08
Jun 11

Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security

A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People’s United Bank. Pacto used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.

Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Pacto’s motion for summary judgment and granting the bank’s motion.

David Navetta, a founding partner of the Information Law Group, said that Patco has about another week to dispute the magistrate’s recommendations, but that it is unlikely that the judge overseeing the case will overturn the magistrate’s findings.

Navetta said the magistrate considered the legal issues and propounded an analysis of what constitutes “commercially reasonable” security.

“Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability,” Navetta said. “The court explicitly recognizes this concept, and I think that is a good thing.”

But Avivah Litan, a fraud and bank security analyst at Gartner, took strong exception to the way the magistrate arrived at the recommended decision, calling it “an outrage.”

“In my opinion, this is frankly an egregious injustice against small U.S. businesses,” Litan said. “It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century.”

The Technology

Ocean Bank relied on service provider Jack Henry to process bank-to-bank transfers, and it selected an authentication process that required customers to log in with a company ID, user ID and password. Customers also were asked to provide answers to three “challenge questions” that would be asked if the system scored a transaction as “high risk.”

The Jack Henry product came with a risk scoring system developed by RSA‘s Cyota, which rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site. Challenge questions were prompted when the risk score for a transaction exceeded 750 on a scale of zero to 1,000 (RSA considers transactions generating risk scores in excess of 750 to be high-risk). Ocean bank also kept track of customer “device IDs,” an amalgamation of attributes from the customer’s PC that could be used to create a unique fingerprint for that machine.

Until 2008, Ocean Bank set its dollar amount threshold — transfer amounts that would automatically require the answer to a challenge questions regardless of the Cyota fraud score — at $100,000. But in July 2008, the bank lowered that threshold to $1. The bank told the court that it did so to enhance security following ACH fraud at the bank that targeted low-dollar amount transactions. After the change, customers were forced to answer a challenge question whenever they used the bank’s system.

The Analysis

Patco’s security expert, Sari Green of Portland, Me. based Sage Data Security, told the court that by setting challenge questions to be asked on every transaction, the bank greatly increased the risk that a fraudster equipped with a banking Trojan would be able to compromise the answers to a customer’s challenge questions. Patco also argued that because the questions were triggered on every transaction regardless of the scoring of the transaction, that system did not provide any additional security.

Navetta said the magistrate considered the question of whether Ocean Bank’s security was sufficient. The magistrate analyzed whether the bank’s security satisfied “multi-factor authentication” guidelines by incorporating at least two of three checks: Something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token); and something the user is, such as a biometric identifier. (Those guidelines were established in 2005 by banking regulators at the Federal Financial Institutions Examination Council (FFIEC).

Navetta said the magistrate accepted the bank’s argument that the password-based scheme used by the bank was multi-factor as described in the FFIEC. “To some degree the court acknowledged that the bank’s security could have been better,” Navetta said. “Even so, it was technically multi-factor as described in the FFIEC guidance in the court’s opinion, and ‘the best’ was not necessary.”

The magistrate wrote that while the guidelines say two out of three of those factors should be incorporated, it says nothing about how banks must respond when one of those factors detects an anomaly. More importantly, the magistrate accepted the bank’s assertion that a device ID satisfied the “something the user has” requirement.

The magistrate was unswayed by evidence presented by Patco’s lawyers that modern malware threats like ZeuS can modify content in the victim’s browser (and thus prompt users for the answers to all of their secret questions). ZeuS also allows attackers to tunnel their communications through a victim’s own PC and browser, an attack method that can negate the value of a device ID as a second factor. Navetta said Patco’s main theory concerning the weakness of the bank’s security was that the lower dollar threshold set by the bank made customers easier prey for predators like the ZeuS Trojan, but that the magistrate was unconvinced by that argument because Patco did not have actual forensic evidence that a keystroke logger was the culprit. The magistrate said Patco erred by “having irreparably altered the evidence on its hard drives by running scans on its computers and continuing to use them prior to making proper forensic copies.”

Avivah Litan said the methods used by Jack Henry to support Ocean Bank were not appropriate to the risks associated with online business banking in 2009.

“Zeus, browser-based Trojans and other modern-day threats are known by anyone following online banking security to circumvent all the methods that were being used at the time by the bank and its processor,” Litan said. “Unfortunately, the 2005 FFIEC guidance referred to examples of relatively crude online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques.”

The FFIEC was on the verge of releasing updated guidance at the end of last year to clarify the new and stronger types of multi-layered defenses required in 2011.  Litan said those updates were expected to explain that the examples of strong online banking security measures which they listed in 2005 have been rendered useless and obsolete by next-generation cybercrime techniques.

“It’s truly disappointing that the much-needed update was never issued, no doubt because of internal politics and disagreements among the regulatory agencies,” she said. “The regulators should not leave these matters in judges’ hands to decide and should protect U.S. businesses from bank shortcomings that compromise the safety and security of their accounts,  just as consumers are protected under Regulation E. In my opinion, this judge did not correctly interpret the 2005 FFIEC authentication guidance.”

Patco co-owner Mark Patterson said the company hasn’t yet decided whether to appeal.

“The one thing the judge mentioned in his decision is that there is basically zero case law on [question of what constitutes reasonable security] for the banks,” Patterson said. “Not anymore. That’s why we’re concerned this could have national implications. Tons of small businesses continue to be at a huge risk for this type of thing happening to them.”

The magistrate’s recommendations are by no means a done deal, even if the district court adopts them. The decision could be appealed, possibly all the way to the US Supreme Court. Interested parties could present further legal argument by filing amicus curiae (friend of the court) briefs at any time during the appeal process.

A copy of the recommended decision is available here (PDF).

KrebsOnSecurity will continue to follow this case and to bring you updates on new developments as they happen. Stay tuned.

Tags: , , , , , , , , , , ,

126 comments

  1. Major implications here … just like ordinary people should not be using credit cards on Internet, when those same cards can be used as debit cards, so should small businesses not be using banking services which can get breached.

    As we have seen here, if the company’s dealings with the bank get breached, it does not matter if the breach was at the bank or at the company, the company is screwed.

    A variation on this is to assume that all the money you have in one bank can be lost in a breach, so do not have a big balance at the same bank as where you will be doing electronic banking.

    Are there insurance policies against this sort of thing? The insurance company sends auditors to your place of business to check your computers. If any of them have badware, your insurance premiums go up.

    • It’s amazing to me that so many people could be so clueless about security. Whomever is in charge of security at Patco is responsible for the breach, because they allowed their users to have local admin rights on their computers. If they were using normal, restricted user accounts, the zeus trojan (and 99.999% of malware in general) could not have installed.

      The court is right: Patco was responsible for the breach. Let’s hope that they learn something from this.

      • Hi Derek, that’s a good point about local admin and it definitely adds to Patco’s liability.

        However, don’t you think a defence in depth principle should also apply here? Given the potential value of the transactions shouldn’t both parties have had multiple layers of defence? Would it be prudent not to bother with seat-belts and speeding limits because air bags should be %100 effective? In situations with significant potential for harm we don’t normally rely on any one thing to protect us – why should we here?

        If you do agree with that defence in depth should apply then some of those defences which were performed negligently by the bank make them at least partly liable doesn’t it?

  2. This is just another clear indications that judges do not understand IT, and legal professionals face an uphill battle through the courts in securing rights for the average person.

    Time and time again different jurisdictions make embarrassing and ignorant decisions like the one above.

    I urge Patco to appeal for the sake of the national and international implications of the ruling.

    • Unfortunately I think in this case the judge made the correct decision, especially with regard to his interpretation of the 2005 FFIEC guidance. Mostly in siding with the bank there is an implication that they are correct per the guidance, but deficient per reality.

      But I don’t think your far off in your statement. It seems that politicians are by and large the ones that don’t understand IT. We have been waiting on new FFIEC guidance for far too long. By the time they do get around to releasing new guidance that adequately secures this channel fraudsters will have already moved on to new methods.

      It would be nice if the judge had decided this the other way, but hopefully this is a wake-up call to politicians to get moving on new guidance.

