Security as a Strategy (SaaS)

Will The Responsible Party Please Step Forward?


In a recent article posted to Dark Reading, a couple is suing their bank for failing to protect their account, which resulted in a fraudulent wire transfer. Apparently someone stole the logon credentials to the couple's on-line account and obtained a loan of roughly $26,000, which was deposited into the couple's business account. From there the money was transferred to a bank in Hawaii and on to Austria.

The couple is suing the bank largely based on allegations that the bank failed to properly secure the couple's account. In the article, Mr. Bruce Schneier states, "But it makes no sense that the customer should be responsible for [banking] fraud...The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."

This intrigued me and so I went to his blog (http://www.schneier.com/blog/archives/2009/09/eliminating_the.html) to find out more. It is, or was at the time of the blog entry, Mr. Schneier's opinion that the only way to combat this type of fraud is to make the bank liable for fraudulent transactions. With all due respect, I have to disagree. Promoting this point, in this particular case, is a bit like putting the cart before the horse.

What the article does not tell you includes at least a few important points regarding this case:

  • How did the thieves obtain the logon credentials? Did the man or the woman (or both) write them down in plain sight; was their PDA stolen; did they use an easily guessable password; etc.? It seems that no one is contesting the validity of the credentials, so my first question is how they were obtained. If the couple did not take adequate precautions, where does their responsibility and liability lie?
  • Were there other, similar transactions (loans of similar amounts) in this couple's banking history? Maybe the bank's fraud detection system did notice the transaction, but since similar ones had occurred before, it was not raised as a red flag.
  • Were any regulatory or legal statutes broken by the bank? If not, that could imply they were doing their due diligence. We don't know the results of their last security audit by regulators: did they pass with flying colors, or were there shortcomings in their on-line security measures and/or countermeasures?

Mr. Schneier goes on to suggest that banks become more like credit card companies with regard to identifying and stopping fraudulent transactions. As he correctly points out, credit card companies have "...developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They've pushed most of the actual costs onto the merchants." And you can bet that these security technologies are a large investment, money that many banks don't have. I don't know exactly how Citizen's Financial Bank ranks in terms of revenue, but it is probably a safe bet they are not as large as the major credit card companies. And while the credit card companies may not be drowning in fraudulent transaction losses, their feet are not completely dry. Their solutions and technologies do reduce the chance of fraud, but they are not perfect, especially if someone has a legitimate credit card number.

Suppose someone stole a credit card that you (against all advice) had not signed. The thief uses the card to purchase a big-ticket item, and when you get the bill, you rightfully contest the charge. Is it the credit card company's fault that a legitimate card was used? No. Is it the fault of the store clerk who did not check for a signature? Maybe. If the clerk had questioned the "cardholder," the thief probably would have forged a signature anyway. Is it the fault of the original cardholder, who should have signed the card, thereby giving the clerk an opportunity to compare signatures and making the purchase more difficult? That's my belief.

Without knowing the extent to which the original account holders did their own due diligence to protect their account, and without knowing the extent of the bank's security measures, I don't think we can just put the blame on the bank.

I do agree with Mr. Schneier on one point: "It's an important security principle: ensure that the person who has the ability to mitigate the risk is responsible for the risk." My point exactly. If it turns out the account holders (who have a major role in protecting their account) did not do this, then they should be held responsible.

The full article can be found here regarding this case: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=220100950

In The End There Can Be Only One?


Cybersecurity Act 2009 - Review Part 1

This entry is one in a series of blog postings reviewing legislation currently before the US Congress. It should be noted that, according to several sources, there is a rewrite of the bill; however, as of this writing that version is not posted on either the Library of Congress or the Government Printing Office website.

The title of this post (actually a tagline from the movie Highlander) seems very appropriate in regard to a section in the Cybersecurity Act of 2009 (S.773, sponsored by Sen. Rockefeller, Sen. Snowe and Sen. Nelson).

Section 7(a) of this Act states that the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals. Part (b) of this section further states "...it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."

I will not go into whether or not the Government can devise a comprehensive, effective and, in general, adequate security certification program. I am sure there will be plenty of discussions/posts/etc. on that topic if this Act comes to pass.

As I read Part (b), several thoughts come to mind. What is going to happen to the existing certification bodies such as (ISC)², SANS or any other non-vendor-specific certification entity? Are those certs going to fade away or become less significant? Will the government recognize these certs and potentially institute some sort of grandfather clause? What will be the impact of this "required" certification on training organizations? Initially every vendor, consulting and professional services organization will have to send their staff to be certified, but eventually there probably won't be a need for so many training entities or staff. I don't think these certs will go away, as there are many industries and organizations that don't work with the US government, but it remains to be seen how much significance these certs will carry.

My next thought was in regard to vendors who offer implementation services for their products. According to the Act, the engineers at these companies will need to become certified and maintain the certification. This may be more than some organizations want to go through just to offer implementation services. Sure, consulting or professional services organizations may benefit from the outsourcing, but what if the on-site consultant needs advanced engineering support from the vendor? There will be a hit to the multitude of organizations and people who will now have to put up the time, money and possibly other resources to get their staff "approved" for government work, even if they outsource, in order to handle such a crisis.

Then I thought...one certification for everyone? Most security professionals would agree that this would be difficult, if not impossible, to establish. A debate that has been around for years is which is better: CISSP or SANS GIAC? Most security practitioners would agree that each has its own place, as they are distinctive in their focus. The CISSP is generally looked upon as more managerial in nature, while the GIAC certs are more technical. That is not a criticism, just a statement that the nature of each is different. Trying to imagine a one-stop certification boggles the mind, if for nothing else than the amount of material that would need to be studied. Unless there are different levels/tracks of government certification (which is potentially its own nightmare), this will be very difficult to implement.

If you step back and think of the scope this section of the Act implies, it is enormous, and the resource impact on thousands of organizations is tremendous. While I certainly applaud the perceived intention of this section, I can't see there being only one certification that fits everyone and provides the best service to the government.
