On-line Security and Identity Theft
by David Rowe on Jun 29, 2007 - 09:17 AM
Source: http://www4.sungard.com/blogs/riskManagement/?p=16

Risk management is not just about credit and market risk.  As pointed out in a response to Tim Trent last March (http://www4.sungard.com/blogs/riskManagement/#comment-11) the importance of maintaining customer confidence in a bank’s on-line security is a significant reputational issue.  Furthermore, the issue is not just a defensive one.  Banks that are recognized as taking on-line security seriously can gain a competitive advantage as people become increasingly uneasy about identity theft and other types of fraud.  Not only that, but effective security can have a significant impact in limiting the frequency of compensation payments.

Some banks learned very early that they reap a huge benefit when customers shift to on-line bill payment, since customers themselves enter the electronic information that becomes the basis for the ensuing transaction. This eliminates a great deal of internal manual entry that is both costly and error prone. For this reason, most banks quickly eliminated extra fees for on-line banking privileges, since maximizing the number of customers using this service is highly advantageous. This point needs to be remembered when it comes to weighing the cost of improved on-line security measures. Even if long-standing customers don’t switch to another bank when they are nervous about security, they still may revert to using old-fashioned checks rather than banking on-line. It seems to me that progress in this area has been surprisingly slow given that there are both competitive advantages and risk control benefits from more advanced security measures.

For those interested in the specific area of identity theft and examples of both good and bad practice, an interesting website is http://www.meandmeblog.com/.  Two recently featured stories concern:

- A man who was arrested for a crime committed by someone else who had stolen his identity.
- A charitable organization (which I will not name but you can find its identity at http://www.meandmeblog.com/ in the Latest Comments section) that sent out a solicitation letter to supporters with their social security numbers on the OUTSIDE of the envelopes!

Surely the second of these indicates that some “awareness enhancement” is required around the issue of securing personal information in our brave new world of electronic commerce.

(I am reminded of a cartoon I saw about ten years ago, when the web was in its infancy.  It showed a Dalmatian sitting in a desk chair in front of a computer and saying to his companion standing on the floor, “The best thing is that on the internet no one knows you’re a dog.”)

  • Comment by Matt Freestone, a reply to On-line Security and Identity Theft
    Jul 05, 2007 - 08:21 AM (submitted by David Rowe - Sungard)
    Source: http://www4.sungard.com/blogs/riskManagement/?p=16#commen...

    This is a fascinating area. I think your point about banks needing to think about their reputational capital is well made - there’s a potential temptation for banks to use the new technologies to transfer the risk of fraud from themselves onto their customers - e.g. the old cases of phantom withdrawals where some banks actually brought prosecutions against their customers rather than believe their systems could be at fault.

    Or to take a more topical issue - the concept of identity theft is itself a way of framing discussions about risk. If someone uses my personal details to login to my online account then saying that I’m a victim of identity theft neatly shifts the problem onto my plate in terms of proving I didn’t spend the money. From the consumer’s point of view it would be better to say that the bank has been defrauded by an impersonator and that they need to tighten their authentication.
    (Bruce Schneier has written quite a bit about the idea that liability for a problem should follow the party that has the ability to reduce or remove the vulnerability to that problem.)

    At the moment I’m not sure (as an online banking user) where my liability begins and ends - particularly as my current bank doesn’t have any further validation of transactions once you’ve logged in. More here on two factor vs two channel authentication - as you say, it’s not clear why this sort of thing is taking so long to implement (lots of other good things on that site - it’s the Cambridge University Computer Lab Security Group’s blog).

    I also recommend the personal site of Prof Ross Anderson who leads that group - he used to work in banking, and he has lots of interesting research into what he calls information security economics - ie trying to model the security of a system from the incentives of the principals who use or abuse it.

  • Comment by David Rowe, a reply to On-line Security and Identity Theft
    Jul 10, 2007 - 08:57 AM (submitted by David Rowe - Sungard)
    Source: http://www4.sungard.com/blogs/riskManagement/?p=16#commen...

    Matt Freestone’s point about terms of reference framing a problem is a good one. Politicians and political activists do this all the time. Terms such as “affirmative action”, “pro-choice”, “pro-life”, “social justice”, “wage slavery” and “politically correct” are intended to tilt the terms of debate before discussion even begins. That said, I think banks are in a very weak position to make much of this strategy. Any bank that became known for shifting fraud risk to its customers would suffer worse and more immediate damage from loss of business to competitors than from fighting lawsuits to avoid covering the losses. Exercising one’s “right of exit” from the country of one’s residence is a much more difficult step than switching to another bank. This is one reason why competition is such a powerful tool for the good of society. It works to keep businesses relatively honest based not on the good will of management but on justified fear of financial damage. Needless to say, this is hardly an original insight. It was Adam Smith who said, “It is not from the benevolence of the butcher, the brewer, or the baker, that we expect our dinner, but from their regard to their own interest. We address ourselves, not to their humanity but to their self-love, and never talk to them of our necessities but of their advantages.” If banks want to retain their customers, it is in their self-interest to erect the maximum web of protections against identity theft and fraud. Such measures will encourage customers to utilize the convenience of on-line banking, which also reduces the bank’s costs. It also provides the maximum legal defense if someone really is defrauded due to their overwhelming negligence and then tries to shift the blame and the loss to their bank.

    The discussion of two-factor versus two-channel authentication that Matt points to is interesting. As pointed out there, the potential issue with two-factor authentication is a man-in-the-middle attack where someone intercepts the combination of password and transient code value to gain access to the victim’s account. This is potentially very serious if, as Matt indicates is his experience, there is no subsequent authorization required even for outsized or out-of-pattern transactions. While the security of two-channel authentication may well be superior, I suspect there would be significant resistance from customers. It might well be more effective for the bank to demand repeat authentication for transactions above a given size or to a formerly unknown payee and absorb some or most of the smaller losses caused by successful man-in-the-middle attacks. Combined with checks on the identity of the computer originating a transaction request, this should hold such successful attacks to a minimum.

    I haven’t had time to look at Ross Anderson’s many offerings at the last cited URL, but they certainly look interesting for those concerned with security on electronic networks.
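The step-up rule David Rowe proposes above (repeat authentication for transfers above a given size or to a formerly unknown payee, combined with a check on the computer originating the request), as an added Python illustration that is not code from the blog or from any bank; the threshold, payee names and device fingerprints are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical per-transfer limit above which a repeat authentication is required.
STEP_UP_AMOUNT = 1000.00


@dataclass
class CustomerProfile:
    known_payees: set = field(default_factory=set)   # payees this customer has paid before
    known_devices: set = field(default_factory=set)  # device fingerprints seen before


@dataclass
class Transfer:
    amount: float
    payee: str
    device_id: str  # identity of the computer originating the request


def step_up_reasons(profile, tx):
    """Return why a transfer needs repeat authentication; an empty list means it does not."""
    reasons = []
    if tx.amount > STEP_UP_AMOUNT:
        reasons.append("amount above step-up threshold")
    if tx.payee not in profile.known_payees:
        reasons.append("payee not previously used by this customer")
    if tx.device_id not in profile.known_devices:
        reasons.append("request from a device not previously seen for this customer")
    return reasons


def authorise(profile, tx, step_up_passed=False):
    """Release the transfer if no step-up applies or the customer re-authenticated.

    A session opened with an intercepted password and code can still only move
    money below the limit, to known payees, from a known device; anything else
    is held until the repeat authentication succeeds. A released transfer adds
    its payee and device to the profile so routine repeats are not challenged.
    """
    if step_up_reasons(profile, tx) and not step_up_passed:
        return False
    profile.known_payees.add(tx.payee)
    profile.known_devices.add(tx.device_id)
    return True
```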

  • Comment by David Rowe, a reply to On-line Security and Identity Theft
    Jul 20, 2007 - 04:55 AM (submitted by David Rowe - Sungard)
    Source: http://www4.sungard.com/blogs/riskManagement/?p=16#commen...

    My apologies to Matt Freestone. I should have mentioned that in a follow-up note he put me on to the cartoon with the dogs that I mentioned in my original post. It is from the July 5, 1993 issue of The New Yorker and can be found at:

    http://www.unc.edu/depts/jomc/academics/dri/idog.html

    You will see that my memory played me a bit false regarding the breed of the dog and the exact quote, but the spirit was right.

  • Comment by David Rowe, a reply to On-line Security and Identity Theft
    Aug 29, 2007 - 10:58 AM (submitted by David Rowe - Sungard)
    Source: http://www4.sungard.com/blogs/riskManagement/?p=16#commen...

    Stephen,

    I agree that there is often too little attention to security even in situations where one would think the public should be most sensitive. That said (and at the risk of being accused of plugging my old employer) I find the Bank of America on-line banking site to be noticeably superior in this area. They were well ahead of the curve in requiring that every customer establish an individual site key. This is information stored on the bank’s website that is returned when you attempt to log in and verifies that you are accessing the legitimate site location. A phishing scam trying to get people to divulge their login details by directing them to a bogus look-alike website would not be able to provide the correct site key. Only more recently have other sites started to emulate this extra protection layer. Another example of extra care is the NatWest on-line banking site in the UK. They NEVER ask for your full PIN or password. Rather they request a different random selection of the characters in a random order each time you log in. That way, even someone who successfully planted a keyboard scanner would have to capture multiple sessions and do significant analysis to isolate a user’s full details.

    For someone like me who is sensitive to these issues, extra attention to security measures certainly cements my loyalty. More generally, I think it may take a major and well publicized security failure at some institution, with significant inconvenience or outright losses for customers, to raise the public’s responsiveness to such measures. When that day comes, however, the institutions that can point to their extra attention to security will reap their reward.

    (For a more detailed discussion of alternate security measures see:
    http://www3.sungard.com/SunGardFinancial/menus/documents/risk_managers/200605%20protect%20and%20survive.pdf )
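The partial-password challenge the comment describes for NatWest, as an added Python illustration that is not code from the blog or from the bank; it also measures how many captured logins an observer would need before every position of the secret has been requested, which is the property the comment relies on. The secret, challenge size and seeded simulation are constructed for the example.

```python
import hmac
import random
import secrets

CHALLENGE_SIZE = 3  # characters requested per login (constructed parameter)


def make_challenge(secret_len, rng=secrets.SystemRandom()):
    """Pick CHALLENGE_SIZE distinct 1-based positions, in random order."""
    return rng.sample(range(1, secret_len + 1), CHALLENGE_SIZE)


def verify_response(stored_secret, challenge, response):
    """Check the supplied characters against the requested positions only.

    Caveat: because single characters must be checked, the secret cannot be
    kept as one salted hash of the whole string; it needs per-position
    protection (for example reversible encryption under a key the web tier
    cannot read directly), a known trade-off of partial-password schemes.
    """
    if len(response) != len(challenge):
        return False
    expected = "".join(stored_secret[i - 1] for i in challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


def positions_exposed(captured_challenges):
    """Positions that an observer of several captured logins has seen requested."""
    seen = set()
    for challenge in captured_challenges:
        seen.update(challenge)
    return seen


def sessions_until_full_exposure(secret_len, seed):
    """Simulate logins with a seeded RNG and count how many a complete capture needs."""
    rng = random.Random(seed)
    captured = []
    while len(positions_exposed(captured)) < secret_len:
        captured.append(make_challenge(secret_len, rng))
    return len(captured)
```

With an 8-character secret and three characters per login, at least three captured sessions are needed and in practice more, since random subsets overlap.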

  • Comment by Stephen Brown, a reply to On-line Security and Identity Theft
    Aug 29, 2007 - 12:23 AM (submitted by David Rowe - Sungard)
    Source: http://www4.sungard.com/blogs/riskManagement/?p=16#commen...

    I often wonder what type of competitive advantage network security would provide for an organization. I can see the case for negative press, but I’m not sure whether many companies can successfully capitalize on positive press. Regardless of what a study might say, when I set up an account recently with an online trading company, where you think security and identity theft protection would be key points…I really didn’t find anything.

    eTrade, Schwab, TD Ameritrade - they focused on cost to trade, amount of research, the speeds of the trade, ease of trading, but no talk of data protection. It would seem like this would be one market segment where, if talk of secure trading paid off, it would be reflected on the above companies’ websites. Just my take, I think companies factor in the costs of data theft as a part of doing business, and then largely forget about it until a major security breach involving data theft hits the news. Then they might issue a press release or hold some type of event to lessen the concerns of their customers.

    Stephen
    www.networkinstruments.wordpress.com