  3. Keith Appleyard

    With my personal internet banking, in addition to the multiple response questions, I still have to use a Chip Card Reader whenever I add or amend a Payee, and again the first time I make a payment to that Payee. That gives me the confidence that I’m not at the mercy of Zeus.
    I think this ruling is too naive.

    • Even with some smart card chip or any PKI technology, Zeus Trojan is still going to overcome that layer of security, isn’t it? I think only the ‘out of band’ can battle this Trojan. 🙂

      • Clive Robinson

        Alan,

        I have been arguing for out of band systems since before the turn of the century. Although there are a number of systems proposed they mainly use a mobile phone service.

        Saddly with many using smart phones for Internet access such out of band channels are now back in band if the smartphone OS gets compramised (which has happened).

  4. Patco have to fight, bad case law set by some half-whit magistrate is going to make it 10 times harder for the next company who have the “2-factor fight with the banks” issue.

    Additional security questions offer no more security, it’s simply like having a longer password when it boils down to how malware works. The banks know this too, I guarantee it’s mentioned at every conference they go to, and they aren’t idiots., they just have better lawyers.

    Banks have a duty of care, sure guidelines help, but they are no more than baseline guidance. Banks are neglectful of their duty of care if they do not offer OTP based 2 factor auth for significant financial transactions. Even that is not really enough these days with modern malware capabilities.

    One time passwords (tokens or SMS or TAN) are the first generation of 2 factor IMHO, and only prove you have access to the authentication device with a shared secret on it (RSA loosing them is a separate issue).

    You’d be better off burying it in your kids sand pit than banking with banking-jokers that argue that security questions are “2-factor enough” to guard millions.

    Judges need to be telling these halfwit banks & their expensive, “Quit penny pinching and doing the minimum security guidance, get real and provide your duty of care, or just pick up the phone for christs sake!”

    Thats my $0.02 donation.

    • @Pete [IANAL]

      You are correct that 2FA is not being followed and there needs to be a good solution, but the current solutions don’t work. Even before the Lockheed Martin incident and RSA now admitting that tokens are garbage and need to ALL be replaced, users that had tokens for electronic banking have been hit with fraudulent transactions.

      The thieves find what they believe is a good target and there is 2FA involved, they don’t just give up… They redirect the user into a spoofed site for their online bank, have them enter the current token string and credentials as if they would be logging in and then the thieves use all the information to go ahead and make their own session and the transactions start again.

      Until victims become accountable for their own security, banks can’t be held supremely accountable for each and every fraudulent transaction.

      • Agreed, but it’s far better than what they have now & I get your point about overlays, injects and redirection but you cannot side step the issue that the thief will get lucky and compromise the victims machine, no matter how good their rational-level security is, so banks do need to take more precaution with the online channel and I’m sure you agree they are clearly not doing enough.

        Stupid case law won’t help either party improve. Other device soft tokens change the auth game when they use the pin as part of the code generation, especially if the seeds generated in house. I see this as a good step forward for client side. Bank side, is another story.

      • Regarding client side security, this quote from Brian Krebs pretty much says it all:

        “Any solution that does not assume the customer’s machine *is already compromised by malware* stands zero chance of beating the bad guys at their own game.”

        I completely agree with Brian. Financial institutions need to “step up to the plate” with security solutions that don’t rely on trusting untrusted devices (aka the customer’s computer).

        The simplest of these client independent solutions being those that analyze usage behavior/patterns and flag/block anomalies (i.e. transaction amount, day and time of day, recipient, recipient location, transaction volume, transaction velocity, etc.), as well as allowing the account owner to set specific account usage parameters and limits.

    • “Additional security questions offer no more security, it’s simply like having a longer password when it boils down to how malware works. ”

      I don’t believe that is true. The way the system was supposed to work was based on a dynamically generated risk rating. So, normal user login from “trusted” device…only username/password. Login from Russia and untrusted device…additional questions asked. We can argue about how much security it adds, but certainly there is some protection here from basic keystroke logging. If the bank changes this to always ask the questions, then this value is lost. That was a really stupid thing to do and shows a complete misunderstanding of the threat.

  5. The real problem here is that the big banks don’t want to bother with the issue because of volume and the little ones and credit unions farm this out to service providers that don’t want to bother.

    This issue really needs to be addressed at the bank level, restricting ACH transfers to a white list and a phone call to the phone on file both currently and several months ago if changed for transactions that are not usual.

    My credit union is tone deaf on this issue because they farm out the online aspect. Maybe the way to handle it to is force some share of losses on to these providers giving them a reason to go the extra step.

  6. And this is how you end up with regulations, or laws, compelling people to do what they should do anyway.

    OT:From Salon.com
    “Attention Apple users: An advertisement might have pushed malicious software your way ”
    http://www.salon.com/about/inside_salon/index.html?story=/about/inside_salon/2011/06/07/note_to_salon_readers

    Nice to see that some sites are upfront about this sort of thing.

  7. I don’t use my small-town bank on-line. In fact, I don’t have an on-line account because their site will not allow login without setting primary and third party cookies. I tried in vain to advise them that third party cookies were not allowed on my machine. To me, these cookies serve no purpose other than off-site tracking and other mischief.

    • Even in my small town, there are other small town banks to choose from. Keep shopping.

      • “Even in my small town, there are other small town banks to choose from. Keep shopping.”

        Quite agreed. My small town credit union has completely in-house online banking and they are minutely concerned with the security of their members’ online banking transactions.

        Maybe the lesson to be learned here is that credit unions are doing the job better than banks are.

        YMMV.

        • Kudos to DeborahS. + why is this innocuous post being negged? Is this site being patrolled by the banking industry?

          • It seems like all DeborahS’s posts get negged regardless of their content.

          • Probably has to do more with the bank vs. credit union rivalry than with the comment itself…

  8. As has been discussed 99.9% of the smaller banks farm out their online banking to an external vendor like Jack Henry, Harland or FIS. Until these vendors get religion and realize that true out of band authentication is the only way to 100% stop Zeus MITB type malware attacks small businesses face a huge unmitigated risk. The smaller banks need to band together to force the online banking vendors to allow out of band authentication ASAP. Until then all businesses should be using a dedicated PC with Ubuntu to do their online banking.

    • PCI contracts are supposed to spell out responsibilities of people downstream.

      If some or all the actors are being negligent, then either the PCI contracts are flawed, or not being enforced, or not brought into the legal battles to show an obligation not being met.

    • @MaineLou: “true out of band authentication is the only way to 100% stop Zeus MITB type malware attacks”

      Well, no:

      http://news.cnet.com/8301-27080_3-20017762-245.html

      http://www.eweek.com/c/a/Security/Zeus-Trojan-Mobile-Variant-Intercepts-SMS-Passcodes-from-Bank-Sites-480154/

      “businesses should be using a dedicated PC with Ubuntu to do their online banking”

      A “dedicated PC” is more about delusion than reality: As long as a system boots from an easily-infectable hard drive, human error can cause the system to be infected. Since there may be no indication of a problem, and since no scan guarantees to find all infections, even a “dedicated” infected system may continue in use.

      Recovery from infection consists of a full drive re-format and then a re-install of both OS and apps, but even that only works if malware has not infected BIOS flash storage. The better approach is to not get infected in the first place, but training is not going to eliminate human error. The underlying problem is a technical flaw in our hardware boot process which supports infection. We can see that the issue is fundamentally a hardware problem when we address it by booting from DVD, different boot hardware which is more difficult to infect.

    • Clive Robinson

      MaineLou,

      The problem is finding an out of band comms channel that is both timely and genuinely out of band.

      The development of technology in smart phones means that the usual out of band channels (SMS voice etc) are now inband on smart phones.

      We have seen software that can monitor the audio channel for spoken words and DTMF tones and getting access to the content of SMS’s is trivial by comparison.

      Importantly it’s not the session we should be authenticating which is what most of these systems do but the actual transaction.

      And authenticating the transaction has to go through the person to the token, not use the comms device as the token as an attacker can do an end run around the security at the low level of driver shims.

  9. The issue here is not the “unfairness” of the events. It is whether the bank was negligent.

    According to some telling parts the transcript, which Patco disputes, Patco erred by continuing to use their computers, did not immediately image them and had an IT vendor scan and clean them. This destroyed evidence and removed the possibility of linking the presence of the Zeus trojan to the fraudulent transfers. If that’s what happened it’s a real shame. But it’s also quite understandable given the crisis that Patco found itself in.

