October 7, 2010

In response to a series of costly online banking heists perpetrated against towns, cities and school districts, Sen. Charles Schumer (D-NY) has introduced legislation that would extend those entities the same protections afforded to consumers who are victims of e-banking fraud.

Under “Regulation E” of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen more than $70 million from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.

On Sept. 29, computer crooks stole $600,000 from the coastal town of Brigantine, N.J.; seven months earlier, computer crooks stole $100,000 from Egg Harbor Township just 20 miles away. In late December 2009, an organized cyber gang took $3.8 million from the Duanesburg Central School District in Schumer’s home state. In that attack, the bank managed to retrieve some of the money, but the district is still missing roughly $500,000.

The same day as the Brigantine breach, Schumer introduced S. 3898, a bill that would extend EFTA’s Regulation E protections to certain local government entities, including municipalities and school districts. The Board of Governors of the Federal Reserve System is to define which entities are included in the categories of “municipality” and “school district.”

Steve Verdier, executive vice president and director of congressional affairs for the Independent Community Bankers of America, said the thinking behind the current law is that banks can absorb the losses from this type of fraud when it happens to consumers because there is usually a comparatively smaller amount of money involved.

“The bank is probably in no better position to protect against this type of fraud than the [business] account holder,” Verdier said. “Whereas consumers may not be as good a position to protect themselves against these types of losses, you would hope a government or school district would have employee procedures to guard against this type of thing. And if the bank is forced to start making good on these losses, that weakens its ability to serve consumers and they’re going to have to price that risk into all of their services.”

Avivah Litan, a financial fraud analyst with Gartner Inc., said there are a number of promising new technologies that banks can make available to their customers that help guard against these attacks, referring to several products that use specially encoded USB keys to load a virtual operating system on the customers computer and encrypt the keystrokes between the bank and the customer.

“Also, why limit this to schools and municipalities? Small businesses have just as much risk as school districts, as do churches for that matter,” Litan said. “So does that mean that small businesses have more resources to deal with this type of fraud than cities and counties do?”

There isn’t much — if any — likelihood that the bill will be acted upon before the November elections, in which case Schumer will need to reintroduce the bill when the 112th Congress convenes early next year.

A copy of Schumer’s bill is here (PDF).


45 thoughts on “Bill Would Give Cities, Towns and Schools Same e-Banking Security Guarantees as Consumers

  1. Henry Winokur

    Why not just protect everyone, businesses too, and make the mules as guilty as the perpetrators since they’re the enablers of the entire situation anyway?

    1. Yuliy Pisetsky

      Placing all of the burden on the mules will result in a bunch of money mules filing for bankruptcy, but not coming close to recovering all of the money. What’s needed is for banks and businesses to share the loss if all of the funds are not recovered. This will align the incentives correctly for both in doing everything they can to avoid theft. Currently the banks don’t have enough incentive to verify the veracity of transfer requests.

  2. JCitizen

    I think they need a new banking security standards law. Both for the business client and bank side of the equation.

    1. JBV

      I think businesses need insurance coverage for this kind of loss – it is available.

      1. Philip

        Insurance is available for every risk, as long as you are willing to pay a premium that is equal to the maximum covered loss.

  3. Jim

    You folks don’t really believe banks will take the lose hits? Banks will pass the loses on to customers as fees one way or another.

    1. Yuliy Pisetsky

      But in passing the fees to their customers they’ll end up losing customers to their competitors who can keep their costs (and thus fees) down. The incentive to reduce the cost is still there.

  4. Terry Ritter

    “Avivah Litan, a financial fraud analyst with Gartner Inc., said there are a number of promising new technologies that banks can make available to their customers that help guard against these attacks, referring to several products that use specially encoded USB keys to load a virtual operating system on the customers computer and encrypt the keystrokes between the bank and the customer.”

    With due respect to Litan, I dispute that claim. Here, the term “virtual” is being used to add “magical performance” to a technical argument which otherwise could not stand.

    The integrity of a virtual machine depends upon the base machine. If the system is infected, we cannot trust it to construct a proper virtual machine. And if the system is not infected, we do not need the virtual machine.

    Virtual technology does not surmount an existing resident bot. It may, however, lure both investors and customers into yet another disgusting security scam. Much worse, however, is the possibility that magic words will justify and pass otherwise bad law.

    Nothing about a virtual machine is going to isolate the keyboard on the base machine, so bot-based key-logging will still work. Nothing about a virtual machine is going to prevent a bot from getting between the user keyboard / display and the decrypted bank data feed, so fancy bot banking scams will still work. Neither encryption nor authentication can solve this.

