A slightly smaller problem than this weekend's systemic risk and the US Treasury is the continuing weakness of the security of the US retail banking sector:
They are a staple of consumer-complaint hotlines and Web sites: anguished tales about money stolen electronically from bank accounts, about unhelpful bank tellers and, finally, about unreimbursed losses.But surely customers of the elite private banking operation at JPMorgan Chase, serving only the bank’s wealthiest clients, are safe from such problems, right? Wrong, says Guy Wyser-Pratte, an activist investor on Wall Street for more than 40 years who uses his hedge fund’s war chest of roughly $500 million to wage takeover fights and proxy battles in the United States and Europe.
In May, Mr. Wyser-Pratte learned that someone had siphoned nearly $300,000 from his personal account at the private bank through many small electronic transfers over a 15-month period. Then he was told by the bank that he could stop the theft only by closing his account and opening a new one — an enormous hassle, he said. And finally, JPMorgan Chase told him that the bank would cover only $50,000 of his losses.
Just like the other scandals, we watched this one arise, and now it is here. Warnings fell on deaf ears, so we can only wonder what is the systemic cause here of this mess.
In the case of phishing, it is relatively clear. The developers believe the PKI book. The PKI people believe in the efficacy of digital signatures to prove stuff. The cryptographers believe in the perfection of mathematics, and the security world believes in the completeness of their own learning. They are all wrong, but only at the large level of generalisations, not at the detailed level of particular claims. Any one of the claims, in isolation can be shown to be true. But, generalising these brittle claims to be solid building blocks is a completely different question. Few of the claims are strong enough to partake in a general model without severe support; the general model of secure browsing is the best evidence of how it is secure in name only.
How then is it built? By accident or by design, a series of claims meet together in a holy ring of righteous architecture. Each of the proponents claim loudly that their part is strong, but the ring has no strength. Eventually, one of the claims in the links is broken. For phishing, the browsers never did have the potential to show authenticity; not only did they not have the security strength to do it (c.f., Skype v. CSRF), they didn't even do it in practice (recall the lost padlock?), and their recent efforts to show authenticity (c.f. colour debate) reveal how far they are from understanding even the goal, let alone the implementation. Once that link was broken, and money was made, all the others revealed their weaknesses, as crooks systematically worked to breach the lot.
If we look at the wider financial collapse, now underscored by the nationalisation of the worlds biggest financiers of mortgages ($ 5.3 trillion.... or is it $ 5.4 ?), we see the same pattern. The bankers believed in their product. The originators believed in their origination, the securitizers believed in their free market and accurate price, and the holders believed in the assets. The CDO, the subprime, the other 100 special names, each was a contract. Each was clear in and of itself. But, when placed end-to-end, in a line, with a bunch of other agreements, the claims that were good in isolation were not strong enough to participate in the super-claim made of the overall edifice.
The financial system was built like a bridge; each piece rested on the previous one. And then, the clever architects bent the bridge around ... and around again, until the first piece met the last. The elegant keystone of finance was to finally lift up the first one to rest on the last.
Thus, the banks themselves invested their capital in their own product.
This weekend, the US Treasury joined in to make the ring stronger. The cunning masters of the financial universe carefully lifted up the fan-fred paper and rested them on the T-bills, which as we know are the expressions of the US economy's ability to generate taxes. These willing taxpayers are proud to place themselves and their mortgaged homes in the ring of power.
Beautiful, elegant, and hugely profitable. Just, somewhat, slightly against the laws of gravity.
The problem with this -- both the financial markets and the Internet security markets -- is that there is no-one to blame . Each is constructed in ring of claims, which eventually return to rely on themselves.
So when you read about who is to blame, be quick to be skeptical:
Long before the mortgage crisis began rocking Main Street and Wall Street, a top FBI official made a chilling, if little-noticed, prediction: The booming mortgage business, fueled by low interest rates and soaring home values, was starting to attract shady operators and billions in losses were possible."It has the potential to be an epidemic," Chris Swecker, the FBI official in charge of criminal investigations, told reporters in September 2004. But, he added reassuringly, the FBI was on the case. "We think we can prevent a problem that could have as much impact as the S&L crisis," he said.
Today, the damage from the global mortgage meltdown has more than matched that of the savings-and-loan bailouts of the 1980s and early 1990s. By some estimates, it has made that costly debacle look like chump change. But it's also clear that the FBI failed to avert a problem it had accurately forecast
Forget it. My experience of the mutual funds mess -- one what was *not* cleaned up despite public pronouncements to the contrary -- and other messes such as the digital gold story indicates that the FBI has zero chance of understanding the mortgage mess, let alone cleaning it up. Sure, there is fraud going on, but don't expect the FBI to understand the nature of it.
Posted by iang at September 8, 2008 07:54 AM | TrackBackThen he was told by the bank that he could stop the theft only by closing his account and opening a new one — an enormous hassle, he said. And finally, JPMorgan Chase told him that the bank would cover only $50,000 of his losses.
“While this is an unfortunate situation, we believe our response has been entirely appropriate,” said Mary Sedarat, a spokeswoman for the private banking service at JPMorgan Chase.
Mr. Wyser-Pratte emphatically disagrees. “They never should have approved that first transfer,” he said.
The wealthy financier “is getting a taste of what the rest of us have to deal with all the time,” said Gail Hillebrand, the senior staff lawyer for Consumers Union in San Francisco.
That sour taste is called automated clearing house fraud, theft involving unauthorized electronic transfers through the automated networks of the circulatory systems that connect the world’s bank accounts.
When a consumer writes a check, the merchant that accepts it is entitled to have the specified amount taken from the customer’s bank account and sent electronically to the merchant’s account.
But once someone has certain routing numbers for a customer’s account, fraudulent transfers become possible unless the customer carefully scrutinizes all of the transactions on the monthly account statement.
If the consumer reports a clearly unauthorized transaction within 60 days, federal banking rules require the bank to cover the loss, Ms. Hillebrand said. If not, and if the bank informed the customer in advance about the 60-day deadline, the bank has no liability. ....
Posted by: NYTimes -- more on that missing article at September 8, 2008 08:05 AMre:
http://www.garlic.com/~lynn/2008n.html#0
business news show this morning are wringing hands about gov. negotiations for Lehman bailout ... claiming that Lehman had 6months after Bear bail-out to get house in order. Since they didn't ... this is starting to look more and more like "moral hazard" .... no consequences and accountability for risky behavior resulting in increasing risky behavior, another kind of play on the peter pan reference at financial cryptography blog, never having to grow up and face consequence, aka treating financial industry executives as if they are minors and not adults
Posted by: Lynn Wheeler at September 12, 2008 11:01 AM