    Ultimately the case is about the law and the interpretation thereof. What we can see is that the laws need to be updated to accommodate the changed threat landscape. Until that happens a court can only rule based on current law, and that’s why we see decisions like this.

    • Nick is exactly right.

      The court can only deal with the laws that exist and should not be making new laws just because we feel sorry for Patco or because we don’t don’t like banks.

      The banks need to be commercially reasonable, but they can’t save the customers who are negligent with their own IT security.

      • You both missed the headline. The issue Brian is calling attention to is not the fairness of the decision but the magistrate incorrectly assessing 1FA as 2FA.

        • According to my understanding, they did have 2FA. Perhaps not as effective as you or I would wish, but it was 2FA. There is no error in my opinion.

          • According to the court filing they were using 1FA. All were things the person would know not something they would have or something they are. The Jack Henry Premium Product doesn’t incorporate a token or any biometrics. It is clearly NOT 2FA.

            • The argument is that the Device ID was industry standard for the part they have.

              • If it is, then the “industry standard” was created without consulting anyone in the computer security industry.

                That device ID can be trivially faked by a program running on an attacking computer, because basically what it boils down to is asking the attacker “Hey, who do you want to pretend to be?” and blindly accepting their response.

                This also does absolutely nothing to guard against a compromised client computer, which a real “something you have” factor would account for (hint: “a computer” does not count as something you have)

      • Bravo…bravo…

    • As a small business owner, I would not have known to image my computer and would immediately scan & clean to prevent further damage. Where can I find the appropiate measures to further protect our company? At this point, our customers demand Direct Deposit via ACH, so I would be behind the competition if I could not perform internet banking transactions.

  10. Two issues at play here, which really should decide the matter…
    1 – Did the victim company have reasonable security? Half the time the answer is no. Should the bank responsible if you leave your ATM card with your PIN on a sticky note and someone goes and steals all your money? Same thing goes with a computer that becomes compromised because the AV is 3 years out of date, the company doesn’t have any anti-spam or content filtering in place and users don’t have the slightest idea of what a legitimate website is compared to a malicious one.

    2 – Did the bank or Online core processor take any kind of steps to provide the customer with a safe online experience? And these steps need to be done in comparison with what is industry accepted. The bank / Jack Henry did that.

    So the real blame here should be placed on 2 parties.
    1 – the victim company for not having any idea of what IT security is and being too cheap to invest in the money to either in house or outsource IT support that is security conscious (if it was outsourced IT, then that company is to blame for being bad at what they do).
    2 – Why does the FFIEC get off scott-clean? It’s them who set the rules for the banks. It’s them who has the information of all the accounts being compromised. They should step up and release guidance that says banks need to improve their security and provide an avenue for assisting banks to stop the fraud.

  11. The real problem here is everyone is pointing the finger at the banks. While many banks do need to implement real muliti-factor authentication the small business needs to invest some money in their computer security. No one wants to admit this. The end user does hold some responsibility here. Many business have their computer directly connected to the internet or only rely on the windows firewall or the AV firewall only.

    Most small business will train employees on the threat of being rob in the store. They implement security cameras, and alarms. However they do not invest a single cent in internet security. Then they want to blame the bank for their computer getting compromised. I’m not saying the banks can’t do more to help protect the consumer but come on when will the end user wake up.

    • The problem is that the PC (a proverbial Swiss Army Knife) is the wrong tool for the job. What’s really needed is a proprietary banking appliance that does absolutely NOTHING but connect to one’s bank.

      • Given the huge drop in cost of hardware, it makes sense to not be doing e-mail with same device that talks to the bank. By networking the devices, and having good security in the network connections, the data relevant to ACH etc. can be developed on computer other than the device which talks to the bank.

        Similarly info from the bank about ACH etc. received from vendors, goes to device not used for activity which is vulnerable to malware injection. Then bank info to company network to whatever computer is going to process it.

        • Well, a perfect example of just how cheap a dedicated banking appliance could be is the ROKU media streaming device (i.e., Netflix, Hulu, Pandora, et al. ), which now costs just $59.

  12. We need to keep in mind that judges/magistrates are not really qualified when it comes to technical matters. So they must rely upon how such matters would look to the common man to see if what the bank did in this matter was reasonable. In that case, it appears to me that the bank was reasonable.

    In this case, you might say the company had a key to their bank vault, and someone stole the key. Without personal knowledge of the possessor, the bank has to assume the key possessor is legitimate. The bank could have done more toward security, of course, but so could the company. Case closed, until banking industry standards are changed for the better or case law is updated.

    Regards,

  13. This just emphasizes that need for bankers to have a better system. For example, they need to have a system that requires the bank to get in person verification of automatic bank transfers to people that have never been recipients from that account before. Also, to reiterate Brian’s recommendations – use a linux boot CD to do any online transactions.

    • “For example, they need to have a system that requires the bank to get in person verification of automatic bank transfers to people that have never been recipients from that account before”

      So….You think the solution is “in person verification”? That is about as unpractical as it gets.

  14. “authentication process that required customers to log in with a company ID, user ID and password. Customers also were asked to provide answers to three “challenge questions””

    So you login using something you know, something you know, something you know and something you know.

    “Navetta said the magistrate accepted the bank’s argument that the password-based scheme used by the bank was multi-factor as described in the FFIEC.”

    Can someone please enlighten me how this is a multi-factor system?

    • I think the idea (not that it makes it right or that I am endorsing it) is that you have:

      Something you know – Answer to challenge question
      Something you have – Your username/password
      Something you are – RSA’s risk based authentication

      Because the above satisfies the FFIEC Guidance is why we definitely need an update… Multi-factor authentication really needs to become multi-channel authentication.

        • Oops your right, but its still multi-factor authentication as far as the FFIEC guidance is concerned. Hence the need for change is still necessary.

          From the actual FFIEC guidance: “A multifactor authentication methodology may also include “out–of–band” controls for risk mitigation.”

          If they simply changed that ‘may’ to a ‘should’ it would likely go a long way towards stopping this fraud.

          • I think “something you have” was in this case interpreted (wrongly in my opinion) to have been the customer workstation itself:
            “Ocean bank also kept track of customer “device IDs,” an amalgamation of attributes from the customer’s PC that could be used to create a unique fingerprint for that machine.”
            Shoehorning this with something they knew (username + password) was considered a good enough 2FA.

      • Passwords are something you know. Something you have is something you physically have, like an RSA token, a private key, a smart card, or something of that nature.

        Two factor authentication is designed to reduce our reliance on shared secrets as the sole means of verification because people can blab secrets.

    • “Navetta said the magistrate accepted the bank’s argument that the password-based scheme used by the bank was multi-factor as described in the FFIEC.”

      It’s not MFA. More confused people!

      Sadly, the FFIEC 2005 guidance does not require MFA – it requires LAYERED SECURITY, which is quite different from MFA. The FFIEC document was a very confusing read for many financial institutions at the time. The FFIEC guidance document basically discusses Layered Security and then has a whole appendix (a large part of the document) dedicated to providing an overview of MFA. As a result, there was a lot of confusion between the Layered Security requirements and the MFA educational material.

      In the end, Layered Security is what most financial institutions and banks implemented – NOT MFA. This is why we have solutions like the BoF “SiteKey” (i.e. challenge questions, user selected pictures. with some simple client “fingerprinting”) and similar technologies offered by RSA and other vendors. These are not MFA solutions (even though some vendor marketing incorrectly referred to many of these solutions as MFA).

    • If company id, user id, password, challenge questions, all come from the connecting PC, then all of that can be learned by malware infecting that PC.

      There also needs to be pattern of transactions.

      There needs to be a way to register authorized places to pay, how high to pay per day or transaction, which does not go thru the same PC which allegedly is doing the paying.

  15. The unfortunate truth here appears to be: banking system users beware.

    The fact that “commercial reasonableness” is the standard against wich banks will be judged seems to mean the entire industry can stick its head in the sand and the mass action will appear to be “commercially reasonable”.

