ROME Institute
A reply to On-line Security and Identity Theft
by David Rowe - Sungard on Jul 10, 2007 - 08:57 AM
Source: http://www4.sungard.com/blogs/riskManagement/?p=16#commen...

Matt Freeman’s point about terms of reference framing a problem is a good one. Politicians and political activists do this all the time. Terms such as “affirmative action”, “pro-choice”, “pro-life”, “social justice”, “wage slavery” and “politically correct” are intended to tilt the terms of debate before discussion even begins. That said, I think banks are in a very weak position to make much of this strategy. Any bank that became known for shifting fraud risk to its customers would suffer worse and more immediate damage from loss of business to competitors than from fighting lawsuits to avoid covering the losses. Exercising one’s “right of exit” from the country of one’s residence is a much more difficult step than switching to another bank. This is one reason why competition is such a powerful tool for the good of society. It works to keep businesses relatively honest based not on the good will of management but on justified fear of financial damage. Needless to say, this is hardly an original insight. It was Adam Smith who said, “It is not from the benevolence of the butcher, the brewer, or the baker, that we expect our dinner, but from their regard to their own interest. We address ourselves, not to their humanity but to their self-love, and never talk to them of our necessities but of their advantages.” If banks want to retain their customers, it is in their self-interest to erect the maximum web of protections against identity theft and fraud. Such measures will encourage customers to utilize the convenience of on-line banking, which also reduces the bank’s costs. It also provides the maximum legal defense if someone really is defrauded due to their overwhelming negligence and then tries to shift the blame and the loss to their bank.

The discussion of two-factor versus two-channel authentication that Matt points to is interesting. As pointed out there, the potential issue with two-factor authentication is a man-in-the-middle attack where someone intercepts the combination of password and transient code value to gain access to the victim’s account. This is potentially very serious if, as Matt indicates is his experience, there is no subsequent authorization required even for outsized or out-of-pattern transactions. While the security of two-channel authentication may well be superior, I suspect there would be significant resistance from customers. It might well be more effective for the bank to demand repeat authentication for transactions above a given size or to a formerly unknown payee and absorb some or most of the smaller losses caused by successful man-in-the-middle attacks. Combined with checks on the identity of the computer originating a transaction request, this should hold such successful attacks to a minimum.

I haven’t had time to look at Ross Anderson’s many offerings at the last cited URL, but they certainly look interesting for those concerned with security on electronic networks.
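The layered rule the comment proposes (repeat authentication above a given transaction size or to a formerly unknown payee, combined with a check on the computer originating the request), written out as an added Python example; this is not code from the original post or from any bank's system, and the threshold, payee list and device identifiers are constructed.

```python
"""Step-up authorization for an on-line banking transfer (constructed example).

A session opened with a captured password + one-time code is treated as
necessary but not sufficient: money movement that is large, goes to a new
payee, or comes from an unfamiliar device must be authenticated again.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccountProfile:
    known_payees: frozenset      # payees this customer has paid before
    known_devices: frozenset     # device identifiers seen on past sessions
    step_up_amount: float = 1000.0   # assumed size limit for repeat authentication


@dataclass(frozen=True)
class TransferRequest:
    amount: float
    payee: str
    device_id: str               # identity of the originating computer


def step_up_reasons(profile: AccountProfile, req: TransferRequest) -> List[str]:
    """Return every reason this transfer needs repeat authentication (empty if none)."""
    reasons = []
    if req.amount > profile.step_up_amount:
        reasons.append("amount above step-up threshold")
    if req.payee not in profile.known_payees:
        reasons.append("payee not previously used")
    if req.device_id not in profile.known_devices:
        reasons.append("request from unrecognised device")
    return reasons


def authorize(profile: AccountProfile, req: TransferRequest,
              repeat_auth_passed: bool) -> Tuple[str, List[str]]:
    """Decide an already-logged-in transfer.

    Returns ("approved", []) for routine transfers, ("step_up_required", reasons)
    when the policy fires and no fresh authentication has been presented, and
    ("approved", reasons) once the customer has re-authenticated for this request.
    """
    reasons = step_up_reasons(profile, req)
    if not reasons or repeat_auth_passed:
        return "approved", reasons
    return "step_up_required", reasons
```

Small, routine payments to a known payee from a known device pass without friction, so the extra step is only felt on the transactions where a relayed credential would otherwise do the most damage.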