    It is possible to imagine an independent and encrypted computer, with both keyboard and display, connecting through a USB port. But the user still must sign onto the bank site, and when they do sign on, a resident bot can do anything the user can do on that site, only much, much faster. Neither a virtual machine nor an external security computer is going to stop that.

    The problem is the bot. The solution is to get rid of the bot. Trying to live with a bot by using “promising new technologies” is just nuts.

    This is not rocket science and it is not new. Depending upon magic to solve our problems does not work in technology any more than anywhere else.

    1. JCitizen

      I agree on USB schemes; but certain VMs that take advantage of hardware virtualization, and are properly set up, could help. I’ve been looking at Invincea’s virtual browser, and I think that would work even if the PC was infected. However, you have to have the proper CPU to be eligible for such solutions; but I also have not yet seen any evidence that malware can presently defeat such mechanisms .

      In fact, I doubt that malcode would be able to detect that kind of VM environment at all.

      1. Terry Ritter

        “I’ve been looking at Invincea’s virtual browser, and I think that would work even if the PC was infected.”

        The Invincea idea is to assume the system is not infected, and then create a virtual machine for the browser. That might contain malware coming in, but does nothing to handle a machine which already is infected. See:

        http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1520609,00.html

        “When a user opens their browser, it would open in its own virtual machine and from there the user could go out and get infected all they wanted,” said Anup K. Ghosh, founder and chief scientist at Invincea. “Any infection is contained to the virtual environment and at the end of that session, the VM gets dumped and all the infections get eliminated.”

        “Drive-by downloads and more sophisticated man-in-the-middle attacks can be detected using behavior-based sensors in the virtual session — not signatures.”

        The problem we fight is a resident bot in the user computer, effectively between user and bank. Yes, the computer is in the middle of something, but that is not the classic man-in-the-middle (MITM) situation.

        Classically, MITM occurs between the computer and a web site (for example, in a “free WiFi” environment). That is handled now by first making an https:// or “SSL” connection, which establishes an encrypted pipe and uses cryptographic certificates to identify the site. Browser add-ons can expose the unexpected certificate changes that allow MITM. Companies generally have VPN’s which can be simpler to use.

        The virtual browser idea may improve sandboxing technology, but it does not appear to address the resident bot which is our main malware problem.

        1. Tim Towers

          The virtual instance will encrypt traffic within the instance, so whilst a compromised host can watch the keyboard, screenbuffer, mouse and network traffic the traffic will be wrapped in an SSL layer which will protect the virtual browser from having its data tampered with.

          Fiddling around with the memory inside a VM from outside may be a theoretical risk, and you can certainly crash the VM but I don’t believe it could be done sufficiently easily, reliably or subtley to be useful in an automated compromise. My personal opinion is that working within a VM can provide effective protection against all the automated attacks that are currently in the wild and the more twisted technical readers here may wish to homebrew a non-intel based VM to provide an additional layer of protection.

          However, the magic does not stop there. Many of the keys with virtual machines on them can actually be used as boot devices which will protect against everything that isn’t built into the firmware (such as the HP ilo (network kvm)).

          I note that the Asus splashtop/Expressgate environment may provide a certain amount of protection by starting up an operating system in a supposedly clean environment but most incarnations use files stored on the main operating system disk so without any signing or read-only protection they’re only safe until someone feels it is worthwhile to exploit.

          1. JCitizen

            Thank you very much Terry and Tim;

            This information makes good sense. I was always assuming one would install Invincea on a “pristine” PC in the first place. The browser session could be compromised after that, but supposedly would revert back to pristine condition after malware attack.

            Since this is hardware virtual machine technology; I would assume the partition containing the original VM would not be affected by the usual root infection of the computer. This is not saying malcoders couldn’t find a way around this, but I would think it would take them longer to bother looking for such targets for attack, and simply go for the low hanging fruit.

            Also, there are good sub-kernel solutions for blocking all keyboard and video activity from malware, and these work at the sub-kernel layer, and with the exception of Snoopfree, which is obsolete, I have not seen any successful attempts by malware to thwart those session protecting utilities. There is no reason why these could not also be running in the VM as well.

            I do not receive any compensation for any brand name mentioned here, I am just trying to foment free discussion of the issues at hand, and point to possible solutions.

          2. Terry Ritter

            “The virtual instance will encrypt traffic within the instance, so whilst a compromised host can watch the keyboard, screenbuffer, mouse and network traffic the traffic will be wrapped in an SSL layer which will protect the virtual browser from having its data tampered with.”

            Almost all banks use SSL already, so the data in transit already cannot be “tampered with” or snooped. So why do we still have a problem? The bot in the customer machine sees the plaintext data outside the encryption. More encryption cannot solve that problem.

