July 06, 2008
German court finds Bank responsible for malwared PC
Spiegel reports that a German lower court ("Amtsgerichts Wiesloch (Az4C57/08)") has found a bank responsible for malware-driven transactions on a user's PC. In this case, her PC was infected with some form of malware that grabbed the password and presumably a fresh TAN (German one-time number to authenticate a single transaction) and scarfed 4000 euros through an eBay wash.
Unfortunately the report is only in German, so the analysis that follows is limited and unreliable. It appears that the court's logic was that, since the transaction was not authenticated by the user, it is the bank's problem.
This seems fairly simple, except that Microsoft Windows-based PCs are difficult to keep clean of malware. In this case, the user had a basic anti-virus program, but that's not enough these days (see top tips on what helps).
We in the security field all knew that, and customers are increasingly becoming aware of it too. The question the banking and security world is asking itself is whether, why and when the bank is responsible for the user's insecure PC. Shouldn't the user take some of the risk for using an insecure platform?
The answer is no. The risk belongs totally to the bank in this case, in the opinion of the Wiesloch court, and the court of financial cryptography agrees. Consider the old legal principle of putting the responsibility with the party best able to manage it. In this case, the user manifestly cannot manage it. Further, the security industry knew that the Windows PC was not secure enough for risky transactions, and that Microsoft software was the dominant platform. The banking industry has had this advice in tanker-loads (cf. EU "Finread"), and in many cases banks have even heeded the advice, only to discard it later. The banking industry decided to go ahead in the face of this advice and deploy online banking for support cost motives. The banks took on this risk, knowing the risk, and knowing that the customer could not manage this risk.
Therefore, the liability falls completely to the bank in the basic circumstances described, in this blog's opinion! (It might have been different if the user had done something wrong, such as participating in a mule wash, or had carried on in the face of clear evidence of infection.)
There is some suggestion that the judgment might become a precedent, though it might not. We shall have to wait and see, but one thing is clear: online banking has a rocky road ahead of it, as the phishing rooster comes home to roost. As a contrary example, another case in Cologne (Az: 9S195/07) mentioned in the article put the responsibility for EC-card abuse with the customer. As we know, smart cards can't speak to the user about what they are doing, so again we have to ask what the Windows PC was saying about the smart card's activities. If the courts hold the line that the user is responsible for her EC-card, then this can only cause the user to mistrust her EC-card, potentially leading to yet another failure of an expensive digital signing system.
The costs for online banking are going to rise. A part of any solution, as frequently described by security experts, is to not trust widely deployed Microsoft Windows PCs for online banking, which in effect means PCs in general. A form of protection is fielded in some banks whereby the user's mobile phone is used to authenticate the real transaction over another channel. This is mostly cheap and mostly effective, but it isn't a comprehensive or permanent solution.
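The two mechanisms this post contrasts, the fresh TAN that the malware on the infected PC could capture and reuse, and the mobile-phone confirmation of "the real transaction over another channel", can be shown side by side. The following is an added example, not code from this post or from any bank's actual mTAN system: it models a paper TAN list, where any unused TAN authorises any transfer, against a transaction-bound code that is an HMAC over a nonce and the transfer details, delivered as a text message the customer reads. The account strings, the six-digit code format, the message wording and the rule that a wrong code invalidates the pending request are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account: str          # the customer's own account (constructed sample values below)
    recipient_iban: str
    amount_cents: int


class TanListBank:
    """Paper TAN list: any unused TAN authorises any transfer at all."""

    def __init__(self, tans):
        self.unused = set(tans)

    def submit(self, transfer, tan):
        if tan not in self.unused:
            return False
        self.unused.remove(tan)          # each TAN is single-use, but not bound to anything
        return True


class BoundTanBank:
    """Transaction-bound TAN delivered over a second channel (modelled as an SMS string).
    The code is an HMAC over a fresh nonce and the transfer details, so it authorises only
    the exact transfer whose details the customer can read on the phone. (Assumed scheme.)"""

    def __init__(self, key):
        self.key = key
        self.open_nonces = set()

    def _code(self, nonce, t):
        msg = f"{nonce}|{t.account}|{t.recipient_iban}|{t.amount_cents}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def request_tan(self, transfer):
        nonce = secrets.token_hex(8)
        self.open_nonces.add(nonce)
        sms = (f"Transfer {transfer.amount_cents / 100:.2f} EUR to "
               f"{transfer.recipient_iban}. TAN: {self._code(nonce, transfer)}")
        return nonce, sms

    def submit(self, nonce, transfer, code):
        if nonce not in self.open_nonces:
            return False
        # One attempt per request: a wrong code invalidates the pending transfer,
        # so the customer has to ask for a fresh TAN rather than letting anyone retry.
        self.open_nonces.discard(nonce)
        return hmac.compare_digest(self._code(nonce, transfer), code)


def tan_from_sms(sms):
    return sms.rsplit("TAN: ", 1)[1]


def customer_accepts_sms(sms, intended):
    """What the second channel actually buys: the customer compares the message
    against the transfer she meant to make before typing the code."""
    head, _ = sms.split(". TAN: ", 1)
    amount, recipient = head[len("Transfer "):].split(" EUR to ", 1)
    return recipient == intended.recipient_iban and amount == f"{intended.amount_cents / 100:.2f}"


def run_scenarios():
    legit = Transfer("DE00 CUSTOMER", "DE00 SHOP", 4_000)      # 40.00 EUR to a shop
    fraud = Transfer("DE00 CUSTOMER", "DE00 MULE", 400_000)    # 4000.00 EUR to a mule account
    results = {}

    # 1. Paper TAN list: the infected PC records the TAN typed for `legit`;
    #    presented with a completely different transfer it is still accepted.
    bank = TanListBank({"481516", "234208"})
    results["plain_tan_reused_by_attacker"] = bank.submit(fraud, "481516")

    # 2. Transaction-bound TAN: the same captured code is useless for a different transfer.
    bank2 = BoundTanBank(secrets.token_bytes(32))
    nonce, sms = bank2.request_tan(legit)
    results["bound_tan_reused_by_attacker"] = bank2.submit(nonce, fraud, tan_from_sms(sms))
    nonce, sms = bank2.request_tan(legit)                     # fresh request for the real transfer
    code = tan_from_sms(sms)
    results["bound_tan_legit"] = bank2.submit(nonce, legit, code)
    results["bound_tan_replay"] = bank2.submit(nonce, legit, code)

    # 3. The residual risk the post alludes to: if the transfer is altered on the PC before
    #    the request reaches the bank, the code is bound to the altered transfer, and the
    #    only remaining defence is that the message shows the wrong recipient and amount.
    nonce, sms = bank2.request_tan(fraud)
    results["tampered_request_visible_to_customer"] = not customer_accepts_sms(sms, legit)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 3 is why the post calls the mobile-phone channel "mostly effective" rather than comprehensive: the binding moves the decisive check from the compromised PC to the customer reading a short message, which is better than a bare TAN but still depends on attention and on the phone itself staying clean.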
Posted by iang at July 6, 2008 08:28 AM
Some related discussion in this recent post
http://www.garlic.com/~lynn/2008j.html#56 WoW security: now better than most banks
about lots of work being done in late 90s on compensating procedures for well recognized vulnerabilities of personal computers ... mostly compensating procedures involving various kinds of hardware tokens. then a particular disastrous deployment(s) saw retrenching from all the efforts (rapidly spreading opinion that hardware tokens were not practical in the consumer market).
post-mortem analysis turned up that problems had little to do with hardware tokens themselves but (after-market) installation and configuration problems (regarding interfaces connected via serial port).
there were presentations at banking conferences in the mid-90s about the transition to internet for online banking.
one class of presentations was moving the existing (consumer) online banking from bank-specific dialup to internet based ... the issue was that there was significant customer support costs with dial-up modems connected via serial port and associated bank provided software. moving to the internet basically moved all such support costs to ISP (and other vendors) ... which were also amortized across a much larger set of applications (not just banking).
an observation was that it was unfortunate that the institutional knowledge (about serial-port problems from the earlier generation of online banking) wasn't used to avoid the later hardware token deployment problems.
the other class of presentations (from mid-90s banking conferences) was that the internet (& personal computers using the internet) were too vulnerable to use for "cash management" ... aka commercial/business version of "online banking".
http://www.garlic.com/~lynn/2008j.html#61 German court finds Bank responsible for malwared PC
some amount of this is long-time, well understood personal computer vulnerabilities ... especially when connected to the internet ... and also well understood the inability of after-market security products to effectively deal with the multitude of problems (i.e. often repeated refrain that security has to be built in).
since retrenching of the various hardware token based efforts of the late 90s (after disastrous deployments ... mostly unrelated to actual hardware token characteristics) ... the current security buzzword is virtualization.
for little topic drift ... my (current) linkedin tag-line is 40+ virtualization experience, online at home since Mar70.
I had done a lot of work as undergraduate that was being picked up and shipped in commercial product. At the time, I would periodically get requests to do certain things ... for inclusion in commercial product. Some yrs later, I hypothesized that some of the requests may have originated with various gov. organizations ... indirect reference here:
which strongly influences my belief that security has to be built into the infrastructure .... after-market solutions are only poor piecemeal patchwork.
a current strategy is to leverage virtualization to address multitude of fundamental vulnerabilities (much better than any of the after market products, which are also increasingly becoming ineffective). Note that there are still a few ways to compromise the virtualization countermeasures ... and one of the problems (in the current environment) is that none of the existing after market security products are effective against such compromises (accelerating those products' obsolescence).
Banks are liable for phishing attacks on customers, says German court
A German court has ruled that banks are liable for phishing attacks on customers, reports Spiegel.
A judgment of the Amtsgericht (lowest court) at Wiesloch says the banks are responsible for damages arising from unauthorised interception of confidential data (phishing).