I've written before about how a major milestone in phishing was reached when Lopez sued Bank of America in Florida, USA. If you haven't seen that, click through and read this article. It may not be obvious from the outside, but for once a press journalist has talked to some people in the banking world and discovered something new: Fear.
Regardless of what a judgement or settlement brings to the actual litigants, dotted-line association with the BofA case will likely cause financial institutions to spend at least some additional money on security to prevent fraud. And since North American banks already spend more than $1 billion per year on such technology, the notion that they're not spending it in the right place or in the right amount raises temperatures. "I just came from Washington, where I was at a meeting of 40 financial institutions, regulators and the government," says Ilieva Ageenko, director of emerging enterprise applications for Wachovia. "We all said there's a press euphoria [about on-line crime] and pretty much all institutions have a very well-defined risk management strategy that allows us to identify fraud."
Banks are scared of the Lopez case. What does that tell us? It tells us that banks know this is not a frivolous case, and furthermore that banks don't know what to do about it.
All the buzz is about two-factor authentication tokens, but in their hearts, banking people know this isn't the answer to the problem. The reasons are several. One is that they are expensive, and the banks will likely have to foot the bill: one hardware gizmo for every customer. A second is that the banks also suspect that the secure tokens being peddled by irresponsible companies are not a real answer to the problem, but only a short-term hack.
The banks suspect this, but the peddlers aren't telling the truth. Security people have known for a long time that these tokens are subject to phishing; all they do is force the phisher to do a dynamic, real-time phish, relaying the one-time code to the bank before it expires, instead of logging in to the bank with a captured password at their own sweet time.
Yes, ladies and gentlemen, the secure tokens guarantee that the user and the bank are both on-line right now, but they don't guarantee that nobody is in the middle passing packets back and forth and listening happily to the traffic! The code proves that a live customer holding the token is present; it says nothing about which site that customer is typing it into. Spoofing, which is what phishing is, belongs to the class of attack called man-in-the-middle (MITM), and these tokens fall to the MITM. Or they will when the phishers get around to it.
So what's the solution? FCers (financial cryptographers) know the solution lies in bringing the user and her browser back into the security model. Banks know they can't do that alone, but they also know that at the end of the day they are going to have to carry the can, also alone. Even if the Lopez case goes against them, all the posturing tells us one more thing: banks know the FDIC or whoever will eventually put the onus on them to solve the problem.
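To make the two points above concrete, here is an added example; it is not code from the original post, from Bank of America, or from any token vendor. It is a toy simulation in Python with constructed sample data: a bank that accepts password plus a one-time code (the RFC 4226 HOTP construction, which a time-based token uses with the current 30-second step as the counter), a customer who types whatever the page in front of her asks for, and a phishing page that relays her credentials to the bank in real time. The second half illustrates what "bringing the browser back into the security model" could mean: a login in which the browser mixes the origin it actually connected to into its response. That scheme, with a shared HMAC key standing in for the per-user key pair a real deployment would use, is my assumption for the sake of illustration, not something the post specifies.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample data for one customer, "alice"; nothing here comes from a real bank.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.example"      # look-alike site the victim is lured to
TOKEN_SEED = b"constructed OTP seed for alice"     # shared by her hardware token and the bank
BROWSER_KEY = b"constructed origin-bound key"      # held by her browser and the bank (assumed scheme)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226 construction).
    A time-based token is the same thing with the current 30-second step as the counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Bank:
    """Bank back end with two login paths: password + OTP, and an origin-bound challenge."""

    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "seed": TOKEN_SEED, "key": BROWSER_KEY}}
        self.used_otps = set()   # (user, counter) pairs already accepted, to refuse replay
        self.challenges = {}     # outstanding challenge -> user it was issued for

    def login_otp(self, user, password, otp, step):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        # Accept the current and the previous step to tolerate clock skew; each code once only.
        for c in (step, step - 1):
            if (user, c) not in self.used_otps and hmac.compare_digest(hotp(rec["seed"], c), otp):
                self.used_otps.add((user, c))
                return "session-" + secrets.token_hex(8)
        return None

    def challenge(self, user):
        ch = secrets.token_hex(16)
        self.challenges[ch] = user
        return ch

    def login_bound(self, user, ch, response):
        rec = self.users.get(user)
        if rec is None or self.challenges.pop(ch, None) != user:
            return None
        # The bank verifies over ITS OWN origin; a response computed over any other origin fails.
        expected = hmac.new(rec["key"], f"{BANK_ORIGIN}|{ch}".encode(), hashlib.sha256).hexdigest()
        return "session-" + secrets.token_hex(8) if hmac.compare_digest(expected, response) else None


class Customer:
    """Alice: her password, the code on her token, and a browser that holds the origin-bound key."""

    def __init__(self):
        self.password, self.seed, self.key = "hunter2", TOKEN_SEED, BROWSER_KEY

    def type_credentials(self, step):
        # She reads the code off the token and types it into whichever page asked for it.
        return "alice", self.password, hotp(self.seed, step)

    def browser_sign(self, origin_in_address_bar, ch):
        # The browser mixes in the origin it actually connected to; the page cannot change that.
        return hmac.new(self.key, f"{origin_in_address_bar}|{ch}".encode(), hashlib.sha256).hexdigest()


def otp_phish(bank, victim, step):
    """Real-time relay: the phishing page collects password and OTP and uses them at once."""
    user, pw, otp = victim.type_credentials(step)   # victim is on PHISH_ORIGIN, believes it is the bank
    return bank.login_otp(user, pw, otp, step)      # phisher logs in before the code expires


def bound_phish(bank, victim):
    """The same relay against the origin-bound login."""
    ch = bank.challenge("alice")                    # phisher fetches a genuine challenge from the bank
    resp = victim.browser_sign(PHISH_ORIGIN, ch)    # victim's browser signs the origin it really sees
    return bank.login_bound("alice", ch, resp)      # bank expected BANK_ORIGIN in the MAC: rejected


def demo():
    """Run both attacks and both honest logins; returns which of them produced a session."""
    bank, alice, step = Bank(), Customer(), 56_666_666
    stolen = otp_phish(bank, alice, step)
    legit = bank.login_otp(*alice.type_credentials(step + 1), step + 1)
    replay = bank.login_otp(*alice.type_credentials(step + 1), step + 1)   # same code a second time
    ch = bank.challenge("alice")
    bound_ok = bank.login_bound("alice", ch, alice.browser_sign(BANK_ORIGIN, ch))
    bound_stolen = bound_phish(bank, alice)
    return {
        "otp_phish": stolen is not None,          # True: the token cannot tell who relayed the code
        "otp_legit": legit is not None,           # True
        "otp_replay": replay is not None,         # False: one-time really is one-time
        "bound_legit": bound_ok is not None,      # True
        "bound_phish": bound_stolen is not None,  # False: the relay cannot forge the bank's origin
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one in the paragraphs above: the token stops password replay (the second use of the same code is refused) but not the live relay, because the bank sees a valid code from a valid customer and has no way to know a phisher typed it. The relay only fails when the client's own view of who it is talking to is part of what the bank checks, which is exactly the browser being put back into the security model.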
So who can solve the problem? Who do the poor phishing victims have to sue?
"Wachovia offers the standard 128-bit encryption and requires on-line customers to have user IDs and passwords."
Who told you that would secure your customers?
Some more snippets: stats suggest that users (now, still) trust online banking more than branch banking. Yet corporate customers would change banks if they could get fraud controls from a new bank (sorry, PDF).

Posted by iang at April 6, 2005 09:09 PM