Check out Brian’s reporting on S.3898. There is not a word on *how* the banks should stop this new and fast-growing crime. (Note that this is not the bill I would write. But it’s a great example of what happens on the Hill when an industry fails to get out in front of an important problem with a sensible proposal.)

> Holding the customer accountable for their
> in-house security is as valid a point as holding
> the bank accountable for their’s

My view is whom to hold accountable can only legitimately be decided by the elected representatives of the people. The banks *say* they disagree. Note, however, that at the FDIC Symposium on Combating Commercial Payments Fraud on May 11, 2010 in Washington, D.C., the banking industry representative who was most vocal about the righteousness of the banks’ imposing commercial-account online banking funds transfer fraud losses on randomly-unlucky small- and medium-sized enterprises admitted that if the name of the organization that was hit by ZeuS happened to be “Barney Frank for Congress Campaign Fund”, he would make good on *that* loss regardless of its size or who was “really” responsible.

> The real issue I am concerned about is the
> increased pressure by banks to go completely
> on-line or face fee increases while at the same
> time watching these types of crimes proliferate.

Be Very, Very Afraid, then. Check out:

http://www.bankerstuff.com/BankerstuffWebinars/November16WebinarJavelinOnlineBanking/tabid/579/Default.aspx

Javelin Strategy & Research predicts that there are still almost $7 *billion* in banking costs that can be wrung out of the system via moving transactions into cyberspace. Given the revenue losses Sen. Durbin has inflicted on the financial services industry in the Dodd-Frank Act, expect redoubled efforts of the kind you fear. I would just like to see the banks disclose the risks their commercial customers are accepting by moving their banking online.

Like or Dislike: 0  0

That’s all we need. More laws restating what security pro’s see as obvious. In the end you get a detailed list (limited) of methods that will no longer be used by attackers and a plethora of unlisted techiques that won’t be prosecutable.

Holding the customer accountable for their in-house security is as valid a point as holding the bank accountable for their’s.

The real issue I am concerned about is the increased pressure by banks to go completely on-line or face fee increases while at the same time watching these types of crimes proliferate.

Like or Dislike: 1  0

2nd line of defense: Use a dedicated machine with a Linux O.S. (see also http://www.distrowatch.com &/or http://www.linux.org/dist/list.html for comprehensive listings). Can’t use a dedicated machine? Then…..

3rd line of defense: Boot the machine off of a Linux disk and save your data to a USB flash drive. And DO NOT store your login IDs and passwords electronically; but DO store them in a physically secure place (e.g., a safe).

Like or Dislike: 0  0

Our congressmen need to look at this, and not only change the liability laws, but help the banks with their security concerns. After all we are supposedly in a “cyber-war” with enemies already. It only makes sense for the government to help the little banks out on the infrastructure and costs on this new security,. if they mandate the requirements.

Consumer’s Union has more or less joined the fray, with political action to improve credit card practices and fraud protection. CU is a BIG lobby, I didn’t hesitate to join, and we now stand together to put pressure on congress and the banking industry as a whole!

Like or Dislike: 1  0

You list is part of the picture – I might add that few seem to be aware that Microsoft has a free utility called “steady state” that locks the hard drive to ANY changes in files. Ordinary files would have to be stored on another drive or partition. I’m not sure which versions of Windows that it is available. If not available for your version, maybe a look at Faronics would be in order.

You would still want AV and AS solutions in place, in case the present session were somehow compromised. This would entail unlocking the drive at least two times a day, to update the operating system and/or AV/AS utilities. You would not want to do any unnecessary surfing during these updates; and immediately relock the drive afterward.

Some say a Puppy Linux Live CD would be better; your mileage may vary.

Like or Dislike: 1  0

http://www.zdnet.com.au/sms-two-factor-authentication-dead-in-3-years-nab-339284387.htm

Like or Dislike: 0  0

I realize the bank probably doesn’t want precedent set here also, but it is still ridiculous.

Like or Dislike: 1  0

The problem with Debit cards is that once you provide a PIN to a merchant, you are entrusting the key to unlock your bank account with the merchant’s security. And most merchants are clueless when it comes to anything close to Payment Card Industry security. As an example: in 2007 in Southern California, it was speculated that Office Depot Databases were compromised. Hackers harvested Debit card numbers and corresponding PINs. Wamu, BofA, and Wells Fargo reissued 250,000 debit cards in response. The actual breach was never positively identified.

Everytime you use a Debit card and provide your PIN for a retail transaction, you’ve just entrusted it to the merchant’s network security.

I would suspect that using Debit cards with various retailers also increases your chances of encountering Card Skimmer too. Yet banks issue Debit cards to customers by default. Bank staff doesn’t even know how to issue a simple ATM Card anymore.

Since electronic deposit is quickly becoming the industry standard practice, the business model needs to change because the bad guys are adopting more quickly than the financial institutions and merchants. The “It’s too complex” or “It’s too expensive” is no longer an acceptable excuse.

Like or Dislike: 1  0

The bank said “tough luck” and would not even investigate the fraud.

Now, at least, to use the card I have to enter in my zip code (and since I have an unusual zip code, this offers me a modicum of security).

As a result, I now insist on choosing a bank that requires PIN numbers for credit cards, just as debit cards work.

Debit cards do not have the legal loss protections of credit cards (although if Obama’s banking reforms pass this may change), and credit cards traditionally don’t have PIN security. So it was hard to find to find a secure credit card.

The only company that supports the consumer is American Express, but since they have high bank fees, many retailers won’t accept them. The hunt for an honest, secure, universally-accepted bank is unending.

Like or Dislike: 1  0