Schneier on Security
A blog covering security and security technology.
September 23, 2009
Eliminating Externalities in Financial Security
This is a good thing:
An Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers' user name and password.
In February 2007, someone with a different IP address than the couple gained access to Marsha Shames-Yeakel's online banking account using her user name and password and initiated an electronic transfer of $26,500 from the couple's home equity line of credit to her business account. The money was then transferred through a bank in Hawaii to a bank in Austria.
The Austrian bank refused to return the money, and Citizens Financial insisted that the couple be liable for the funds and began billing them for it. When they refused to pay, the bank reported them as delinquent to the national credit reporting agencies and threatened to foreclose on their home.
The couple sued the bank, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, claiming, among other things, that the bank reported them as delinquent to credit reporting agencies without telling the agencies that the debt in question was under dispute and was the result of a third-party theft. The couple wrote 19 letters disputing the debt, but began making monthly payments to the bank for the stolen funds in late 2007 following the bank's foreclosure threats.
In addition to these claims, the plaintiffs also accused the bank of negligence under state law.
According to the plaintiffs, the bank had a common law duty to protect their account information from identity theft and failed to maintain state-of-the-art security standards. Specifically, the plaintiffs argued, the bank used only single-factor authentication for customers logging into its server (a user name and password) instead of multi-factor authentication, such as combining the user name and password with a token the customer possesses that authenticates the customer's computer to the bank's server or dynamically generates a single-use password for logging in.
As I've previously written, this is the only way to mitigate this kind of fraud:
Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can't involve the account holders. That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.
They can't claim that the user must keep his password secure or his machine virus free. They can't require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren't reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.
If you think this won't work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They're not hurting for business; and they're not drowning in fraud, either. They've developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They've pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.
It's an important security principle: ensure that the person who has the ability to mitigate the risk is responsible for the risk. In this case, the account holders had nothing to do with the security of their account. They could not audit it. They could not improve it. The bank, on the other hand, has the ability to improve security and mitigate the risk, but because they pass the cost on to their customers, they have no incentive to do so. Litigation like this has the potential to fix the externality and improve security.
Posted on September 23, 2009 at 7:13 AM
The only way I can see to truly prevent this sort of thing from happening, given that two-factor auth can be broken as well, is to not allow online banking. Period.
If a customer insists on it, then provide it, but make them sign a document laying out what the security provisions are, and who is responsible if the customer's authentication tokens are used fraudulently.
How true. Let's hope the couple wins and see how the banking world reacts.
Getting a loan in someone else's name does not need to be done online. In fact, as I understand it, it is mainly done *offline*, as in someone goes into a bank and opens an account in someone else's name and takes the cash.
I am surprised the Austrian bank didn't return the money. Since I am here and they are pretty quick to fix this sort of thing in accounts here...
"In this case, the account holders had nothing to do with the security of their account."
The account holders had no way to prevent their password from being obtained by criminals?
Also, this is not an externality. It is a cost arising from Ms. Shames-Yeakel banking with Citizens Financial. The liability for the cost will lie with either the consumer or the bank, or may be shared between them, depending on the outcome of the court case. But the cost (the $26,500 lost to fraud) of this transaction (Ms. Shames-Yeakel's decision to bank with Citizens Financial and the bank's decision to provide her with banking services) will be borne by the parties to the transaction.
An externality is a cost borne by others not party to a transaction. This is not an externality.
Why won't the bank's fraud insurance cover this?
Because this isn't an externality, Bruce's proposed solution ("make the banks liable so they'll fix security") is only partially correct. Whether the banks were liable or the consumers were liable, either way the banks would have an incentive to fix their security. If consumers were liable for losses due to fraud, banks would improve their security in order to better attract customers with assurances that they (the customers) would have less risk of fraud losses.
What's required is not that the banks be liable (although that might be the better of the two options). What's required is a clear assignment of liability. If it might be the banks, or might be the consumers, or might be both, but we don't really know, and it depends on each individual court case... then incentives to improve security are weakened. If it's clearly the banks, OR if it's clearly the consumers, OR if it's clearly split in some readily determined way... then in any of those cases, the incentives for banks to improve security will be present, clear, and strong.
@wiredog - I think Bruce lays out the other option, which is to authenticate the *transaction*, instead of the *individual*.
BTW, this is entirely doable. My bank was able to identify a series of transactions as fraudulent, and prevented someone from cleaning out my account (they had probably gotten hold of a check I wrote legitimately, and then had some checks written with my name and bank/account information, which they then passed off on various local merchants.)
The down side: several of these fraudulent checks found their way into the collection agencies, who insist that *I* am responsible for them. This, despite the fact that I have a police report, with those specific check numbers enumerated, on file.
My credit union uses what seems to be a better form of two factor authentication that mitigates this risk quite well. I had to (once, and from a trusted IP address at home) design a series of three magic questions and answers. Any time I log in from an unknown IP address I have to answer those questions. I am then asked if I want to trust this IP address or not (e.g. my work computer or some internet cafe).
Man in the middle attacks are still possible, but it eliminates having my credentials borrowed and used elsewhere.
Also, this is a silly statement: "The bank, on the other hand, has the ability to improve security and mitigate the risk, but because they pass the cost on to their customers, they have no incentive to do so."
One: "because they pass the cost on to their customers". Banks pass all costs on to their customers. They pass on the cost of fraud; they also pass on the cost of security (since security isn't costless). Even if the banks were liable for all fraud, the losses from fraud would simply be spread among all their customers rather than allocated to those customers who had their passwords stolen.
Two: "they have no incentive to do so." All banks have incentives to reduce costs to customers, both those that are spread amongst all of their customers (bank-liable fraud) and those that fall on individual customers (consumer-liable fraud). Reducing costs to customers attracts more business, which increases profits. Which is incentive aplenty.
I hope those questions are better than the ones my bank offers, such as 'Last name of your favorite president' (not a large list of options and certainly several favorites) or 'Your zodiac sign' (only 12 options!)
"If consumers were liable for losses due to fraud, banks would improve their security in order to better attract customers with assurances that they (the customers) would have less risk of fraud losses."
That's the classic libertarian argument against regulation. As its crucial premise is perfect competition among infinitely many banks and perfect information available to consumers, it's also manifestly wrong, as well as empirically false.
What is empirically observed in bank behavior relating to fraud is a race to the bottom, not to the top. A business model in which fraud happens at a certain predictable -- and acceptable -- background rate, with substantial costs (financial and legal) shifted onto consumers, appears to be not only viable but actually a stable attractor of bank policies. Nobody has an incentive to deviate from this model, as nobody can prove that consumers will flock to better protection, rather than to higher interest rates or cooler-looking ATM cards.
Only a change in the regulatory environment can shift the business model. This happened decades ago with credit card fraud liability, and (as many here have observed) the result is a much more stringent security regime.
Nowadays, unfortunately, U.S. financial institutions have many members of Congress performing lap dances for their campaign contributions. The credit regulatory reform that seemed so urgent a year ago is already at risk. I'm pretty sure that legislative reform to make banks liable for deposit account fraud will go nowhere. Perhaps the courts can find a solution in common law, but I'm not holding my breath.
Credit card companies have sophisticated algorithms that flag "unusual" transactions. Eventually you might get a phone call asking you to authenticate the transaction.
It should be easy enough to apply the same algorithms to wire transfers. If one appears unusual (like a large transfer to an overseas bank for a customer that doesn't travel), the bank could contact you and, e.g., send a mail like "hey, we've just received this wire transfer request that our automated system has flagged as suspicious. If you want your life savings transferred to the Ukraine, don't do anything. Or call us within the next 24 hours to cancel the transfer."
Yes, there will be false positives and false negatives, and each will cost the bank. Credit card companies make that investment because it is still cheaper than not to. Banks don't have a similar incentive.
This has been a long time coming. Hopefully the plaintiffs will prevail and as a consequence online banking will become safe and secure within about 23.5 hours as a result.
My mom was hesitant to use online banking because of security concerns so I explained to her that since the bank had online banking, it didn't matter whether SHE used it or not, her account was vulnerable to attack. [possibly more so since any default passwords would be in place]
I recently turned down a lucrative checking account because their terms of service placed all liability squarely on me for any breach of security.
@andrew, randomly asking a secret question isn't really two-factor authentication, it's just a secondary password. It doesn't add the requirement of something that you have, or someone that you are, just that you know another thing. It does raise the security bar, but only slightly.
"The account holders had no way to prevent their password from being obtained by criminals?"
Indeed, they do not. They can be vigilant within reasonable expectations but that has the effect of slightly decreasing the probability of theft, not preventing it outright.
Division of labor is a concept that needs to be considered.
We could (conceivably) all be totally self-sufficient: growing our own food, making our own wagon wheels, purifying our own water. However this is inefficient; having a wheelwright focus on making wheels means the wheels get made more efficiently, and society advances because some folks are freed up to do things other than bare survival tasks.
The invisible hand that is supposed to make banks voluntarily offer better security relies on customers having the time to investigate the matter. This idea requires consumers to become knowledgeable in yet another area that likely has nothing to do with their primary area of expertise.
I tend toward being a libertarian, but some gov't regulation is necessary because there aren't enough hours in the day for me to figure out every financial trap, every food additive risk, and every medical scam. The banks are the ones with the most related expertise, so it makes sense for them to deal with the problem.
The random secondary question is being used by banks trying to skirt their legal requirements. It most definitely is not two-factor since both are "something you know," but, to my knowledge, no one has been taken to task over it yet.
> All banks have incentives to reduce costs to customers, both those that are spread amongst all of their customers (bank-liable fraud) and those that fall on individual customers (consumer-liable fraud). Reducing costs to customers attracts more business, which increases profits. Which is incentive aplenty.
That explains why it's currently working so astonishingly well!
> If it's clearly the banks, OR if it's clearly the consumers, OR if it's clearly split in some readily determined way... then in any of those cases, the incentives for banks to improve security will be present, clear, and strong.
This doesn't make enough sense for me to buy it. If *all possible* distributions of responsibility still lead to "present, clear, and strong" incentives for banks to improve security, how does an ambiguous distribution of responsibility lead to poor security?
Given A, banks have an incentive to improve security. Given B, banks have an incentive to improve security. Given C, banks have an incentive to improve security. I agree, we don't know which is given, but we know there isn't any D, E, or so on.
In any case, banks have an incentive to improve security. And yet, they don't improve security.
Admittedly, since there is ambiguity, it may be hard for the bank to decide internally what is the best way to improve security, because people argue business cases. But this is obviously a problem in which the bank itself is a major player.
There are basically three options here.
1: Make it understood universally that consumers are completely liable for their fraud. Nobody will use a bank anymore, because any exploitation will lead to your financial ruin.
2: Make it understood universally that banks are completely liable for the fraud. The bank can now decide what terms they will use to deal with their customers (not offer internet banking, not offer cheap and easy credit, whatever). Market forces dictate what security steps the banks take in relation to their customers. No regulation needed, really. The bank can amortize its risk.
3. Build a regulatory framework. Declare standards of security for banks. Declare standards of liability for both parties. You'll get this at least partially wrong, of course, because you're trying to hit a moving target. You'll need to have a regulatory oversight body. You'll have to have a process for resolving disputes, because relationships will be complex. You'll have to revisit this periodically. When your regulatory framework is out of sync with the optimal goals because of unseen circumstances, some of the time you'll screw the banks (which can amortize their risk) and some of the time you'll screw the individuals (who, largely, can't).
I think Bruce is spot-on in choosing option #2.
Whilst many finance companies have specialist fraud departments, for many years they've spent most of their time looking for Nigerian 9's.
Given that credit card companies made the conscious decision not to put a photo of the holder on to credit cards - on the basis it was cheaper to have fraudulent use! - I think it's about time they were brought to task.
I don't understand the difference between credit card companies and banks? Almost all credit cards are issued BY banks?!
If I had a mortgage at Chase bank and a Mastercard at Chase bank, why would Chase bank act indifferently toward Home Equity fraud but accept Mastercard fraud as their responsibility?
Or does Mastercard itself take the hit? Are they (MC) the holder of all responsibility in that case?
@David: Because the following law, applying specifically to credit cards, has been on the books in the U.S. since 1978:
No comparable legal limitation of consumer liability applies to other financial services.
"The random secondary question is being used by banks trying to skirt their legal requirements. It most definitely is not two-factor since both are "something you know," but, to my knowledge, no one has been taken to task over it yet."
Interestingly, the FFIEC Guidance "Authentication in an Internet Banking Environment" issued in October of 2005, while it mentions multi-factor authentication, only requires _layered security_.
As I recall, there was a lot of confusion and discussion on the difference between "layered security" and "two factor authentication" among financial institutions regarding the "minimum" requirements from the FFIEC (aka least expensive solution the banks need to implement to be compliant with the FFIEC Guidance).
This is why you saw many banks adding the _layered security_ solutions like the RSA Adaptive Authentication (aka Passmark), which provide user selected pictures presented by the bank server, browser side cookies, Flash objects, and challenge questions. These, along with server side PC "fingerprinting" (IP geo-address matching, configuration checking, etc.) coupled with backend fraud detection, all build upon a _layered security_ solution, but still don't provide multi-factor authentication.
This is a very interesting development but unfortunately, I'm certain that the greedy banks will push the costs of improved security and verification onto their customers.
I certainly don't claim any expertise in this matter, nor am I familiar with the specifics of this case, but I thought "Regulation E" provides at least some protection for consumers from this sort of fraud.
Everyone here appears to ignore the existence of this rule. Am I missing something?
We pretty much have a controlled experiment in whether putting liability on customers enables improved security. In Great Britain it used to be the case that banks, rather than being liable for hacking of a customer's account, could have customers prosecuted for fraud when they made complaints about unauthorized withdrawals. This did not, however, correlate with good account security.
It's fine if banks push the costs of authentication onto their customers, because the cost of the bank getting it right (millions of dollars a year) is less than the cost of the customers doing it right (infinity).
@eddie: Also, this is not an externality. It is a cost arising from Ms. Shames-Yeakel banking with Citizens Financial.
It is also a cost of the fraudster "banking" with Illinois bank, the Illinois bank's "banking" with the Austrian bank, the relationship between the Austrian and Hawaiian banks, and the Austrian banks customer who collected the funds.
In terms of what actually affects policy via profitability (and is universally so), is primarily all the non-Shames-Yeakel relationships. To those relationships, SY-Illinois IS an externality.
Libertarians always reducing complex networks of relationships to the sum of dual relationships. In finance, that's at about the level as calculating the energetics of a set of electrons by adding up the energetics of each dual interactions.
You won't pass Physics 102 that way!
@wiredog: The only way I can see to truly prevent this sort of thing from happening, given that two-factor auth can be broken as well, is to not allow online banking. Period.
No, actually it's not that much of a technical issue. This occurred with checks all the time, back in the long lost days of paper transactions and local banks (due to regulation) of which you were a major consumer.
Back in those days, if the amount on the check went beyond what the bank was willing to write off in order to assure customer loyalty, the bank would pick up the phone and call you.
My credit union still does that -- if they feel a transaction is iffy, they'll ask the person with the check to cool their heels in the lobby while they pick up the phone and call me.
It's not that hard -- but it is a cost that doesn't make sense for a mega-bank for whom any particular customer is just a number. And without regulatory boundaries, most folks will end up banking with a mega-bank despite the "screw you" factor that is well known.
This is ludicrous - in New Zealand, not only do most banks have 2-factor auth, but all of them promise to reimburse any innocent victims of fraud....
In the above case the bank would've fully paid up the full amount stolen, it keeps customers happy and puts the onus on the banks..
A mega-corp could machine-automate such phone calls trivially. But right now that's seen as an unnecessary expense. If the court cases go against them, that will change.
The chances of your password being stolen is highest when you sign into a computer that isn't your own. This is the same situation where you enter the answers to your secret questions. In the most likely information theft situation, passwords and secret answers will be stolen together.
Multi-channel authentication (password+sms verification WITH transaction details) has an astronomically higher level of security. Simple two-factor (eg password + RSA tag) carries much higher level security than your secret questions. In fact, secret questions only protect against the one threat that you can manage fairly well yourself: spyware on your own PC.
Once again we find people making the "it will all be passed onto the consumer" argument. Banking service prices are not based on cost. They are based on what the customer will pay. If you increase your price above that level, then you reduce your income. Please look up, for example, "sunk costs" on Google.
The people who pay for such fines are the shareholders in the bank. This is good because they are the people who could choose to influence the management.
I recently opened a line of credit for some home repairs. At the time I opened the line of credit, I very easily could've given some basic qualitative guidelines on the types of transactions I was planning to make - basic caps on the amounts I'd be paying to retailers, plus caps on the number and amounts of payments I'd be making to contractors. Essentially, both I and the bank could then take comfort that transactions which fit that mold were A-OK, and those which did not should be held up pending a personal communication (either in person or via a call to a pre-agreed-upon private phone #).
It seems like this type of arrangement would be much more the norm if the banks were liable for any transactions which I could prove I did not personally authorize.
"...I very easily could've given some basic qualitative guidelines on the types of transactions I was planning to make..."
There is no reason that an elderly person who lives in Ohio, and never travels, needs to have their debit cards or bank account accessible from Romania. For that matter, their financial account access and usage could even be restricted to the US only, by State, or even City.
As stated, the ability to establish a simple financial profile for an account, with well defined parameters for exceptions, would greatly reduce risk of fraud for those likely to be most vulnerable.
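The transaction-profile idea in the two comments above (caps and payee types agreed when the line of credit is opened, plus restricting where an account may be operated from), together with the earlier suggestion of flagging unusual wire transfers and holding them for out-of-band confirmation, as an added Python example. This is not code from the post or from any bank; the profile fields, the rule thresholds, the country codes and the sample transactions are all constructed for the illustration, and "ZZ" stands in for whatever foreign origin a session was geolocated to.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Profile:
    """What the customer agreed with the bank when the line was opened (constructed fields)."""
    payee_countries: Set[str]   # countries the customer expects to send money to
    login_countries: Set[str]   # countries the customer normally logs in from
    retail_cap: float           # largest single payment to a retailer
    contractor_cap: float       # largest single payment to a contractor
    contractor_payments: int    # number of contractor payments expected over the job


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    kind: str           # "retail", "contractor" or "wire"
    amount: float
    dest_country: str   # country of the receiving bank
    login_country: str  # geolocated origin of the session that submitted it
    payee: str


def evaluate(profile: Profile, tx: Transaction,
             executed: List[Transaction]) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("hold", reasons).

    A held transaction is not executed until the customer confirms it over a
    channel agreed in advance (a call to a pre-registered number, a branch visit).
    Anything the profile has no rule for is held, not allowed: the profile describes
    expected activity, so an unexpected kind of transaction is the suspicious case.
    """
    reasons: List[str] = []
    if tx.login_country not in profile.login_countries:
        reasons.append(f"session from {tx.login_country}; customer normally logs in from "
                       f"{sorted(profile.login_countries)}")
    if tx.dest_country not in profile.payee_countries:
        reasons.append(f"payee bank in {tx.dest_country} is outside the agreed countries")
    if tx.kind == "retail":
        if tx.amount > profile.retail_cap:
            reasons.append(f"retail payment {tx.amount:.2f} exceeds cap {profile.retail_cap:.2f}")
    elif tx.kind == "contractor":
        if tx.amount > profile.contractor_cap:
            reasons.append(f"contractor payment {tx.amount:.2f} exceeds cap {profile.contractor_cap:.2f}")
        done = sum(1 for t in executed if t.kind == "contractor")
        if done >= profile.contractor_payments:
            reasons.append(f"contractor payment #{done + 1}; only {profile.contractor_payments} were agreed")
    else:
        reasons.append(f"{tx.kind} transactions are not part of the agreed profile")
    return ("hold", reasons) if reasons else ("allow", [])


def process(profile: Profile, txs: List[Transaction]) -> Dict[str, str]:
    """Run the transactions in order; only executed ones count toward the profile."""
    executed: List[Transaction] = []
    decisions: Dict[str, str] = {}
    for tx in txs:
        decision, _ = evaluate(profile, tx, executed)
        decisions[tx.tx_id] = decision
        if decision == "allow":
            executed.append(tx)
    return decisions


# Constructed sample: a home-repair line of credit for a customer who does not travel.
HOME_REPAIR = Profile(payee_countries={"US"}, login_countries={"US"},
                      retail_cap=2000.0, contractor_cap=8000.0, contractor_payments=3)

SAMPLE = [
    Transaction("t1", "retail", 450.0, "US", "US", "hardware store"),
    Transaction("t2", "contractor", 6000.0, "US", "US", "roofer"),
    Transaction("t3", "retail", 3500.0, "US", "US", "appliance store"),  # over the retail cap
    Transaction("t4", "wire", 26500.0, "AT", "ZZ", "unknown business"),  # shape of the theft in the post
    Transaction("t5", "contractor", 2000.0, "US", "US", "plumber"),
    Transaction("t6", "contractor", 2000.0, "US", "US", "electrician"),
    Transaction("t7", "contractor", 2000.0, "US", "US", "painter"),      # one more than agreed
]

if __name__ == "__main__":
    executed = []
    for tx in SAMPLE:
        decision, why = evaluate(HOME_REPAIR, tx, executed)
        print(tx.tx_id, decision, "; ".join(why))
        if decision == "allow":
            executed.append(tx)
```

The design choice worth noticing is the default: a transaction the profile says nothing about is held rather than allowed, and a hold is resolved by the customer over a channel the attacker does not control, so the $26,500 wire in the sample stops on three independent grounds (unknown origin, unknown payee country, unexpected transaction type) before any guess about the password is needed.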
First of all, regardless who wins this case, the fact remains that "49% of consumers across eight countries would consider switching or definitely switch banks if they or someone they knew was hit by card fraud" (Source: ACI Worldwide)
I'd say it's time for banks to ditch the username/password/20 questions game and start "genuinely" authenticating online banking sessions by requiring users to swipe their card and enter their PIN. (the same way their customers access cash at an ATM)
The current system benefits only the bad guys.
Banks cannot continue on their current path. Asking questions such as: What's your mother's maiden name, What's the make of your first car, What is the First Letter of the Middle Initial of your Second dog...all that kinda stuff, is not secure...it's either accessible at social networking sites or available by simple keylogging schemes.
But converting customers to Swiping vs. Typing, that would be genuine authentication. HomeATM's PCI 2.x certified PED instantaneously encrypts the cardholder data. Financial institutions would enhance their image by providing their customers with an encryption enabled online banking log-in. There's proof of this. Look to Barclays who has already distributed well over a million of their PINSentry devices. Customer take-up was 30% higher than projected. Yesterday Todos announced that a bank in Romania has ordered another 140,000 of their smart card readers for online banking log-in. It's the way it's got to be and this particular court case emphasizes the immediate need to get such devices into the hands of online banking customers.
It's not a coincidence that Barclays bank was recently rated #1 for providing the most secure online banking application in the U.K. Why? Because they require their online banking customers to use their PINSentry device for two-factor authentication.
"Barclays was the only one of the 10 banks surveyed to get a rating of 'excellent'. The company requires all its online customers to use a "two-factor authentication" (2FA) system involving a PINsentry device which generates a one-time password for each session".
"HomeATM is far more useful than the PINSentry device. It provides not only two-factor authentication log-in, but it does it without generating one-time passwords which has been recently exposed as hackable.
Once the PINSentry device authenticates the user, its usefulness is done until the next time the user logs in...whereas with HomeATM's device, logging in is only the beginning of what it enables the consumer to do.
The HomeATM device can be further utilized for online bill payments, (online bill payment customers increase bank profitability by 15%...google it) person to person money transfers (in real time) secure Internet End-to-End Encrypted Card Present transactions, peace of mind, loyalty, image and brand enhancement and so much more.
So the bottom line is: Would banks prefer risking the loss of 49% of their customers, or would they prefer to provide their customers with a free PCI 2.x Certified PED along with the peace of mind, safety and security of a 2FA 3DES E2EE PCI 2.x "certified" (not compliant, certified) solution which their customers can use in the privacy of their own home.
A recent survey by ACI Worldwide of consumers around the world found that one in five have been hit by debit or credit card fraud in past five years. The research, of more than 2,400 consumers across eight countries, also found that if an individual or someone they knew was hit by card fraud:
*22 per cent would change financial institutions, and a further
*27 per cent would "consider" changing financial institutions.
So where would the 49% go? To a bank that offers secure authentication. It's a no-brainer and it's as easy as 1-2-3:
1. Bank Issues card
2. Bank Issues PIN
3. Bank Issues Card Reader/PED
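To make concrete the distinction that runs through the comments above, between a one-time password that authenticates a login session (the PINsentry description quoted earlier) and a code bound to the transaction details (the "password+sms verification WITH transaction details" suggested earlier), here is an added Python example. It is not code from the post, Barclays, Todos or HomeATM, and it does not model any real reader's algorithm: the device is stood in for by HMAC-SHA256 over a constructed per-customer secret with RFC 4226-style truncation, and the account identifiers, amount and counter value are constructed.

```python
import hashlib
import hmac
import struct

DIGITS = 8


def truncate(mac: bytes) -> str:
    """RFC 4226-style dynamic truncation: 31 bits taken at an offset given by the last nibble."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def session_otp(secret: bytes, counter: int) -> str:
    """What a login-only token produces: a function of the secret and an event counter."""
    return truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())


def transaction_code(secret: bytes, counter: int, dest_account: str, amount_cents: int) -> str:
    """What a transaction-signing reader produces: the counter plus the transfer details
    the customer keyed into, or read back from, the device's own display."""
    msg = struct.pack(">Q", counter) + dest_account.encode() + b"|" + str(amount_cents).encode()
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts_session(secret: bytes, counter: int, presented: str,
                         dest_account: str, amount_cents: int) -> bool:
    """Login-OTP bank: the transfer details play no part in the check."""
    return hmac.compare_digest(presented, session_otp(secret, counter))


def bank_accepts_transaction(secret: bytes, counter: int, presented: str,
                             dest_account: str, amount_cents: int) -> bool:
    """Transaction-code bank: recompute the code over the details it is about to execute."""
    return hmac.compare_digest(presented, transaction_code(secret, counter, dest_account, amount_cents))


def mitm_demo() -> dict:
    """Malware on the customer's PC (or a man-in-the-middle) swaps the destination
    account after the customer has produced the code. Returns, per scheme, whether
    the bank executes the altered transfer, and whether a replayed code is accepted."""
    secret = b"constructed-per-customer-secret"   # shared between reader and bank at enrolment
    counter = 17
    intended, swapped = "US12-3456-7890", "AT98-7654-3210"   # constructed account identifiers
    amount = 26_500_00   # cents

    otp = session_otp(secret, counter)                                  # customer logs in
    tcode = transaction_code(secret, counter, intended, amount)         # customer signs what they meant
    return {
        "session_otp_executes_swapped": bank_accepts_session(secret, counter, otp, swapped, amount),
        "transaction_code_executes_swapped": bank_accepts_transaction(secret, counter, tcode, swapped, amount),
        "transaction_code_executes_intended": bank_accepts_transaction(secret, counter, tcode, intended, amount),
        "transaction_code_replayed_next_counter": bank_accepts_transaction(secret, counter + 1, tcode, intended, amount),
    }


if __name__ == "__main__":
    for name, outcome in mitm_demo().items():
        print(f"{name}: {outcome}")
```

Both codes are one-time and both resist replay because the counter moves on, but only the second fails when the destination is swapped, since the bank recomputes it over the details it is actually about to execute. Whether a device binds the transaction or only the session is the property that decides if it helps against the attack in this post; how the device is packaged, or whether it swipes a card, does not settle that question.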
I agree with a comment in the previous article about ID theft being an oxymoron.
Unfortunately, the term "Identity Theft" has become burned into so many brains that people focus on preventing just what it says--preventing the stealing of the identifying information--that they neglect to address what is really being done: impersonation.
Until people understand that, the problem will be that much tougher to solve.
We also need to start addressing what is really occurring here - bank robbery.
Until people understand that, the problem will continue to be misdirected and confused by financial institutions looking for someone to pass their loss onto.
The bank has taken custody of your money, and has taken responsibility to provide sufficient protection for it. It doesn't matter if the bank robbers steal the bank's money by walking in the front door with guns drawn, break into the bank's vault after hours, or steal the bank's money using computers. In all cases, the bank is responsible for any loss, and the bank needs to provide appropriate security measures to protect their customer's money (whether physical sitting in their vault or virtual).
If a bank robber who broke into the bank's vault leaves a note which states "I stole John Smith's money", the bank doesn't get to pass their loss onto John Smith, any more than they should be able to pass the loss for a computer related bank robbery, just because they happen to have a customer's name.
Also, I read about someone comparing bank account security to that of automobile security (gotta love those car analogies :-) ). They are not even close!! In the case of an automobile, I own the car, I can decide if the manufacturer has provided sufficient security and I can easily add my own security (i.e. Alarm system, Club, Lojack, don't park in unsafe neighborhoods, etc.).
In the case of a bank being the custodian of my money, I am left with whatever protections the bank decides are sufficient.
The protections the bank provides for "electronic money" should be no less secure than the protections provided for "physical money".
So a question here would be, are the bank's computer security measures (i.e. username and password) the equivalent of their physical security measures (i.e. security guards with guns, alarm systems, and the bank's vault)?
As a follow-up to my previous post...
Someone walks into a bank branch with no personal identification (i.e. wearing a hoody, mask, gloves, etc.), then hands the teller a piece of paper with John Smith's username and password and a note saying that they want all JSmith's money.
What will the bank teller do? Ask if "JSmith" wants the money in $10s and $20s and proceeds to empty JSmith's bank account? Does the bank teller require some other form of identification? Or perhaps "JSmith" gets "taken down" for walking into the bank in a hoody and mask! :-)
"An externality is a cost born by others not party to a transaction. This is not an externality."
That's not the transaction I'm looking at. I'm looking at the bank's economic decision about how much security to buy/implement. To the bank, the cost of fraud to the customer is an externality.
"That's the classic libertarian argument against regulation. As its crucial premise is perfect competition among infinitely many banks and perfect information available to consumers, it's also manifestly wrong, as well as empirically false."
Agreed. At a conference this year -- either WEIS or SHB -- Jean Camp referred to it as the "happy libertarian market pony," which is about right.
Unless I am missing something, I have to disagree with Bruce's overall premise. His argument largely rests on the idea that credit card companies do a good job at stopping fraud. They don't. I have seen estimates that merchants lose close to a billion dollars a year in credit card fraud.
Why don't credit card companies do a good job at stopping fraud? Because there aren't proper incentives for them to stop it. Merchants are responsible for fraudulent charges, not credit card companies.
Credit card companies do just enough fraud prevention so that consumers don't lose confidence in the platform.
Yes, in a sense, businesses try to pass on all costs to the customers. But they also try to reduce those costs. Both for the same reason: to maximize profits.
Meanwhile, I as a customer am rationally looking for good prices and good service, not for the bank (or drugstore, grocer, or clothier) that is best at maximizing its own profit. I am a human being with my own interests, and making some stranger or corporation rich isn't even in the top million on that list.
Your argument assumes that the laws of nature guarantee a bank at least a certain amount of profit, regardless of what it does. That's not physics, and it doesn't need to be (and often isn't) economics or policy. If a bank is run badly, it should expect to make less money than if it's run well. That's the oh-so-sacred market that keeps being invoked whenever someone suggests that laws or regulations should protect the consumer. In an actual market, where there were a significant number of banks competing for my business with genuinely different offers--X bank has a better interest rate, Y bank lets me talk to a teller even on weekends, Z bank offers the best security, and combinations thereof--they'd be constrained from passing the costs of bad security on to the customers, because most of the customers would respond by taking our money to a different bank.
The bank I use does not require 2-factor authentication to log in, but will send you a text message with a code you must enter when you first try to send money to any new account, or when you try and change your mobile number or security settings. So the worst thing a hacker can do is overpay your bills really. Of all the bank security systems I've used, this is my favourite.
"but will send you a text message with a code you must enter when you first try to send money to any new account, or when you try and change your mobile number or security settings."
In the UK we call that sort of account a "Personal Account". In the main rarely anything changes in such accounts.
If however you look instead at a "Small Business Account" then they could have many new "one off" payments to be made on a daily basis. The system you describe irrespective of how secure it was could just not cope with this sort of account.
Whatever system a bank rolls out it needs to cover the majority of its accounts that do not require "special treatment". Therefore it would have to work from "Personal Accounts" through to medium sized "Business Accounts" to be effective.
High transaction volume is another reason why "mobile phone comms" are not going to be realistically part of a long term effective solution.
As a computer security professional, I wholeheartedly disagree with Bruce Schneier's comment: "The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."
I respect Bruce and his opinions, but I'm wondering where his common sense is with this comment. I've been in this business for over 25 years and this very attitude in my opinion is what has gone wrong or is going wrong with our society as a whole today. No one has to be accountable for their own actions regardless of how wrong they may be. Athletes blame steroids and performance enhancing drugs on competition and money. Murderers and criminals blame their actions on a poor upbringing, their parents' attitudes and how they were raised. It is always becoming someone else's fault that I'm a bad person. This sounds like the best defense for anyone wanting to steal money from anyone else is it isn't their fault that someone else has money and they don't, that just isn't fair, I should be able to take some of it when I want to even things out!! I don't think anyone will agree that is right.
Does that mean that Mr. Schneier is willing to be held liable for his comments when they result in additional costs, reduced flexibility for banks servicing their customer and impacts on our economy? What happens when they deny the customer access because they are too stupid to use the security features, are they liable for that too because they are discriminating against them?
I do NOT for a moment feel that Banks and for that matter every organization must take responsibility and accountability to provide reasonable controls to protect the confidentiality, integrity and availability of the information that they gather, transmit or process, but they can't be held accountable for the poor business practices of their customer unless they did not make an effort to help that customer protect themselves. As one of the Blue Collar Comedians states, "You can't fix Stupid!"
DISCLAIMER: The opinions stated above are my own and do not necessarily represent the viewpoint of my company or any other entity! I do not hold liable anyone else for my own statements.
"No one has to be accountable for their own actions regardless of how wrong they may be."
How true. This is applicable to the banks too. In this case, the bank has been robbed (via computer) and the bank is attempting to pass their loss onto their customer instead of being accountable for not providing adequate protection.
Banks are in the business of trust. When they take custody of their customer's money, the customer is trusting that the bank will be responsible and accountable and go to great lengths to protect that money (i.e. secure vault, alarm systems, guards with guns, trustworthy employees, computer systems with electronic controls no less secure than the physical controls, etc.).
The court document says the bank stood by its online banking disclaimer that exempts the bank from any liability: "We will have no liability to you for any unauthorized payment or transfer including wire transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice."
Hrmm... I have to wonder - does this mean that every user who runs into such an EULA should, as a matter of course, warn the site that there may be 'possible unauthorized use' on their first access?
I struggle with Bruce's argument too. While alluring at first glance, I see parallels in other areas that are rather uncomfortable.
The job should always go to he who is the closest to fixing the problem?
It might be correct in this case, and in other specific cases, where users or other "real owners of the problem" have little possibility to do the job themselves.
But as a general principle it is dangerous.
I've seen risk managers try that before. The end result is that the IT dept is expected to carry any and all IT related risk for all the other business units in their company. That's just wrong.
Also, doesn't this imply that telcos should be held responsible for what their broadband users do? After all, who is better positioned to censor Internet traffic than the carrier?
@All - Customer
You did not see me say at any point that the bank should not be held accountable for poor practices. I also am not necessarily addressing this specific case, if the bank used bad practices they should be held liable, if the customer did they should be. If the service has no good way to be adequately protected then customer beware and use at your own risk. People do still have a choice to bank online or not.
Most fraud is still committed internally not using Internet means. It is quickly switching, but more identity information is still stolen from purses, mailboxes and old fashioned means. Fast propagation of the theft of an identity after having the information uses the Internet or electronic means.
Hold accountable who is responsible. The problem is bigger than just this one bank, and those that believe Credit Card companies are doing things that "clearly work" are sadly mistaken. Does Heartland or others ring a bell? In most cases these companies were compliant to PCI standards yet breaches occurred.
There will always be fraud as long as we give those interested in committing it no fair share of liability for partaking in the event. There will remain bad guys as long as there are benefits to theft and the risk of being caught remains reasonable or penalties minor.
Absolutely the bank that does not put in place adequate security practices should be accountable to their customers that have their data breached. Customers that use poor security practices should also be accountable to themselves for having their data breached.
Caveat emptor, bank customer beware, if you do business with a bank that implements poor security practices don't blame them for your stupidity when a data breach occurs. Bank beware, if you implement inadequate security practices, don't blame your customers when they sue your butt for not protecting their data in a reasonable way.
Good thing the US has so many lawyers to help us determine terms like: Reasonable, Adequate, Poor and Best.
Definition of a jury: 12 men/women (our peers) who determine who has the best lawyer. Bank, arm yourself with enough accepted practices to reasonably protect your customers' data and the evidence to arm yourself and arm your lawyer with the evidence they need to convince the jury. Bank customer, arm yourself with enough stupidity and maybe you can plead insanity for using a 3 character password to access your bank accounts.
In Germany the terms of business of most banks have changed lately, now making the customer liable for fraudulent transactions done with his debit card until the moment he reports that his card was stolen.
So as you say Bruce, they now have no more incentive to keep these systems safe.
Bill yes you are missing something. The Electronic Transfer Act (Regulation E) only applies to consumers and not small businesses.
Oh, I forgot to mention. While we agree that:
> Litigation like this has the potential
> to fix the externality and improve
we believe that legislation is what is needed. It took Congress just 377 words (in U.S. Code 1643) to move the liability for credit card fraud from the card holders to the issuers. The litigation of a single case like "PlainsCapital Bank vs. Hillary Machinery, Inc." will require the writing of something like three orders of magnitude more words and the reading of (including depositions, discovered documents, legal precedents, and federal laws and (worse) regulations), what? Five orders of magnitude? Six?
And this is for each and every case. There are many cases we know about, and probably some that we don't.
And, anyway, these cases are not ordinary "commercial disputes". The small- and medium-sized enterprises whose funds went to Eastern Europe and are not coming back were the victims of *crime*. As has been noted by any number of commenters on Mr. Schneier's post, better authentication techniques are readily available in the marketplace, the banks just don't employ them. Indeed, they have fudged on the FFIEC's guidance to use two factors of authentication by using two "Things You Know", both of which can be compromised by the same piece of readily-available malware.
Authentify's original position was that it does not really matter how much online account theft the banks allow, as long as they make good on the losses. However, concerns have arisen recently that some of the money stolen is going to finance terrorism, not just the lifestyles of members of the Russian Mafia. And even if the money were just going to the latter, higher "revenues" attract more criminals and also fund the development of ever-more-sophisticated malware. Thus, we will be taking this issue to members of Intelligence and Homeland Security committees, not just to committees that oversee financial services.
Bruce Schneier is correct about whether the banks or the consumers "should" be stuck with the losses when cyber-thieves succeed.
And, we predict, he is correct in this post not just about what "should" happen, but what *will* happen re: apportionment of the risks of online banking.
First of all, Mr. Schneier's proposed solution has already been half implemented. Federal Reserve Regulation E imposes it on the banks for consumer accounts, as BillB notes above.
Commercial accounts currently are governed by the Account Agreements between the parties and what a court would find the term "commercially reasonable" means under UCC-4A. But this needs to change, because there is no necessary difference between the information security knowledge of an individual and your typical Subchapter S corporation.
Congress needs to impose the liability on the banks just as Carlo Graziani notes in his comment that it imposed the liability for credit card fraud on them back in 1978. In his subsequent comment, Mr. Graziani says that he believes that the banking lobby will be able to stop this reform. Perhaps. But before they can stop this specific reform (extending Federal Reserve Regulation E to commercial accounts, at least the ones that are enabled for online access), someone would have to propose it!
From our meetings on the Hill a couple of weeks ago, it's clear that this problem has not even been brought to the attention of the Congress.
How could they possibly *not* know, you ask? Alas, America has more problems than any 100 people could even know exist. It's no more humanly possible for a given congressman to be on top of all the issues that concern his constituents than it's possible, say, to secure Microsoft Windows! (I used to think those of us in software startups worked long hours before I got to see how hard many of our public servants work.)
Unfortunately, the small- and medium-sized enterprises struck by our current epidemic of cyber-theft, whose plight has been so ably chronicled by Brian Krebs first at the Washington Post (http://voices.washingtonpost.com/securityfix/small_business_victims/) and now at http://www.krebsonsecurity.com/category/... are lucky if they can afford a lawyer to try their chances in court. Last week's victim, a small promotions company on Long Island, is going *bankrupt*. There is no way that victimized organizations could afford to hire a lobbyist. (To get some sense of what people who actually can get something done in DC cost these days, contemplate that the publicly-disclosed compensation for the retiring head of PhRMA was $4.9 million in 2008.)
But as for what Congress *would* do if this issue came before it, we commend the following "thought experiment" to one and all. Brian Krebs only writes of organizations who are victimized *twice*, once by cybercriminals and the second time by a bank that won't make good on losses that they would be forced to cover were the account protected by Regulation E. Furthermore, the loss must be big enough to sue over but not be so large that the organization does not survive it. Now imagine that the first two victims that Mr. Krebs wrote about this week (the week of the 2010 RSA Conference in San Francisco) were named:
"Christopher Dodd for Senate"
"Barney Frank for Congress".
So, OK, Mr. Dodd has decided not to stand for re-election, but you get the idea. The only reason that this is a theoretical question is that there is no bank so politically suicidal that they would stick either the Chairman of the Senate Banking Committee or the Chairman of the House Committee on Financial Services with a loss. (Or, at least we used to think--"PlainsCapital Bank vs. Hillary Machinery, Inc." (where a bank is suing the *victim* of the cybercrime permitted by its (PlainsCapital's) lack of up-front logon authentication and in-process fraud controls) certainly gives one pause!)
More important than Bruce Schneier's position being the correct one morally and economically, it's the correct one in the way of the most ultimate importance in deciding the issue--politically. Just compare the membership count of the American Bankers Association (ABA) and the American Federation of Independent Businesses (AFIB). And consider that while there is only one ABA, there are lots of lobby groups for other types of small- and medium-sized enterprises.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.