One of my favorite posts of the last week, and one of the scariest, is Brian Krebs’ Washington Post article on Businesses Are Reluctant to Report Online Fraud. This is not a report on a single major bank heist, but instead what many of us have worried about for a long time in Internet fraud: automated, distributed and repeatable theft. The worry has never been the single million-dollar theft, but scalable, repeatable theft of electronic funds. We are going to be hearing a lot more about this in the coming year. The question that will be discussed is who’s to blame in these situations? The customer, for having almost no security on their small business computer and being completely ignorant of basic security precautions? The bank, for having crummy authentication and fraud detection while understanding the security threats as part of their business model? Is it contributory negligence? This issue will gain more national attention as more businesses have their bank say “too bad, your computer was hacked!” Let’s face it, the bank has your money. They are the scorekeeper, and if they say you withdrew your money, the burden of proof is on you to show they are wrong. And no one wants to make them mad for fear they might tell you to piss off. The lines of responsibility need to be drawn.
I feel like I am the last person in the U.S. to say this, but I don’t do my banking online. Would it be convenient? Sure, but I think it’s too risky. My bank account information? Not going to see a computer, or at least a computer I own, because I cannot afford to make a mistake. I asked a handful of security researchers I was having lunch with during Defcon – who know a heck of a lot more about web hacking than I do – if they did their banking online. They all said they did, saying “It’s convenient.” Me? I have to use my computer for research, and I am way too worried that I would make one simple mistake and be completely hosed and have to rebuild from scratch … after my checking account was cleaned out. In each of the last two years, the majority of the people I spoke with at Black Hat/Defcon … no, let’s make that the overwhelming majority of the people I have spoken with overall, had an ‘Oh $&(#’ moment at the conference. At some point we said to ourselves “These threats are really bad!” Granted, many of the security researchers I spoke with take extraordinary precautions, but we need to recognize how badly the browsers and web apps we use every day are fundamentally broken from a security standpoint. We need to acknowledge that out of the box, PCs are insecure and the people who use them are willfully ignorant of security. I may be the last person with a computer who simply won’t budge on this subject. I even get mad when the bank sends me a credit card that has ATM capabilities as a convenience for me. I did not ask for that ‘feature’ and I don’t want the liability. While the banks keep sending me incentives and encouragements to do it, I think online banking remains too risky unless you have a dedicated machine. Maybe banks will start issuing smart tokens or some additional security measures to help, but right now, the infrastructure appears broken to me.
7 Replies to “Burden of Online Fraud”
@tim – ATM and P.O.S. terminals require both a card and a person to be present. This is fully automated fraud on the front end. Granted they used ‘mules’, but they did not need to. At least with ATM theft there is a camera, and with most POS terminals there are maximum monetary limits and fraud detection. The type of online banking I am talking about is not the same thing and lacks the same protections.
-Adrian
You seem to neglect a basic point. Every day millions (billions?) utilize online banking, ATM machines, and online shopping without issues. Do accounts get hacked? Yes. Is the communication between ATMs and the random Tandem that runs them insecure? Yes. Is it causing such a problem to suggest they should stop? No. Banks have an incentive to identify the problem and resolve it for the customer. Otherwise consumers lose trust in the system and move elsewhere.
That is not to say that there are not flaws and can’t be improved (I wouldn’t have a job otherwise). But I simply don’t buy the scenario that things are so bad you shouldn’t bank or shop online.
For the record I use two-factor authentication for my main account, use cash a lot, and keep a backup account in case of issues with the primary account – it’s called managing risk. Something I notice a lot of security people suck at.
And one other thing Adrian – why on earth would you use a machine that you do research on to bank online? Dedicate a machine that runs your life. I keep a MacBook for that purpose. Therefore you don’t need to worry about making a mistake.
For non-technical people who ask me this type of question I usually suggest they do not bank online. It’s too easy to get lax about it, especially since few really do understand just how crazy-vulnerable apps/browsers/systems/web are these days.
I don’t follow my own advice, though, as I do pay most of my bills online these days (that or I procrastinate and feel guilty about using mail and generating more waste). Then again, I also do so only from a system I own that I only use for a small number of things, and that does not ever get used to “browse around” the web at random. The only time I open a browser on that system is for Netflix or banking/bills. Now, I still get snail mail sent to me from all of these institutions I work with, but I pay my bills one at a time online; no plans, recurring schedules, emailed balances, or accepting those flyers for online-only.
One reason being that if an institution I use gets breached, regardless whether I did my business with them online or in person, my data is probably sent right to the same place. Sure, I might miss out on being sniffed off the transaction server if I do my business offline, but that stuff isn’t transparent enough for me to judge.
I’m actually just as worried or more about using my credit card in various random places, like gas pumps or retail stores. If I can, I pay by cash every chance I get.
And I agree with you about things like Debit/ATM capabilities. My bank got bought out about 2 years ago and they re-issued my ATM card to me with Debit capability. Huh? If I wanted that, I would have signed up for it in the last 15 years I’ve been with them.
@reppep – yeah, one-time keypads like what PayPal provides; the payment process can still be hacked if the user’s machine is totally compromised. It does make fraud a little harder for any given transaction and much tougher to do without the user taking some action. But I was thinking more along the lines of some dedicated devices to support the transaction … think something like an Ironkey with a simple user interface that is independent of the user’s OS and tunnels directly to the payment processor. You can have shared secrets making it difficult for man-in-the-middle attacks and somewhat unaffected by the platform or network being compromised.
-Adrian
Various banks issue all kinds of gadgetry to improve security. Bank accounts still get hacked (generally through customer PCs, as I understand it) — ‘who’ exactly is getting hacked is an important semantic & legal distinction, as discussed here.
@reppep – banks or customers?
Of course, banks do issue smartcards and hard tokens and scratch-off cards. They still get hacked.