November 23, 2004

Bank coverups no longer acceptable in retail payment systems

The tide is turning on bank responsibility for retail frauds. Two years back it was normal for banks to deny any responsibility for problems with their systems. Coverups were routine, and the computer could never ever be wrong. Phantom withdrawals just don't happen.

That seems to have changed [1]. It's now quite routine for banks to announce that a certain group of customers have had their identities lifted. I think there are several factors behind this sea weather change; and whilst we might not be able to isolate a sole cause, I do think there is a trend based on these factors:

Firstly, in California, in about 2001, a state law was passed that made it mandatory for companies to notify the effected customers when a system is cracked and data could have been lifted. It would seem that the effect of this was felt outside the California, possibly because many US companies would have trouble advising just their Californian customers of a breach.

Secondly, observations have been made by security people that the banks should cooperate more and hide less [2]. We've known for a long time what happens when a company reveals a hack: the stock market and the press in all their combined ignorance downgrades the stock, as if it is a calamitous event. This sort of ignorance still pervades, but it looks increasingly ignorant, now [3].

What we hadn't really stressed until recently is the benefits from not covering up. There is the opportunity to swap notes, to learn from each other's mistakes, and to coordinate information and patterns with a better probability of hitting the scamster. This is now happening [4].

Thirdly, it has to be said that the massive increase in identity theft in the US, and the explosion of phishing, has made it easier for banks to be honest. It has now become institutionalised [5], which means it is no longer plausible to fob it off as something that really has no bearing on the here and now. Everyone knows about phishing, everyone knows about phantom withdrawals.

Fourthly, efforts by the Internet community in general, and by expert witnesses such as Ross Anderson and his students, in particular, have made the coverup a weaker tool. Several times, the banks have gone to court saying such and such a breach was impossible. Several times, Ross Anderson and his team have shown them to be wrong. (The banks even have the gall to admit that they misled the courts (and their customers) by then seeking to keep the evidence secret!)

And it is not just the courts. Information on frauds spread very quickly through the mail lists and blog spaces of small Internet merchants. Within days of a heist, the merchants know what is going on. The financial institutions can say what they like, but they can no longer rely on an unempowered clientelle to accept the spoonfed message.

All this new found honesty is a good thing, for consumers, and for financial institutions as well. We've long known that secrecy does not breed security, it just hides the problems. The difficulty with secrecy as a security policy is that it hides the problems equally badly from the public, from the crooks, and from the secret holder itself, so all that is really gained is a lottery as to who sees through the facade first.

One final observation is, I think, merited: All this willingness to work together and reveal the real hard facts quickly has been done by means of the market pressurising the financial institutions. Other than the California state law (which is easy enough to bypass), everything is between the customers and the banks (scammers falling somewhere vaguely in the middle).

Which is to say that the regulators of the banks are nowhere to be seen. I think on balance this is a good thing. The perverse concentration on strong identity that leads directly to strong identity theft is primarily a creature of the regulatory bodies, so the less they do the better, if reducing fraud is our aim.

[1] "More debit cards replaced," Richard Burnett,,0,5005015.story?coll=sfla-news-florida

[2] "How Much Security is Enough to Stop a Thief?," Stuart Schechter and Michael Smith, FC03

[3] " Under Phishing Attack, British Bank Shuts Down Some Services," Gregg Keizer;jsessionid=CIGVP13WT43RMQSNDBGCKHSCJUMEKJVN?articleID=53700579

[4] "Companies Forced to Fight Phishing," By Brian Krebs,

[5] "Phishing Feeds Internet Black Markets," By Brian Krebs

Posted by iang at November 23, 2004 08:50 AM | TrackBack

As I recall, the market cap downgrade for a security breach is now only on the order of 2% of a company's value, unless its a security or internet company.

My copy of the security economics book is on loan right now, so I can't check the reference, but see.... ... "The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers," which link is now broken, thanks to UT Dallas.

Posted by: Adam Shostack at November 23, 2004 05:22 PM

Here's what the Ross Anderson page says:

_The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers_ provides an analysis of the effect of security scares on share prices. A firm whose security is publicly breached can expect to lose 2.1% of its market capitalisation (an average of $1.61 bn per incident) while security vendors gain an average of 1.36% from each such announcement (giving a total gain of $1.06 bn per incident). Another study, of the February 2000 DDoS attacks, showed a slightly greater loss. (The Register has a more cynical view.)

Certainly seems interesting ... but I have searched the net, and it seems that the paper is no longer available. Bummer!

Posted by: Iang at November 23, 2004 07:33 PM