Yesterday, I spent a lot of time on a post: Another Lawsuit Against Weak Online Banking Authentication.
Today, (ironically and thankfully!) Bank Technology News came out with an article on the same subject. I'm tickled, because there's a quote from Avivah Litan, distinguished analyst and VP at Gartner Research that is as powerful as they come.
"Nothing that Goes Through the Browser Can Be Relied Upon!" In yesterday's post, I played the part of the judge and found that Citizen's should be held liable. (see below) Based on what I am reading into this article...it looks like I'm not the only one who thinks they will be...
Here's the story from BTN along with some of my (maybe sardonic/maybe right on) viewpoints (in blue) mixed in between. Is the Genie Out? - Bank Technology News Article
Bank Technology News | October 2009
By Rebecca Sausner
In February 2007, a fraudster armed solely with Indiana residents' Marsha and Michael Shames-Yeakel's username and password was able to gain online access to their Citizens Financial Bank home equity line of credit, and proceeded to steal $26k - wiring it first to Hawaii, then to Austria. Chicago-based Citizens opted not to cover the loss on the grounds that Reg. E doesn't cover credit accounts like HELOCs, and that Reg. Z wouldn't apply because the couple had linked their small business account to the HELOC for payments and made some business purchases with it.
When the Shames-Yeakel's refused to repay the stolen funds, the bank played hardball, reporting the delinquency to national credit bureaus and allegedly threatening to foreclose on the couple's home. Editor's Note: Nice!...talk about NOT being a good "citizen!" The move will bite them in the butt! This being America, before long the Shames-Yeakel's became "plaintiffs," first appealing to the Office of Thrift Supervision (which sided with the bank) and eventually suing in district court, saying the bank's security practices were negligent.
By now Citizens Financial, and the rest of the industry, may be wishing they'd just let the $26k slide.
Hindsight always is 20:20 isn't it? Time to
Envision Foresight...it's 20:15
In late August, an Illinois district court judge denied the bank's motion to dismiss the case, noting, "In light of Citizen's apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect the Plaintiff's account against fraudulent access."
Two years later, you'd be hard pressed to find a bank just using username and password to secure online accounts. But this case has the potential to be much bigger than the just the rudimentary security and $26k at issue. The court's precedent-setting ruling opens the door to the possibility that the bank will be held liable for the loss because it hadn't kept up with security guidelines or industry best practices, despite the banking regulations that seem to protect banks from liability on business accounts. This could be a massively expensive proposition given that just about everyone agrees that even the multi-factor authentication called for in the FFIEC guidance can't protect business accounts, and fraud against businesses is exploding. *Yeah...I said that yesterday in my mock ruling of the case
Or, as Gartner VP Avivah Litan puts it, "Nothing that goes through the browser can be relied upon. The man-in-the-browser attacks that are going on against these corporate cash management applications are all circumventing one-time password," she says.
Litan's certainly not the only industry analyst who thinks so. "I would go as far as to say that multi-factor authentication as defined under FFIEC, isn't sufficient to meet the environment we're in," says Tom Wills, analyst at Javelin Strategy & Research.
This from yesterday's post: "For most banks, the bar for what is considered reasonable for online banking authentication was set by a 2005 document issued by the Federal Financial Institutions Examination Council...
2005? LOL!
That's analagous to 100 years ago in terms to the progress made by hackers since then.
Heck, online banking malware has INCREASED BY FOUR-THOUSAND-NINE-HUNDRED AND NINETY-FIVE PERCENT(4995%) SINCE 2007! In 2005 there were ZERO...now there are arguments about which of the 3 password stealing trojans (Conficker, Clampi and Zeus) are most dangerous. Look at the chart (above left/click to enlarge) to get an idea of what has transpired with "vulnerabilities" since 2005 when the FFIEC last considered what was "reasonable."...which concluded that banks should employ what's called "multi-factor authentication," which involves requiring the customer to log in with a user name and password (that's bad) "in combination" with some other form of authentication, such as a single-use password or code generated by a token the customer has in his or her possession, or a special code sent via text message to the customer's mobile phone.
Say again? "requiring the customer to log in with a user name password" along with another form of authentication. Well, we all should know by now that "username's and password's" are a joke. My question is "How do those two items even "factor in" as part of the "multi-factor" equation? The "fact" that the first "two are absolutely 100% useless" throws more weight on the voracity of the next form of authentication. (let me guess...what's the first letter of the month you were born) If I was the worlds dumbest hacker (without keylogging and without visiting social networking sites) I could still gain a 1 in 4 chance in getting it right by guessing "J."
My point is...another "password" is useless, including the once heralded "One-Time Passwords" because they can be keylogged in real time. (and for all we know, they can be Trojanned in real time as well) The fact remains, and there is a preponderance of empirical evidence proving that "anything" done to protect a user in a web browser is absolutely useless.
or...as Gartner VP Avivah Litan put it, "Nothing that goes through the browser can be relied upon.
Based on the evolution of hacking combined with the fact that the FFIEC hasn't "REVISITED" their document SINCE 2005, I don't see how that business can be held liable. 2005? C'mon, as I stated, that was 100 years ago compared to the progress hackers have made with Trojans such as Clampi, Zeus and a host (pun intended) of other ways to obtain online banking credentials. (see graphic above and tell me you aren't cringe-ing)
If I'm the attorney, the graphic above is "Exhibit A". Do I even need to produce "Exhibit B"? If I'm Judge Johnny and I can B. Frank, I find for the plaintiff... $588,000 plus interest, plus attorneys fees, responsibility to report and clear up their standing with all the credit bureaus, plus $100k in damages for putting this poor couple through the ringer. (Notice how I kept it low because I realize that "the real damages" are going to be the loss of customers endured by banks who continue to put their customers into a position where their card information is swiped by the bad guys instead of by the consumers themselves...
Back to BTN's article where I left off: "I would go as far as to say that multi-factor authentication as defined under FFIEC, isn't sufficient to meet the environment we're in," says Tom Wills, analyst at Javelin Strategy & Research.
That's not what banks want to hear. Those that can't afford to upgrade security are wondering what kind of software corporate customers can install on the user end.
Editor's Note: LOL! Software? Did they just read their own article? We don't need no stinkin' software! :-) Even that software guy on the left must realize that the solution is HARDWARE. As IBM said in their recent report, no website is safe and financial transactions need to be done with a separate machine than what is used for browsing.
But if the Shames-Yeakel case goes in the plaintiff's favor, it could force banks to do more to secure under-protected business banking accounts. (Editor's Note: I've got the perfect solution for you!) "Businesses won't put resources into security until they've been hit, or they're regulated into it," Wills says.
Editor's Note: Well, that would not only be a bad idea ...it could be a potentially very expensive mistake. Let me throw a cliche to you as a life-preserver. "An Ounce of Prevention is worth a TON of cure" There's a better way. It's called the No-Brainer Solution...you can shorten it to No-BS if you like. Remember, your chances of keeping card holder data out of the hands of the bad guys is "SLIM" and "NONE"
If Hindsight is 20/20, FORESIGHT is 20/15!
0 comments