            “Fiddling around with the memory inside a VM from outside may be a theoretical risk, and you can certainly crash the VM but I don’t believe it could be done sufficiently easily, reliably or subtley to be useful in an automated compromise.”

            The issue is not necessarily “fiddling around with memory inside the VM,” although I expect that to be both easier and more effective than you apparently do.

            The larger issue is that the VM is constructed by code executing on the existing base machine, which, having been compromised, may not allow an effective VM. Building a VM on a compromised base builds a compromised VM.

            “My personal opinion is that working within a VM can provide effective protection against all the automated attacks that are currently in the wild and the more twisted technical readers here may wish to homebrew a non-intel based VM to provide an additional layer of protection.”

            AFTER an effective and clean VM has been established, using the VM as a sandbox can be effective. But unless you want to re-install the OS every time (in which case the VM does not help), we have to address the issue of a pre-existing bot. We have to get rid of the bot before we can assume the OS will work normally for anything, including constructing a VM. We have no tools which guarantee to detect a bot.

            “However, the magic does not stop there. Many of the keys with virtual machines on them can actually be used as boot devices which will protect against everything that isn’t built into the firmware (such as the HP ilo (network kvm)).”

            Nothing about this is magic. The problem is that Microsoft Windows is easily and widely infected by bots. No other OS has nearly that problem. So if we boot another OS, whether from hard drive, DVD or flash drive, we immediately get a major security advantage. Many Linux distributions directly enable flash drive installation, so no special product is needed.

            “I note that the Asus splashtop/Expressgate environment may provide a certain amount of protection by starting up an operating system in a supposedly clean environment but most incarnations use files stored on the main operating system disk so without any signing or read-only protection they’re only safe until someone feels it is worthwhile to exploit.”

            I believe the Asus environment is just a Linux in a USB flash drive on a motherboard USB header instead of an external stick. To not leave anyone out, I believe one can buy little jumper cables that will connect from an extra motherboard USB header to a little USB socket which one can connect to a normal flash drive which can be taped in place inside the box.

          3. Terry Ritter

            @JCitizen:

            “Since this is hardware virtual machine technology; I would assume the partition containing the original VM would not be affected by the usual root infection of the computer.”

            I am not ready to make any such assumption. VM hardware technology offers *assistance*, not a complete solution. Clearly, the CPU chip itself does not have memory or keyboard and so depends on the outside devices. We cannot simply clone a CPU core and have an independent machine because the CPU is not a full machine. VM support is even less than that. Much depends upon software construction, and we cannot depend upon that in an environment having a resident bot which can call home and get expert help.

          4. Tim Towers

            I feel I aught to mention that there are vendors which sell virtual machines on USB sticks which can be configured by banks and yet remain read-only to users.

            Running a trusted VM from a readonly device is possible. If you don’t trust the VM you can boot from them. I won’t mention company names.

          5. Terry Ritter

            @Tim Towers:

            I feel I aught to mention that there are vendors which sell virtual machines on USB sticks which can be configured by banks and yet remain read-only to users.”

            I am quite unhappy with the phrase “virtual machines on USB sticks.” Virtual machines are built in RAM, and do not exist pristine and separate on a USB stick. Virtual machines must be constructed and supported by the existing OS, and if the OS is infected we cannot trust the construction or support.

            On the other hand, booting something other than Windows is always a good idea from an online security standpoint.

        2. JCitizen

          @Terry;

          Thank you Terry – very interesting! Could you give me a link to an instance where a hardware virtual machine session was compromised?

          I know you can probably detail it verbatim, but I’m trying to avoid high-jacking Brians page here. Thank you for any attention paid to this request. 🙂

  5. jim

    There are, minimally, two unintended consequences of the bill referenced within Kreb’s article.

    #1 is that there will not be any incentive on the part of municipalities or school districts to be accountable for the security of their systems should they not be responsible for the loss. These are government entities that should be expected to create secure environments that protect taxpayer monies, children’s personal information, employee information, and taxpayer information. In contrast to Schumer, the NYS Comptroller, speaking about an account takeover incident indicated – “District officials need to keep a sharp eye on the bottom line. Protecting taxpayer dollars from computer hackers must be a priority. Lindenhurst learned the lesson. Now school officials across the state need to follow Lindenhurst’s lead and focus on cyber security. Criminals are always looking for new ways to break into vulnerable IT systems.”
    Regulating dealings between non-consumer entities results in minimalist relationship structures which are ultimately engineered to meet the minimum expectations. I recommend that banks and their customers work together on a solution.
    Secondly, small to mid-size financial institutions, namely community banks, would be put at a significant disadvantage to the larger institutions which have financial resources to implement processes that provide a PERCEIVED security structure.

