Security:
Adam Shostack has been tracking the immense volume of recent bank
disclosures of compromised customer data.
Bruce Schneier has also commented, and an interesting question arose
in his posting’s comments — why are there seemingly no similar problems
with European banks?
One responder points to a WSJ article
which broadly misses the point. It discusses the additional layers of
security imposed by European banks above the usual username/password
combo. This is true — Eurobanks generally have higher security at the
‘front gate’; for example, I recall Bank of Ireland even issued
SecurID-type tokens in its earliest online banking system. However, that
misses the ‘insider’ attack, as in the most recent case of these 676,000
accounts, so I think it misses the point.
Bruce Schneier’s take:
Personal data is 1) not collected as widely, and 2) much less valuable as
a tool to commit fraud. The second reason is far more important.
I think he’s partially right. Access to new and existing accounts in the
US often requires little more than an SSN or similar trivial,
easily-discoverable, data which is used in common across multiple
institutions, and can be performed online; whereas in Europe, one requires
documentary proof of address, ID, and the act must be performed in person
at a bank branch. (This is often exceedingly annoying, of course. ;) In
general, identity theft seems to be at a greater level in the US, and this
is one reason why, I’d guess.
Adam Shostack
has another take: these disclosures have all arrived on the heels of
California’s SB 1386. It’s very unlikely that these kind of breaches
never occurred before this, and suddenly began recently — it’s more
likely that they’ve always gone on, but are unreported in Europe (and of
course were unreported in the US, pre-SB 1386).
I’d add another point — the US has a large population of targets, with
banks sharing financial systems across the entire country. Europe, by
contrast, has many individual countries which each have their own set of
banks and banking systems, and less interoperability and cross-state data
flow. The potential return from ID theft fraud is increased by the larger
pool of candidate victims in the US, compared to what an attacker could
achieve in each individual European country. This means both that (a) an
attack will affect a smaller number of victims in Europe than the US, and
(b) widening the scale of an attack becomes significantly harder when the
attacker must deal with new systems. It’s the ’security monoculture’
issue again, applied to banking instead of operating systems.
Tags: bank, course, customer, online, point, reason, security, take, the, volume
