Thread: The bank fraud blame game

The bank fraud blame game
2007-06-27 09:54:26
As always, banks look for ways to shift the risk of fraud to someone - anyone - else. The New Zealand banks have come up with some interesting wrinkles on this process. From Computerworld.
-- Jerry
NZ banks demand a peek at customer PCs in fraud cases
Stephen Bell
June 26, 2007 (Computerworld New Zealand) Banks in New Zealand are seeking access to customer PCs used for online banking transactions to verify whether they have enough security protection.
Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date.
The code, issued by the Bankers' Association last week after lengthy drafting and consultation, now has a new section dealing with Internet banking.
Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have "used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up-to-date."
The code also adds: "We reserve the right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer or device and safeguard your secure information in accordance with this code.
"If you refuse our request for access then we may refuse your claim."
InternetNZ was still reviewing the new code, last week, executive director Keith Davidson told Computerworld.
"In general terms, InternetNZ has been encouraging all Internet users to be more security conscious, especially ... to use up-to-date virus checkers, spyware deletion tools and a robust firewall," Davidson says.
"The new code now places a clear obligation on users to comply with some pragmatic security requirements, which does seem appropriate. If fraud continues unabated, then undoubtedly banks would need to increase fees to cover the costs of fraud," he says, so increasing security awareness and compliance in advance is probably the better tactic for both banks and their customers.
"Bank customers who are unhappy with the new rules may choose to dispense with electronic banking altogether, and return to dealing with tellers at the bank. But it seems that electronic banking and in particular Internet banking has become the convenient choice for consumers," Davidson says.
The code also warns users that they could be liable for any loss if they have chosen an obvious PIN or password, such as a consecutive sequence of numbers, a birth date or a pet's name; disclosed a PIN or password to a third party or kept a "written or electronic record" of it. Similar warnings are already included in the section that deals with ATM and PINs for Eftpos that was issued in 2002.
There is nothing in this clause allowing an electronic record to be held in a password-protected cache -- a facility provided by some commercial security applications.
For their part, the banks undertake to provide information on their websites about appropriate tools and services for ensuring security, and to tell customers where they can find this information when they sign up for Internet banking.
"One issue we have raised with the Bankers Association in the past is that banks should not initiate email contact with their customers," Davidson says.
The code allows banks to use unsolicited email among other media to advise of changes in their arrangements with the customer, but Davidson says they should only utilize their web-based mail systems.
"It is hardly surprising that some people fall victim to phishing email scams when banks use email as a normal method of communication, and therefore email can be perceived as a valid communication by end users," he says.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomo metzdowd.com

Re: The bank fraud blame game
United States
2007-06-27 11:39:09
[ This may well be OT; I leave that to the moderator. ]
"Leichter, Jerry" writes:
-+-----------------------
| As always, banks look for ways to shift the risk of
| fraud to someone - anyone - else. The New Zealand
| banks have come up with some interesting wrinkles on
| this process.
|
This is *not* a power play by banks, the Trilateral Commission, or the Gnomes of Zurich. It is the first echo of a financial thunderclap. As, oddly, I said only yesterday, I think that big ticket Internet transactions have become inadvisable and will become more so. I honestly think that the party could be over for e-commerce, with eBay Motors as its apogee.
Now what I think I know and what I am about to say are all based on hearsay. It is surely wrong in part, but until I am corrected in public it is true enough for lemonade making.
The story begins with E-Trade's 10-Q filing of 17 November, which filing is at [1] and elsewhere. In that 10-Q, we have this paragraph:
> Other expenses increased 97% to $45.7 million and 55% to $101.9 million for the three and nine months ended September 30, 2006, respectively, compared to the same periods in 2005. These increases were primarily due to fraud related losses during the third quarter of 2006 of $18.1 million, of which $10.0 million was identity theft related. The identity theft situations arose from recent computer viruses that attacked the personal computers of our customers, not from a breach of the security of our systems. We reimbursed customers for their losses through our Complete Protection Guarantee. These fraud schemes have impacted our industry as a whole. While we believe our systems remain safe and secure, we have implemented technological and operational changes to deter unauthorized activity in our customer accounts.
In other words, remote exploitation of individual customers' computers, doubtless many of them home machines and the laptops of road warriors, eventually led to a loss for E-Trade that was material enough to appear on the 10-Q. This is not a pump&dump scheme where rubes are snookered into buying some worthless stock. No, it is the actual entry of trades into legitimate trading systems by legitimate users, only with the special case that those users are actually the alien malware using the captured credentials of the legitimate user and entering the trades from the legitimate users' legitimate machine. As I understand it, some of this malware is clever enough to piggyback sessions that are opened by the legitimate user using the much vaunted 2-factor authentication; thus proving that 2-factor auth is a mere palliative.
As you are well aware, stealing data is now and everywhere the name of the game, and "we" have lots of supporting evidence that such theft is fully professionalized. As one example, the APWG has already shown that phishing e-mails are transmitted in a pattern that suggests the transmitters are enjoying a conventional 5-day work week, and there are many other examples. Mike D'Anseglio, Security Program Director at Microsoft, said two interesting things in the last six months: (1) that 2/3rds of all PCs have "unwanted" software running on them and (2) that state-of-the-art attack tools cannot be eliminated without a clean install from the raw iron up.
Well, ironically due to SOx, as the loss amounts get bigger -- and bigger is an assured eventuality -- then those losses will hit Earnings Per Share, and disclosure from the governance and the financial points of view is thus made a requirement as those losses are material. Data security has nothing to do with the disclosure as the disclosure is purely driven by the materiality.
So, let's do a little math. E*Trade, call symbol ET, has an approximate market cap of $9.66B with approximately 440M shares outstanding. Their estimated annual earning per share is $1.36. Since the fraud loss goes directly to the bottom line, an $18M loss in the one quarter is a $0.04 hit in earning per share for the quarter, which on an expected quarterly earning of $0.34/share is a 12% hit to the quarter. This is sufficiently material that it MUST be disclosed, and thus we have, like it or not, data sharing about the impact of digital security lapse -- even if we do not have data sharing about the mechanism of digital security lapse.
What some of the banks now want to do is to have you download fresh code each time you go to trade, code that would "theoretically" protect the bank from the fact that your (user's) machine is almost surely compromised. To get that protection, such ideas as seizing control of the keyboard from the operating system so that keylogging can't happen while trades are being booked, are being floated. Think about what that would mean -- training users to use their Admin privilege to accept ActiveX controls that strip the OS of this or that subsystem, and to do so in the name of security.
--dan
P.S., The S.E.C. tackling some Estonian clown for $353,609 [2], is an irrelevant side show at the scale I am talking about: It's not material to anyone who matters; invested at 10% it wouldn't even pay the salary of the PR flack who issued the press release.
[1] http://yahoo.brand.edgar-online.com/fetchFilingFrameset.aspx?dcn=0001193125-06-226723&Type=HTML
[2] http://www.securityfocus.com/news/11431