The bank fraud blame game

Leichter, Jerry leichter_jerrold at emc.com
Wed Jun 27 13:46:18 EDT 2007


| "Leichter, Jerry" writes:
| -+-----------------------
|  | As always, banks look for ways to shift the risk of
|  | fraud to someone - anyone - else.  The New Zealand
|  | banks have come up with some interesting wrinkles on
|  | this process.
|  | 
| 
| This is *not* a power play by banks, the Trilateral Commission,
| or the Gnomes of Zurich.  It is the first echo of a financial
| thunderclap.  As, oddly, I said only yesterday, I think that
| big ticket Internet transactions have become inadvisable
| and will become more so.  I honestly think that the party
| could be over for e-commerce, with eBay Motors as its
| apogee....
Actually, we don't really disagree with the rest of your message, and
I'm not claiming some kind of conspiracy.  This isn't really a power
play because the banks hold all the cards.  Perhaps we're reading
different parts of the message I forwarded.  Consider:

	Liability for any loss resulting from unauthorized Internet
	banking transactions rests with the customer if they have "used
	a computer or device that does not have appropriate protective
	software and operating system installed and up-to-date, [or]
	failed to take reasonable steps to ensure that the protective
	systems, such as virus scanning, firewall, antispyware,
	operating system and antispam software on [the] computer, are
	up-to-date."
OK, I could live with that as stated.  But:

	The code also adds: "We reserve the right to request access to
	your computer or device in order to verify that you have taken
	all reasonable steps to protect your computer or device and
	safeguard your secure information in accordance with this code.

	"If you refuse our request for access then we may refuse your
	claim."
The delay between when you were defrauded and when they request
access is unspecified.  Who knows what's happened in the meanwhile?
Perhaps as a result of my experience, I stopped using on-line banking,
and as a result decided it wasn't worth keeping all the (obviously
ineffective) software up to date.  This is just too open-ended a
requirement.  "All reasonable steps?"  Just what *are* all reasonable
steps?  I think I know more than most people about how to keep systems
secure, but I'd be at a loss to make a list that could reasonably
be called "all reasonable steps".  (Actually, my list would probably
include "don't use IE or Outlook".  Is that "reasonable"?)

	"Bank customers who are unhappy with the new rules may choose to
	dispense with electronic banking altogether, and return to
	dealing with tellers at the bank.  But it seems that electronic
	banking and in particular Internet banking has become the
	convenient choice for consumers," Davidson says.
On-line access is on its way to becoming a necessity.  EZ-Pass in New York
(electronic toll collection) now charges $2/month if you want them to
send you a printed statement - go for all on-line access, and it's free.
Hardly a "necessity" yet, but this is a harbinger.  (Meanwhile, the
percentage of EZ-Pass only lanes at toll plazas keeps rising.  You don't
*need* to use EZ-Pass, if you're willing to incur significant delays.)

	The code also warns users that they could be liable for any loss
	if they have chosen an obvious PIN or password, such as a
	consecutive sequence of numbers, a birth date or a pet's name;
	disclosed a PIN or password to a third party or kept a "written
	or electronic record" of it. Similar warnings are already
	included in the section that deals with ATM and PINs for Eftpos
	that was issued in 2002.

	There is nothing in this clause allowing an electronic record to
	be held in a password-protected cache -- a facility provided by
	some commercial security applications.
This is not just wrong, it's *dangerously* wrong.

	The code allows banks to use unsolicited email among other media
	to advise of changes in their arrangements with the customer,
	but Davidson says they should only utilize their web-based mail
	systems.

	"It is hardly surprising that some people fall victim to
	phishing email scams when banks use email as a normal method of
	communication, and therefore email can be perceived as a valid
	communication by end users," he says.
As we've discussed here many times, banks' mail messages are incredibly
hazardous, and teach entirely the wrong things.

							-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
