Sunday, June 27, 2004

Finance Industry View of Security

The financial sector generally has a one-sided view of security. There are procedural obsessions to protect a company from certain risks, but there is often a blindness to the ways a company creates or amplifies other risks. Here are some examples.

1. Many companies encourage their customers to use publicly available data (such as date of birth and mother’s maiden name) as if they were secure passwords. Whereas many security procedures advise changing one’s passwords regularly, there is no mechanism for changing date of birth or mother’s maiden name. (Try ringing your bank and asking to change these details on your record.)

2. When I ring my bank, I have to provide lots of data to prove that I’m who I say I am. But when my bank rings me, they do not offer any data to prove they are who they say they are; and they produce a rather weak response when I demand proof.

3. My bank rings me with a “courtesy call”. But before they can get into the courtesies, they demand that I provide my security data. This behaviour could easily be replicated by a phishing gang.

4. My credit card company sends me credit card cheques, perhaps hoping to trick me into using them to pay my gas bill. These cheques are sent as part of a direct marketing campaign (aka junk mail). No doubt many people throw them in the trash without inspecting them properly, where they can be retrieved by criminals.

5. My online broker accidentally broadcasts an email to a large number of customers, without properly concealing the email addresses of the recipients. Soon afterwards, I receive a load of spurious emails demonstrating that the list has got into the wrong hands.
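The broker's mistake in example 5 is a mechanical one: the recipient list was placed in the message headers, so every customer received every other customer's address. The added example below is not part of the original post; it contrasts the leaky construction with the usual fix, which keeps the visible To: header empty (a group address with no members) and hands the real recipient list to the mail transport as SMTP envelope recipients only. The sender address and the customer list are constructed placeholders.

```python
from email.headerregistry import Group
from email.message import EmailMessage

# Constructed sample recipient list; these are not real customer addresses.
CUSTOMERS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_leaky_broadcast(sender, recipients, subject, body):
    """The failure described in the post: every recipient is written into the
    To: header, so each customer receives the full address list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_safe_broadcast(sender, recipients, subject, body):
    """Keep the address list out of the headers. The To: header carries an
    empty RFC 5322 group ("undisclosed-recipients:;"), and the real recipients
    are returned separately so they can be passed to the SMTP client as
    envelope recipients (e.g. smtplib's send_message(msg, to_addrs=...))
    without ever appearing in the message itself."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = Group("undisclosed-recipients")
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def leaked_addresses(msg, recipients):
    """Pre-send check: return every recipient address that appears anywhere in
    the message headers. A safe broadcast yields an empty list."""
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return [addr for addr in recipients if addr in header_text]


if __name__ == "__main__":
    leaky = build_leaky_broadcast("news@broker.example", CUSTOMERS, "Update", "Hello")
    print("leaky headers expose:", leaked_addresses(leaky, CUSTOMERS))
    safe, envelope = build_safe_broadcast("news@broker.example", CUSTOMERS, "Update", "Hello")
    print("safe headers expose:", leaked_addresses(safe, CUSTOMERS))
    print("envelope recipients (never in headers):", envelope)
```

The `leaked_addresses` check is the part worth keeping in a real mailing pipeline: run it over the assembled message before it reaches the transport, and refuse to send if any envelope recipient shows up in a header.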

The overall result of this lot is that the security of my financial affairs is reduced. Unless I am alert and savvy, I may be victim to a range of social attacks.

When I have complained to banks about these examples, the general attitude has been uncomprehending. The bank reassures me that if I can prove that someone has been dipping into my account without my consent, or that a credit card cheque has gone astray, then the bank will compensate me. But that’s not the point. There is an increased burden (transaction cost) on me. I have to detect and prove any fraud. (Some bank customers have themselves been accused of fraud when they have complained of spurious ATM transactions.) Because of the increased complexity of the security risks, I am forced to devote more time and attention to the security and integrity of my financial affairs – for example, checking my account more rigorously and carefully shredding my junk mail.

Many customers may be led into adopting less secure patterns of behaviour. A marketing phone call may catch us off guard, and we are overwhelmed with mail (junk and otherwise). Many people may start to think it okay to divulge their security information to casual callers, if they sound sufficiently efficient and plausible.

As the world gets more complex, there are many new security risks, and we cannot blame the finance sector for all of this. However, we might reasonably expect a financial service provider to understand these risks better than most of its customers, and to take some responsibility for managing these risks. The behaviour of many companies, and the response when challenged, indicates either that they don’t understand, or that they don’t care.

More on Asymmetric Trust.

News Update October 2004

Banks launch Bank Safe Online website. See Financial Times story by Josephine Cumbo, Personal banking e-fraud on increase (October 2nd, 2004)

