
Banks To Force Customers To Foot the Bill For Fraud On Their Accounts

By ISB Editorial Staff | May 27, 2016 | Updated: May 27, 2016

Banks could block customers from claiming money back if they are a victim of fraud and it is found they had substandard online security. Following this news, IT security experts from Lieberman Software, ESET, Imperva and AlienVault discuss whether this is a good idea.

Jonathan Sander, VP of Product Strategy at Lieberman Software:

Banks, just like other organisations trying to deliver online services, find themselves between a security rock and a competitive hard place. On one hand, there is a duty on the part of the bank to ensure security. That means forcing stronger passwords on users, having them use codes and computer identification to log in, and asking them to renew their credentials and connections regularly.

While all of this is best practice in security, it’s also a pain in the neck in the eyes of the uneducated online consumer.

On the other hand, banks are under competitive pressures like any other. If one bank makes things too hard on their users from a security perspective, they may decide to simply switch banks. This is doubly so for the younger, mobile, first generation of users that everyone is competing to capture.

When banks say they may ask users to take on some of the risk for using bad security practices, it seems they are saying that they want to split the tab for allowing people to be lazy. The banks won’t force good security on people – which they could – but they will instead say that choosing to opt out of good security is done so at your own, very grave, risk.

Mark James, Security Specialist at ESET:

I think it’s very important that the end user understands they are responsible for their own security. People still think it’s difficult or complicated to protect against fraud or cyber-attacks but the basics are very affordable and easy to implement. Making sure your operating system and applications are patched and on the latest versions, along with a good, regularly updating internet security product, would be considered as minimum requirements.

You should also be very mindful of the device you’re accessing any online banking with and ensure you always log out and never save passwords. Whenever there are big breaches or data found on the internet, one of the biggest things that still amazes is the fact that users still do not use complex passwords. You really need to have at the very least a unique password for any financial login and ensure it contains enough unique characters to not be easily guessed; this could be a passphrase or even a few words added together with numbers, uppercase and special characters thrown in for good measure. You really are the first defence and can easily make things harder for the bad guys.

Amichai Shulman, CTO of Imperva:

When online banking started a few years ago, this was the standard practice. Banks would have their customers sign waivers that released the banks from any liability in the case of account takeovers or some online fraud. Previously credit card customers also had a hard time getting their money back if their credit card number got compromised. Business drivers and regulations forced banks and credit card issuers to remove the burden from end users and take responsibility for online security. If this hadn’t happened, we would not have witnessed the exponential growth of online commerce and online banking we are seeing today.

Javvad Malik, Security Advocate at AlienVault:

Overall this is a bad idea, purely because the maturity in the market doesn’t exist. It will be difficult, if not impossible, to agree what an acceptable baseline of security is. Will banks mandate which operating systems and browser versions are relevant? For example, will they block any visitors running Windows XP? If that is the case, then the tables can very easily be turned if, in court, a customer asks a bank to demonstrate that all their systems involved in the online banking ecosystem meet the same level of base security controls. With many banks running legacy systems, it will be a difficult case to make – not to mention can potentially expose confidential information about the bank’s setup.

In the first instance, the banks would be better placed investing in better fraud detection and prevention controls on their own end. The systems should ideally be designed in a manner that even if a customer machine is compromised, it would be difficult for a fraudster to steal credentials.

Ongoing customer education is not to be discounted. Many people still fall victim to phishing or even telephone scams where fraudsters pose as the bank. The customers shouldn’t be victimised twice, once by the fraudster and second by the bank. Rather a collaborative approach is needed with more vulnerable customers perhaps given lower limits or limited functionality on their online banking in order to minimise the impact of fraud.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