    1. Tim Towers

      I would observe that even if the laws indicate that you can reclaim your money you would still have to go through significant pain and suffering claiming it not to mention any reputational damage and having to clean or rebuild your IT systems. I don’t think this ruling will cause any of these groups to spend less time on IT Security.

      It is the nature of humans to keep accepting bigger risks until it all goes *bang*. Even when you see people having problems there is a tendancy to not believe it can happen to you. The banks will be seeing frauds all the time wheras the customers only see it once so it seems to be sensible that the group which has experience in these matters should be the ones to set adequate rules and take the blame if the customer’s funds are stolen even when they follow the rules.

      If this ruling means that the banks with the least effective security policies have to tighten up on their internet banking requirements and pass increased charges to their customers then surely that’s a good thing? The invisible hand of capitalism working for Information Security 🙂

  6. Mike

    Goddamnit America, just implement 2-factor authentication on login and high value transactions already. UBS has had this figured out for years now.

    1. Terry Ritter

      Bots *defeat* 2-factor authentication, even with 1-time external dongles. Improving authentication or adding cryptography cannot solve the malware bot problem, because the customer is relying on equipment which has been made insecure.

      The bot is inside the customer computer and may be in real-time communication with the botmaster. As one possibility, the bot can pass through all the authentication the user provides until the account is open. Then the bot can cut off the user and do what it wants. Many other approaches are possible.

      1. Matt

        While I agree the one time password 2 factor concept is dead and buried the additional mutual authentication method offered by passwindow is not vulnerable to malware on the network, customer computer or mobile. Its also not vulnerable to remote interrogation or instruction attacks which also plague the electronic 2FA field. So while its generally true most 2FA is compromised there is an exception.

    2. Tim Towers

      Man in the browser attacks can defeat 2 factor auth. c.f. zbot.

  7. emv co man

    For over a decade banks have known that adding a photo of the owner to a credit card would cut down on billions of dollars of fraud annually; but the cost of $5-$10 per card couldn’t be recouped from insurance or written off against tax, so the banks have never implemented it.
    Banks and bankers are greedy; they’ll never do anything about anybody else’s losses but their own.
    Let’s hope the Bill goes through, and quickly.

  8. Patrick W. Barnes

    Placing the entire burden upon the financial institutions is a mistake. It has been a mistake to do so for consumers, and doing so for businesses and government entities is even worse.

    Financial institutions can and should implement NIDS-type protections and sane policies to mitigate fraud risks. They do have a responsibility to provide reasonable safeguards to prevent unauthorized access and abuse. When they have done all that they reasonably can, however, they should not be forced to compensate a consumer, business or government entity when the same fails to uphold their end. If they do not have adequate safeguards in place, then they are responsible for any fraud that enables.

    When a banking customer suffers from fraudulent transactions, they have usually made a mistake somewhere along the line to enable the fraud. Somehow, they have been compromised, and usually by preventable error. If they have failed to take adequate precautions, there is only so much their financial institution can do to protect them, and they should face the consequences for their failure.

    Ultimately, both financial institutions and their customers have responsibilities to protect themselves from fraud. It is wrong to automatically place the entire burden upon one or the other. Instead, responsibility must be placed on both to create the incentives for each to take care of their duties.

    Here are some thoughts:

    * Create a threshold for fraud amounts, below which the financial institution is expected to cover most or all of the losses. This is to keep trivial cases from ballooning in costs through investigations and arguments.
    * Establish strict and frequently-revised baseline safeguard requirements for financial institutions. The finance industry is familiar with these. Add them to standard auditing requirements, and when a financial institution fails to comply, fine them. The bulk of the fine can go into a fund from which victims of fraud might be able to recover some of their losses. This fine might even be adjusted based upon the transaction volume put at risk (the size of the bank and the risk resulting from the failure, in essence.) Each institution’s compliance history should be public record.
    * Place the burden of proof on financial institutions. When fraud above the earlier-suggested threshold happens, the financial institution must prove that their required safeguards were in place and that the fraud was not a result of (in)action of the financial institution. If they can prove these things, then they are not liable for the charges, and the responsibility for the losses falls to the customer. If they cannot prove these things, they are liable for the charges and may face punitive action for their failures under the above-suggested safeguard requirements.
    * When a customer suffers from a fraudulent transaction and is forced to eat the losses, they can apply for remedies from the earlier-mentioned fund. This would be an opportunity to include user education or to require the customer to improve their security practices. For example, disbursement of funds could include “free” security software (paid for from the dividends), information for the end user to guide them in preventing fraud (publications, videos, etc.) or increased rewards when the customer can demonstrate knowledge and/or implementation of proper security practices.

    This represents a quick brain dump. Counterpoints welcome.

