently he was
in Oslo at Cisco's security conference to talk about the only thing he thinks
can save IT security - pure self-interest.
Dagensit.no met him just before the conference to talk about
Norwegian online banks, which over the last year have been shaken by a series of frauds.
There haven't been too many cases yet, but the industry fears what is to come.
- It isn't getting better, it's getting worse, thinks Schneier.
Impossible to secure the customers
The attacks in Norway have been directed against the customers' computers.
- The hackers are going for results, and of course they are going for the
weakest link - the user, says Schneier.
Norwegian banks urge customers to secure their computers, and some banks
are going to distribute free security software to them.
- Can this solve the problems?
- No, the customers have no way of knowing if they are hacked, and
they can't fix it, says Schneier.
By breaking into the customers' computers the hackers can take whatever information they need to pretend to be the customer. Schneier doesn't think this can be solved with better security software.
- No, they haven't solved the problem as long as the security depends on
what goes on in the user's computer, he says.
The problem is already solved
Defenseless customers and increasing fraud doesn't sound good, but
Schneier is still not worried about the future of online banking. He
compares online fraud with other, very old problems of society.
- Murder isn't gone, but society works fine, and we don't wear bulletproof
vests. The point is for it to work, and that doesn't mean it's perfect.
If hackers can pretend to be customers, it's easy to imagine online
banking fraud galloping out of control.
- Is it possible to eliminate the customer as a security problem?
- Yes, just look at the credit card companies. They assume you're
acting like an idiot. And they stop fraud all the time, even if nobody
verifies that it's the right person, that the signature matches or whether the card
is a fake, says Schneier.
- But credit cards are being defrauded every day?
- Yes, it isn't perfect. But you have to look for a good business model,
where the fraud is low enough for the model to be profitable. That's what
you always look for, he says.
Schneier says it took the credit card companies some years to work out the
model, and that the only possible solution has been to exclude the customer
as a part of the security chain. They don't base the security on the
user's ID being correct, but on whether the transaction is suspicious. He has
experienced himself that it works.
- My card was copied when I was having lunch. VISA stopped the fraud already at the
second attempt to use the card. I'm still impressed. The most important
part of the security is what happens in the back rooms of the banks' systems.
In the USA the banks try to push the responsibility for fraud onto the
customer. That can be the death of online banking, he says.
Schneier's solution to the problem is about self-interest: the
responsibility must be placed with the ones who can do something about the
matter, that is, the banks.
The tools are the same as when you deal with other problems, like
pollution: regulation, criminal liability and financial responsibility.
- It's about incentives. Get that right, and then capitalism will work.
If you can't place them right, the security issue will never be solved.
Must prove fraud
The Norwegian banks do today cover the customer's losses from fraud. The only
unclarified question is where the boundary for negligence lies, which shifts
the responsibility to the customer.
- There are plenty of examples of people giving credit cards to others for
them to swindle the bank. If the same thing happens to online banks, the
bank can't be responsible, can it?
- No, but they have to prove that the customer is swindling them. Otherwise
the banks will sit on all the information and will win all the
cases. The banks have the expertise and the possibilities to do something, and
must have the responsibility.
They accept rat droppings in food.
That the banks take the entire risk doesn't mean that the security bar has
to be sky high, says Schneier.
- Give up security if it is cheaper to accept fraud, he says.
- It's not likely that the banks would say that?
- The maximum allowed amount of rat droppings in cereals isn't zero
in the rules from the government. They accept fraud and live with it. They
don't talk about it that way, but that is the way they think.
It’s nonsense to deny a break-in.
The problem with security is that it is difficult to calculate whether it pays
off, because most break-ins are concealed by the companies hit.
- That's why it's hard to make the economics work, says Schneier.
- The banks claim they would be less secure if they talked about their security
systems, and refuse to comment on whether they've been hacked.
- Yes, and it is nonsense. The point is that it makes bad press. That a
vulnerability is known is a bigger problem for them than the money they
lose to hackers. It can lead to them losing customers, thinks Schneier.
The same banks claim to have huge security systems that are hidden from the
user. Schneier doubts this.
- They'll say it like that and hope that the journalists write it so that the
customers and hackers believe it.
- Is it possible to calculate whether investments in security are profitable?
- No, not really – the ones who say so are making it up.
- But if decisions are to be taken based on economic incentives, then what do
- You do the best you can – it isn't about perfection, but about what is most right.
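The back-end approach Schneier credits to the card companies, judging the transaction instead of trusting that the customer's credentials prove the customer, as an added example that is not part of the interview and is not Schneier's, VISA's or any bank's code. Everything in it is assumed or constructed: the rule set and thresholds (impossible travel, rapid reuse, amount far above the card's typical spend), the card names, coordinates, amounts and timestamps. The ledger reproduces the pattern from the lunch story: the first use of the copied card looks plausible and is paid out, the second is refused, and the last function totals what that rule set cost in fraud paid versus genuine sales refused, which is the trade-off behind "fraud low enough for the model to be profitable".

```python
"""Toy back-end transaction scoring (constructed example, not from the interview).

The credentials presented are assumed to be valid, because the attacker may have
copied them; each transaction is scored on its own pattern instead.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than an airliner between two uses = "impossible travel"
AMOUNT_MULTIPLIER = 5.0           # spend above 5x the card's typical amount is unusual
RAPID_REUSE = timedelta(minutes=5)
DECLINE_THRESHOLD = 60            # risk score at or above this is declined (assumed threshold)


@dataclass
class Txn:
    card: str
    ts: datetime
    amount: float        # constructed currency units
    lat: float
    lon: float
    merchant: str
    fraud: bool = False  # ground truth, used only to evaluate the rules, never to score


@dataclass
class CardProfile:
    typical_amount: float
    approved: list = field(default_factory=list)   # approved history for this card, newest last


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score(txn, profile):
    """Risk score and reasons for one transaction, given the card's approved history."""
    points, reasons = 0, []
    if profile.approved:
        prev = profile.approved[-1]
        hours = (txn.ts - prev.ts).total_seconds() / 3600.0
        dist = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
        if hours > 0 and dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
            points += 70
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
        if txn.ts - prev.ts <= RAPID_REUSE:
            points += 30
            reasons.append("rapid reuse after previous transaction")
    if txn.amount > AMOUNT_MULTIPLIER * profile.typical_amount:
        points += 40
        reasons.append(f"amount {txn.amount:.0f} far above typical {profile.typical_amount:.0f}")
    return points, reasons


def process(ledger, typical_amounts):
    """Score every transaction in time order; returns [(txn, approved, score, reasons)]."""
    profiles = {card: CardProfile(t) for card, t in typical_amounts.items()}
    decisions = []
    for txn in sorted(ledger, key=lambda t: t.ts):
        profile = profiles[txn.card]
        points, reasons = score(txn, profile)
        approved = points < DECLINE_THRESHOLD
        if approved:
            # Only approved transactions update the card's "last seen" state, so a
            # declined attempt cannot move the card's position for the next check.
            profile.approved.append(txn)
        decisions.append((txn, approved, points, reasons))
    return decisions


def economics(decisions):
    """(money paid out to approved fraud, genuine sales refused) for this rule set."""
    fraud_paid = sum(t.amount for t, ok, _, _ in decisions if ok and t.fraud)
    legit_refused = sum(t.amount for t, ok, _, _ in decisions if not ok and not t.fraud)
    return fraud_paid, legit_refused


# Constructed sample ledger: card names, places, amounts and times are made up.
OSLO = (59.91, 10.75)
MADRID = (40.42, -3.70)
T0 = datetime(2007, 3, 1, 12, 5)
SAMPLE_LEDGER = [
    Txn("card-A", T0, 180.0, *OSLO, "lunch"),                                           # genuine; card copied here
    Txn("card-A", T0 + timedelta(hours=6, minutes=55), 95.0, *MADRID, "kiosk", fraud=True),        # clone, looks plausible
    Txn("card-A", T0 + timedelta(hours=6, minutes=59), 2900.0, *MADRID, "electronics", fraud=True),  # clone, second attempt
    Txn("card-B", T0 + timedelta(hours=1), 1500.0, *OSLO, "furniture"),                 # genuine but unusually large
]
TYPICAL = {"card-A": 200.0, "card-B": 250.0}   # assumed typical spend per card


def demo():
    decisions = process(SAMPLE_LEDGER, TYPICAL)
    for txn, ok, pts, why in decisions:
        print(f"{txn.card} {txn.ts:%H:%M} {txn.amount:>7.0f} {txn.merchant:<12} "
              f"{'APPROVE' if ok else 'DECLINE'} score={pts} {'; '.join(why)}")
    print("fraud paid out / genuine refused:", economics(decisions))
    return decisions


if __name__ == "__main__":
    demo()
```

The large furniture purchase on card-B collects 40 points and is still approved: the rule set deliberately tolerates that risk rather than refusing genuine customers, which is the "rat droppings" reasoning in numbers. Raising or lowering DECLINE_THRESHOLD and re-running economics() shows how the two totals move against each other.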