Tom Field of the Field Report blog wrote an entry titled "Trust on Trial" after returning from the RSA security conference. According to him, there were three words on everyone's mind: cloud, computing, and trust.
Trust was the surprise word. It seems a lot of business people are questioning the safety of using a bank at all, let alone banking online. Two cases are specifically mentioned in his post:
Experi-Metal, Inc. vs Comerica Bank and PlainsCapital vs Hillary Machinery.
These two aren't picked because of their unusual nature (although PlainsCapital vs Hillary is unusual), but because they are the latest in an ongoing trend: a business customer's account is pilfered, and the bank claims no responsibility. Normally the customer sues the bank, but in the case of PlainsCapital, the bank preemptively sued the customer, asking a court to declare its security practices "reasonable".
What is reasonable security for a bank? Nobody really knows, since no clear-cut definition has ever been coined. That doesn't mean there aren't standards and minimum requirements; it just means that there isn't an official definition of "reasonable."
If you think about it, there is actually a very good reason why that particular term isn't defined, and many security experts fervently hope it remains that way. Internet security changes quickly. What is reasonable today may be totally hopeless tomorrow. Defining reasonable security will give banks a hard-coded standard to comply with - a standard that will quickly become unreasonable. What needs to be done is not to define "reasonable security," but to require financial institutions to keep abreast of the latest security risks and adapt their protections accordingly. Hopefully the judge in PlainsCapital vs Hillary will recognize the danger of giving banks a definition to hide behind and will refuse to define exactly what reasonable means when it comes to banking security.
So outside of lawsuits, what can be done to solve this problem of banks being robbed and refusing to accept any culpability? First of all, business accounts should be given the same protections that personal accounts enjoy. Second, the regional and smaller banks that seem to be the main offenders when it comes to inadequate security should honestly examine their security measures in light of what is currently out there in the way of bad guys and take steps to protect against them. Banks that are involved in lawsuits need to review their security and see if they should just settle to save time.
The business customers aren't totally innocent either, although the cases I've seen appear to implicate the banks more. If a customer who does 1 or 2 electronic transfers a month suddenly has 10 a day it should ring alarm bells and stop the transfers. This failure to stop unusual transfers is a common complaint by business customers who have had money stolen by electronic transfers. The business may have to accept some blame, however. Are their virus definitions up to date? Has someone been going to questionable websites? Are their security policies clear and well thought out?
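The velocity check described above, as an added example that is not from the original post: a per-customer transfer-rate threshold derived from that customer's own history, with a burst of transfers in one day flagged for out-of-band verification. All transfer records below are constructed sample data, and the window, multiplier and floor are assumed tuning values.

```python
from datetime import datetime, timedelta
from math import ceil

# Constructed sample activity for one business account (not real data): a few
# transfers per month for three months, then ten transfers in a single day,
# the pattern the post says should ring alarm bells.
SAMPLE_TRANSFERS = [
    ("2009-10-05T10:12", 4200.00), ("2009-10-21T15:40", 1800.00),
    ("2009-11-03T09:05", 4200.00), ("2009-11-19T11:30", 2650.00),
    ("2009-12-02T10:00", 4200.00), ("2009-12-16T14:22", 1900.00),
] + [(f"2010-01-12T{8 + i:02d}:{5 * i:02d}", 9500.00 + 100 * i) for i in range(10)]


def parse_transfers(rows):
    """Turn (ISO timestamp, amount) rows into (datetime, amount) tuples sorted by time."""
    return sorted((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), amt) for ts, amt in rows)


def velocity_threshold(history, window, multiplier=5, floor=3):
    """Allowed transfers per window, derived from this customer's own past rate.
    history: transfers that happened before the window began. A short or empty
    history falls back to the floor rather than to an unbounded threshold."""
    if len(history) < 2:
        return floor
    span_days = max((history[-1][0] - history[0][0]).total_seconds() / 86400, 1.0)
    rate_per_day = len(history) / span_days
    window_days = window.total_seconds() / 86400
    return max(floor, ceil(multiplier * rate_per_day * window_days))


def transfers_to_hold(rows, window=timedelta(days=1), multiplier=5, floor=3):
    """Return the indexes (in sorted order) of transfers whose count in the trailing
    window exceeds the customer's threshold; those would be held for a verification
    call instead of being released automatically."""
    transfers = parse_transfers(rows)
    held = []
    for i, (t, _amt) in enumerate(transfers):
        window_start = t - window
        history = [x for x in transfers[:i] if x[0] < window_start]
        in_window = [x for x in transfers[: i + 1] if window_start < x[0] <= t]
        if len(in_window) > velocity_threshold(history, window, multiplier, floor):
            held.append(i)
    return held
```

With the sample data the first three transfers on the burst day pass (they sit at the floor of three per day), and the fourth and every later one that day is held.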
If things keep going the way they are now, before long no business will trust their banks. That will make for some serious headaches, since it's almost impossible to do business without a bank account these days.
Wednesday, March 17, 2010
Thursday, February 25, 2010
More fallout from PlainsCapital vs Hillary Machinery
Last week Hillary Machinery filed its counter to PlainsCapital's lawsuit. The PlainsCapital suit seeks nothing from Hillary (other than legal fees and court costs), but wants a judge to rule that PlainsCapital's security measures were commercially reasonable at the time of the bogus transfers. Hillary is seeking the return of the unrecovered monies and legal costs.
Most of the security community, or at least the portion making their opinion known, seem to believe Hillary is in the right. But not everyone is ready to pick a side just yet. Benjamin Wright, an expert in data security and cyber investigations law, has pointed out in his blog that we only have Hillary's side of things, so until PlainsCapital has its say, any conclusions we come to are speculation.
But as things have developed, PlainsCapital's say may be too little, too late. Hillary has not stood still and has not played the quiet game. They have told their story loudly to anyone willing to listen, and it is a compelling story. Even if PlainsCapital had security measures in place that Hillary hasn't mentioned, the bank's reputation has been tarnished, and this incident will probably pop up when least expected for years to come. And regardless of who wins, both litigants will probably find the way they handle financial transfers changed forever when this is over, because the real fallout from this whole event is not going to hit just PlainsCapital or Hillary Machinery. It could change the way banks do business, and that will affect anyone who deals with banks.
DarkReading.com reports that at next week's RSA Security conference Authentify, Inc. (who are consulting with Hillary) will be asking security professionals to sign a petition to Congress in an effort to force banks to establish better security for business customers. I don't think anyone wants more government regulation, but the fact is that what happened to Hillary Machinery and PlainsCapital isn't unique, or even unusual, even if the lawsuit is. Apparently small and medium-sized banks haven't done anything to correct the situation. With the attention of Washington being called to it, the government probably will.
Labels: breach, Browser, Crime, Hillary Machinery, Law Enforcement, Legislation, PlainsCapital, Privacy, reputation, Security
Friday, February 5, 2010
Should LEDA sue PlainsCapital?
It's amazing how much bad publicity one little lawsuit can generate. And PlainsCapital, formerly of Lubbock, has managed to put its foot in it good. If I were an investor I would be seriously questioning the leadership of the company right now. And if I were part of the Lubbock Economic Development Alliance I would be looking at damage control for Lubbock's reputation.
From the Denver Post: Lewis: Firm sued for being robbed
Why would I be looking at damage control? Because some of the authors of national stories about PlainsCapital suing Hillary Machinery don't know that PlainsCapital is now based in Dallas. So the stories talk about Lubbock-based PlainsCapital, and proceed to make PlainsCapital - and Lubbock - look like a bunch of ignorant hicks.
ComputerWorld: Bank sues victim of $800,000 cybertheft
Of course, unless they had security measures in place that they aren't mentioning and someone just messed up, PlainsCapital acted like ignorant hicks, then acted more ignorant by trying to sue for vindication. I said it in the comments of my original post on this subject that email is not a secure verification method, and that point is being made by other observers. It's not like an expensive, high tech solution was needed. A simple requirement that no transfers be made without a phone call to verify they're legit would have prevented this.
From the codetechnology blog: Authentication issue at heart of lawsuit
So what would LEDA sue PlainsCapital for? Or maybe it should be the City of Lubbock suing them? I'm thinking defamation of character, damage to their brand, brand dilution...shoot, I don't know, but surely there's some stupid lawsuit they can hit them with that won't be as stupid as PlainsCapital's suit against Hillary.
From BankinfoSecurity.com: Texas Bank Sues Customer After $800,000 Scam
And a few more just because four stories don't demonstrate how widely this is being reported:
From Foxnews: A video clip
From Dallas Morning News: PlainsCapital suing customer Hillary Machinery over cybersecurity
From the e-business blog: Cybertheft victim gets sued by bank
From Techdirt: Bank Sues Identity Fraud Victim After $800,000 Removed From Its Account
And from the forums at Barrelhorseworld.com: We were cyber attacked/robbed...
Enjoy your weekend.
Labels: breach, Crime, Hillary Machinery, PlainsCapital, Privacy, reputation, Security