Some related discussion in this recent post
http://www.garlic.com/~lynn/2008j.html#56 WoW security: now better than most banks
about lots of work being done in late 90s on compensating procedures for well recognized vulnerabilities of personal computers ... mostly compensating procedures involving various kinds of hardware tokens. then a particular disastrous deployment(s) saw retrenching from all the efforts (rapidly spreading opinion that hardware tokens were not practical in the consumer market).
post-mortem analysis turned up that problems had little to do with hardware tokens themselves but (after-market) installation and configuration problems (regarding interfaces connected via serial port).
there were presentations at banking conferences in the mid-90s about the transition to internet for online banking.
one class of presentations was moving the existing (consumer) online banking from bank-specific dialup to internet based ... the issue was that there was significant customer support costs with dial-up modems connected via serial port and associated bank provided software. moving to the internet basically moved all such support costs to ISP (and other vendors) ... which were also amortized across a much larger set of applications (not just banking).
an observation was that it was unfortunate that the institutional knowledge (about serial-port problems from the earlier generation of online banking) wasn't used to avoid the later hardware token deployment problems.
the other class of presentations (from mid-90s banking conferences) was that internet (& personal computers using the internet), were too vulnerable to use for "cash management" ... aka commercial/business version of "online banking".
Posted by Lynn Wheeler at July 6, 2008 10:27 AM

re:
http://www.garlic.com/~lynn/2008j.html#61 German court finds Bank responsible for malwared PC
some amount of this is long-time, well understood personal computer vulnerabilities ... especially when connected to the internet ... and also well understood the inability of after-market security products to effectively deal with the multitude of problems (i.e. often repeated refrain that security has to be built in).
since retrenching of the various hardware token based efforts of the late 90s (after disastrous deployments ... mostly unrelated to actual hardware token characteristics) ... the current security buzzword is virtualization.
for little topic drift ... my (current) linkedin tag-line is 40+ virtualization experience, online at home since Mar70.
http://www.linkedin.com/in/lynnwheeler
I had done a lot of work as undergraduate that was being picked up and shipped in commercial product. At the time, I would periodically get requests to do certain things ... for inclusion in commercial product. Some yrs later, I hypothesized that some of the requests may have originated with various gov. organizations ... indirect reference here:
http://www.nsa.gov/selinux/list-archive/0409/8362.cfm
which strongly influences my belief that security has to be built into the infrastructure .... after-market solutions are only poor piecemeal patchwork.
a current strategy is to leverage virtualization to address a multitude of fundamental vulnerabilities (much better than any of the after-market products, which are also increasingly becoming ineffective). Note that there are still a few ways to compromise the virtualization countermeasures ... and one of the problems (in the current environment) is that none of the existing after-market security products are effective against such compromises (accelerating those products' obsolescence).
Banks are liable for phishing attacks on customers, says German court
A German court has ruled that banks are liable for phishing attacks on customers, reports Spiegel.
A judgment of the Amtsgericht (lowest court) at Wiesloch says the banks are responsible for damages arising from unauthorised interception of confidential data (phishing).
...