Kiwi Banks propose to pass liability onto the customer…….
June 28th, 2007 | Drazen Drazic | Posted in Disclosure Laws, Dumb Security, Web Application Security, cyber crime
This NZ ComputerWorld story from over the ditch, "Banks demand a look inside customer PCs in fraud cases", is a bit of a concern. If it progresses, it will be interesting to see how they propose this working. This worries me or should I say scares me given some previous experiences of banks wanting to touch customer systems:
A few years ago, the NSW Police called a meeting with the IT Risk and some Security Heads of the major banks here to discuss Internet Banking fraud. At the time, it was a knee-jerk reaction to old news that they had stumbled upon to do with Gator and similar software on kiosk machines and user systems etc. The focus of the meeting was to discuss ways to put into place mechanisms to prevent Internet Banking fraud. Hey, pretty cool I thought, finally some real discussion on security better than just something one level above basic auth.
The following is entirely true. You just can’t make up stuff this funny……..no one would believe you.
Somehow, from the outset, the discussion turned to anti-virus software on user machines. (Did I mention Symantec led off the “discussion” with a presentation on themselves?). Where is this going I am thinking? Are we looking at the bigger picture here? The next hour was spent in discussion on how the Banks could pass the burden of Internet Banking security responsibility entirely back onto the customer. The following suggestions were proposed:
- We (the banks) could scan their (customer) machines to determine whether anti-virus software is installed.
- Hey, but how will we know if the user runs the software? Easy, we’ll set off the scan (i.e., read: scan whole machine) before they can access Internet Banking!
- Hey, but how will we know if the signatures are up to date? Easy, we’ll just check the versions and enforce the update and then set off the scan before they can access Internet Banking.
See where I am coming from? But then…..the showstopper, that for about 2 minutes was the silver bullet to Internet Banking Fraud. I shit you not:
“Guys, why don’t we scan their hard drives from our systems once they login!”
What can I say? The majority of the room was in agreement! From there on, it’s a real blur. The room started spinning for me. Vague recollections of workgroups proposed to make this happen, some back patting and then agreements to meet again soon.
I made the mistake of chipping in at the end (only chance I got), with a question on what we (the banks) were going to do from our end. I mentioned the current levels of authentication being questionable and put it out there that this could be something we look at also. Did I get daggers or what? Luckily this workgroup never met….I think…..If it did, I wasn’t invited.
So…back to our NZ cousins. Let’s hope that the Banks work with a focus that also looks within themselves. That is where most of the solutions to problems will be hopefully found…though nothing is fool-proof. In the end, stupidity on the part of the customer should be assessed in terms of liability……..but weren’t computers initially developed to remove human error from the equation?
…..
This will be an interesting story to follow.
