October 07, 2005
Blaming the Banks won't work
Bruce Schneier outlines some of the factors behind phishing and then tries to stick it on the banks. Sorry, won't work - the Banks are victims in this too, and what's more they are not in the direct loop.
Make Banks Responsible for Phishers
Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.
If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses -- they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work.
You can't push all of the responsibility onto the FIs. Here's why:
1. Phishing is an attack on the user primarily and only secondarily on the FI. Consider what happens: the phisher sends a request (by email) to the user to have her send her details to him (using her browser). The parts in parentheses are optional but key: phishing is an attack on the browser using email to deliver the phish. We can more or less change the email to chat or SMS for example, but it is harder to change the browser component.
What's constant about all those issues is that the banks aren't in that primary loop as yet. So even if they have all the responsibility they are strictly limited in how they tell the user to "not do that."
2. FIs aren't the only target of phishing. Amazon and eBay are both big targets. So any attempt to stick it to the banks is just going to shift the attention to all sorts of other areas. Expect Amazon and every other merchant to prefer not to have that happen.
3. If you want to stick it to anyone, go looking for where this came from. The banks picked up this security model from somewhere. Here's where: the browser security model that was built on a miscast threat analysis, the server security model that was subject to big companies' agendas, and the client security model which is simply best described as "Insecurity by Microsoft." All of these elements are broken, in the security jargon.
If you want someone to blame for phishing in the wider sense, look to who pushed the tech (Microsoft, three times over. RSADSI, Verisign, Netscape for the browser security model. For server side, Sun, IBM, and thousands of security experts who said that as long as you buy our firewall you'll be OK. And don't forget whoever audited these systems and said they were secure. Yes, you four, or is it three... you know who I'm talking about.)
Ask this long list of beneficiaries how much liability *they* have for a breach. The answer may surprise: Nix, zip, nada, zilch. Zero in all currencies. So if you stick it to the banks, guess who's next on the list?
4. Taking a risk truism and extending it to a particular case is dangerous. It may be that security works best when those in the best position take on responsibility for those risks they can best mitigate. And it's clear that the banks are the larger party here and well capable of doing something to address phishing.
But if you put *all* the responsibility onto one party, not only do you have a measurement problem, you'll also have a moral hazard problem. Users will then shop and hook with gay abandon. How are banks supposed to keep up with attacks by both users and phishers? Turning off online banking is the only answer I can think of.
Posted by iang at October 7, 2005 11:37 AM
What Bruce suggests is a desirable idea, as are iang's objections. But ultimately the bank's sole role in the economy is to distinguish good and bad transactions/credits. If banks do not take responsibility for the security of their accounts, it's hard to say how they're providing any real service to their retail depositors.
Banks are going to have to adopt a risk management approach to on-line transactions, just as Visa and PayPal have. Big deals will mean turning up at a branch and micro-payments will take a click.
Their real problem is that they cannot currently distinguish a hacked customer [customer's fault], a defrauded customer [customer's fault and their worry], and a fraudulent customer [needs black-listing and prosecuting]. At the moment they're treating everyone as having been defrauded - which is slightly mean if they insist on using e-mail as an 'official' point of contact.
When the first bank detail stealing worms start ripping through the un-patched Win95 boxes of the world, this is going to become a genuine survival issue for people like egg.com and First Direct.
iang is right. In the long-term we will *have* to turn off pure on-line banking. [Possibly on-line stock brokering as well...] Everything will have to be confirmed by phone/fax. That doesn't mean that the web couldn't still be used to arrange these things. It's just that any substantial movement of money will need confirmation over a verifiable channel.
If the banks don't do it - someone else will!
(P.S. Given how much money banks make from personal and mortgage lending, you have to wonder how much more expensive their charges might get when the current debt boom snaps.)
Hi Thomas, thanks for your comments - returning your bite here :)
Banks do take a risk management approach, and one could argue that they are the only ones who do - they are certainly the experts at it, alongside the actuarial skills of the insurance companies.
But in this case what they have done is reduced their risks to near-zero at the expense of risks to users. Banks adopted a flawed security approach and carefully removed risks to themselves. As they also aggressively pushed it out to customers as if it were secure, they may well have exposed themselves to liabilities, but that's not really relevant to the big systemic picture.
Even if we were to reverse the banks' low-risk model by applying liability to them, we'd only be scratching the surface. See Lopez v. Bank of America, where the user got raided for using his Microsoft operating system (your example of worms is reality, for about 12-18 months now).
How are banks to deal with that? As I see it, there are problems at every leg, and while Bruce is right to point the finger at the banks, we need a lot more fingers than one, and really, what we need is for people to stand up and say "Whoops! We sure got that wrong ... now let's see about fixing it."
About the only person who's come close to saying that is Bill Gates, with his 2001 memo. Even he couldn't shift his company and source base far enough though. So if Bill Gates' attempts at security focus are the best we can do, then we'd better bed down for a long hard cold winter of net crime.
I am glad to see Iang's comments, they make a lot of sense to me. In his article Bruce proposed nothing specific and did not address any of the complexities or questions associated with his proposal. At the same time, getting the banks to have "more skin in the game" is desirable so it is good to see Bruce poking them with his stick.
The basic inability to establish an online trusted path between consumers and businesses can be seen as a hardware, OS, and browser issue. As I think Iang is pointing out, there are a number of stakeholders involved in solving this issue (certainly including but not limited to the banks).
As for the social engineering aspects, I am not sure what to think about that or how you would assign blame. If a user responds to a phisher's "Acme Bank" email and provides his SS# and CC# even though he is not even a customer of "Acme Bank," would Bruce propose to hold "Acme Bank" responsible for that?
If I may make some comments regarding liability and banking: I partially agree that banks should play a strong role in the problem of phishing, but even if this happened, it does not mean that banks would stop phishing. Phishing is a numbers game, and it's a difficult problem to solve. There are pre-emptive techniques that can be put into action (I personally have developed some, but that is beside the point) by the institutions themselves, but they have to understand the problem first, and so far, to this day, most of them do not even know where to go. The vendors aren't helping much, due to the fact that they are in it to make a lot of cash, which is really where the center of the problem lies in the first place. Slightly annoying paradigm to deal with.
Perhaps I should have opened with something milder than "bite" :-)
I've taken a look at Lopez v. Bank of America, it's a bit worrying this sort of thing can happen, but I suppose it is inevitable.
The really horrible decision there was the bank deciding to connect a customer's account to an international wire transfer system, and then not monitor or control this facility in any way.
Perhaps if the two-factor authentication actually authenticated the transaction rather than the user - I think this is done with SMS in Europe.
MR CUSTOMER. TRANS ID 12345556. WIRE $90k 2 LTVIA. RPL 2 CONFIRM. UR BANK.
That sort of thing? Then the instruction and the confirmation would run through the telecoms provider's systems, leaving a 3rd party record. (Yes, and violating your privacy, but most people don't care.)
It's interesting how you might tie a restricted secure channel to a rich, compelling and hopelessly insecure one. In the investment banking world they throw billions through things like SwapsWire with web services, but it's all [IIRC] ultimately confirmed through faxed account statements.
Perhaps it would be appropriate for some commercial bank transactions to start running on a 24-hour confirmation basis. We're always going to have the ambiguity of intentions [did he mean that], so I suppose it's a matter of managing down the 'window of doubt'.
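The distinction Thomas draws above, between a second factor that authenticates the user and one that authenticates the transaction, can be made concrete in code. The following is an added example written for this page, not code from the thread or from any bank; it assumes a per-customer key shared between the bank and the customer's confirmation device (how that key is provisioned is not shown), a canonical "id|amount|destination" string as the MAC input, and uses the transaction id, amount and destination from the SMS sketch above as constructed sample values. The point it demonstrates: a user-only OTP verifies whether or not the transaction was altered in the browser, whereas a transaction-bound code fails verification as soon as the destination (or amount) the bank received differs from the one the customer confirmed.

```python
import hmac
import hashlib

# Constructed sample key shared between the bank and the customer's
# confirmation device. Key provisioning is assumed, not shown here.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation in the style of HOTP (RFC 4226): pick 31 bits at an
    offset chosen by the low nibble of the last byte, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def user_otp(key: bytes, counter: int) -> str:
    """A code that proves only that the user holds the key (HOTP-like).
    Nothing about the transaction enters the computation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return _truncate(mac)


def transaction_code(key: bytes, txn: dict) -> str:
    """A code bound to the transaction: id, amount and destination are all
    inputs to the MAC, so altering any of them produces a different code."""
    canonical = "|".join([txn["id"], txn["amount"], txn["dest"]]).encode()
    mac = hmac.new(key, canonical, hashlib.sha256).digest()
    return _truncate(mac)


def bank_verify_transaction(key: bytes, received_txn: dict, code: str) -> bool:
    """Bank side: recompute over the transaction *as the bank received it*.
    If the browser-side submission was tampered with, this will not match
    the code the customer generated over the transaction they intended."""
    expected = transaction_code(key, received_txn)
    return hmac.compare_digest(expected, code)


def bank_verify_user_otp(key: bytes, counter: int, code: str) -> bool:
    """Bank side for the user-only factor: no transaction details involved."""
    return hmac.compare_digest(user_otp(key, counter), code)


def demo() -> dict:
    # Sample values taken from the SMS sketch in the thread; "ATTACKER-ACCT"
    # is a constructed placeholder for a substituted destination.
    intended = {"id": "12345556", "amount": "90000", "dest": "LTVIA"}
    tampered = dict(intended, dest="ATTACKER-ACCT")

    # The customer's device generates the code over the intended transaction.
    code = transaction_code(SHARED_KEY, intended)
    # A plain user OTP for comparison (counter value 1, constructed).
    otp = user_otp(SHARED_KEY, 1)

    return {
        # Transaction-bound code: accepted for the intended transfer only.
        "txn_code_accepts_intended": bank_verify_transaction(SHARED_KEY, intended, code),
        "txn_code_accepts_tampered": bank_verify_transaction(SHARED_KEY, tampered, code),
        # User-only OTP: the bank cannot tell the two submissions apart.
        "user_otp_accepts_intended": bank_verify_user_otp(SHARED_KEY, 1, otp),
        "user_otp_accepts_tampered": bank_verify_user_otp(SHARED_KEY, 1, otp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The code is still only as strong as the channel that carries the transaction details to the device: if the customer's device shows "LTVIA" while the bank holds "ATTACKER-ACCT", the mismatch is caught, but if the details are displayed by the same compromised browser that submitted them, the customer can be tricked into confirming the wrong thing. That is why the out-of-band (SMS, phone, fax) leg in the comments above matters as much as the MAC.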