Friday, September 15, 2006

Who Should Bear the Cost of Phishing Attacks?

I came across a recent article on the Netcraft site that poses some interesting questions. Should banks be responsible for monetary losses due to phishing schemes, or should customers be to blame for not protecting their information and using technology poorly?

Here is the article from Netcraft. Warning: there is a sales pitch in it, and I have not personally evaluated the product.

Bank, Customers Spar Over Phishing Losses

"Who should bear the cost of phishing losses: the bank or the customer? That question is at the heart of a recent dispute between the Bank of Ireland and a group of customers that fell victim to a phishing scam that drained 160,000 Euros ($202,000) from their accounts. The bank initially refused to cover the losses, but has since changed its mind and credited the accounts of nine victims, who had threatened to sue to recover their funds.

"The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank is likely to become an issue in a larger number of cases.

"The issue of responsibility has been most prominent in the UK. In late 2004, the UK trade association for banks, known as APACS, began warning that financial institutions may stop covering losses from customers who have ignored safety warnings. That stance is reflected in the group's statement on customer protection.

"'Banks are committed to keeping their customers' money safe and will protect customers from Internet fraud as long as they have acted with reasonable care,' APACS says on its Bank Safe Online web site. 'Customers must also take sensible precautions however so that they are not vulnerable to the criminal. Each case of Internet fraud is different and you can be sure that the bank will make a full investigation in the unlikely event that money is withdrawn from your account.'

"The American Banking Association, the industry group for the U.S. banking industry, is more definitive in its reassurance to customers on phishing losses. "Consumers are protected against losses," the ABA says on its web site. "When a customer reports an unauthorized transaction, the bank will cover the loss and take measures to protect your account."

"But there have been exceptions. Last year Miami business owner Joe Lopez sued Bank of America after it refused to cover $90,000 in phishing losses. Lopez' computer was infected by a keylogging trojan, which captured his login details. His funds were soon transferred to a bank in Latvia. When Bank of America refused to cover the loss, Lopez sued for negligence, saying the bank failed to warn him about the trojan.

"Where will the line be drawn between the bank's responsibility and the customer's? The handful of existing cases leave the issue unsettled, but suggest that the quality of the banks' phishing defenses will be a key point in the debate, and that in practice banks will not be able to pass on the financial risk of phishing to their customers simply through careful writing of the customer agreement, as the customer has no direct influence over the anti-phishing measures the bank takes."

Here is the link to the original story:
Bank of Ireland to refund phishing victims


Thursday, September 14, 2006

Biometrics: Use Capacitance Dummy

I get a lot of questions about biometrics and fingerprint scanners, especially from the bankers I normally work with, since they are under a deadline this year.

The Federal Financial Institutions Examination Council (FFIEC) issued new guidance on the risk management controls necessary to authenticate the identity of customers accessing online financial services, and has stated that US banks will be expected to comply with the rules - which include the introduction of multi-factor authentication - by the end of 2006!

The council is an inter-agency body representing the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).

The guidance, which applies to all member banks, states that firms are expected to use enhanced authentication methods when verifying online customers and states that single-factor authentication, when used as the only control mechanism, is inadequate for high-risk transactions involving access to customer information or the movement of funds.

Where risk assessments indicate that the use of single-factor authentication is inadequate, FFIEC says financial institutions should implement multifactor authentication.

The regulator also says that banks should ensure there are reliable methods of originating new customer accounts online - as required by the US Patriot Act - and implement fraud detection systems. Banks are also expected to educate customers about the dangers of ID theft.

FFIEC says financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.

So I get a lot of questions . . . .
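The guidance's distinction between a "factor" and a mere second credential is where most of those questions end up, so here is an added example (my own illustration, not FFIEC text or any bank's code) of a risk-based authorization check: it maps each presented credential to one of the three factor categories, treats a high-risk action (access to customer information or movement of funds) as requiring two distinct categories, and reports which categories would satisfy a step-up challenge. The credential names and the list of high-risk actions are assumptions constructed for the example.

```python
from enum import Enum

class Factor(Enum):
    """The three factor categories the guidance refers to."""
    KNOWLEDGE = "something you know"    # password, PIN, security question
    POSSESSION = "something you have"   # OTP token, registered device
    INHERENCE = "something you are"     # fingerprint (e.g. capacitance sensor)

# Constructed mapping from credential type to category. Two credentials from
# the same category (password + security question) still count as ONE factor.
FACTOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "otp_token": Factor.POSSESSION,
    "registered_device": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

# Constructed list of actions treated as high-risk under the guidance's
# wording: access to customer information or movement of funds.
HIGH_RISK_ACTIONS = {"view_account_details", "transfer_funds", "add_payee"}

def distinct_factors(presented):
    """Return the set of distinct factor categories the credentials cover."""
    unknown = sorted(set(presented) - set(FACTOR_CATEGORY))
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    return {FACTOR_CATEGORY[p] for p in presented}

def authorize(action, presented):
    """Decide whether the presented credentials are adequate for the action.

    Returns (allowed, missing): when access is refused, `missing` is the set of
    factor categories any one of which would satisfy a step-up challenge.
    """
    factors = distinct_factors(presented)
    if not factors:
        return False, set(Factor)
    if action in HIGH_RISK_ACTIONS and len(factors) < 2:
        return False, set(Factor) - factors
    return True, set()

if __name__ == "__main__":
    # Password plus security question is still single-factor for a transfer.
    print(authorize("transfer_funds", ["password", "security_question"]))
    # Password plus a fingerprint scan covers two categories.
    print(authorize("transfer_funds", ["password", "fingerprint"]))
```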


Say Goodbye Mr. Network Geek

I was intrigued by a recent blog post by Michael Farnum of An Information Security Place that laments yet another Microsoft vulnerability. Michael has decided to get out of his Information Security Manager role, and in my comment on his blog, I suggest we all do.

This led me to thinking a lot about security, and the "Three Legged Dog" of Confidentiality, Integrity and Availability. While these three "pillars" of information security must be understood and followed, the tasks within each of these practices have changed drastically in the last couple of years, and continue to do so at an alarming pace. While CIA defines the end goal, what we have really been doing lately is trying to stick our finger in a large dam that has already released its flood. We spend more time in defense of the corollary to CIA . . . DAD. We spend the majority of our time trying to prevent Disclosure, Alteration and Destruction, with almost 90% of it spent on Destruction.

Information Security workers have found themselves caught up in this wave of change. Originally, it was an important and vital job to track down the current virus threats, manage the Service Packs in [Pick your Windows flavor here], install the few hotfixes needed and call it a day. The rest of our time was spent on the important matters - defining the information we want to protect, striking the correct balance between 100% usable and 100% secure, gaining an in-depth knowledge of our environment and our user communities, training our communities on what was important and what was critical.

Remember the backlash that ensued when Microsoft reported that it would pool vulnerability information and release security announcements and fixes on the second Tuesday of every month? The big worry at that time was that there would be many more zero-day vulnerabilities to worry about, and that vulnerabilities could arise without the installed base being aware - leading to another Code Red or Sasser worm outbreak.

While that was a valid concern and continues to be true, what we really missed was how this single event changed the landscape of the typical information security worker's job. It also was one of the most brilliant marketing ploys ever foisted upon the public. While 1 or 2 vulnerabilities used to generate a firestorm of complaints and meaningful news, 8 new vulnerabilities released on Black Tuesday barely register a blip on true news sources. If you eliminate all of the pseudo news, like vendor security blogs and patch management companies hawking their wares, the news is fairly light. Unless, of course, someone finds the vulnerability before Tuesday, or the patch itself causes further problems.

What does this mean for us? It means that X number of vulnerabilities are announced every 20 working days. Adding to the problem, applying these patches to production systems has sometimes been problematic; multiply that by the effort of figuring out which vulnerability affects which system, and the job becomes full-time + a lot of hours * X. And this is only ONE software vendor.

Which leads me to the point of this article: We spend far too much time running down vulnerabilities from hardware and software vendors, and not enough time creating secure environments, understanding business needs, and finding the true security holes. Furthermore, it's very difficult to convince the executive teams that this is where the money should be spent.

Let's face it, software these days contains millions of lines of code; it's impossible to create without bugs, easy to break, and completely unpredictable. We have to face the future . . . these millions of lines of code do not belong on individual instances of millions of servers and PCs. What is the future? Largely, your servers will be moved to the cloud, core data will be aggregated to service providers, and network guys will be relegated to the black boxes they originally came from. Think about it: bandwidth will become large and cheaply available, and most of these services can be outsourced (virus, spam, patch management, etc.).

If there is a way to give the end user a better computing experience, reduce the cost of maintenance, and maintain or improve security, what is to keep companies from adopting this en masse?
