Citibank e-mail looks phishy

Perry E. Metzger perry at piermont.com
Tue Nov 14 09:51:08 EST 2006


"James A. Donald" <jamesd at echeque.com> writes:
> Before computers, people had a lot of procedures that they routinely
> and ritualistically followed to prevent fraud, faithfully following
> the required procedures without ever thinking much about why things
> were done that way.  It seems that some time during the seventeenth
> and early eighteenth century, various captains of finance laid down
> the law "It shall be done thus", so very firmly that for the next few
> hundred years, no one deviated.
>
> But right now, we are inventing things, and we have not yet figured
> out how to do stuff right.  Further, the tools available do not really
> fit the task at hand, so it is unsurprising if people keep using them
> upside down and backwards.

I'm not sure this is the problem -- the problem may be a lack of object
lessons to provide negative reinforcement.

Every twenty years or so, a major accounting firm implodes in a
scandal. In the 1980s it was Laventhol and Horwath. A few years ago it
was Andersen. At intervals, the institutional memory of what can go
wrong vanishes, someone pushes the edge, and it takes a bit of blood
in the streets for people to remember why they were supposed to
follow the rules. (By the way, this is a good reason why people should
oppose the reduction of individual liability for partners in
accounting firms -- it is an important check on accounting scandals.)

At intervals, there are also major explosions in other parts of
finance. For example, does everyone remember how Barings melted down
because of lax controls? There have been failures of this sort at
intervals in trading operations -- Askin detonated even though it had
correct models of the CMO market because the market remained
irrational longer than it could remain liquid. Twenty years later, the
memory forgotten, Long Term Capital Management had a similar problem.

I think that failures of this sort are, for good or ill, part of the
natural order of things. Unless there are object lessons around,
people forget the reason for the controls. Right now, the systems
technologies in use are too new for there to have been major failures,
so many people in management do not understand why the technical
people have pushed for certain kinds of controls. I suspect the
failure of a major bank as a result of deep penetration of their
systems or some similar failure will be rather educational for the
ones that remain. Unfortunately it will also cause a lot of damage,
but I'm not sure there is any way to help this.

Some folks have said "perhaps this is a failure of regulation" but I
don't know that regulation can be made better. It is difficult for
regulators to understand all the intricacies of the operations of every
firm they watch, and it is difficult in some cases for them to remain
at arm's length from the people they regulate, since regulation
agencies depend on people with intimate knowledge of a given industry
who are inevitably previous insiders. There is also, inevitably, far
more lobbying by a regulated industry than by third parties, because
the regulated have a far greater incentive to shape the regulations
than outsiders do and thus spend more time and money on it.

Ultimately, I think we're going to have to see the collapse of a major
banking institution before this is dealt with.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


