[fc-discuss] Financial Cryptography Update: Blaming the Banks won't work

iang@iang.org
Fri, 7 Oct 2005 16:39:56 +0100 (BST)

(((((( Financial Cryptography Update: Blaming the Banks won't work ))))))

                            October 07, 2005

Bruce Schneier outlines some of the factors behind phishing and then
tries to stick it on the banks.  Sorry, won't work - the Banks are
victims in this too, and what's more they are not in the direct loop.

Make Banks Responsible for Phishers

Push the responsibility -- all of it -- for identity theft onto the
financial institutions, and phishing will go away. This fraud will go
away not because people will suddenly get smart and quit responding to
phishing e-mails, because California has new criminal penalties for
phishing, or because ISPs will recognize and delete the e-mails. It
will go away because the information a criminal can get from a phishing
attack won't be enough for him to commit fraud -- because the companies
won't stand for all those losses.

If there's one general precept of security policy that is universally
true, it is that security works best when the entity that is in the
best position to mitigate the risk is responsible for that risk. Making
financial institutions responsible for losses due to phishing and
identity theft is the only way to deal with the problem. And not just
the direct financial losses -- they need to make it less painful to
resolve identity theft issues, enabling people to truly clear their
names and credit histories. Money to reimburse losses is cheap compared
with the expense of redesigning their systems, but anything less won't

You can't push all of the responsibility onto the FIs.  Here's why:

1.  Phishing is an attack on the user primarily and only secondarily on
the FI.  Consider what happens:  the phisher sends a request (by email)
to the user to have her send her details to him (using her browser).
The parts in parentheses are optional but key:  phishing is an attack
on the browser, using email to deliver the phish.  The email can more
or less be swapped for chat or SMS, for example, but the browser
component is harder to change.

What's constant about all those issues is that the banks aren't in that
primary loop as yet.  So even if they have all the responsibility they
are strictly limited in how they tell the user to "not do that."

2.  FIs aren't the only target of phishing.  Amazon and eBay are both
big targets.  So any attempt to stick it to the banks is just going to
shift the attention to all sorts of other areas.  Expect Amazon and
every other merchant to prefer not to have that happen.

3.  If you want to stick it to anyone, go looking for where this came
from.  The banks picked up this security model from somewhere.  Here's
where:  the browser security model that was built on a miscast threat
analysis, the server security model that was subject to big companies'
agendas, and the client security model which is simply best described
as "Insecurity by Microsoft."  All of these elements are broken, in the
security jargon.

If you want someone to blame for phishing in the wider sense, look to
who pushed the tech: Microsoft, three times over; RSADSI, Verisign and
Netscape for the browser security model; on the server side, Sun, IBM,
and thousands of security experts who said that as long as you buy our
firewall you'll be OK.  And don't forget whoever audited these systems
and said they were secure.  Yes, you four, or is it three... you know
who I'm talking about.

Ask this long list of beneficiaries how much liability *they* have for
a breach.  The answer may surprise:  Nix, zip, nada, zilch.  Zero in
all currencies.  So if you stick it to the banks, guess who's next on
the list?

4.  Taking a risk truism and extending it to a particular case is
dangerous.  It may be that security works best when those in the best
position take on responsibility for those risks they can best mitigate.
And it's clear that the banks are the larger party here and well
capable of doing something to address phishing.

But if you put *all* the responsibility onto one party, not only do you
have a measurement problem, you'll also have a moral hazard problem.
Users will then shop and hook with gay abandon.  How are banks supposed
to keep up with attacks by both users and phishers?  Turning off online
banking is the only answer I can think of.
