Thursday, July 03, 2008

Finance Industry View of Security 2

I have blogged before on the Finance Industry View of Security. Although there have been some minor improvements in the past few years, the overall situation is probably getting worse. I attribute this not to the increasing cleverness and organization of the attackers but to what I regard as a systemic failure by the banks to respond appropriately. The banks appear to be more concerned to protect themselves than to protect their customers, and as a result they fail to do either.

A recent posting by Steven J. Murdoch on the Light Blue Touchpaper blog (written by security experts at Cambridge University) points out that New Banking Code shifts more liability to customers. In the Support Economy, service providers dump cost and risk onto their customers simply because they can. They then produce fallacious arguments in terms of "moral hazard".

But if banks don't care about our online security, there are other organizations that do. You can now get good online security from World of Warcraft (press release June 2008). Dave Maynor comments "Isn't it kind of funny when an online game has better security than most banks?" (via Adam Shostack). Christian Frichot thinks there are No Excuses.

But Dan Glass reckons you won't be seeing these security tokens in the mail from your bank any time soon. He argues that the banks simply aren't going to bother with this until they are forced by governments. He's probably right; I'm not holding my breath.

I think a more likely scenario is that people start switching their funds to more secure providers. Maybe PayPal will get its act together, or Blizzard will open a bank. Or the entire world switches to using Linden dollars. Why not?

Update 2016. Did I say Linden dollars? I obviously meant Bitcoin. But you get the idea.


Hans said...

I use a security token with my ETrade account and it works fine. I think that the most compelling point on this topic is that it's not just the banks being stubborn. Security tokens really bother most people (who aren't computer professionals). If one bank forces all customers to use them, this could genuinely be a reason for customers to switch banks. And that's why regulation is needed: to prevent some banks from stealing customers by not requiring the security tokens.

Imagine all the biggest banks adopted tokens, and suddenly there are TV commercials about how such-and-so small bank doesn't require you to be a computer wizard just to bank online.

Richard Veryard said...

See my next post Financial Industry View of Security 3.