The bank fraud blame game

dan at geer.org
Wed Jun 27 12:39:09 EDT 2007

[ This may well be OT; I leave that to the moderator. ]

"Leichter, Jerry" writes:
-+-----------------------
 | As always, banks look for ways to shift the risk of
 | fraud to someone - anyone - else.  The New Zealand
 | banks have come up with some interesting wrinkles on
 | this process.
 | 

This is *not* a power play by banks, the Trilateral Commission,
or the Gnomes of Zurich.  It is the first echo of a financial
thunderclap.  As, oddly, I said only yesterday, I think that
big ticket Internet transactions have become inadvisable
and will become more so.  I honestly think that the party
could be over for e-commerce, with eBay Motors as its
apogee.

Now what I think I know and what I am about to say are all
based on hearsay.  It is surely wrong in part, but until I
am corrected in public it is true enough for lemonade
making.

The story begins with E-Trade's 10-Q filing of 17 November,
which filing is at [1] and elsewhere.  In that 10-Q, we have
this paragraph:

> Other expenses increased 97% to $45.7 million and 55% to
> $101.9 million for the three and nine months ended September
> 30, 2006, respectively, compared to the same periods in
> 2005. These increases were primarily due to fraud related
> losses during the third quarter of 2006 of $18.1 million, of
> which $10.0 million was identity theft related. The identity
> theft situations arose from recent computer viruses that
> attacked the personal computers of our customers, not from a
> breach of the security of our systems. We reimbursed
> customers for their losses through our Complete Protection
> Guarantee. These fraud schemes have impacted our industry as
> a whole. While we believe our systems remain safe and
> secure, we have implemented technological and operational
> changes to deter unauthorized activity in our customer
> accounts.

In other words, remote exploitation of individual customers'
computers, doubtless many of them home machines and the
laptops of road warriors, eventually led to a loss for
E-Trade that was material enough to appear on the 10-Q.
This is not a pump&dump scheme where rubes are snookered
into buying some worthless stock.  No, it is the actual
entry of trades into legitimate trading systems by
legitimate users, only with the special case that those
users are actually the alien malware using the captured
credentials of the legitimate user and entering the trades
from the legitimate users' legitimate machine.  As I
understand it, some of this malware is clever enough to
piggyback sessions that are opened by the legitimate user
using the much vaunted 2-factor authentication; thus proving
that 2-factor auth is a mere palliative.

As you are well aware, stealing data is now and everywhere
the name of the game, and "we" have lots of supporting
evidence that such theft is fully professionalized.  As one
example, the APWG has already shown that phishing e-mails
are transmitted in a pattern that suggests the transmitters
are enjoying a conventional 5-day work week, and there are
many other examples.  Mike Danseglio, Security Program
Director at Microsoft, said two interesting things in the
last six months: (1) that 2/3rds of all PCs have "unwanted"
software running on them and (2) that state-of-the-art
attack tools cannot be eliminated without a clean install
from the raw iron up.

Well, ironically due to SOx, as the loss amounts get bigger
-- and bigger is an assured eventuality -- then those losses
will hit Earnings Per Share, and disclosure from the
governance and the financial points of view is thus made
a requirement as those losses are material.  Data security has
nothing to do with the disclosure as the disclosure is
purely driven by the materiality.

So, let's do a little math.  E*Trade, call symbol ET, has an
approximate market cap of $9.66B with approximately 440M
shares outstanding.  Their estimated annual earnings per
share is $1.36.  Since the fraud loss goes directly to the
bottom line, an $18M loss in the one quarter is a $0.04 hit
in earnings per share for the quarter, which on an expected
quarterly earnings of $0.34/share is a 12% hit to the
quarter.  This is sufficiently material that it MUST be
disclosed, and thus we have, like it or not, data sharing
about the impact of digital security lapse -- even if we do
not have data sharing about the mechanism of digital
security lapse.

What some of the banks now want to do is to have you
download fresh code each time you go to trade, code that
would "theoretically" protect the bank from the fact that
your (user's) machine is almost surely compromised.  To get
that protection, such ideas as seizing control of the 
keyboard from the operating system so that keylogging
can't happen while trades are being booked, are being
floated.  Think about what that would mean -- training
users to use their Admin privilege to accept ActiveX
controls that strip the OS of this or that subsystem,
and to do so in the name of security.

--dan

P.S., The S.E.C. tackling some Estonian clown for $353,609 [2],
is an irrelevant side show at the scale I am talking about: It's
not material to anyone who matters; invested at 10% it wouldn't
even pay the salary of the PR flack who issued the press release.


[1]
http://yahoo.brand.edgar-online.com/fetchFilingFrameset.aspx?dcn=0001193125-06-226723&Type=HTML

[2]
http://www.securityfocus.com/news/11431

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