    1. Terry Ritter

      “When a banking customer suffers from fraudulent transactions, they have usually made a mistake somewhere along the line to enable the fraud. Somehow, they have been compromised, and usually by preventable error. If they have failed to take adequate precautions, there is only so much their financial institution can do to protect them, and they should face the consequences for their failure.”

      I could agree, were the whole problem not based on technical issues not easily resolved.

      The vast majority of customer computers used for online banking run one or another version of Microsoft Windows, and almost all bots do infect Windows. Yet Microsoft does not provide a program to certify a particular Windows installation as bot-free and thus suitable for online banking. When the customer has no means of identifying a problem, it would seem difficult to blame them for not solving it, even if it is in their own equipment.

      We might think, like cars, that computers should be inspected periodically. However, unlike brake failures, bots cannot be perfectly detected, even in a technical setting. Moreover, computers would have to be inspected before every online banking session.

      I would argue that the hardware and software manufacturers bear far more responsibility than users. It is possible to build computers which cannot be infected, and most of the malware problem is due to people not having such computers.

      The current alternatives for actually solving the problem (instead of just manipulating who pays) are just two: either use the banking drive-thru, or bank online using something other than Microsoft Windows. Ideally, customers would use a free Linux LiveCD, which is difficult or impossible to infect, but will never be as nice to use as Windows.

      Shall we have a law which says: “Do not use Microsoft Windows for online banking”? The mind boggles! Nevertheless, the malware bot problem is related to weaknesses in the particular hardware and software design which dominates the marketplace. Why this is not seen as a national security issue is beyond me.

      Nobody likes these solutions. But they are all we are likely to get unless and until the computer hardware industry wakes up.

      1. Patrick W. Barnes

        You are correct about it being essentially impossible to fully protect a Windows computer, but of the parties affected by fraudulent transactions – the financial institution and the customer, who should really be held responsible for a customer using an infected system? I argue that the customer should. It is not the fault of the financial institution. What could the financial institution do to prevent the use of an infected system? Attempt to bar all Windows systems? The economics in play make that an impossible proposition.

        It is the customer’s responsibility to make sure their end is secure. That may mean using a system dedicated to online banking, using live media to boot the system for banking or using an operating system that is less likely to be infected. Whatever the resolution, only the customer can take those precautions, and the backlash against a financial institution that requires such things would be damning to that institution. Customers have to learn how to protect themselves and have to put forth the effort if they do not want to be held responsible when an insecurity in their system or behavior results in a breach. Leaving them with the responsibility when a breach is their fault provides the incentive, and it is only fair.

        With my suggestions above, the customer would only be responsible if the financial institution can demonstrate that the breach was not their fault. The only way to prevent fraud is for the parties at both ends of the transaction to make themselves secure. Making financial institutions pay when the customer fails to keep up their end takes away the incentive for the customer to secure their transactions and completely fails to reduce the instances of fraud, instead fostering the bad behavior that allows customer-end breaches to continue.

        As for the hardware and software makers, I believe that they do have a responsibility, but regulations to deal with fraud should not bypass the customer and place responsibility directly upon those vendors. Instead, customers should be allowed to hold hardware and software makers responsible for security and other matters. If customers make security a high enough priority, they can shift the balance of power to vendors of secure systems. So far, that has not been customers’ top priority, and so the customers should bear the costs of their decisions to favor things like familiarity and easy migration paths. When customers are ready to make security a top priority, vendors will deliver or fall to competitors that will. Let the market forces take care of customer priorities.

        1. Tim Towers

          I have never met anyone who would not fall for a well-crafted spear phishing attack.

          I have never met a system which was capable of running a browser that can do banking but which could not have malware written for it. Even systems which sign all binaries can have interpreted code or buffer overflows.

          I have never seen an antivirus or IDS or any software which can immediately, automatically and reliably identify malware and block it before it has any effect.

          If the above statements are true, the only way to trust a transaction request from a client is to use a trusted system that has not had the opportunity to become untrusted. Even then, the users can be misled, coerced or make simple mistakes.

          However, the cost to the bank of making this a requirement would be the alienation of most customers so it is a better business decision to allow some chance of a compromised client and mitigate the risk through profiling and other mechanisms.

          1. Patrick W. Barnes

            I would argue that there are many people (only a small fraction of banking customers) that would not fall for a spear-phishing attack. Otherwise, your statements are completely correct, hence my point above that financial institutions should be held to maintain NIDS-type protections and sane policies. That applies both to logins and to transactions. For example, if a wire transaction is initiated for a large amount, to a foreign destination or by a customer account that has never used wire transactions, that transaction should be flagged for review by NIDS-type protections. To back that up, the bank could have a policy requiring account holders to notify the bank before they can use wire transactions at all and before they can use wire transactions to foreign accounts. Another policy could require the customer to call in and verify any large transactions. Finally, the institution could include a policy for verification and a delay period for suspect transactions, such as those flagged for the reasons above.

