Saturday, November 15, 2008

More on online banking security

There is a very interesting series of comments on my post about online banking security. You should pop over to take a look.

Chris Byrne stopped by, and since he's the technical architect for this sort of thing, he brings a lot to the discussion. I wanted to sleep on this before replying, because it's an important topic, and my first post was wrong in presenting this as a technical problem. It's not - it's a risk management problem.

Now most of us are pretty good at risk management for some things - wear your seatbelt, change the batteries in the smoke detectors, stay out of bad neighborhoods at night. Concealed Carry is really another form of risk management, too.

Risk Management isn't about eliminating risk; it's about managing risk. All the actions that I take to mitigate my risk could fail. I could get killed in a car crash even if I'm wearing my seatbelt. So I make sure that I have life insurance so that the family is taken care of should I shuffle off this Mortal Coil. I can't eliminate the risk, but I can to some extent control how much it will affect me.

Online activities are a lot harder for most folks. They typically don't understand the ins and outs of the technology (most don't want to). Even if they did, they don't own the server or the application that they're visiting, so there's not a whole lot they can do, in a technical sense. However, the most important problem people have with online security is in estimating risk and estimating consequence.

And this brings things to why I'm still leery of online banking: I'm not at all sure what would happen if something were to go BUMP in the net. Chris left a great comment that cuts to the heart of this, in reply to a question about whether someone should use a debit card for online transactions:
Very definitely. Never let your debit card out of your sight, or use the number online.

You are not liable for fraud executed against your credit card.

Unfortunately, electronic funds transfers and debit card transactions are not nearly as protected. It is up to the discretion of the issuing bank as to how much they can recover for you on a fraudulent transaction, if any.
Now as I've said, I was professionally trained at Three Letter Intelligence Agency to be paranoid, so I'm not quite normal here. However, I'm moderately well versed in how the banking system works, and I'm pretty well versed in Internet Security, and I'm still not at all sure what would happen if someone emptied my bank account. At the same time, I am sure what would happen if someone started using my credit card for fraudulent transactions, because I've gotten calls from them asking me if I had just bought something from Russia.

Now I think that my bank would cover me. I quite like my bank, although a lot of this is Heather at the local branch. But I'm not sure, and if I weren't dealing with Heather, I'd be a lot more unsure.

So the issue here isn't technical, really at all. The issue is that I find it terribly difficult to estimate the risk in online banking, or the consequences if something goes south.

And this is pretty unfair to guys like Chris. While all of the stuff he and his team do is important (careful design, code reviews, 3rd party review, penetration test, etc), we're now in the realm of bank policy. If my bank would offer the same guarantees that my credit card company does, my objections would pretty much disappear. I'd still be less than entirely happy, because I am paranoid, but the risk would be manageable.

Maybe the bank already offers this, and I just don't know. In this case, the problem is a disconnect in the marketing department.

UPDATE 15 November 2008 20:18: Very informative comment by Chris Byrne on the regulatory situation for banks. IANAL (not sure if Chris is, either), but this gives really important context. I'd excerpt, but it's long and very informative. If you're interested in the subject, RTWT.

So bottom line (summarizing my two posts and Chris' three comments), you will greatly reduce your risk if you:
  1. Don't ever use your debit card online. Use a credit card instead.
  2. If you do bank online, do it directly at your bank, and not a third party.
  3. If you really have to bank online (sigh), then you should really, really follow the suggestions in the Two Simple Rules of Safer Browsing.

1 comment:

AnarchAngel said...

Ted,

That is EXACTLY correct: it is a risk management issue; and if you cannot judge either the severity or likelihood of the risk, you cannot manage it.

The fact is, banks are actually limited in what they can and cannot do by law.

Credit card companies are legally allowed to chargeback on a fraudulent transaction; or even if the transaction was authorized and there was a non-performance issue with the item purchased (as well as fraud of course). Credit card companies can usually do so within 30 days, and either never pay out into the merchant accounts in question, or reclaim funds paid into those accounts. Also, credit card companies are allowed to write off unrecovered chargebacks as a direct expense.

Banks are FAR more limited under law; basically because the laws that govern us were mostly written before these issues were ever thought of.

We cannot issue chargebacks against authorized transactions at all. In fact, technically we cannot issue a chargeback at all.

Though we can attempt to recover funds transferred without lawful authorization, it is extremely difficult, and requires the co-operation of the receiving institution; which they are not always legally required to give (even if we can prove fraud). If the funds have been removed from the receiving account, there is nothing we can do at all; and the receiving institution has no obligation to do anything.

Also, we MUST honor any valid negotiable instrument presented against a funded account. Credit card companies can decide to deny a charge they believe is fraudulent, even if proper ID and signature are presented; we cannot. What is a valid instrument is set down in law in every state as well as federally, and we cannot simply decide not to honor them.

Oh and electronic signatures are legal and binding. So if a company or another bank presents us with valid account info, for an amount that is in your account, and a digital signature stating you authorized it; we are required by law to honor it (unless it's from a foreign bank, where we have some discretion).

Finally, we are not allowed to expense such losses as credit companies are. They are carried differently on our books (as bad debt).

Taken altogether, this makes it very difficult for us as banks to manage our systemic risks. In turn it makes it difficult for us to help the customer manage their risks.

Generally speaking, if you can show clear fraud, we will do our best to make you whole. However, legally, there is very little we can do except make it up out of our own pocket.

If there is anything other than clear fraud going on, we can't even do that though; because then we would be legally in the position of actually paying you back for what isn't technically fraud. That would mean we were not giving you a refund but actually giving you income, and that's not allowed.

If the charges were authorized and you never received the goods, or the services were shoddy, etc., there is nothing we can do about it.

If you authorized a contracted charge (like a website subscription) and the company multiplies their fees by 10x and cleans you out, there's nothing we can do about it.

Basically, any kind of authorization at all, and what little we could do is reduced to zero.

We really do do whatever we can. It's bad customer service, and bad customer relations to do otherwise.

Every customer that we lose to fraud is reckoned to be worth as many as 100 customers never gained; in a business where the cost of acquiring new customers is generally as high as the first 5 years of profits from each customer.

We try to make up as much as possible, right up to the point where we are legally limited; and we will work with you as much as possible, but there is only so much we can do.