The bank fraud blame game
Leichter, Jerry
leichter_jerrold at emc.com
Wed Jun 27 13:46:18 EDT 2007
| "Leichter, Jerry" writes:
| -+-----------------------
| | As always, banks look for ways to shift the risk of
| | fraud to someone - anyone - else. The New Zealand
| | banks have come up with some interesting wrinkles on
| | this process.
| |
|
| This is *not* a power play by banks, the Trilateral Commission,
| or the Gnomes of Zurich. It is the first echo of a financial
| thunderclap. As, oddly, I said only yesterday, I think that
| big ticket Internet transactions have become inadvisable
| and will become more so. I honestly think that the party
| could be over for e-commerce, with eBay Motors as its
| apogee....
Actually, we don't really disagree with the rest of your message, and
I'm not claiming some kind of conspiracy. This isn't really a power
play because the banks hold all the cards. Perhaps we're reading
different parts of the message I forwarded. Consider:
    Liability for any loss resulting from unauthorized Internet
    banking transactions rests with the customer if they have "used
    a computer or device that does not have appropriate protective
    software and operating system installed and up-to-date, [or]
    failed to take reasonable steps to ensure that the protective
    systems, such as virus scanning, firewall, antispyware,
    operating system and antispam software on [the] computer, are
    up-to-date."
OK, I could live with that as stated. But:
    The code also adds: "We reserve the right to request access to
    your computer or device in order to verify that you have taken
    all reasonable steps to protect your computer or device and
    safeguard your secure information in accordance with this code.
    "If you refuse our request for access then we may refuse your
    claim."
The delay between when you were defrauded and when they request
access is unspecified. Who knows what's happened in the meanwhile?
Perhaps as a result of my experience, I stopped using on-line banking,
and as a result decided it wasn't worth keeping all the (obviously
ineffective) software up to date. This is just too open-ended a
requirement. "All reasonable steps?" Just what *are* all reasonable
steps? I think I know more than most people about how to keep systems
secure, but I'd be at a loss to make a list that could reasonably
be called "all reasonable steps". (Actually, my list would probably
include "don't use IE or Outlook". Is that "reasonable"?)
    "Bank customers who are unhappy with the new rules may choose to
    dispense with electronic banking altogether, and return to
    dealing with tellers at the bank. But it seems that electronic
    banking and in particular Internet banking has become the
    convenient choice for consumers," Davidson says.
On-line access is on its way to becoming a necessity. EZ-Pass in New York
(electronic toll collection) now charges $2/month if you want them to
send you a printed statement - go for all on-line access, and it's free.
Hardly a "necessity" yet, but this is a harbinger. (Meanwhile, the
percentage of EZ-Pass only lanes at toll plazas keeps rising. You don't
*need* to use EZ-Pass, if you're willing to incur significant delays.)
    The code also warns users that they could be liable for any loss
    if they have chosen an obvious PIN or password, such as a
    consecutive sequence of numbers, a birth date or a pet's name;
    disclosed a PIN or password to a third party or kept a "written
    or electronic record" of it. Similar warnings are already
    included in the section that deals with ATM and PINs for Eftpos
    that was issued in 2002.
    There is nothing in this clause allowing an electronic record to
    be held in a password-protected cache -- a facility provided by
    some commercial security applications.
This is not just wrong, it's *dangerously* wrong.
    The code allows banks to use unsolicited email among other media
    to advise of changes in their arrangements with the customer,
    but Davidson says they should only utilize their web-based mail
    systems.
    "It is hardly surprising that some people fall victim to
    phishing email scams when banks use email as a normal method of
    communication, and therefore email can be perceived as a valid
    communication by end users," he says.
As we've discussed here many times, banks' mail messages are incredibly
hazardous, and teach entirely the wrong things.
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com