Citizens Financial sued for insufficient E-Banking security

Citizens Financial sued for insufficient E-Banking security

Summary: If a fraudulent transaction ever takes place on one of your bank accounts due to their compromise, who's to blame - the bank, for not providing you as a customer with state-of-the-art security mechanisms that could have prevented it, or you, as a customer whose insecure online behavior led to the compromise at the first place?

SHARE:
7

If a fraudulent transaction ever takes place on one of your bank accounts due to their compromise, who's to blame - the bank, for not providing you as a customer with state-of-the-art security mechanisms that could have prevented it, or you, as a customer whose insecure online behavior led to the compromise at the first place?

In the Shames-Yeakels vs Citizens Financial lawsuit, a couple that lost $26,500 due to a compromised account, may have all the good reasons to blame their bank's outdated E-banking authentication process, which in 2009 is a combination of SSL connection next to a user name and a password, with no sign of two-factor authentication in place:

At the time of the theft, Citizens had been in the process of issuing such tokens to customers, but the plaintiffs say they were too slow in rolling out this security measure. They pointed to a 2005 document from the Federal Financial Institutions Examination Council, which concluded that single-factor authentication was inadequate, and said that Citizens lagged behind other banks in offering this feature.

Citizens used a company named Fiserv to provide its online banking services, including information security services, and argued that Fiserv had a solid reputation in the banking industry and that its security measures were not the cause of the money transfer.

Would two-factor authentication have made any difference at the first place? That largely depends on the banker malware/crimeware that the customer gets infected with, since three of the most popular crimeware applications that used to proprietary tools in the arsenal of the sophisticated cybercriminal a couple of years ago, are not just publicly available nowadays, but are all capable bypassing badly implemented two-factor authentication solutions in place.

The success of these crimeware applications is so evident, that the number of managed crimeware services offering access to banker malware infected hosts, or raw logs of their E-banking authentication process for the purpose of session hijacking, is increasing and is therefore lowering the entry barriers into a market segment that used to be reserved for the more technically sophisticated cybecriminals a couple of years ago.

SSL connections combined with "secure user name" and a password can't protect against sophisticated cybercriminals, in fact they can't even protect you from the average ones still relying on outdated approaches of obtaining accounting data through the use of keyloggers. What two-factor authentication and a decent understanding of the current/emerging threats can do, is mitigate a significant percentage of the risk that would have otherwise resulted in a successful compromise with less efforts on behalf of the cybercriminal.

What do you think? Who's to blame for the fraudulent transaction in this case - the couple which apparently was E-banking from a crimeware infected computer, or the bank for not offering two-factor authentication at the first place?

Talkback.

Topics: Malware, Banking, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Blaming the state for not maintaining your car

    This sounds to me like blaming the state highway department for not making roads safer while ignoring the bald tires on your car.

    Or suing the manufacturer of the locks on your house because you "accidentally" left copies of your keys all over town because you didn't know you shouldn't do that.

    By now, everyone should know that they need to keep their computers updated & secured. If they don't know that, they should go buy an abacus.
    s_southern
    • Your analogy is illogical.

      Your analogy is half-true, but what if a company fails to make sure that all components of the web page is properly written with security in mind and sanitized for user input (cross-site-scripting)?
      Grayson Peddie
      • XSS isn't needed..

        ..when you have already taken control over the
        user's computer.
        AzuMao
  • Criminals go for easier targets...

    I won't speculate on whether or not the bank should be held accountable in this scenario, but it is well known that the criminals go for the easiest, widest targets - less secured sessions, Windows over Mac, etc.

    At this stage 2-factor (or something better) should be considered minimum best practice. Can a bank be held accountable for not following best practice? I don't know, but hopefully this lawsuit will encourage banks to take their customer's security, especially some of these weak points, more seriously.

    Michael Argast, Security Analyst, Sophos
    MichaelArgast
  • Blame Split in Half: Online Banker and Citizens Financial

    I wouldn't blame online banker that much, but I would never use online banking in an infected computer, so it's always a good idea to keep Windows and their choice of browser up to date. I'd certainly use Windows Vista if possible, as it provides UAC. Of course, using a limited access account can prove too limiting, as there are programs out there that are badly written for non-administrative users.

    For Citizens Financial, why not use SiteKey, when properly implemented? I'm a customer of Bank of America, and it works very well for me.

    Got "Financial Citizens" mixed up with "Citizens Financial." I think it's helpful to use "CF" but to each their own.
    Grayson Peddie
    • UAC..

      ..won't prevent something from taking over your
      browser. So unless you bank directly from the
      Windows kernel itself, switching to Vista isn't
      going to help much.
      AzuMao
  • RE: Citizens Financial sued for insufficient E-Banking security

    Well done! Thank you very much for professional templates and community edition
    <a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>
    birumut