Last week's blog on why consumers might be confused by contradictory messages on computer security from banks drew a few objections from interested parties — ones that I thought would be worth responding to this week.
Perhaps I didn't make my point clear enough, or perhaps the people who contact me are nitpicking pedants with a marketing plan in hand. So I'll state my position again: I have no problems with banks giving away security software; I do, however, have a big problem with exaggerating what it will do for you. Why? Exaggerated claims about the efficacy of security products muddy what is already a confusing topic for many consumers.
ING Direct in the US is offering its customers free security software made by the vendor, Trusteer. ING and Trusteer claim the product, Rapport, creates a secure pipe between the PC and the bank, protecting against "sophisticated attacks", including phishing and man-in-the-middle attacks.
Mickey Boodaei, the CEO of Trusteer, emailed me to disagree that ING Direct is blinding its customers to the reality of malware by making such claims.
"ING Direct realises that regardless of how careful the user is, malware can still find its way to the desktop," he wrote in an email to me, which he says is his personal position on this matter.
Well, why doesn't ING Direct say that? It's quite normal for a person who feels safe to act as if they are safe and take extra risks because they think they're totally protected. And if you make them feel safe when you know that they're not, then their behaviour won't reflect the risks they face, potentially leading to a worse outcome.
Boodaei also believes that media and security experts should support ING "for its bold move and out of the box thinking... After all, most banks are too afraid to do anything (afraid of support calls, afraid of user reaction, afraid of negative media) and this plays right into the attackers' hands," he continued.
Really, Mickey? The CEO of McAfee, Dave DeWalt, reckons there are better things to worry about than "negative media" — like customers ready to sue their bank's pants off for lying and breaching customer privacy.
"[Banks and telcos are wrestling with] how much liability can they take on by recommending a security product to you and how invasive can they be to help protect your computer transaction. Typically, to be very strong, they have to actually download something to your computer to help secure the transaction, but they potentially could breach data privacy laws by putting something on your computer," he said.
And as for those support calls? I think ING has covered that too: "ING Direct is not responsible for, nor do we guarantee, the content or services associated with this product. All problems, questions or concerns regarding Trusteer Rapport should be directed to firstname.lastname@example.org." As with most financial products, read the fine print.
To me this smells like a company that's able to make claims about the efficacy of a product without having to stand by those claims if and when something goes wrong.
And, Mickey, like I said last week, if consumer education is what will truly offer secure computing, why not start with a few home truths, just like the one you gave me about security?
A more honest representation — rather than covering your rear with fine print — might be: "Dear customer, feel free to download this security software. It will make you *more* secure, but in reality, unless you unplug your computer and wrap it in a lead box, nothing will make you totally, 100 per cent secure. These are the unfortunate facts of our time. Happy banking and stay safe online."
The CEO of security company Prevx left an essay in the feedback section of my last blog about the plight of banking security from a banker's perspective and banks needing to take a holistic stance on "Customer Security Management" (sic). I appreciate most forms of feedback, including the negative, but Mel, use your own blog page for spruiking.
But Mel did make one relevant comment, and actually, it could make a neat footnote to the Commonwealth Bank's claim that its CA security suite will "eliminate" the threat of malware:
"If a PC is under the control of a kernel level rootkit then nothing running on that PC is safe, nor can anything running on it create a safe harbour without detecting and removing the rootkit."