Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…


Bank at your own risk: Just what kind of security education do users need?

by Avivah Litan  |  May 13, 2010  |  3 Comments

There was tremendous emphasis on customer education as a partial solution to payments fraud during the presentations at the FDIC conference on ‘combating commercial payments fraud’ earlier this week. Of course, no one can argue against customer education, and in fact it is effective, but only up to a point. We all know by now that customer desktop and AV protection software has failed to detect the most insidious malware and Zeus variants. So how are end users going to protect their PCs if even the best security software vendors can’t?

Now the ‘tip of the day’ being offered to bank customers is to use a ‘dedicated PC’ for online banking. But even dedicated PCs can become infected. Not all malware is delivered via email; some is dropped by honest, legitimate web sites that have themselves been infiltrated. A dedicated PC will certainly limit a user’s exposure to malware, but it is by no means foolproof. (I would more likely recommend inserting a Ubuntu CD into the CD drive and booting a read-only OS and browser from it.)

The type of customer education that is really needed is informing business customers that online banking can be dangerous and that, under current law, they can lose all the money in their accounts and not get it back from their bank. There is an implicit assumption among Americans that our money is protected by U.S. banks, whether it sits in a consumer or a business account. Those of us who follow this industry now know that this is a false assumption for U.S. business accounts.

Next time a business logs on to its bank’s website, it should see this message clearly, right on the home page: “Bank at your risk”. Or, if banks don’t want to be that blunt and prefer to sound more ‘bank-like’, they can always say: “Please be aware that unauthorized withdrawals from your account may not be refunded, subject to the terms and conditions of your agreement.”

If you ask me, that’s the kind of education U.S. businesses need.


3 responses so far

  • 1 Stephen Wilson   May 13, 2010 at 7:13 pm

    Amen to that!

    I think user education has long gone past its Use By Date. It is simply beyond the capacity of normal users to tell pharming sites from real sites, or even to spot all spear-phishing e-mails.

    And in any case, the mass theft of IDs from backend databases shows that most stolen PANs in circulation probably originate from regular Card-Present transactions. The lesson is that even if you never ever shop online, you can have your card details stolen and abused. So all the breathless advice about looking out for the padlock is moot.

    I’m frustrated by the excessive emphasis on user education and awareness. It’s a subtle form of blame shifting, possibly a precursor to banks enforcing PC security so they won’t reimburse losses if a user’s PC is not up to code. [The problem with that is the difficulty proving where a given stolen record was stolen from.]

    In other walks of life we don’t put all the onus on user education. Think about car safety. Yes, good driving practices are important, but the major thrust is on legislated quality standards for automotive technology and enforceable road rules. In contrast, Internet security is dominated by a wild west, everyone-for-themselves mentality, leading to a confusing patchwork of security gizmos, proprietary standards and no common benchmarks.

    Cheers, Steve Wilson.

  • 2 Jay Heiser   May 14, 2010 at 2:24 pm

    Most organizations cannot even discipline their sysadmins to use a dedicated workstation for privileged access (as dramatically evidenced by some of the recent reports of phishing attacks against technology vendors).

    I continue to feel very strongly that this is yet another moral hazard problem. The credit-granting institutions are doing a poor job of identity authentication, and have inadequate financial motivation to tighten up their processes. While they probably are shouldering the majority of the costs of card theft today, this recent FDIC event suggests that banks want the ownership of this risk to remain somewhat ambiguous.

    The cost for outright ID theft, a less common but far more damaging sort of fraud, is primarily paid for by individuals. I hesitate to refer to them as ‘consumers’, because unlike those whose credit card numbers have been appropriated, victims of ID theft don’t even have a relationship with the bank that granted credit to fraudulent applicants. It remains a travesty of justice that these victims are considered guilty until they themselves, often over a difficult period of years, prove that they are innocent.

  • 3 Avivah Litan   May 17, 2010 at 10:56 pm

    Well said, Steve and Jay. Thanks for the insights!