April 06, 2005

Lopez v. BoA leads to rising bank FUD, if not clues

I've written before about how a major milestone in phishing was reached when Lopez sued Bank of America in Florida, USA. If you haven't seen that, read this article. It may not be obvious from the outside, but for once a press journalist has talked to some people in the banking world and discovered something new: fear.

Regardless of what a judgement or settlement brings to the actual litigants, dotted-line association with the BofA case will likely cause financial institutions to spend at least some additional money on security to prevent fraud. And since North American banks already spend more than $1 billion per year on such technology, the notion that they're not spending it in the right place or in the right amount raises temperatures. "I just came from Washington, where I was at a meeting of 40 financial institutions, regulators and the government," says Ilieva Ageenko, director of emerging enterprise applications for Wachovia. "We all said there's a press euphoria [about on-line crime] and pretty much all institutions have a very well-defined risk management strategy that allows us to identify fraud."

Banks are scared of the Lopez case. What does that tell us? It tells us that banks know this is not a frivolous case, and, furthermore, that banks don't know what to do about it.

All the buzz is about two-factor authentication tokens, but in their hearts, banking people know this isn't the answer to the problem. The reasons are two-fold. First, the tokens are expensive, and the banks will likely have to foot the bill: one hardware gizmo for every customer. Second, the banks also suspect that the secure tokens being peddled by irresponsible companies are not a real answer to the problem, but only a short-term hack.

The banks suspect this, but the peddlers aren't telling them the truth. Security people have long known that these tokens are still subject to phishing: a one-time code only forces the phisher to relay it to the bank in real time, within the code's validity window, instead of logging in with a stolen password at his own sweet time.

Yes, ladies and gentlemen, the secure tokens prove that whoever holds the token is authenticating right now, but they don't prove there isn't someone in the middle passing packets back and forth and happily reading the traffic! A phishing site that relays the session is a man-in-the-middle (MITM), and these tokens fall to the MITM. Or will do, when the phishers get around to it.

So what's the solution? FCers know the solution is in bringing the user and her browser back into the security model, so that the authentication is bound to the site the browser is actually talking to. Banks know they can't do that (alone), but they also know that at the end of the day, they are going to have to carry the can (also alone). Even if the Lopez case goes against them, all the posturing tells us one more thing: banks know the FDIC or whoever will eventually put the onus on them to solve the problem.
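To make the two points above concrete, here is an added simulation (not code from the original post). It assumes a time-based HMAC one-time code of the kind hardware tokens produce, a constructed per-customer seed and password, and a constructed lookalike phishing site that forwards whatever the victim types to the real bank at once. The first scenario shows the real-time relay: the code is accepted when relayed live, and refused on replay or ten minutes later, which is exactly the "dynamic real-time phish" the tokens force. The second scenario is a hypothetical origin-bound response in which the user's browser mixes the site origin into the MAC (the same idea later standardised in FIDO/WebAuthn), so the value the victim produces for the phisher's origin is useless at the bank's origin.

```python
import hashlib
import hmac
import struct

# Constructed sample values; a real deployment has a random per-customer seed.
SEED = b"constructed-per-customer-token-seed"
PASSWORD = "hunter2"
STEP = 30  # seconds per one-time code


def totp(seed: bytes, now: int, digits: int = 6) -> str:
    """Time-based one-time code: HMAC-SHA1 over the 30-second counter, truncated
    the way hardware tokens do it.  Note what is NOT in the MAC input: nothing
    about which site the code is being typed into."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10 ** digits:0{digits}d}"


def bound_response(seed: bytes, now: int, origin: str) -> str:
    """Hypothetical origin-bound response (an assumption, not the post's design):
    the browser mixes the origin it is actually connected to into the MAC, so
    the response is only valid for that site."""
    msg = struct.pack(">Q", now // STEP) + origin.encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:16]


class Bank:
    ORIGIN = "https://bank.example"  # constructed

    def __init__(self, seed: bytes):
        self.seed = seed
        self.spent = set()  # codes already accepted, to enforce one-time use

    def login_otp(self, password: str, code: str, now: int) -> bool:
        if password != PASSWORD:
            return False
        expected = totp(self.seed, now)
        if not hmac.compare_digest(code, expected) or expected in self.spent:
            return False
        self.spent.add(expected)
        return True

    def login_bound(self, password: str, response: str, now: int) -> bool:
        if password != PASSWORD:
            return False
        return hmac.compare_digest(response, bound_response(self.seed, now, self.ORIGIN))


class PhishingSite:
    """Constructed lookalike site: whatever the victim types is forwarded to the
    real bank immediately, inside the same 30-second window."""
    ORIGIN = "https://bank-example.com"

    def __init__(self, bank: Bank):
        self.bank = bank

    def relay_otp(self, password: str, code: str, now: int) -> bool:
        return self.bank.login_otp(password, code, now)

    def relay_bound(self, password: str, response: str, now: int) -> bool:
        return self.bank.login_bound(password, response, now)


def otp_relay_scenario(now: int = 1112817000):
    """Returns (live relay accepted?, replay of same code accepted?, use 10 minutes later accepted?)."""
    bank = Bank(SEED)
    phisher = PhishingSite(bank)
    code = totp(SEED, now)  # victim reads the code off the token and types it into the phish
    live = phisher.relay_otp(PASSWORD, code, now)
    replay = bank.login_otp(PASSWORD, code, now)
    later = bank.login_otp(PASSWORD, code, now + 600)
    return live, replay, later


def bound_relay_scenario(now: int = 1112817000):
    """Returns (relayed origin-bound response accepted?, honest login accepted?)."""
    bank = Bank(SEED)
    phisher = PhishingSite(bank)
    victim_resp = bound_response(SEED, now, PhishingSite.ORIGIN)  # browser binds to the site it sees
    relayed = phisher.relay_bound(PASSWORD, victim_resp, now)
    honest = bank.login_bound(PASSWORD, bound_response(SEED, now, Bank.ORIGIN), now)
    return relayed, honest


if __name__ == "__main__":
    print("OTP token: live relay / replay / later =", otp_relay_scenario())
    print("Origin-bound: relayed / honest =", bound_relay_scenario())
```

The one-time property buys the bank only the replay and "later" refusals; it does nothing against the live relay, because nothing in the code says which site it was typed into. The origin-bound variant closes that gap, but only because the browser takes part in computing the response, which is precisely the part of the security model the banks cannot fix alone.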

So who can solve the problem? Who do the poor phishing victims have to sue?

"Wachovia offers the standard 128-bit encryption and requires on-line customers to have user IDs and passwords."

Who told you that would secure your customers?

Some more snippets: stats suggest that users (now, still) trust online banking more than branch banking. Yet corporate customers would change banks if they could get fraud controls from a new bank (sorry, PDF).

Posted by iang at April 6, 2005 09:09 PM

Iang, that online banking trust survey doesn't pass my smell test. 59% feel their "Personal information is more secure when [they] bank at [their] Primary Institution's branch office than if [they] bank online with [their] Primary Institution". What does that mean? Only 15% trust online banking less than branch banking? That's pretty surprising.

Anyone confident in the methodology of Ponemon or Watchfire? (The latter certainly has an angle to sell.) The fact that it is an online survey that reports that "the top banks selected as their primary bank for online banking are National City, Washington Mutual, U.S. Bank, PNC, Citibank and Wachovia" (not in report, but in press release at http://www.watchfire.com/news/releases/4-5-05.aspx) further makes me suspicious: Bank of America claimed to have the most online customers in 2003 at 6.2 million, more than the total number of customers of, say, Wachovia or National Bank.

Report is at http://www.watchfire.com/resources/privacy-survey.pdf

Posted by: allan friedman at April 6, 2005 05:42 PM

Hey Allan, for the right price I will prepare you a survey that states exactly what you want it to say ;-)

It is very tough, there are few sources of good information in any of these questions, because whoever takes the trouble to report on it almost always has some angle to peddle.

Posted by: Iang at April 6, 2005 05:59 PM