Finger Pointing in Commercial Banking

"What’s your take on this? Should commercial banks beef up their security or point the finger at the customers who fall for online fraud?"

A real-life analogy would be if I open up a safety deposit box with a bank and the bank blames me if they allow someone else access to this safety deposit box. How would this be received by customers and potential customers?

The answer is commercial banks should beef up their security. Banks should design and offer systems based on the premise that their customer can have a thousand trojans in his PC, a man-in-the browser and could fall for a man-in-the-middle schemes.

To provide secured systems does not require rocket science.  All is needed is the proper 'motivation' for banks to develop and offer secured systems. In the case payment security, there isn't a lot of 'motivation' for issuing banks to provide the best security because it has often been said that Fraud is just one cost of doing business.

More and more people are sharing their Internet Banking credentials with Mint, Wesabe and other P2FM services who then seamlessly access bank accounts to download transaction statements on a daily basis. While people sharing their credentials trust these services enough not to misuse their privileged access into their bank accounts, surely banks can't be held responsible for any frauds that might happen if cybercriminals hack into these startups' databases and steal usernames and passwords?

Concerning the  Wesabe, Mint...  obviously, a new factor is added into the mix.  Nonetheless, let's not claim that it is an overly complicated matter for banks to provide read-only access versus read-and-update access.

Agree that it should be relatively easy for banks to provide read-only access to accounts. But, I am not aware of any bank that provides such a differentiated access at this point. Until that happens, the fact is, the credentials shared with P2FMs are for read-write access, and the point is, banks can't be held responsible for any cybercrime arising out of that.  

"Until that happens, the fact is, the credentials shared with P2FMs are for read-write access, and the point is, banks can't be held responsible for any cybercrime arising out of that."

It's up to the banks to allow this or not. Because banks can withdraw (ex. Nationwide/Wesabe) their involvement/participation with Mint, Wesabe,... they then should be held responsible for what they allow.

Maybe it's time for someone from a bank's technology / infosecurity team to step in and clarify. But, as far as I've gathered from the websites of Mint and other P2FMs about how this works, once a P2FM obtains a customer's credentials, it can access the customer's account without needing to enter into any arrangement with the bank in question. So, I don't believe that banks are actually signing up to permit P2FMs to access account information. Of course, banks might be able to block proxy access from P2FMs (as the Nationwide/Wesabe example illustrates), but that calls for additional efforts from their side to "close a gate" that they haven't opened in the first place. As a matter of fact, in two countries that I know of, namely India and Germany, banks advise their customers to "never open that gate" by proactively warning their customers never to share access credentials with anyone, not even to a bank employee.  

PFM sites access online banking in one of two ways:

·      OFX gateway - Example Quicken / Money clearly bank enabled for fee access or free

·      Automated login where user provides online banking credentials inclusive of UID / Password - For sites with multifactor the automated login will screen scrape and or replicate the multifactor credential and then allow the user to authenticate real time via the automated login

The weakest link in the chain is the end user and the majority of fraud happens due to lack of end user education on how to protect from fraud. Still the perception in the public is that the financial institution (FI) is always at fault as outlined in the case. This perception should factor in to the FI's risk strategy and included in steps created to build the trust model. The FI can never do enough on the customer’s behalf and must always be an advocate where security is involved.

It can get out of hand as it is in the UK where you have to swipe the card to do anything within online banking - this is nuisance territory, so there is a fine line when it comes to the end user experience and overkill in trying to protect them.

After posting this blog, someone sent me the following news piece:

The victim, Karen McCarthy, owner of Little & King, noticed directly before the fraud incident that her computer was infected with a computer virus, later confirmed to be a Zeus Trojan. The bank says that Mrs. McCarthy is responsible because the computer virus infected her machine, enabling the fraud to occur.

http://ow.ly/1bfwz

"The bank says that Mrs. McCarthy is responsible because the computer virus infected her machine, enabling the fraud to occur."

Well I certainly hope that Mrs. McCarthy counter-sue. 

A Zeus trojan can also be spread through phishing schemes. The general public cannot be expected to know when they are being phished.

I agree. In fact, with Drive by Download, a user no longer has to be careless or stupid to get infected. You just happen to be in the wrong place at the wrong time.

It is funny but the link you included ow.ly is from Libya so I did not click it. Are you testing us Uri? Just kidding - I don't like those URL masking tools as they feel very uncomfortable sometimes.