    Perhaps the tables should be tunred and the small businesses of the world should be absolved of liability if the steps they took to defend against fraud were “commercially reasonable” i.e., consistent with what the majority of other small businesses do. Who is lobbying for that change in law? I’ m sure I can guess who is lobbying against such change–the bankers with their far-deeper pockets.

    • Your first sentence is exactly right.

      This has been true long before there were computers and long before there were banks. There have always been conmen and there always will be and they are always at least one step ahead of society.

      People need to take responsibility for their own property, and in this case it means having appropriate security on their computers if they are going to do internet banking.

      In case you haven’t noticed, the FDIC is closing multiple banks per week because they are losing money. This deep pocket thing is a horrible myth. It comes from people not wanting to take personal responsibility. If you force the banks to be perfect instead of commercially reasonable, you won’t have any more banks. Not even BofA, JPM or Citi can provide perfect protection for all customers, including the ignorant ones who refuse to pay a pittance for internal security.

      • Agree that ignorance exists both on the banking and customer ends. The customers in this case were stupid, but then, so was the bank. It just seems to me the banks have an unfair advantage in this case since the standard to which they are being held is “commercially reasonable” while the customer is held to a different standard.
        Why the different standards? My hypothesis is: the big banks are able to afford better legal representation and more effective lobbyists; therefore, the laws are tilted in their favor.
        I’d like to see action to level the playing filed a bit more –make both parties take responsibility for their failure to adapt to the environment in which they are now operating.

      • @Carl your argument is overly defensive I feel. Do you work for a bank with an on-line presence with these weak authentication practices* by any chance?

        *(security questions trivially key logged by any malware in the last 5 years)

        • My institution does not use these processes, and I agree in today’s terms, they are extremely weak. I am not defending the effectiveness of the processes. If the FFIEC would address this thoroughly, we might have less weak practices as the industry standard.

          My point is that most people have no idea how many of these attacks banks stop and how hard they work and how much money they spend to stop them. We also work very hard to educate customers, but every single customer who has had problems with account compromise at our institution has clearly not listened to any of the advice that is put out and has had little or no effective defenses as well as having completely unsound security practices. Of course the customer is negligent and fully liable if they won’t take the most basic steps to protect their IT assets. How can a business not be responsible for protecting its IT assets?

          It seems people think the banks are gladly sacrificing the security of people’s accounts, which of course is the exact opposite of the truth. There are a lot of people in the IT Ivory Tower – It ought to be falling over. It is clear they don’t deal with the real thing or they imagine they have more power than they do.

          • That’ll be a yes then.

            “gladly sacrificing the security of people’s accounts” – not at all, I have the greatest respect for banks with robust security.

            You surely agree that password+questions auth is deficient in this day and age where banks are advised widely in security circles to assume the customers PC may well be compromised despite reasonable efforts & good protection levels of AV and OS firewalls?

            Allow me to flip the coin a second. Banks love the on-line channel because it’s cheaper than brick, mortar & human channel. Why don’t they protect it as appropriately as they do their retail premises? Physical presence, physical ID, behaviour, request type, physical responses, knowledge of the account are all commonplace. 12345%^|Fishes|Wanda|Springfield – Is a low bar & hardly an equivalent security comparison is it? Cheaper, granted.

            • You’re not reading well. The answer was not ‘yes.’ I said my institution does not use those practices.

              I think you are too unaware of the realities and actualities in the field.

  16. True muliti-factor authentication can be spoofed. Just because the bank requires a physical security token or even uses Phone Factor. The fraudsters have already proven they can fake the text message or intercept the text. They can even get the one time PINs from a security token. If this kind of authentication was more wide spread it may reduce how often this type of fraud will happen. It will not prevent it. Also there is no one thing that will prevent fraud. Sure the bank can call a customer on every ACH but verification by phone will not hold up if the person/company comes back latter and says I did not authorize this ACH.

    The fact of the matter is the fraudsters are better at getting past security than the people entrusted to create secure websites or systems. Most people feel “I have a fire wall that will stop any threat”. Security is layered. Internet security is lagging behind the threat. Security is working in a reactive state. We wait for a new threat then respond. It needs to be the other way around.

  17. Thanks for the clear and objective reporting on this topic. I’ve had to chuckle a bit at the IT security pundits jumping on this event in order to command a soap box for/against a particular view of on-line banking security and what banks are/aren’t doing right.

    Not to be left out, I compiled some thoughts about the potential for a similar demand for improved on-line authentication technology as what was experienced in late 2005 after the previous FFIEC guidance was issued here on my blog: http://bit.ly/kQYN8G

  18. While Banks are not responsible for the security of a customers computers or networks, they do share some responsibility for the exposure if they do not offer the customer the choice of saying no to online access.

    Very few financial institutions I am aware of allow a customer to not have online access to their accounts, they do not allow complete disablement of online bill pay or ach transfers.

    Worse yet, more and more financial institutions are inexorably transitioning their customers to online transactions exclusively, both on the personal level and business level, and they are beginning to institute fees and guidelines to encourage such, without setting mechanisms in place to safeguard the assets of their customers from this exposure.

    • Amen. This is another case that shows the imbalance of power between the banks and the consumers. Consumers are faced with accepting a unacceptable situation because the alternatives are limited (at best).

      Perhaps it is time to start a bank that DOES provide alternatives…would a free market move its business to a bank that offered a greater degree of customer protection? What do all the MBAs out there think?

    • “While Banks are not responsible for the security of a customers computers or networks, they do share some responsibility for the exposure if they do not offer the customer the choice of saying no to online access.”

      Really? You do have to option to say not to online access. Do not apply for online access. Do not apply for access to ACH transfers. Do not apply for bill pay.

      I understand that some people can only interact with their bank online. In most cases this because they no longer live were the bank is. People get new jobs in a different state and don’t switch banks anymore. If you do not like this find a bank where you live.

  19. True muliti-factor authentication can be spoofed.
    Incorrect.

  20. My $.03 – not a lot to say, except that I hope the judge in Experimetal recognizes he is in a unique position to set a tone by being brave and splitting the decision down the middle. Until all stakeholders, customers, banks, and I would add – telecom providers, get some skin in the game, relationships will not be built, working together will not happen, and only the badguys, attorneys and charlatan vendors will get rich.

    • Jim,

      When telecom providers start meddling in your traffic on behalf of the govt, you need to worry. The last thing I want is big brother telecom or the govt. flipping bits in my Internet stream. People would switch to SSL, and I guarantee legal MITM would be common-undermining the whole foundation of commerce on the Internet.

      Charlatan Vendors?
      It is the responsibility of the buyer to be educated when buying security gear. If you don’t know the problem you are trying to solve, then dont complain when the solution doesn’t work. Would you buy a car you have never test driven?

  21. Both sides of the issue need to be strengthened.

    The FFIEC guidance was a joke when it first came out, and most banking executives insisted that 2FA would never be accepted–when the reality is that they never wanted the headache, cost, or expense of maintaining a 2FA system.

    The end user does need to take some responsibility or industry needs to standardize on TPM or some other trusted platform, because most end-user machines have malware on them, and banks cannot be expected to secure these infected endpoints. Without a trusted environment no transaction can be safe.

    Stopgap solutions like Trusteer work for now, but a hardware solution is the probable best solution. Perhaps we can get rid of the vulnerable mag stripe on cards at the same time.

    • Don – I don’t disagree with your comments, in fact, we may share the same perspective that the government should stay out of it. I believe customers should be speaking with their bank (ask what you are getting), banks should be talking to their customers, and telecom providers should shut down garbage when they see it on behalf of me, not the government. As far as charlatan vendors- we agree there as well- no comments on attorneys?

      • Jim,

        I stand corrected, then. My big fear about “clean pipes” is that the government is already asking telcos to provide them-and the ideas they are talking about are not for specific entities or industries like finance or utilities. The FBI recently got permission to remove infected computers from networks.

        I think this is a VERY slippery slope. As broken as SSL is, I dont want another excuse to intrude. As I said before I believe that govt snooping could undermine what little private communication is left on the Internet, because legal SSL eavesdropping would become routine.

        BTW, lawyers stink. 🙂

  22. Michael Mather

    If a robber robs a bank, it is the bank’s money that is gone, not the customers’. This is because the bank is responsible for security. Period. The customers know nothing about how to make the banks more secure.

