Thursday, June 28, 2007

New Zealand Banking Law Shifts Security Responsibility to Customer

An article in Computerworld notes that New Zealand has shifted the burden of security responsibility, and the burden of proof, from the bank to the customer in cases of alleged online theft or fraud.

There has been some debate on the concept. It certainly makes some sense to say that if you don't protect your access methods, the bank should not be liable for your financial losses.
But there's also the issue of customer service. The whole point of online access is to provide additional and better customer service. Shouldn't the bank also provide adequate tools to allow its customers to operate safely? And what about the role of NAC and endpoint security in this scenario? Doesn't it make sense to check the customer's PC before the transaction is allowed?

What other issues should be considered, before this shows up in the US Congress?

3 comments:

craver said...

Interesting idea -- but I think there would be additional risks for banks taking on the responsibility of validating the on-going security of individual customers' computers.

What if the bank employee who scanned my computer accidentally deleted some of my files? Valuable customer/work/trade data...

Or worse, viewed some of my files.

What if a bank employee discovered that the computer they scanned contained illegal material -- would they report their customer to the police? If they didn't, could they be held liable?

It seems if banks are going to take on the responsibility of validating the security of a customer's system, they need to take a pro-active role in securing systems on an ongoing basis, not just absolve themselves of any responsibility when "they" deem there's been a breach.

How would a regular person fight the bank's decision that their computer was insecure and the cause of a breach? Hire a data forensics team to refute the bank's analysis?

Would the bank attempt to hold the individual liable if a security breach led to a financial loss that wasn't limited to the individual?

My view is that the security needs to be transactional in nature.

For argument's sake, it doesn't matter if my computer is insecure, infected with Code Red, etc., so long as the interaction between the bank customer and the bank is authenticated and typical.

Through FFIEC recommendations and VISA PCI we've seen financial institutions take a number of steps -- from multi-factor authentication, to transaction/pattern analysis, token/fobs/PKI. All focused on the transaction.

Allowing customers to use online financial applications can be cost effective for the institution -- minimizing the B&M costs of tellers, sorting, processing, etc. -- and will become even more lucrative so long as they can manage to mitigate the security losses/risks.

Scanning customers' computers and holding them responsible is the brick-and-mortar equivalent of strip searching everyone as they walk into the bank before they get to the teller.

If that's the case, I'll keep my $50 savings account under my mattress then, thank you very much. ;-)

Anonymous said...

This issue just came up this past week at work. A new VPN client was launched that requires 'host checker' software to be installed on the client. This software scans the computer based on host-configured rules to check for installed software, open ports, connection sharing, running processes, etc. It then phones that information back home. It continues to do this on a set interval.

Similar to the questions Chris posed: what if my employer noticed browsing history from Monster.com? Or maybe noticed search queries on 'how to avoid foreclosure'? Would they be more likely to push overtime, knowing I couldn't afford to lose my job? Also, who is responsible if the 'host checker' software is ever hacked and my system is compromised?

The majority of my colleagues accepted the new VPN client without raising an eyebrow. I wrote a few emails that fell on deaf ears. In the end, I created a Windows XP virtual machine (using the free Virtual PC 2007) - which also gives me the ability to analyze the 'host checker' program in a clean environment to see what they're really up to.
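The host checker described in the comment above evaluates a machine against rules and phones the result home. The example below is added here and is not the commenter's code or any vendor's product; it shows a rule-driven posture check over a constructed host snapshot that reports only per-rule verdicts rather than the raw process list, port table or browsing data, which is the data-minimization the commenter's privacy concern calls for. All product and process names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class HostSnapshot:
    """What a posture agent can observe locally. Fields hold constructed sample data."""
    processes: set          # names of running processes
    listening_ports: set    # TCP ports currently listening
    connection_sharing: bool
    installed: dict         # product name -> version string

def version(s: str) -> tuple:
    """Turn '2.1' into (2, 1) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in s.split("."))

# Rules of the kind the comment describes: software present, ports closed, sharing off.
# 'avengine.exe' and 'vpnclient' are hypothetical names used for the demo.
RULES = [
    ("antivirus_running",    lambda h: "avengine.exe" in h.processes),
    ("no_file_sharing_port", lambda h: 445 not in h.listening_ports),
    ("ics_disabled",         lambda h: not h.connection_sharing),
    ("patched_vpn_client",   lambda h: version(h.installed.get("vpnclient", "0")) >= (2, 1)),
]

def evaluate(host: HostSnapshot) -> dict:
    """Run every rule locally; returns {rule_name: passed}."""
    return {name: bool(check(host)) for name, check in RULES}

def posture_report(host: HostSnapshot) -> dict:
    """The only thing that should leave the machine: an overall verdict and the names of
    failed rules. No process names, port numbers or version strings are sent, so the
    server (or anyone who compromises it) learns nothing beyond compliance status."""
    results = evaluate(host)
    return {
        "compliant": all(results.values()),
        "failed": sorted(name for name, ok in results.items() if not ok),
    }

# Constructed sample hosts: one compliant, one failing every rule.
CLEAN_HOST = HostSnapshot({"avengine.exe", "explorer.exe"}, {135}, False, {"vpnclient": "2.1"})
DIRTY_HOST = HostSnapshot({"explorer.exe"}, {135, 445}, True, {"vpnclient": "1.9"})

if __name__ == "__main__":
    print(posture_report(CLEAN_HOST))
    print(posture_report(DIRTY_HOST))
```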

craver said...

Shawn, another valuable point -- using an embedded machine to handle your trusted/untrusted (depends on your point of view) work transactions.

There are hardware and software solutions that try to address this without the overhead of another OS, as you're using for work, but the concept is the same.

Some financial institutions are trying to use trusted machines/modules on USB keys. Lenovo/IBM has the TPM on some ThinkPads and IBM servers.

But the ultimate interaction/interface of the Trusted Platform with the "real world" is where some of these concepts break down.

It's like taking your cherry '67 Chevy Camaro out for a drive on Sunday.

As soon as you leave the safety of your garage and your driveway, you're on someone else's road, at risk for chips, crashes, and dings.

Your car's no good if you don't leave the driveway.

You take the risk, but you stay on paved roads, and avoid pot-holes and dark alleys. :-)

Back to technology...

Ultimately someone, somewhere has access to your transaction. Even with Point-to-Point VPNs and SSL, given enough time and computing -- we'll see what your password was and your bank account number.

And as cyber-thieves become more sophisticated, I expect a future "Code Red" will render an infected machine usable as part of a world-wide grid for cracking these very financial transactions.

What then? Free anti-virus for everyone? One-time passwords? I just signed up for PayPal's Security Key, also known as an OTP (one-time password) device. I think I'll blog more about this later.

Glad to hear that you're taking extra steps to keep your business/personal computing separate, especially since work expects you to be available remotely, but won't provide a device (laptop/desktop) to such an end. (can't you tell them you only run Windows 3.11 at home to get on the 'net and check email?) :-)