Who should be responsible in a security breach of an on-line banking account?
There is an ongoing case of a couple suing a bank (Citizens Financial), saying the bank did not have strong enough protection to secure their account. The username and password were compromised and eventually $26,000 was stolen from the couple. The couple is claiming that the bank should have offered token authentication, or some other form of multi-factor authentication, to protect them.
Without knowing the details of how the account was actually compromised I can't comment on this particular case, but it does bring up a very interesting debate. Who should be responsible if an online account gets hacked and money is lost?
Banks are heavily regulated, and whether they offer tokens (which guarantee nothing on their own) or some other extra protection behind the scenes, the government agencies make sure that they meet the latest FFIEC guidelines for protecting customers. However, some banks go further than others in going above and beyond to protect the online customer.
On the other hand, the bank can put many protections in place, but if the customer gives out all their information, or at least does not take some basic steps to protect themselves, the fraud becomes very hard to stop. In the end, it is a partnership: the financial institution and the customer have to work together as a team to ensure the safety of the account.
The bank should have advanced protection and monitoring and do all that it can to have the best security possible, while the customer should become educated on the basics and protect themselves against hackers with up-to-date anti-virus and anti-spyware software and many other simple steps to improve their security. For example, should the customer be logging in to financial sites on the same computer that their kids are using, which significantly increases the chance of a virus or malware infection?
In the end, I think consumers can vote with their money to make sure that banks do all they can to protect their clients. Find out about the security your bank has in place to protect you before depositing your money. The banks that don't take security seriously will be forced to change or go out of business. Keep in mind, though, that banks, financial institutions or any other web site you use will not be secure unless the consumer does their part to protect themselves too.
What do you think? Who should be responsible for paying in a breach?
Monday, September 28, 2009
Friday, July 24, 2009
On-line Aggregators and security
Back in 1999, when we were first building VirtualBank, I went on a business trip to visit a company named Vertical One to discuss a new idea called account aggregation. We sat in a presentation on account aggregation, listened to how it works and saw a demo that pulled together bank accounts, airline travel awards and credit card information all in one nice summary. It was very impressive, and then I asked: how do you get the data?
They answered that the user gives them their username and password, and then they go out and screen-scrape the data each night. I stopped the presenter and said, wait a minute, you mean to tell me that users will come to you and give you all their usernames and passwords for all their financial and other web sites? He said yes. I remember saying to myself that will never work. People won't trust anyone but banks and well-known financial institutions with their credentials. Well, we did a deal (with mixed results) with what turned out to be Yodlee Corp in a merger that occurred in 2001, and of course I was wrong about people handing out their credentials.
Fast forward 10 years and we now have many new financial web sites in the marketplace, like Mint, who are putting banks to shame with what they are doing and the way they are innovating. Of course, under the hood Mint is using account aggregation to collect the financial data and putting it together in a very meaningful way.
Now there are many new players in the financial web 2.0 market with strange names like Jwaala, Wesabe, Geezeo and others, and people are giving their credentials out to them. To be fair, many of the sites do not store the credentials, which are passed through to their aggregators. Have people forgotten that they are giving their credentials out to a non-regulated entity, or have all the security breaches at banks and financial institutions made them think that it can happen to anyone? This seems to be the one area that has not changed much in 10 years.
I don't know if consumers realize that when they give out their username, password, PIN, secret questions or whatever else is required, then if these credentials are compromised they have handed out the full transaction keys to the kingdom. I am not saying there are no other controls in place, but it's scary the way aggregation works behind the scenes. For many sites the task of extracting the data from a financial web site is sent off to India (or a similar country), where they generate the code needed to access your accounts. If a financial institution changes its web site and something breaks, the code is updated almost just as quickly to keep it grabbing data from the website.
The problem is that there is no accepted, inexpensive, open standard yet for safely exposing financial data to aggregators. I am not sure aggregators would want one anyway, since they are getting paid for each user they collect data on. A safe standard that incorporates a common data format and token-based authentication would make it easy for companies like Mint to simply collect the data themselves if they chose to.
One approach we are rolling out at VirtualBank is a download-only set of credentials. The client will be able to log into our on-line banking and generate a username and password that can be handed to the aggregators. This set of credentials allows only the limited permissions needed to download the data, without exposing any sensitive data that would compromise a user's identity or account.
While this does improve security, it doesn't solve the long-term problem: there is no standard. We are considering some other simple ways of exposing the data to the aggregators using some proposed simple standards as well. The problem is not hard to solve, since it is not a technical challenge. It is the way the industry is right now, though. It would be a nice problem to solve for consumers, banks and just about everybody else.
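The download-only credential idea above, sketched as an added Python example (not VirtualBank's code): a customer who has logged in with the full-privilege primary login mints a separate random login whose scope is restricted to read-only operations, so a leak of what the aggregator holds cannot move money or expose identity data. The operation names, the store layout and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Operation names and PBKDF2 parameters are assumptions for this example.
FULL_SCOPE = frozenset({"list_accounts", "download_transactions",
                        "transfer_funds", "change_contact_info", "view_ssn"})
# All an aggregator needs: read the account list and pull transactions.
DOWNLOAD_ONLY_SCOPE = frozenset({"list_accounts", "download_transactions"})
PBKDF2_ROUNDS = 200_000

@dataclass(frozen=True)
class Credential:
    username: str
    owner: str          # the customer this login belongs to
    salt: bytes
    pw_hash: bytes
    scope: frozenset    # operations this login may perform

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def create_primary(store: dict, username: str, password: str) -> None:
    """The customer's normal online-banking login, with every permission."""
    salt = secrets.token_bytes(16)
    store[username] = Credential(username, username, salt, _hash(password, salt), FULL_SCOPE)

def issue_download_credential(store: dict, owner: str) -> tuple:
    """Mint a separate, random login limited to read-only download operations.
    Called after `owner` has logged in with the primary credential; the returned
    pair is what the customer hands to the aggregator, so the primary password
    never leaves the bank."""
    username = f"{owner}-dl-{secrets.token_hex(4)}"
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    store[username] = Credential(username, owner, salt, _hash(password, salt), DOWNLOAD_ONLY_SCOPE)
    return username, password

def authenticate(store: dict, username: str, password: str):
    """Return the matching Credential, or None for an unknown user or bad password."""
    cred = store.get(username)
    if cred is None or not hmac.compare_digest(_hash(password, cred.salt), cred.pw_hash):
        return None
    return cred

def authorize(cred: Credential, operation: str) -> bool:
    """Scope check: even a leaked download credential cannot move money."""
    return operation in cred.scope
```

Revoking or rotating the aggregator's login is then just deleting its store entry, leaving the primary login untouched.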