I'll bite....
What Bruce suggests is a desirable idea, as are iang's objections. But ultimately the bank's sole role in the economy is to distinguish good and bad transactions/credits. If banks do not take responsibility for the security of their accounts, it's hard to say how they're providing any real service to their retail depositors.
Banks are going to have to adopt a risk management approach to on-line transactions, just as Visa and PayPal have. Big deals will mean turning up at a branch and micro-payments will take a click.
Their real problem is that they cannot currently distinguish a hacked customer [customer's fault], a defrauded customer [customer's fault and their worry], and a fraudulent customer [needs black-listing and prosecuting]. At the moment they're treating everyone as having been defrauded - which is slightly mean if they insist on using e-mail as an 'official' point of contact.
When the first bank-detail-stealing worms start ripping through the un-patched Win95 boxes of the world, this is going to become a genuine survival issue for people like egg.com and First Direct.
iang is right. In the long-term we will *have* to turn off pure on-line banking. [Possibly on-line stock brokering as well...] Everything will have to be confirmed by phone/fax. That doesn't mean that the web couldn't still be used to arrange these things. It's just that any substantial movement of money will need confirmation over a verifiable channel.
If the banks don't do it - someone else will!
(P.S. Given how much money banks make from personal and mortgage lending, you have to wonder how much more expensive their charges might get when the current debt boom snaps.)
Posted by Thomas Barker at October 8, 2005 09:15 PM
Hi Thomas, thanks for your comments - returning your bite here :)
Banks do take a risk management approach, and one could argue that they are the only ones who do - they are certainly the experts at it, alongside the actuarial skills of the insurance companies.
But in this case what they have done is reduce their risks to near-zero at the expense of risks to users. Banks adopted a flawed security approach and carefully removed risks to themselves. As they also aggressively pushed it out to customers as if it were secure, they may well have exposed themselves to liabilities, but that's not really relevant to the big systemic picture.
Even if we were to reverse the banks' low-risk model by applying liability to them, we'd only be scratching the surface. See Lopez v. Bank of America, where the user got raided for using his Microsoft operating system (your example of worms is reality, for about 12-18 months now).
How are banks to deal with that? As I see it, there are problems at every leg, and while Bruce is right to point the finger at the banks, we need a lot more fingers than one, and really, what we need is for people to stand up and say "Whoops! We sure got that wrong ... now let's see about fixing it."
About the only person who's come close to saying that is Bill Gates, with his 2001 memo. Even he couldn't shift his company and source base far enough though. So if Bill Gates' attempts at security focus are the best we can do, then we'd better bed down for a long hard cold winter of net crime.
Posted by Iang at October 9, 2005 01:16 PM
I am glad to see Iang's comments, they make a lot of sense to me. In his article Bruce proposed nothing specific and did not address any of the complexities or questions associated with his proposal. At the same time, getting the banks to have "more skin in the game" is desirable so it is good to see Bruce poking them with his stick.
The basic inability to establish an online trusted path between consumers and businesses can be seen as a hardware, OS, and browser issue. As I think Iang is pointing out, there are a number of stakeholders involved in solving this issue (certainly including but not limited to the banks).
As for the social engineering aspects, I am not sure what to think about that or how you would assign blame. If a user responds to a phisher's "Acme Bank" email and provides his SS# and CC# even though he is not even a customer of "Acme Bank," would Bruce propose to hold "Acme Bank" responsible for that?
Posted by Garth Somerville at October 10, 2005 12:03 PM
If I may make some comments regarding liability and banking: I partially agree that banks should play a strong role in the problem of phishing, but even if this happened, it does not mean that banks would stop phishing. Phishing is a numbers game, and it's a difficult problem to solve. There are pre-emptive techniques that can be put into action (I personally have developed some, but that is beside the point) by the institutions themselves, but they have to understand the problem first, and so far, to this day, most of them do not even know where to go. The vendors aren't helping much, due to the fact that they are in it to make a lot of cash, which is really where the center of the problem lies in the first place. Slightly annoying paradigm to deal with.
Posted by Lance at October 10, 2005 02:53 PM
Perhaps I should have opened with something milder than "bite" :-)
I've taken a look at Lopez v. Bank of America; it's a bit worrying this sort of thing can happen, but I suppose it is inevitable.
The really horrible decision there was the bank deciding to connect a customer's account to an international wire transfer system, and then not monitor or control this facility in any way.
Perhaps if the two-factor authentication actually authenticated the transaction rather than the user - I think this is done with SMS in Europe.
MR CUSTOMER. TRANS ID 12345556. WIRE $90k 2 LTVIA. RPL 2 CONFIRM. UR BANK.
That sort of thing? Then the instruction and the confirmation would run through the telecoms provider's systems, leaving a 3rd party record. (Yes, and violating your privacy, but most people don't care.)
It's interesting how you might tie a restricted secure channel to a rich, compelling and hopelessly insecure one. In the investment banking world they throw billions through things like SwapsWire with web services, but it's all [IIRC] ultimately confirmed through faxed account statements.
Perhaps it would be appropriate for some commercial bank transactions to start running on a 24-hour confirmation basis. We're always going to have the ambiguity of intentions [did he mean that], so I suppose it's a matter of managing down the 'window of doubt'.
Posted by Thomas Barker at October 14, 2005 02:41 AM
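The out-of-band confirmation Thomas sketches above (a code that authenticates the transaction, not just the user) is worth seeing in code, because the security property depends entirely on what the code is bound to. The example below is added here and is not from the thread or from any bank's system: the key, the `Transfer` fields and the message layout are assumptions for illustration. The confirmation code is an HMAC over the canonical transaction details, so a code issued for one wire cannot be replayed to approve a wire whose destination or amount was swapped in the browser.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """Fields assumed for the example; a real core-banking record has more."""
    txn_id: str
    amount_cents: int
    currency: str
    dest_account: str


def canonical(t: Transfer) -> bytes:
    # Fixed field order and an unambiguous separator: the MAC must cover
    # exactly what the customer is shown, or the binding is meaningless.
    return f"{t.txn_id}|{t.amount_cents}|{t.currency}|{t.dest_account}".encode()


def confirmation_code(key: bytes, t: Transfer, digits: int = 6) -> str:
    # Bank-side secret key (constructed for the example). The customer never
    # sees it; they only see the truncated code in the SMS.
    mac = hmac.new(key, canonical(t), hashlib.sha256).digest()
    num = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{num:0{digits}d}"


def sms_text(t: Transfer, code: str) -> str:
    # What goes down the out-of-band channel: the details the code is bound
    # to, so a customer can spot a tampered destination before replying.
    return (
        f"TXN {t.txn_id}: WIRE {t.currency} {t.amount_cents / 100:.2f} "
        f"TO {t.dest_account}. REPLY {code} TO CONFIRM."
    )


def verify_confirmation(key: bytes, t: Transfer, submitted: str) -> bool:
    # Recompute from the transaction as the bank is about to execute it.
    # If a man-in-the-browser changed the payee after the SMS was sent, the
    # recomputed code no longer matches the one the customer replied with.
    expected = confirmation_code(key, t)
    return hmac.compare_digest(expected, submitted)


# Constructed sample: the wire the customer intended to send.
KEY = b"example-bank-confirmation-key"  # assumption, not a real key
INTENDED = Transfer("12345556", 9_000_000, "USD", "LV80BANK0000435195001")
# The same txn_id with the payee swapped, as malware would do.
TAMPERED = Transfer("12345556", 9_000_000, "USD", "LV80MULE0000999999999")


def demo() -> dict:
    code = confirmation_code(KEY, INTENDED)
    return {
        "sms": sms_text(INTENDED, code),
        "intended_ok": verify_confirmation(KEY, INTENDED, code),
        "tampered_ok": verify_confirmation(KEY, TAMPERED, code),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the thread's "24-hour window" idea would add on top of this: the bank should still rate-limit and expire the code (a 6-digit value is guessable given unlimited tries), and the hold period is what gives the customer time to notice an SMS for a transfer they never started.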