Why the onus should be on banks to improve online banking security
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Nov 20 02:12:48 EST 2009
There's been a near-neverending debate about who should be responsible for
improving online banking security measures: the users, the banks, the
government, the OS vendor, ... Here's an interesting perspective from Peter
Benson <peter.benson at codescan.com>, reposted with permission, on why the onus
should be on banks to provide appropriate security measures:
One of the main reasons to target the banks with accountability is "because
you can". There is a lot of historical regulation and controls around
banking, which makes it *relatively* easy to hold them to account. The
bigger problem, and the next logical step, is how the banks hold suppliers /
vendors of software accountable for flaws in their systems and software that
enable the problems to occur in the first place.
Anyone recognise the following?
"This software is provided as is, and any expressed or implied warranties,
including, but not limited to, the implied warranties of merchantability and
fitness for a particular purpose are disclaimed. In no event shall the
contributors be liable for any direct, indirect, incidental, special,
exemplary, or consequential damages (including, but not limited to,
procurement of substitute goods or services; loss of use, data, or profits;
or business interruption) however caused and on any theory of liability,
whether in contract, strict liability, or tort (including negligence or
otherwise) arising in any way out of the use of this software, even if
advised of the possibility of such damage."
Accountability is great, and I fully support it, and would like to somehow
find the way to push a level of accountability back to various software
developers / manufacturers. Unfortunately in the current state of Contract
and Tort law, there is so much protection(ism) of the software industry,
that it's still going to be time consuming and expensive to get a couple of
decent case studies out there or to change anything. So from a public good
perspective, unfortunately (realistically), it is the banks that should
carry the onus.
Peter
---------------------------------------------------------------------
The Cryptography Mailing List