Why the onus should be on banks to improve online banking security

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Nov 20 02:12:48 EST 2009 

There's been a near-neverending debate about who should be responsible for
improving online banking security measures: the users, the banks, the
government, the OS vendor, ... .  Here's an interesting perspective from Peter
Benson <peter.benson at codescan.com>, reposted with permission, on why the onus
should be on banks to provide appropriate security measures:

  One of the main reasons to target the banks with accountability is "because
  you can". There is a lot of historical regulation and controls around
  banking, which makes it *relatively* easy to hold them to account. The
  bigger problem, and the next logical step, is how the banks hold suppliers /
  vendors of software accountable for flaws in their systems and software that
  enable the problems to occur in the first place.

  Anyone recognise the following?

  "This software is provided as is, and any expressed or implied warranties,
  including, but not limited to, the implied warranties of merchantability and
  fitness for a particular purpose are disclaimed. In no event shall the
  contributors be liable for any direct, indirect, incidental, special,
  exemplary, or consequential damages (including, but not limited to,
  procurement of substitute goods or services; loss of use, data, or profits;
  or business interruption) however caused and on any theory of liability,
  whether in contract, strict liability , or tort (including negligence or
  otherwise) arising in any way out of the use of this software, even if
  advised of the possibility of such damage."

  Accountability is great, and I fully support it, and would like to somehow
  find the way to push a level of accountability back to various software
  developers / manufacturers. Unfortunately in the current state of Contract
  and Tort law, there is so much protection(ism) of the software industry,
  that its still going to be time consuming and expensive to get a couple of
  decent case studies out there or to change anything. So from a public good
  perspective, unfortunately (realistically), it is the banks that should
  carry the onus.

Peter

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list