    With on-line banking, ditto. The banks are responsible for security. If someone uses malware to steal your password, that is still the bank’s responsibility. If the bad guys use your password to steal the money in your account, that is the bank’s responsibility. You didn’t withdraw the money, so it should still be in the account, and the bank should make it good. Only the banks are in a position to make things secure.

    Now, they might have to take some strict actions to enforce that security. For example, maybe they should provide you with a special thumb drive that you have to boot from to do banking. Maybe that thumb drive can do cyber security. I don’t think it would be hard for experts to come up with a secure system.

    But that would never happen until it is the banks that stand to lose their money. And, when they do stand to lose, they will move on the issue.

    I think it is ridiculous for individuals to be expected to keep their computers secure, especially with the insecure software that comes with any computer you buy.

    • @ your answer to a thumb drive that is for banking . It is already on the market as you described and this drive is for that propose. I not here to sell or advertise a product and would not disrespect brians blog for free advertisement.

      • The problem with a thumb drive (vs a CD-R) is that it’s somewhat trickier to make it read-only. If you successfully do that in a way that no hacker can undo, you essentially have the same solution as a read-only LiveCD. The advantage of using CD-R media is that the hardware prevents any writing to the media. So you can use your installed software to access the internet and type or paste anything you want to into the browser, but it won’t be possible for any malware of any kind to install itself in your operating system and hijack the operation. (Or intercept the data you enter, etc.)

        • @deb there is on the market now a flash drive strickly for banking and it prevents all kinds of attacks malware ect .

    • While not agreeing with your basic premise that the bank is liable for my mistakes or omissions, I concur with your idea of a single-purpose booting device (could be a thumb drive or a CD-R). However even that is not a bank’s responsibility. I think this attitude is part of the general malaise of not taking responsibility for one’s own actions.

  23. Perhaps there is a way to do authorization through the web interface without ZeuS being able to spoof it easily.

    For instance, normally a captcha doesn’t help, because ZeuS simply relays the captcha and the user’s solution to it back and forth.

    But what if it wasn’t a single question? Imagine an array of images and multiple choice captcha questions that ask the user question confirming details of the transaction that has been requested. ZeuS can’t answer them correctly because ZeuS is asking for a different transaction than the user. It can’t simply transmit the same answer the user chooses, and if it’s captcha that requires a choice among multiple images, it’s going to have trouble picking the correct wrong answer. The images in the array would be loaded into the software by the individual bank branch rather than coming preloaded as part of the software, to make it more difficult for ZeuS to recognize images. To be most effective, the questions themselves would be in images rather than plain text:

    If this is a deposit to checking, click the cat
    If this is a deposit to savings, click the horse
    If this is a withdrawal from checking, click the house
    If this is a withdrawal from checking, click the tree
    If this is a bill payment, click the mailbox
    If this is an employee direct deposit, click the flagpole
    etc

    Once the user has chosen an image from the first array, the bank then asks him/her to choose a range of amounts for the transaction, with the limits of the ranges varying with each transaction and presented in random order. They would specifically NOT ask the exact amount, as ZeuS could then simply substitute the number the user entered for the number it recognizes as the one it transmitted:

    If the amount is between $501 and $725, click the dog
    If the amount is between $1576 and $4550, click the truck
    If the amount is between $0 and $500, click the daisy
    etc.

    Then the user enters a password and if there is a key fob authentication, it would ask him/her to choose an image based on what the authentication number is.

    I don’t know enough about these transactions to specify the exact questions, but certainly bankers and business owners in a community could come up with something that would be difficult for criminals in Eastern Europe to defeat, especially if the specific details were different for every bank.

    • hmmm very intresting idea…

    • Unfortunately, I don’t think this would be a hurdle significant enough to overcome. It assumes ZeuS or alike being difficult enough to code to recognize images. The past shows they have access to talented, ethics lacking programmers and they got away with hundreds of thousands of dollars in many heists, sufficient incentive not to back-off. Besides, in my understanding, they can take over completely the victim screen (maybe during lunch break or when detecting there is no local activity for longer time) and do it interactively, especially if no key fob is required. I consider the following 2 ways to offer a comprehensive protection:
      1. As suggested by Brian, Terry Ritter and others, get rid of the bot. Use a LiveCD distribution or, to the very least a dedicated computer.
      2. For the banks end: Introduce total out of band authentication solutions for instance via SMS to a non-smart phone (maybe even a dedicated device distributed for this purpose, the same way fob keys are). Make sure the authorization code generated includes (parts of) the destination account number and the amount. changing the amount or the destination in the background by Zeus would automatically invalidate the authorization code.
      Combine the 2 methods above for maximum protection.

      • Image recognition ability is one of the reasons I would want things as locally-oriented as possible. And given the amount of money involved, it’s not unreasonable for banks to actually offer their customers a choice of image photo albums that they feel comfortable recognizing.

        Could a computer distinguish an iris from a hyacinth, a monarch butterfly from a swallowtail, a Blackhawks logo from a Braves logo, the mayor of my city from the school board superintendant? I could. I might be incapable of distinguishing other types of similar images, like the starting lineup of the local baseball team, that others would easily identify. The images would be chosen from albums the customer had chosen, and the images in the album would be assembled by the local bank branch, using a GUI that would allow them to crop and resize images they loaded into the program from any source they chose.

        • @AlphaCentauri: “Could a computer distinguish an iris from a hyacinth, a monarch butterfly from a swallowtail,”

          I think you are missing the point: NO MATTER WHAT THE AUTHENTICATION MAY BE, there comes a time when it has succeeded and the bank trusts whatever comes down the line. Or the browser trusts whatever the user is typing. With a bot infection in place, that line or keyboard may be under malware control.

          As soon as the authentication succeeds, NO MATTER WHAT IT IS, the attacker is into the candy store. The idea that the whole problem is a matter of poor authentication is just another banking delusion.

          Any computer with a bot infection is vastly insecure in a plethora of ways going far beyond online banking. Locally stored email, online stored email, other online accounts, every file on every drive, possible changes in dated legal documents: the issues go on and on and on.

          The problem is the bot. The solution is to not have a bot.

          Unfortunately, computer manufacturers have given users no way to certify that their equipment is clean and suitable for online banking. How can users possibly be held responsible for something the manufacturers themselves cannot guarantee? How can equipment suitability for intended online use not be considered part of the problem?

          • “How can users possibly be held responsible for something the manufacturers themselves cannot guarantee? How can equipment suitability for intended online use not be considered part of the problem?”

            Actually, I’ve been persuaded by you and Brian that the client solution for business online banking is to use LiveCDs that can’t be written to. That seems pretty foolproof to me, unless you are arguing here that anything less can not be guaranteed safe, and that I’ll agree with.

            “The problem is the bot. The solution is to not have a bot.”

            That I’ll also agree with, and it’s the only genuine solution to the problem that I can see.

            • Clive Robinson

              DeborahS,

              Live CD’s are not a foolproof solution.

              Firstly we have to accept that all comodity OS are vulnerable, and this increases with time since the OS was released.

              This means that the Live CD OS is vulnerable to infection after it has booted just like any other OS. The only difference is that when you turn off/reboot any installed malware gets wiped.

              Now we have seen clean instals of OS’s when connected to the Internet being compromised well within 5mins of being connected…

              For a small business the chances are they would leave the live CD booted PC on all day and do transactions as and when they come up during the day.

              This unfortunatly means not only can the Live CD system be compromised but more importantly any forensic evidence of infection gets wiped on turn off / reboot.

              • Well, of course. No tool ever performed any expected task simply by being present. You have to use the tool correctly to get the desired result.

                So while I can agree with you that a Live CD or DVD OS is not by itself a foolproof solution, particularly if you use it in the same ways that you use a permanently installed OS on writable media, it still can be foolproof if used correctly.

                And the correct way to use it is to access your financial institution immediately after bootup, and reboot or shutdown immediately after. Or, to remove the unwritable DVD from the drive immediately after bootup, but this only protects against the types of malware that need to write to media to successfully attack.

