The 'secret': Banks are freaked out by security

Summary: Last week's blog on why consumers might be confused by contradictory messages on computer security from banks drew a few objections from interested parties — ones that I thought would be worth responding to this week.

Perhaps I didn't make my point clear enough, or perhaps the people who contact me are nitpicking pedants with a marketing plan in hand. So I'll state my position again: I have no problems with banks giving away security software; I do, however, have a big problem with exaggerating what it will do for you. Why? Exaggerated claims about the efficacy of security products muddy what is already a confusing topic for many consumers.

ING Direct in the US is offering its customers free security software made by the vendor Trusteer. ING and Trusteer claim the product, Rapport, creates a secure pipe between the PC and the bank, protecting against "sophisticated attacks", including phishing and man-in-the-middle attacks.

Mickey Boodaei, the CEO of Trusteer, emailed me to disagree that ING Direct is blinding its customers to the reality of malware by making such claims.

"ING Direct realises that regardless of how careful the user is, malware can still find its way to the desktop," he wrote in an email to me, which he says is his personal position on this matter.

Well, why doesn't ING Direct say that? It's quite normal for a person who feels safe to act as if they are safe and take extra risks because they think they're totally protected. And if you make them feel safe when you know that they're not, then their behaviour won't reflect the risks they face, potentially leading to a worse outcome.

Boodaei also believes that media and security experts should support ING "for its bold move and out of the box thinking... After all, most banks are too afraid to do anything (afraid of support calls, afraid of user reaction, afraid of negative media) and this plays right into the attackers' hands," he continued.

Really, Mickey? The CEO of McAfee, Dave DeWalt, reckons there are better things to worry about than "negative media" — like customers ready to sue their bank's pants off for lying and breaching customer privacy.

"[Banks and telcos are wrestling with] how much liability can they take on by recommending a security product to you and how invasive can they be to help protect your computer transaction. Typically, to be very strong, they have to actually download something to your computer to help secure the transaction, but they potentially could breach data privacy laws by putting something on your computer," he said.

And as for those support calls? I think ING has covered that too: "ING Direct is not responsible for, nor do we guarantee, the content or services associated with this product. All problems, questions or concerns regarding Trusteer Rapport should be directed to support@trusteer.com." As with most financial products, read the fine print.

To me this smells like a company that's able to make claims about the efficacy of a product without having to stand by those claims if and when something goes wrong.

And, Mickey, like I said last week, if consumer education is what will truly offer secure computing, why not start with a few home truths, just like the one you gave me about security?

A more honest representation — rather than covering your rear with fine print — might be: "Dear customer, feel free to download this security software. It will make you *more* secure, but in reality, unless you unplug your computer and wrap it in a lead box, nothing will make you totally, 100 per cent secure. These are the unfortunate facts of our time. Happy banking and stay safe online."

The CEO of security company Prevx left an essay in the feedback section of my last blog about the plight of banking security from a banker's perspective and banks needing to take a holistic stance on "Customer Security Management" (sic). I appreciate most forms of feedback, including the negative, but Mel, use your own blog page for spruiking.

But Mel did make one relevant comment, and actually, it could make a neat footnote to the Commonwealth Bank's claim that its CA security suite will "eliminate" the threat of malware:

"If a PC is under the control of a kernel level rootkit then nothing running on that PC is safe, nor can anything running on it create a safe harbour without detecting and removing the rootkit."

Topics: Security, Banking, Malware

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

4 comments
  • Banking Security

    We have millions of non-expert users trying to use a flawed operating system that constantly requires firewall, anti-virus and other security software to even approach some level of safety. This software and the operating system itself need to be continuously updated to keep just behind the attackers.

    The problem with bank-provided software is that it too will need continuous catch-up. Banks will probably "forget" to make a Mac and Linux version, thus alienating customers who have taken their own precautions.
    anonymous
  • mmm so? use livecds

    Ok, sure. Let's agree on something - it is likely that a system will have malware on it. Ok, so we have a few options. One. Do nothing (not really workable, is it?)

    Or two. Do as good admins should do / recommend and use multiple operating systems. For electronic banking, simply hand out an Ubuntu or other live CD (I don't think Windows can do this as easily / legally).

    Three is trust your antivirus software... but if you are rootkited...? / there is an unknown threat, you have problems.

    I prefer the second option.
    anonymous
  • In addition

    In addition, it is a joke having to run unsigned binary (or even signed) code. This just opens up more attack vectors. What about the recent DNS / DHCP trojan / other general network problems / compromises that would mean you might download a rootkit instead of the security software?

    Like, who honestly thinks that the problem is just software on the computer? It is not. This is just a big security lie.
    The solution is VERY simple. For every large / user / bank defined transaction, an SMS / phone / other (offline / not based on that host) confirmation is required.

    Like in one of your previous articles - more code is more problems. I do not trust my bank's IT. What if they have an employee who gets fired and takes down 50,000 customers' computers?
    That is a possible situation (they would just push out an update which identified core parts of the Windows operating system as hostile).

    The solution is more likely outside the box, if the box is not able to be secured. (We all can't / it's not practical to run OpenBSD on the desktop, etc.)
    anonymous
  • yeah...

    um. banks can just give out a customised Ubuntu live CD with Firefox....
    Or is that just me ;)
    anonymous