            While these criteria represent some of the most obvious threats, even these basic triggers are not used by many financial institutions. It would be easy to come up with all kinds of other triggers that, combined, could identify and prevent most varieties of wire fraud encountered today.

        2. Terry Ritter

          “You are correct about it being essentially impossible to fully protect a Windows computer, but of the parties affected by fraudulent transactions – the financial institution and the customer, who should really be held responsible for a customer using an infected system?”

          I have actually addressed this specific question in a larger article on my site:

          http://www.ciphersbyritter.com/COMPSEC/BANKMALW.HTM

          “I argue that the customer should. It is not the fault of the financial institution. What could the financial institution do to prevent the use of an infected system?”

          True, the bank cannot detect a bot in the customer computer, and so cannot even ask the customer to get it removed.

          However, the customer cannot detect the bot *either*. Serious bots do not make their presence known, and there is no tool which guarantees to detect them. So what is a customer to do? What choice does a customer have? How can a customer be responsible for what they cannot detect, or even, reasonably, fix? We do not have enough computer repair people to do continuous OS re-installs, which is silly anyway.

          “Attempt to bar all Windows systems? The economics in play make that an impossible proposition.”

          I disagree that it is “impossible.” If mere economics were the only problem, that would be an effective and important solution. Unfortunately, the problem with it is technical, in that the bank cannot really detect what OS is running, if the OS lies. However, the bank might require customers to *agree* to not run Windows online, if they want their stolen money to be returned by the bank.

          “It is the customer’s responsibility to make sure their end is secure.”

          While I am in favor of that, eventually, I think it can only be reasonably applied after customers have the tools to detect bots and fix them. Currently, there is no guaranteed (or perhaps even likely) bot “detection,” and “fixing” involves a full OS re-install (or recovery of a pristine OS image). The tools are simply not there to presume that customers have not taken reasonable care with their banking connection.

          “customers should be allowed to hold hardware and software makers responsible for security and other matters. If customers make security a high enough priority, they can shift the balance of power to vendors of secure systems.”

          But that implies a whole lot of pain over a whole lot of time which we can predict and possibly prevent. The problem was created by the hardware and software design which now dominates the market. Let those guys fix the problem, or pay for it.

    2. Arctic Hare

      “When a banking customer suffers from fraudulent transactions, they have usually made a mistake somewhere along the line to enable the fraud. Somehow, they have been compromised, and usually by preventable error.”

      How do you know this? Is this an assumption or is there evidence to support the claim that customer error is usually involved?

      1. InfoSec Pro

        @ Arctic Hare “How do you know this? Is this an assumption or is there evidence to support the claim that customer error is usually involved?”

        There is clear evidence that the use of online banking is a mistake that enables fraud. If the customer is not set up to do online bank transactions the fraud is impossible, ergo the customer is responsible.

        Admittedly their bank may not give them a choice, in which case their mistake lies in not choosing a different bank.

        Underlying this is the mistake of valuing convenience and efficiency more than security. It is costly and time consuming to do things carefully and securely, so the benefits of online banking are attractive, until the risks manifest as fraud losses. Then the fight about who bears the cost is on…

  9. calandale

    “The bank is probably in no better position to protect against this type of fraud than the [business] account holder,”

    I call bullshit.

    When I make a wire transfer, as a private
    customer for whom the bank would be responsible,
    I have to jump through significant hoops,
    including out of band authentication.

  10. JS

    The fact a bill is proposed shows just how undermined the trust in the banking system really is. It basically says electronic banking is flawed enough to warrant protection to government municipalities.

    Banks are going to oppose it for this reason yet covering it with other excuses.

    There is something systemic here, in that the US wants to legislate into its governmental model that fraud & theft is so common & easy top to bottom!

    It doesn’t address the core problems.
    Corruption, Greed and Apathy by persons who form the basis for banking & other institutions.

    Corruption in this case as most of the money was laundered within the system.

    Greed as the bubble expansion of the 1990s and profit seeking we have “lost” having personal experience betwen business owners & banking.

    Big Banking has been promoting an environment about being a account number and anonymous and covering it with PR. What’s the difference between ZeuS rings and illegal tax shelters & money laundering? The banks promoted the global distribution of such money by the environment provided.

    Apathy by local communities in that they may have forever lost their local bankers to corporate banks. Local bankers could be meet, talked with and reasoned with and were stakeholders in the local community. If the business was hurt so were they and if they so too the business.