                “Now we have seen clean instals of OS’s when connected to the Internet being compromised well within 5mins of being connected…”

                I’ve seen this claim made, but I have yet to see a convincing explanation of exactly how this happens on a clean system with no interaction from the user. If the browser is clean and hasn’t yet connected to the internet, nor has any other internet-enabled software connected to the internet, how could malware of any kind get into the system? Where’s the transport mechanism?

                Now, if the user does open an internet-enabled application and connects to a dirty remote site, or software on the system is somehow already dirty, then you have an explanation. But it’s not simply being connected to the internet on a freshly installed OS.

                “For a small business the chances are they would leave the live CD booted PC on all day and do transactions as and when they come up during the day.”

                And if they did this they would not be using the Live CD or DVD correctly, since the correct use would require that the Live CD or DVD be freshly booted immediately before accessing the financial institution, and rebooted (or the machine shut down) immediately after. If access to the financial institution is required several times during the day, the simple solution would be to have a dedicated machine that is only booted up and used for financial transactions, and shut down immediately after each one. Considering how inexpensive computers are these days, and how simple a system would be needed, this would be very cheap insurance indeed. At least I’d gladly spend a few hundred bucks to protect hundreds of thousands of them. It would also be pretty easy to write in controls that would automatically shut the system down if it wasn’t used within x minutes of bootup, so you wouldn’t have to rely on flakey humans to remember to do it.

                I can however imagine one scenario in which the LiveCD or DVD could fail you. And that would be if malware was lurking on the website of your financial institution that could infect you just by connecting to it, and run in your browser with no need to write to media. The solution to this, I think, would be to have a browser that is so stripped down, or at least so uncommon, that the malware would find no toehold to infect you. The old @browser comes to mind, but your financial institution’s website would have to be similarly simple in construction for that to work. But I imagine that could be arranged.

                • Clive Robinson

                  DeborahS,

                  Although I personaly have not seen a PC owned in 5mins I’ve actually had it happen to a system I was installing in about 20mins.

                  It was a few years ago but it was a salutary lesson. The system was at a company that had what was for the time a nice new shiny Internet connection from a “cable supplier” For legacy reasons (ie software supplier did not support the latest OS version) the company wanted Win2K installed.

                  Well I installed it and because I did not have the patches with me (I was expecting to install the latest OS) and the company sysadmin couldn’t find theirs and was in a hurry he elected to download from MS “live”.

                  The attacker we now know was sweeping the IP addresses of the Cable Provider and when new systems poped up attacked them automaticaly. They got in via a vulnerability in the OS not the browser.

                  Admittedly these days commodity OS’s are a little tougher to crack (or so we ar led to belive) and most security news suggests that malware gets in via bad browsing habits, but this old attack route classes still work if you have an exploit.

                  With regards “bad browsing” habits, people often forget that there is a gap between the human typed in domain name and the actuall IP address fetched. There are a number of tricks that can be used to break this and also break routing. Some require the attacker to have a machine on the network, some require to be upstream at the ISP’s or higher network.

                  It annoys me sometimes how certain organisations are quick to blaim users when infact there is little the user can do period.

                  A number of years ago I pointed out that the Banks were in many ways to blaim by making tiny increments to security of their systems. What they were actually doing was training the attackers into better ways of attacking by making the step size small enough for the attackers to climb up.

                  It is fairly clear with hindsight that no bank want’s good security as long as they can externalise the loss onto the customer. I could trot out a lengthy list of reasons but I will leave that to others.

                  • Clive Robinson,

                    While I am always the first to admit that there’s very much I don’t know, it does seem to me that the attack within 20 minutes of connecting to the internet you describe was very much an artifact of Win2k’s standard issue firewall, if it had one at all. I’ve never used Win2k, oddly enough, so I don’t personally know. But modern firewalls close the ports that hackers can use to spot new machines “popping up”, for that exact reason. The user can open them later, if desired for some reason, but the standard configuration is for them to be closed, or in stealth mode, where they can’t be detected by an unknown attacker.

                    Nonetheless, internet connections have an ungodly number of ports, and it certainly is conceivable that an open one could be found and abused. This suggests that for a dedicated banking machine, one would want to close all ports except http and ssl, and block all communications with IP addresses different from your financial institutions’. Actually, it seems to me there could still be more to work out if the banking machine is part of an internal network, but if the value of the assets you want to protect is sufficiently high, it should be possible and worth it to identify exactly which ports and which IP addresses are needed for transactions, and lock down everything else. Remember, this machine will only be active for a matter of minutes at a time, for one and only one purpose.

                    And I would use a stripped down browser, with as little attack surface as possible, preferably none, and enter web addresses as IP addresses, which could easily be copied and pasted by the person doing the transactions, maybe even hardcoded into the browser, if you rolled your own. But blocking all IP addresses except the bare minimum necessary for transactions really should eliminate any man-in-the-middle attacks.

                    We can certainly argue for as long as we can stand it that banks should be more responsible for our security, but as you point out, they are very unlikely to have a financial motivation for doing so. This is another thing that many credit unions have in their favor, that they exist to serve a community first, and making money is mainly to provide for that community and give back to it, not to enrich individuals first and foremost.

                    But ultimately, whether you do business with banks or credit unions, your assets belong to you only. So I would come down on the side of the asset owners having primary responsibility for them. The question of how to do that however, is a big one. And the questions of how business is conducted among partners who can’t or don’t want to take on that responsibility are still largely unanswered.

          • @Terry Ritter,

            I realize that the bot controls the transaction and transmits whatever answer the legitimate user chooses. But the idea is that the *question* is wrong rather than the answer. If the user requested the bank to transfer money from a savings to a checking account but ZeuS requested an ACH transfer, then when the bank says, “Choose the cicada if this is a transfer from savings to checking, choose the scarab beetle if this is an ACH transfer,” when the user chooses the cicada, ZeuS can transmit that reply, but it will still be the wrong answer for an ACH transfer.

            I agree that a live CD is a good solution. But there are two problems. One is that currently the user must take that initiative. With my idea, the users don’t have a choice because it’s intrinsic to the web transaction. The second is the ethical issue of a solution that protects the elite who understand how to boot in a different operating system but allows everyone else to remain vulnerable. If miraculously everyone started using live CDs, how long would banking trojans continue to be Windows-only problems? How long before social engineering emails started to arrive spoofing banks and telling people to burn a malicious file to CD to use as their live CD? How long before malicious CDs began arriving in the mail like AOL discs, with spoofed bank letterhead warning people to start using them?

            • @AlphaCentauri

              “I agree that a live CD is a good solution. But there are two problems. One is that currently the user must take that initiative. With my idea, the users don’t have a choice because it’s intrinsic to the web transaction. The second is the ethical issue of a solution that protects the elite who understand how to boot in a different operating system but allows everyone else to remain vulnerable. If miraculously everyone started using live CDs, how long would banking trojans continue to be Windows-only problems? How long before social engineering emails started to arrive spoofing banks and telling people to burn a malicious file to CD to use as their live CD? How long before malicious CDs began arriving in the mail like AOL discs, with spoofed bank letterhead warning people to start using them?”

              Please let me know if I’m putting words in your mouth (that you wouldn’t agree to), but it sounds to me like you would be in favor of the paradigm shift in operating systems and software that we were talking about a couple of months ago. I’m supposing that because it sounds like what you really want is for the operating systems and software that people normally use should “just work” – ie, be safe – out of the box and with no special handling required.

              In that discussion we seemed to agree that the operating systems we have today, and in fact the entire operating system paradigm we currently have, is inherently insecure. They can be successfully attacked and there is no real remedy for that.

              Nick P had some excellent points about a secure general purpose OS he knew of from the 70s, and some dedicated purpose OSes currently in use that he thinks are secure (or potentially could be secure, I don’t clearly remember which one he said). But as I recall, the one feature of these systems that would have to be in a new paradigm for a secure OS is that they would be far less feature-rich than the OSes we use today. In principle, I agree with that. If you want a lean, mean computing machine with no attack surface, then it will not do as many things as we’ve come to expect our computers to do.

              So the question is: what do you want? A feature-rich computing environment frought with peril, or a clean, safe system? In principle, I don’t see any reason why we couldn’t have both, and maybe the newbies should be steered toward the safe one, but that’s the trade-off.

