Martin McKeay

Security Matters

Is your bank responsible for protecting you from key loggers?

Where does your bank's responsibility to protect you and your online transactions end?  Apparently the HSBC bank of Great Britain knew for 2 years that they had a vulnerability and did nothing about it.  There are very few details about the vulnerability, but one thing is known -- an attacker would already have to have a key logger on the customer's system to take advantage of the vulnerability.  Maybe I'm being naive, but if an attacker has a key logger on the system, I figure your online banking credentials being stolen is just the start of your worries. 

The vulnerability HSBC has is apparently extremely difficult to actually take advantage of, a factor HSBC took into account when they decided to live with it because other concerns were more pressing.  As security professionals, we should understand this balancing act, even if we don't always agree with the decisions that are reached.  The cost to fix the issue was considered by management to exceed the probability of an exploit multiplied by the possible cost of paying for any such breaches.  Pretty standard business reasoning.

The bank could have put any number of safeguards in place to mitigate the vulnerability, but the question is, should they?  One possibility that comes to mind is your bank having a variation of Network Admissions Control (NAC) that would require you to have up to date patches and anti-virus on your system before you can access your account.  As much as I'd like to see that, I think the first bank to do this is going to face a huge battle with their customers.  I can imagine the calls now, "Mrs. Smith, you have to upgrade your computer to SP4 before you can access your account.  No, I can't offer you support on how to do that."  Not a pretty scenario.

Banks face a tough situation.  They're considered to be the safe house for your money and need to do everything they can to protect it, but at the same time they can't reach into your computer and do what they would really need to do to protect the endpoint.  And unless the endpoint, your desktop, is properly protected, there's no way they can guarantee that the banking transaction is going to be safe.  This is where the unwritten, unspoken contract between the bank and the customer comes into play:  While the money is in the bank's possession, they'll do their best to protect it, but when you are accessing your money, it's on you to do your best to protect your side of the transaction.

What People Are Saying

Hey That's very useful and

Hey
That's a very useful and interesting article.
I was searching for something like this :)

Thx for this article
greeting,
portal

Agree with SoftArea51. Bank

Agree with SoftArea51. The bank must have more responsibility. And it's not because I'm afraid to exercise responsibility. When a customer trusts his money to a bank, the latter must take care of it.


The bank charges you money

The bank charges you money for almost everything and I think if we want to make a correct judgment we can't make it 50-50. I think the bank is 80% guilty and the customer 20% because he is not careful.


I fully support robert and

I fully support robert and believe that banks should be required to maintain enhanced policies aimed at strengthening the security of their online transactions. Thus, as a customer of one of the banks, which I very much believe in, I can rest easy about my account, because there are several levels of protection, and even if the password for my account is stolen, it is simply not possible to use the money there.


I fully agree with "The user

I fully agree with "The user and the bank are both responsible". Online banking certainly provides great convenience; however, users need to be vigilant and protect their online bank accounts, with some tips like: don't be tempted to do online banking in the library or the local Internet cafe, and don't ever try to access your account through an emailed link.


These days you can't have

These days you can't have the latest and greatest and still be safe. If I went out and downloaded the latest updates for my antivirus and the latest updates for my computer and then went over to my bank's web site, I could still be vulnerable to some publicly unknown vulnerability that opens my computer up to the world like it was a garage door. Hacks like the one that allowed a spoof of Citibank with two phase authentication, with users using the bogus site and their credentials going over to the real site, what can one do? We are sitting ducks.

I think digital certificates in addition to a passcode generator is perhaps one approach that has hope, at least right now based on what little I know.

Tomorrow, I am sure this will be the latest hacking. We pay a price for convenience. We all have a false sense of security. Hopefully the next generation of security products will allow us to sleep a little better at night.

Anthony

the original report seems

The original report seems pure FUD, or bs.

The report simply says, access from an insecure system is insecure. bfd.

Worse, the academic researchers not only gave no details of the supposed flaws but also apparently did not contact the bank to initiate any remediation before going public with a headline grabbing non-story. Grossly irresponsible.

Basically, an attacker who has a keylogger installed on the client's system effectively knows every bit of input they generate (if an attacker can penetrate the system sufficiently to install a keylogger they can also monitor mouse clicks or even network I/O if they so choose). Of course they can learn the user login info, including password, pin, anything that requires input from the user - duh.

I don't know who is more to blame for this flap, the researchers for publishing bs or the media for picking it up and reporting it without any responsibility for content. GIGO. Trouble is the public will read this and believe it's credible because the media reported it, not understanding that the reports are published without consideration of the underlying validity.

ARGH!

Working in banking for 20

Working in banking for 20 years, I'll give you the bank's viewpoint. We do what we can to protect our customers, just like the police do what they can to protect their citizens. Then you have the crooks that are constantly coming up with new ways to get around our protections. And just like the police, sometimes we are outgunned. And just like the police, we make adjustments to compensate. Then on top of this, while we are keeping customers' information private, some of them are giving it out to what seems like anyone that asks for it, either online or on the phone.

I think it's not so easy to

I think it's not so easy to decide whose problem that is. Of course the users are responsible for their computers and anything that is going on with them, but the bank should protect users' accounts as much as they can. So the user and the bank are both responsible.

If there is a keylogger on

If there is a keylogger on the user's machine, it is the problem of the user, not the bank or any other entity that uses passwords as a means of identification and access. There is a heck of an education program needed to get people to keep their machines patched, use current anti-virus and anti-spyware definitions, and learn good practices. It will be a long hill to climb, and it is quite possible that one will never reach the top, but individuals need to take responsibility, and not try to blame everything on someone else, whether it be an individual or corporate entity, or government ("There oughta be a law!").