The Blame Game: Security and Responsibility

“All the money I had is gone. I can weep and I can cry, I can wonder why.”*

Recently a story came to light about a bank being sued by one of its customers after their account was hacked into by cybercriminals.  The customer is claiming that their bank failed to notice the suspicious transactions that drained their bank account.  

There has been some interesting conversation about “responsibility in the world of online security” for some time now.  But before I comment, here are a few caveats:

  1. I am not commenting on the actual case referenced above. I don’t know much about the case other than what was reported. 
  2. I am by no means a legal expert so I am not giving a legal opinion, but rather the perspective of someone who works in the security industry.

Now to the question:

In terms of responsibility with respect to security for online banking (and other portals in general), who is responsible when cybercriminals steal money (or sensitive data) out of a user’s account?

When the Account Provider is Responsible

When they don’t meet regulations. That’s an easy one. In the United States, the FFIEC guidelines require online banks to have a level of security commensurate with risk, and many other countries have similar security regulations for online banking. Obviously, if a bank fails to meet these requirements, then it should be held accountable. Unfortunately, these requirements are not as strict for non-financial businesses, but there are regulations such as HIPAA and PCI DSS that require organizations to protect individuals’ credit card data and other personally identifiable information (PII).

When they can’t stop basic attacks.  Phishing attacks have become commonplace and happen every day. In fact,  a report released by RSA’s Anti-Fraud Command Center shows they identified and addressed 17,365 phishing attacks in September 2009 alone, the highest number ever detected by RSA in a single month. 

But phishing attacks are somewhat of an interesting dilemma when it comes to responsibility. Think about it: banks and other account providers don’t send the email directly to the users, nor do they provide their customers’ contact information to anyone. Instead, someone just pretends to represent the bank or account provider and attempts to trick the user.

Second, the user is literally giving the bad guys their username and password by responding to something that went through an email server, an ISP and a web browser but never once passed through the account provider’s site. An analogy would be getting tricked into handing your car keys to a robber and then suing the car company for having weak locks when your car was stolen.

Despite all of this, I believe banks have a responsibility to stop the majority of basic attacks such as phishing. Why? Simply because the technology exists that makes this completely feasible. In fact, mitigating online attacks is a best practice that is followed at most financial institutions as well as other companies around the world. Strong authentication – whether it is in the form of risk-based authentication, token-based two-factor authentication, or some other strong authentication method like knowledge-based authentication – is a common solution to help prevent stolen credentials from impacting customers. Additionally, many organizations have a phishing and Trojan detection and take-down service in place to reduce their exposure to, and the impact of, these threats.

When the User is Responsible
                                         
When the user is constantly a victim. I have had conversations with several fraud managers and line-of-business owners at banks and credit unions about whether it would be right to drop a customer who is persistently a victim of online fraud. Most agree that there is a breaking point when the customer is told, “We don’t want your business anymore.” If a user refuses to deploy basic protection such as virus controls and firewalls and continuously becomes infected with malware from the shady corners of the Internet, isn’t it okay to say that they need to “clean up their act,” so to speak, before they can continue to be a customer?

Unfortunately, your local bank, your favorite social networking site, your healthcare provider - they are simply not responsible to also be your computer security team.  They can’t be held responsible for everyone who uses your computer, the websites you visit and the protection you have. At some point, they have a right (and a business responsibility I would argue) to say to a customer, “You are finished.” 

When they don’t take advantage of optional security features. Many online websites have toed the line between usability and security by making some of the more advanced security features, such as requiring one-time passwords, optional for their users. The decision to keep them optional is logical, so as not to force users into giving up convenience in the process. Many banks have incented users to adopt advanced security features by offering larger transaction limits if they sign up. Still, most users choose not to enroll. As long as these features were reasonably promoted, users have to accept some of the blame if they fall victim to fraud.

Nothing is Black and White
                                         
Advanced threats. The amount of account takeover that is acceptable to an organization varies greatly.  For instance, if you are protecting a government website with national security implications, there is unlikely to be any tolerance for risk.  I’d argue that the appetite for risk concerning healthcare data or access to a corporate internal website is very similar. 

However, those who run websites with less sensitive data might be more willing to balance the risk of a breach against the cost and convenience of security. That’s a fair and logical discussion for every organization to have. For instance, almost all banks accept a certain level of fraud. For some, the rate of fraud stopped might be 98 or 99 percent; for others, it is much less. Either way, they rarely have a 100 percent rate of stopping fraud. To achieve that, too much security would be needed, and it would probably not be acceptable in terms of usability for most customers.

And let’s be honest, the bad guys are extremely savvy today. They are good at what they do, will always find ways to cause havoc, and are constantly coming up with new ways to beat the system. That said, features such as transaction-level protection, out-of-band challenges and sophisticated behavioral analysis are all excellent methods to defend against advanced threats, such as man-in-the-browser attacks. However, if a threat hasn’t reached a level where the security investment to protect against it is justified, many organizations will hold off on deploying more security technology. I see this all around the world, where conversations with customers vary greatly depending on the region they are in and the industry in which they operate. Just because an organization is willing to accept some level of fraud risk, it does not translate to negligence.
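To make the controls named above concrete (risk-based authentication stopping stolen credentials from being useful, and transaction-level checks backed by an out-of-band challenge), here is an added worked example in Python. It is not code from the original post or from any vendor; the customer profile, login events, signal weights and the step-up/block thresholds are all constructed for illustration.

```python
"""Risk-based authentication and transaction monitoring, worked example.

All data, weights and thresholds here are constructed assumptions for
illustration; they are not any bank's or vendor's actual policy.
"""
from dataclasses import dataclass


@dataclass
class CustomerProfile:
    """What the account provider already knows about a legitimate customer."""
    known_devices: frozenset       # device fingerprints seen before
    usual_countries: frozenset     # countries the customer normally logs in from
    typical_transfer: float        # typical single-transfer amount
    known_payees: frozenset        # payees the customer has paid before


@dataclass
class Event:
    """A login (and optional transfer) presented with a valid password."""
    device_id: str
    country: str
    logins_last_hour: int
    transfer_amount: float = 0.0
    payee: str = ""


def risk_score(profile: CustomerProfile, event: Event):
    """Sum weighted risk signals; weights are assumptions chosen for the example.

    A correct password alone scores 0: the point of risk-based authentication
    is that phished credentials still have to survive these checks.
    """
    score = 0
    reasons = []
    if event.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if event.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    if event.logins_last_hour > 3:
        score += 20
        reasons.append("login velocity")
    if event.transfer_amount > 0:
        # transaction-level protection: compare against the customer's own history
        if event.transfer_amount > 5 * profile.typical_transfer:
            score += 30
            reasons.append("transfer far above typical")
        if event.payee and event.payee not in profile.known_payees:
            score += 20
            reasons.append("new payee")
    return score, reasons


def decide(profile: CustomerProfile, event: Event, step_up_at=40, block_at=80):
    """Map a risk score to allow / step_up (out-of-band challenge) / block.

    The two thresholds are the usability-versus-fraud dial: lowering them
    stops more fraud but challenges more legitimate customers.
    """
    score, reasons = risk_score(profile, event)
    if score >= block_at:
        action = "block"
    elif score >= step_up_at:
        action = "step_up"
    else:
        action = "allow"
    return action, score, reasons


# Constructed sample customer.
ALICE = CustomerProfile(
    known_devices=frozenset({"dev-laptop-01"}),
    usual_countries=frozenset({"US"}),
    typical_transfer=200.0,
    known_payees=frozenset({"landlord"}),
)

# Constructed scenarios, all presenting Alice's correct password.
SCENARIOS = {
    # Routine login from her own laptop at home.
    "routine_login": Event("dev-laptop-01", "US", 1),
    # Phished credentials replayed from an unfamiliar device abroad.
    "phished_login": Event("dev-unknown-77", "RO", 1),
    # Same session tries to drain the account to a payee never seen before.
    "phished_transfer": Event("dev-unknown-77", "RO", 1, 2500.0, "new-payee-x"),
    # Alice travelling, paying her usual rent from her own laptop.
    "travelling_rent": Event("dev-laptop-01", "FR", 1, 150.0, "landlord"),
}


def run_scenarios(profile=ALICE, scenarios=SCENARIOS):
    """Return {scenario: action} so the trade-off can be inspected at a glance."""
    return {name: decide(profile, ev)[0] for name, ev in scenarios.items()}


if __name__ == "__main__":
    for name, ev in SCENARIOS.items():
        action, score, reasons = decide(ALICE, ev)
        print(f"{name:18s} -> {action:8s} score={score:3d} {', '.join(reasons)}")
```

The phished login is challenged even though the password is correct, and the draining transfer is blocked outright; the travelling customer is let through because a single unusual signal stays under the step-up threshold. That last case is exactly the risk the organization chooses to accept, and moving the thresholds moves it.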

The Bottom Line

I have tried to outline some factors that might tip the scales of responsibility. But in the end, there is no obvious line in the sand between what does and does not pass for an acceptable level of security. It will vary greatly from organization to organization, and ultimately it will be judged on its effectiveness.

If your security isn’t up to par, eventually your customers will realize this and take their business elsewhere - and that’s the most effective judgment of all.

*“All The Money I Had Is Gone” by The Deep Dark Woods