  24. At the end of the day, all of these cases were the result of a human being compromised, and the system was not smart enough to know it. Short of handing our driver’s licenses and requiring defensive driving courses for end users, the best solution is to assume the worst, malware at the endpoint. Although I do care if my personal information, health records, or kids info is on the computer that belonged to the unpatched human, I would focus on educating the bank acct holders to do daily reviews of their accounts, and ask that banks conduct intraday monitoring for suspicious behavioral activity to at least, stop the money from going out the door. And both parties should constantly be speaking and educating each other.

    • Agreed, industry absolutely needs more communication as “the good guys”, as well as increased customer communication and outreach.

      Unfortunately, people seem to think that they are not responsible for their own computer security.

  25. One of the first issues (of many) that I am curious about is why did PATCO’s attorney’s miss the first step in the process of any computer related situation?

    The magistrate said Patco erred by “having irreparably altered the evidence on its hard drives by running scans on its computers and continuing to use them prior to making proper forensic copies.”

    • When a company management discovers it has a security problem, what is the first thing it does?

      Calling a lawyer is not the first thing.
      Calling the police is not the first thing.

      Local IT may say that outside IT assistance would be advisable to expedite repairs, due to constraints on our budget, and past differences of opinion regarding wise security measures. In any case, IT is not being told to preserve evidence for some law suit that is not yet on the radar screen. IT is being told to fix security, so the company can continue operating, but without the breach continuing.

      Everyone is told to change their passwords, which does not help with infected PCs. More vigorous checking of security on all corporate machines, than usual, is conducted to identify any infected, starting with those directly involved in the breached data.

      The company tries to stop the bleeding of the security leak, it tries to figure out what has been lost or corrupted, it looks up the law rules to find out if there is breach notification obligation. Maybe PR is needed to mitigate shame.

      It is only when the bank fails to return all the money, that the company calls a lawyer.

    • Clive Robinson

      4n6pc,

      It is not clear what the magistrate actually ment, or why.

      Also it is entirely possible it was not done as a deliberate act.

      If you think about a small company that is vaguely security aware they would run scans and cleanup malware on a very very regular basis.

      Thus it is entirely possible that a company could run a virus or other checker on say a thursday lunch time and do it without yet being aware there has been a security incident that happened that morning or since the scan the week before.

      The only way around this is every time before you run a scan you do a full bit for bit forensic drive image. In the unlikley event the scan detects a real significant anomaly (not one of a myriad of false positives) you have in theory a suitable forensic image. However you have to keep these going back quite some time due to the built in failings of most scanners, that they can only look for malware they know of.

      As most will realise this is not practical in the majority of cases.

      The fact that the legal proffession is well behind the curve on computer forensics as are many forensic practitioners is negligence on their behalf.

  26. Keith Appleyard

    A large proportion of respondents seem to be blaming the customer. You presume a higher level of technical intelligence than the average customer possess.
    I’ve had friends & colleagues express concern to me that they can ‘share’ Chip Card Readers – they think that makes them somehow ‘weak’, and they all ask why can’t they be given a personalised customised Chip Card Reader unique to themselves?
    If they can’t appreciate that the individual Card + PIN gives them a unique identity, how can you expect them to make a value judgement on what I consider to be laziness on the part of the Bank. They assume the solution provided by the Bank is fit for purpose because the Bank knows best, just the same as they trust the Brakes on their new Car.

  27. Security questions are “Something the user knows”. This is not real two factor authentication… My company needs to use RSA key fobs + passwords for two factor authentication for sensitive data. It clearly would not fly with a PCI compliance audit for us to ask a security question in addition to a password.

    That being said, the customer shares in the blame for having a compromised system. However, if the court case is about whether security questions are two factor, they’re not.

    • I don’t think I can agree fully with degree with which you put responsibilty on the user. Zeus isn’t all that is used to steal banking info. AV programs cannot even keep up with Zeus (which is only one of several info stealers) and they have far more than that to detect. My Symantec AV is checking for updates every five minutes and there is still stuff it cannot detect even after weeks. Now the hackers have jumped to attacking Macs. So what does Apple do? They give advice on how to remove MacDefender after it has already been installed. That should be given but it should be last. First Apple should make it so that all user accounts require an elevation password to install into privileged system file space no matter what user account is used. Second Apple should confirm that the advice given on how to turn off auto-open of package install files in Safari is needed. Newly created user Safari configurations should make that the default. Get the idea? About the only system immune to most malware any more is some Unix system (I don’t define Macintosh or Linux as Unix). But even there, other ways of enhancing security are welcome as long as they work on them. But if it only works on Windows you are enforcing the least secure platform is the only one that must be used. How is that the fault of the user if they want to use OpenBSD instead and can’t because these enhancements don’t work there? Maybe online banking just isn’t practical any more for small businesses. New legislation is needed, especially if banks and credit unions can do some of this protection easily. I cannot understand why banks cannot put limits in place on ACH transfers. As an ordinary person I am warned when something goes over the limit. If I can be warned, why can’t a small business be warned? They should at least have the option of setting warning limits with an option to block the transfer for a given time duration when it goes over the limit.

  28. There seems to be a couple of legal principles that are inconsistent with the interim ruling.

    Firstly, prevailing practice is only one principle that applies. There is also the balance between the cost of preventative measures and the potential exposure to loss. In the TJ Hooper precedent
    (http://itlaw.wikia.com/wiki/T.J._Hooper) where a cargo was lost for lack of a radio, Judge Hand took the view that the cost of a radio was so small, the value of the cargo so high and the likelihood of storms so common that to operate without a radio (even though prevailing practice at the time) was negligent. So here, the issue of what guidelines were published from who could be irrelevant since the value of internet banking was so high, the cost of a token so low and the likelihood of internet threats so common…

    Secondly, the entity most able to influence the risk should be the one that is liable for failing to control the risk. In this case it is the bank which chose and configured the transaction security mechanisms. The customer’s choice was limited to finding another bank to do business with. If case law is established that customers are liable for fraud based on mechanisms chosen by their bank it will encourage reckless behaviour on behalf of the banks. Why should banks spend money on security if isn’t creating a benefit for them in managing their liability?

    • @Geordie Stewart: “There seems to be a couple of legal principles that are inconsistent with the interim ruling.”

      This whole thing seems very strange to me. How can the law say the bank is not liable for loss, when the relationship is between the customer and the bank? OK, there are banking standards, and if the bank did not follow them, presumably they could be fined, their banking license revoked, or they might even be prosecuted as a criminal action. Those are reasonable functions of government control. But they do not absolve fault, even if followed.

      Finding that a bank has followed normal guidelines is not the same as saying the bank cannot be held responsible for loss. Simply going through the motions, doing things like everybody else, should not absolve the bank of responsibility for the results. If all of the banks are jumping off a cliff (and they are), do we reward one bank for doing the same? In the end, money in their keeping, and in their system design, was lost. It does not take a rocket-scientist to see that their banking system has failed.

      Yes, banks do have it hard, because it is technically IMPOSSIBLE for the bank to know if a customer computer has a hidden bot infection. But customers have it even worse, because it is JUST AS IMPOSSIBLE for customers to know if THEY have a bot infection, and they are not in control of the online banking system. Tools to certify customer equipment as being clean for online banking SIMPLY DO NOT EXIST.

      When banks talk about customer online responsibilities, there is usually some talk about antivirus systems, which were still a good idea a decade ago, but are now generally obsolete. Antivirus systems cannot act before the malware has been found, identified, and entered into main signature databases. That takes time, and during that time many users will be infected, despite having the latest antivirus programs. Then, once the malware has installed itself, it is probably “encrypted” so the original signature no longer works to find the hidden bot. How has this helped? Antivirus is a red-herring issue intended to imply that customers have control where they actually have little or none.

      Nor can any possible eduction act to prevent human error, and it only takes one human error to cause an infection which may remain present for hundreds of sessions, until the OS is re-installed (or a clean image recovered).

      Exactly what do the banks think customers COULD do? We do not know because neither law nor the banks themselves have produced a set of rules for customers to follow, which would then protect customers under law or contract.

