Why the onus should be on banks to improve online banking security

Damien Miller djm at mindrot.org
Sun Nov 22 01:48:14 EST 2009


On Fri, 20 Nov 2009, Peter Gutmann wrote:

> There's been a near-neverending debate about who should be responsible for
> improving online banking security measures: the users, the banks, the
> government, the OS vendor, ... .  Here's an interesting perspective from Peter
> Benson <peter.benson at codescan.com>, reposted with permission, on why the onus
> should be on banks to provide appropriate security measures:
> 
>   One of the main reasons to target the banks with accountability is "because
>   you can". There is a lot of historical regulation and controls around
>   banking, which makes it *relatively* easy to hold them to account. The
>   bigger problem, and the next logical step, is how the banks hold suppliers /
>   vendors of software accountable for flaws in their systems and software that
>   enable the problems to occur in the first place.
> 
>   Anyone recognise the following?
> 
>   "This software is provided as is, and any expressed or implied warranties,
>   including, but not limited to, the implied warranties of merchantability and
>   fitness for a particular purpose are disclaimed. In no event shall the
>   contributors be liable for any direct, indirect, incidental, special,
>   exemplary, or consequential damages (including, but not limited to,
>   procurement of substitute goods or services; loss of use, data, or profits;
>   or business interruption) however caused and on any theory of liability,
>   whether in contract, strict liability, or tort (including negligence or
>   otherwise) arising in any way out of the use of this software, even if
>   advised of the possibility of such damage."
> 
>   Accountability is great, and I fully support it, and would like to somehow
>   find the way to push a level of accountability back to various software
>   developers / manufacturers. Unfortunately in the current state of Contract
>   and Tort law, there is so much protection(ism) of the software industry,
>   that it's still going to be time consuming and expensive to get a couple of
>   decent case studies out there or to change anything. So from a public good
>   perspective, unfortunately (realistically), it is the banks that should
>   carry the onus.

It is a lazy argument that the banks should be held responsible just
because it is easy to regulate them. Moreover, it seems like magical
thinking that they would then suddenly start demanding liability
warranties from their software vendors. For a start, it is probable that
the majority of the problems are in their clients' software and not the
banks', so demanding liability insurance from banking software
vendors would have little effect. Furthermore, the cost of liability
warranties may well be less than the cost of fraud.

Also, exactly how is the second paragraph of the BSD license evidence of
protection(ism) of the software industry? It seems like no-liability is
an equilibrium that the software market has settled to without assistance
from government - is there evidence to the contrary?

A much better argument for the banks being responsible for the security
of customers' money is that this is exactly what we pay them for.

-d

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com