Wednesday, March 17, 2010

PlainsCapital vs Hillary: Symptom of a larger problem

Tom Field of the Field Report blog wrote an entry titled "Trust on Trial" after returning from the RSA security conference. According to him there were three words on everyone's mind: cloud, computing, and trust.

Trust was the surprise word. It seems a lot of business people are questioning the safety of using a bank at all, let alone banking online. Two cases are specifically mentioned in his post:

Experi-Metal, Inc. vs Comerica Bank and PlainsCapital vs Hillary Machinery.

These two aren't picked because of their unusual nature (although PlainsCapital vs Hillary is unusual), but because they are the latest in an ongoing trend: a business customer's account is pilfered, and the bank claims no responsibility. Normally the customer sues the bank, but in the case of PlainsCapital, the bank preemptively sued the customer, asking a court to declare its security practices "reasonable".

What is reasonable security for a bank? Nobody really knows, since no clear-cut definition has ever been coined. That doesn't mean there aren't standards and minimum requirements; it just means that there isn't an official definition of "reasonable."

If you think about it, there is actually a very good reason why that particular term isn't defined, and many security experts fervently hope it remains that way. Internet security changes quickly. What is reasonable today may be totally hopeless tomorrow. Defining reasonable security will give banks a hardcoded standard to comply with - a standard that will quickly become unreasonable. What needs to be done is not to define "reasonable security," but to require financial institutions to keep abreast of the latest security risks and adapt their protections accordingly. Hopefully the judge in PlainsCapital vs Hillary will recognize the danger of giving banks a definition to hide behind and will refuse to define exactly what reasonable means when it comes to banking security.

So outside of lawsuits, what can be done to solve this problem of banks being robbed and refusing to accept any culpability? First of all, business accounts should be given the same protections that personal accounts enjoy. Second, the regional and smaller banks that seem to be the main offenders when it comes to inadequate security should honestly examine their security measures in light of the attackers currently out there and take steps to protect against them. Banks that are already involved in lawsuits need to review their security and decide whether they should simply settle to save time.

The business customers aren't totally innocent either, although the cases I've seen appear to implicate the banks more. If a customer who does 1 or 2 electronic transfers a month suddenly has 10 a day, it should ring alarm bells, and the bank should stop the transfers. This failure to stop unusual transfers is a common complaint from business customers who have had money stolen by electronic transfer. The business may have to accept some blame, however. Are their virus definitions up to date? Has someone been going to questionable websites? Are their security policies clear and well thought out?
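The velocity rule described above, as an added example that is not part of the original post: it builds a per-account daily baseline from a constructed ledger and flags the day an account jumps from one or two transfers a month to ten, the condition the post says should stop the transfers. Account ids, dates, amounts and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample ledger, not real bank data: (account_id, settlement date, amount in USD).
# ACME-001 normally sends one or two transfers a month, then ten land on a single day.
TRANSFERS = [
    ("ACME-001", date(2010, 1, 5), 4200.00),
    ("ACME-001", date(2010, 1, 21), 3800.00),
    ("ACME-001", date(2010, 2, 4), 4100.00),
    ("ACME-001", date(2010, 2, 19), 3950.00),
] + [("ACME-001", date(2010, 3, 16), 9800.00 + 7 * i) for i in range(10)]


def counts_per_day(transfers):
    """Number of transfers per (account, day)."""
    counts = defaultdict(int)
    for acct, day, _amount in transfers:
        counts[(acct, day)] += 1
    return counts


def flag_velocity_anomalies(transfers, lookback_days=60, multiplier=3, min_count=3, min_history=2):
    """Return (account, ISO day, count, expected_per_day) for every day whose transfer count is
    at least `min_count` and more than `multiplier` times the account's recent daily rate.
    The rate uses only transfers *before* that day, so a burst cannot inflate its own baseline.
    Accounts with fewer than `min_history` prior transfers are skipped: a cold-start account
    has no baseline to compare against and needs manual review instead."""
    counts = counts_per_day(transfers)
    flagged = []
    for (acct, day), count in sorted(counts.items()):
        window_start = day - timedelta(days=lookback_days)
        prior = sum(n for (a, d), n in counts.items() if a == acct and window_start <= d < day)
        if prior < min_history:
            continue
        expected = prior / lookback_days
        if count >= min_count and count > multiplier * expected:
            flagged.append((acct, day.isoformat(), count, round(expected, 3)))
    return flagged


def transfers_to_hold(transfers, flagged):
    """Every transfer that falls on a flagged (account, day): what the bank would hold
    for out-of-band customer confirmation rather than release."""
    hot = {(acct, day) for acct, day, _count, _rate in flagged}
    return [t for t in transfers if (t[0], t[1].isoformat()) in hot]


if __name__ == "__main__":
    hits = flag_velocity_anomalies(TRANSFERS)
    held = transfers_to_hold(TRANSFERS, hits)
    for acct, day, count, rate in hits:
        print(f"{acct} {day}: {count} transfers vs ~{rate}/day baseline; hold ${sum(t[2] for t in held):,.2f}")
```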

If things keep going the way they are now, before long no business will trust their banks. That will make for some serious headaches, since it's almost impossible to do business without a bank account these days.

9 comments:

  1. Reasonable security cannot be called reasonable if an attacker exploited weaknesses in older technology used by the banks.

    If there is theft, then the court needs to ask: could this have been prevented if only you (the bank) would have had the latest and greatest security?

    If the answer is a big YES, then the bank is guilty.

  2. I agree. The concern is that if a definition of "reasonable" is crafted by a judge, it will require lawsuits to update. Definitions are, by definition, pretty static. Data security is by nature fluid.

  3. Rethinking my bank, March 18, 2010 at 5:10 AM

    I have my business account at PlainsCapital Bank. Now I'm a little worried. Think I'll keep my balances lower after reading this.

  4. It's not just PlainsCapital, and the answer isn't to keep your balances lower, it's banking reform, whether it's done voluntarily by the banks or legislated. I'd prefer to see it done by the banks.

    Also, something I forgot to mention in the main post is that everyone, both small businesses and individuals, needs to become more aware of security and question our banks about what they do to protect our transactions. As long as we just trust them, they have no reason to be more concerned. They should, but they don't.

  5. Good take Bert. New information including a new press release and timeline www.hillaryinc.com/pcbvshmi.htm

  6. Quite simply, I think prudent and reasonable people would agree that a bank's security measures are NOT "reasonable" if they allow a customer's account to be accessed and then looted by Eastern European cyber criminals of hundreds of thousands of dollars over the course of 2 days and in a manner so inconsistent with the account holder's normal transactional history. Rather than spend so much time and energy defending a DEFEATABLE SECURITY SYSTEM, trying to DISCREDIT and more recently trying to DEFAME a victim of it (namely Hillary Machinery Inc), PCB and their counsel should do just a little research on the plethora of well documented cases of cyber crime events involving Eastern European cyber criminals and focus on protecting the customers they still have.

  7. You are exactly right. I never intended to imply that ANY customer was to blame for their money being stolen from the bank. I found the press releases very informative.

    It was a bit obtuse of me to say that we should all be asking our banks about their security. While that might be nice in an ideal world, the fact is most of us don't have the knowledge, or the time to gain the knowledge, to ask the right questions, let alone be able to tell what the right answers are.

    I've said before that unless there is something PCB was doing that we're not aware of, they screwed up big time. Suing Hillary was stupid, and continuing in the suit is either a sign of more stupidity, or of being too stubborn to admit they were wrong.

  8. 11-8-2009 - PlainsCapital Bank, by their own admission in a memo they provided us (http://www.hillaryinc.com/hillary_docs/estesroarkmemo111209.pdf), sent Hillary Machinery Inc's secure account access codes to a DNS known to be used by a phishing trojan called "PHISH-POTPOR" reported by McAfee (http://www.hillaryinc.com/hillary_docs/phishpotpor.pdf) and US-CERT (http://www.hillaryinc.com/hillary_docs/uscertcybersecuritybulletin.pdf).

    I don't think that was reasonable security.