  11. Tim Towers

    Patrick, what do you mean by NIDS. I usually assume Network Intrusion Detection System but I assume you mean something that happens within the application logic when transactions are processed.

  12. BradR

    Sorry,
    Pushing the losses onto the banks is not going to work. As someone mentioned earlier, fraud losses for the consumer are much smaller than the losses with businesses. If you really want to see your smaller community banks fail – pass this new law. One of two of these hits will wipe out most community banks dead.

    Most banks make such a small margin on profits, you would actually be shocked. Try 1-2% on Assets and those are for the good years. Compare that with CD rates – where consumers are crying at receiving 1-2%.

    Running a bank is expensive, complicated, and frought with risk. My wife only does it for the challenge – she is an economics buff. We aren’t considered rich or wealthy but we are ok for the moment.

    1. Businesses should disable the ability to ACH and wire with their bank. If they want those functions, it should be manual or have other features such as automatic callback to verify activity.

    2. Everyone take responsibility for their own actions. The bank has secured communications, but we can’t secure your computer. Take the initiative and tell your bank to disable ACH and wire activity on your account. Be safe.

    3. Stop pegging banks as the bad guys, the government created this entire situation by pushing home loans to everyone that could breath and sign their name to a piece of paper. Banks filled the gap, unfortunately – there are bad players in every environment and they took advantage of the situation.

    4. Ask yourself and your neighbor why they want to beggar you. Every time you shop at walmart – you remove jobs from your community and send your money straight to China. No excuses, we are beggaring ourselves.

    5. Pay off your credit card debt and start saving. No more complaining about credit card fees and rates. They are what they are and you signed the paperwork – take responsibility.

    1. JCitizen

      Wonderful post Brad!!;

      And I agree with so many of your points. I do feel the banks need a standard to go by, though; and the help from the government to implement them. I’m not a big government type, but I see a lot of initiatives in Europe where the government helps promote good business with countries in the Euro zone, and assists the businesses in reaching goals. And most of the time they then get out of the way.

      In the US, it seems like government only dreams up ways to hamper business without enhancing their practices or markets. This needs to stop, if we are going to climb out of this economic slump.

      Folks in agriculture know what I speak of – it was called the “ag extension office”. But even it has become an office of welfare, instead of “How to improve my soils and pesticide science; or production selection, and market promotion”.

  13. Andre LePlume

    It’s difficult for a non-insider to know, but one way to interpret this proposal (by a senator from a US state whose economy is so closely tied to banking, I might add) is that the banks see Reg E extension as inevitable and are attempting to head it off with this half-measure.

  14. Marty

    “The bank is probably in no better position to protect against this type of fraud than the [business] account holder,” Verdier said.

    I would disagree. The banks and financial institutions are actually in the _BEST_ position to protect against this type of fraud. It is the bank’s inadequate electronic banking systems which are allowing this type of fraud (aka bank robbery) to occur in the first place, so the best place to start is by fixing the bank’s electronic banking systems.

    As Brian has stated previously:

    “No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system.”

    All the discussion about securing the customer’s interface (i.e. desktop computer) into the bank’s electronic banking systems is mostly irrelevant, since the crux of the problem lies in the the bank/financial institution electronic banking system.

    This comes back to what would be considered “reasonable security” on the part of the bank/financial institution. This involves layered security beyond just network security and data encryption. The most basic and simplest, is to implement anomaly detection in their electronic banking systems. This type of fraud (aka bank robbery) typically is the result of transaction anomalies. Wire transfers at off hours, where all previous transactions were during normal business hours. International wires, where all previous transactions were US only. Security configuration changes, with transactions to new accounts right after the change. Transfer of dollar amounts that aren’t typical of all previous transactions. One time transfers to new accounts, where all previous transactions were to existing accounts. The list of anomalies goes on and on. Bank customers should expect that a bank’s “reasonable security” includes layered security measures like fraud detection where the focus is on a bank detecting and preventing anomalous transactions which result in fraud (aka bank robbery).

    As a result of the banks/financial institutions lack of implementing “reasonable security”, we are left with the need for more federal regulation to ensure banking customers are adequately protected against this type of fraud (aka bank robbery).

  15. PaulJ

    @Marty hits it on the head. The banks should have the technology to do anomaly detection just like the credit card companies do (or purchase and deploy it). If something looks fishy, stop it and notify the customer just like Amex and the others do.

    With all the calls for live CDs and VMs and other hard-for-the-user technology, it’s really odd that simple things like transaction alerts aren’t being discussed. I have a variety of alerts on my credit-union and credit card accounts. I get emails (or texts) when a transaction over dollar-value X occurs, or someone logs into the web interface, or any other number of triggers. If I were a business owner I’d have as many of these alerts as I could, especially for things like ACH transactions.