      Perhaps no such rules are written because they cannot be written while still hiding from customers the risk they currently take. But if no such rules can be written, what would that say about customer responsibilities? How can a customer have a responsibility which cannot even be codified?

      And where is the banking card like the insurance card many drivers carry which says, “In case of accident” do this, this, and that? When an accident response sequence is written down, is has to make at least some sense. How can forensic requirements possibly apply before there is strong technical reason to believe that laws have been broken? And how can a business remain in business when all computing equipment suddenly needs to halted for some duration?

      The most important step in avoiding malware is to not use Microsoft Windows online, or JAVA on any platform, and even the Mac is getting iffy. The next most important step is to boot from a LiveDVD. Those small businesses who can should consider returning to the drive-thru. Those who cannot use the drive-thru probably must buy serious online banking loss insurance.

      • The best rules are only as good as understanding the threats at a particular point in time.

        The threats are constantly evolving.

        Perhaps what is needed is a variation on PCI-DSS for the customers of the banks. Not so much rules, as standards.

  29. @DeborahS: (with a LiveDVD) “it won’t be possible for any malware of any kind to install itself in your operating system and hijack the operation.”

    To be clear, the issue we are addressing here is “infection.” A bot can still get in and run in the browser or OS, but when the session is over, the bot is gone like the snows of yesteryear. We can deal with the possibility of active malware by banking online only immediately after a boot, before doing anything hinky which might download and start malware.

    “The advantage of using CD-R media is that the hardware prevents any writing to the media.”

    Using such systems, as I have done, tends to mellow one away from absolutist dogma. Firefox and security add-ons need security updates all the time, and there has to be a better way to handle things than burning yet another data CD every week.

    The alternative I found is Puppy Linux, which supports adding changed files to the boot package on the DVD. The next boot then loads only the latest files. So we update Firefox as usual, hit Save on the desktop, and a new “session” is written to the existing DVD (for example, DVD+RW). The next boot automatically loads the updated system.

    I run Puppy Linux all the time, I am running it right now, and I just update every 2 to 4 weeks, depending on how things go.

    Now, the usual academic complaint, generally by those who have never actually run a LiveDVD system daily or had to update it weekly, is that malware might write to the DVD. But Puppy Linux loads completely into RAM as it boots. After that, the DVD can be removed, and no malware is going to write to a DVD which is out of the tray.

    The problem with booting Puppy from USB flash drive is that the drive is treated like a hard drive, and malware can infect it. If you get one with a write-protect switch, you cannot update it until you flip the switch, and at that moment it becomes insecure. I would be happy with a solution which allowed the flash drive to be removed immediately after booting and before going online, but that currently is not available, as far as I know.

    • Thanks Terry for the clarifications. I wasn’t thinking about code running in RAM as much as I ought to have been and you’re absolutely right that once the OS and browser are loaded into memory and running, many kinds of malware don’t need to write to media to infect the system and cause problems. But as you point out, the solution to that is to do your banking immediately after boot up and then to unload the system and reboot to do anything else. A headache perhaps, but when I have my own business (sometime soon), I’ll be more than happy to do it for the peace of mind this regimen would bring.

      And, depending on how much money you could be sunk for if your financial accounts were breached, it might even be worth it to burn new CDs or DVDs however often is needed, if that’s what it takes to be bulletproof.

      I’m getting ready to make the leap into Linux and Android, so I’ll be trying both methods out – rewritable and unrewritable media. Chances seem pretty good to me that both methods would have their uses. Perhaps for unrewritable media it wouldn’t hurt to write your own custom browser that wouldn’t need to be updated – all it would have to do is access your financial institutions, since you wouldn’t be doing anything else from that system. And the chances that malware could attack and infect a completely homemade browser seem pretty slim to me. (So long as you don’t borrow data structures and APIs from any of the big guys.)

      But for a generic system using available browsers, it sounds like you’re right that keeping a rewritable LiveDVD up to date is completely workable, so long as you, bank immediately after bootup (remembering to remove the DVD from its drive after the browser loads), and then reboot immediately after. And it’s only the fact that you can continue running with the DVD removed from the drive that allows you to do this. If the system media is in the drive, then it’s possible to install root kits and other persistent malware that can survive a reboot. But no media, no headache.

  30. One of the issues at stake here is establishing the duty of care standard for Banks. If Ocean Bank is found to have no liability in this case, does this mean that configuring challenge questions in a way that reduces their effectiveness, lagging in the adoption of new technologies and failing to alert your customers when suspicious activity is suspected is now to be considered reasonable behaviour for banks when providing banking services to corporate customers?

    I’ve been reading some of the posts here and considering the proposition pointed out by some that Patco was liable because they were the ones who allowed the Malware to infect their systems. There’s some truth to that. Rather than being black or white though it’s probably a matter of contributory negligence.

    A quick legal analysis (and I’m not a lawyer).

    Patco contracted Ocean Bank to provide banking services. There is no apparent dispute that they had a contract and that the law of contracts applied. Therefore, both parties had a duty of care to conduct themselves in a reasonable manner that avoids causing loss or damage to the other party.

    So what constitutes reasonable care for each party? Reasonable care is dependent on the circumstances. In this case, the value of the assets being protected is relevant (apparently a line of credit of some $0.6 Million). Therefore, (personal view) a high degree of care would be expected from each party.

    It seems reasonable the Patco is responsible for preventing communications on their computers from being eavesdropped through the presence of malware. Preventative measures are widely available and cost effective given the value of the assets being protected. While people here have successfully argued that preventative measures are never %100 effective, this does not change the fact that Patco had the duty to protect the basis of its communications with Ocean bank. A failure to do this means that they have failed their duty of care. However, this needs to be seen in the light of the behaviour of the other party.

    Ocean Bank also had a duty of care to ensure that all requests made to it were legitimate in the process of providing banking services to Patco. Ocean Bank chose and configured the basis for establishing the veracity of requests from Patco so has a duty of care to ensure that the basis for establishing veracity was appropriate. Given the value of the assets being protected, a key question is: “Was it reasonable not to use a token or a series of challenge questions based on the potential value of transactions?” I would argue definitely not. Firstly, tokens are widely used (and effective) for protecting transactions a fraction of the size of the $0.6 million line of credit in this case. The value of the token verses the size of the risk makes this a no-brainer. Secondly, the bank failed to configure the challenge questions in a way that optimised risk management. Consider that in any activity there is a profile of normal behaviour. The article states that the Ocean Bank account was primarily used to make weekly payroll payments. When the weekly pattern changed there should have been challenge questions to perform transactions outside of the normal profile in terms of amount or frequency. My bank calls me every time I use my credit card to purchase something from Amazon since for some reason they think that is unusual for me. There’s no suggestion of Ocean Bank making a phone call to Patco even though the transaction pattern must have been highly unusual. In fact, according to some reports the transactions were flagged within Ocean Bank as suspicious but no action was taken.

    I think the argument that Ocean Bank is safe from a finding of negligence because they followed a standard is bogus. For those who haven’t checked out the TJ Hooper case here is the Judge’s view on when a prevailing practice defence can be disregarded:

    “A whole calling may have unduly lagged in the adoption of new and available devices. . . . There are precautions so imperative that even their universal disregard will not excuse their omission.”

    In summary, the bulk of the liability should rest with Ocean Bank. They are the experts in banking and banking security. They chose and configured the authentication mechanism. They disregarded the use of new technologies which were prudent given the value of the line of credit. They failed to take action and alert Patco when suspicious transactions were flagged.

    Patco should be liable for some of the loss since their contributory negligence contributed to the loss. It was unreasonable though for the basis of the security to rest on the assumption that Patco’s computers would never ever be infected with malware. Better to assume that it eventually will and work on solutions which prevent replay attacks or mitigate the damage when attacks do occur (transaction ceiling limits etc).

    To argue that Ocean Bank is not liable is to argue that reasonable care and skill constitutes configuring challenge questions in a way that reduces their effectiveness, lagging in the adoption of new technologies and failing to alert your customers when suspicious activity is suspected. If this is to be the new standard of care taken by banks then they will spend even less on security…why would banks spend money on calling customers about suspicious activity unless they had a financial interest to do so? In short, unless something is going to mitigate a bank’s financial risk they’re not going to bother with it.