    1. David

      The customers of the banks have been getting hit and damn hard, yes some of the customers should be doing more to protect themselves and how they do financial transactions onb line, but the banks are just as guilty in this and maybe even a little more so.

      The banks for the longest time have been reducing there staff and steering customers to do their banking thru the ATM machine, thru online banking, thru telephone banking. Why? Well you can reduce your staff if your pushing people do do more of their banking in another form.

      That being said, the banks have known for sometime how these criminals were beating the banks various security procedures when it came to getting their account holders money. What real changes have the banks adopted to lessen the risk to their customers and themselves? Not too much by the looks of things.

      Their are banks whose security seems stuck in the stone age, and others who have two factor autentication security . Even with the latter banks are still being beat bby the bad guys.

      The banks need to put in more procedural checks in their systems when it comes to large ACH transactions and large account balance transactions that seem out of place with an account holders usual buisness. The banks are going to know long before the customer finds this out.

      The banks have to get on this….They are not going to have a choice, they will have clients who will lose trust in doing any online buisness , and not only that they will seem to be one that is lax in security to the potential client. If the banks dont put more check in place and review their security, they won’t have to worry, because the Goverment will slam regulation on them hard and fast.

  16. hhhobbit

    I think the banks may have an issue here. Municipalities and larger school districts while not necessarily always having the staff (some do) to approach this problem at least could make all of the machines that handle the banking move over onto Linux and the rest of the machines, especially those used to handle email (Windows or Linux or Macintosh) not have anything to do with the financial transactions. Split the task of financial off from everything else and don’t let them mix with the other ordinary use machines. By that I don’t mean they cannot be on the same network but if they are on the same network the finance system don’t connect to ordinary systems The finance systems should have vulnerable ports blocked except to the other trusted finance systems, etcetera. If it is an issue of a shared database, have the database in charge of the finances be separate from the control database if at all possible.

    The problem for the Mom and Pops isn’t just logging into the bank. Many Mom and Pops have POS and the effects of Darl McBride and SCO had a chilling effect on the development of POS on Linux. POS systems need the same protection as a desktop system and at least one small business person I talked to has had their POS built on Microsoft Windows infected. I only asked that one small business. Here is all the supported POS for Linux I have found:

    http://www.viewtouch.com/poshome.html
    http://www.novell.com/products/linuxpointofservice/

    The key word is supported. If anybody else knows of any other supported Linux POS systems please contact me and let me know what they are and I will try to list them on my filter blog:

    http://www.SecureMecca.com/Downloads/proxy_en.txt

    My email address is on line 14. It is hoped that the banks and legislative bodies come up with something better for the Mom and Pops than what is there now. This legislation completely ignores them. In addition to not having the technical staff, Mom and Pops frequently don’t have enough machines to dedicate one strictly for finances either. The Mom and Pops are the ones that really need this protection! What is needed is some way of distinguishing whether the business is large enough that it has the staff and resources to go it alone or whether they need some extra protection just like a normal person has. Many haven’t grasped that inherent difference between big, medium, small, and tiny businesses yet. School districts and municipalities are the equivalent of either medium or small businesses depending on their size. But most of the larger school districts and municipalities that are being attacked would be far better off with some methodology to follow so they can foil all attacks in the future than they would be with this legislation which may break the banks. I have nothing to do with banking other than having two bank accounts and one credit union account with almost no money in any of them.

    Since they aren’t going to be able to even have hearings on this until after the election in the US Senate I advise municipalities and school districts who have come up with successful ways to avoid being attacked by Windows malware to show the solutions they have to the senators. I am sorry but I am NOT reading headlines about 25% of the Linux machines are infected by the Tuxnet trojan and 35% of Macintoshes are infected by the Cutt worm. Rather than legislation, showing the municipalities and school districts how to avoid being successfully attacked in the future and having them implement these solutions is what is necessary. I am sorry but I am mandatory on this one: Get the municipal and school districts finances off of Microsoft unless they REALLY know what they are doing. Given the fact that we have school districts and municipalities that are either all Microsoft Windows or mostly Microsoft Windows being successfully attacked is a powerful argument that they don’t know what they are doing. I suspect for every one that has been successfully attacked there are hundreds more with the same vulnerabilities that just by the luck of the draw haven’t been attacked yet.

    1. JCitizen

      Totally agree on your comments on Windows based POS. I’ve seen brick & mortar stores with POS exposed to the net with NO firewall!!! Using (choke) Windows ’98!!!

      This relates to many of my previous comments on Brian’s site about vendor compromise. It isn’t always the guy sitting at home shopping online that gets his personal finance information stolen!

Comments are closed.