Posted by: Tdudeguy
Financial Fraud, Security Design
Yesterday, I sanctimoniously proclaimed that we all must manage our accounts better. Tonight, let’s explore another angle: the growing convenience factor decreasing actual security.
Wired had an excellent article on a hacker who was, he alleges, an FBI informant. In this story, one I can’t find, there is a sub-plot that revealed how a man had his investments stolen by a different hacker, one who monitored the investor’s life through his online postings and emails. Once the man left for a trip, the hacker realized s/he had the opportunity to take the money from the distracted investor. And that’s what happened.
How did this happen? How is it so many thousands of dollars can be vacuumed away in an online session lasting minutes?
We’ve exchanged many traditional safeguards for online convenience. Paper checks are destroyed, not returned. Paper checks themselves, once physical records of transactions, are seldom used, in favor of ‘authorized’ electron flows. Financial and banking systems are created and designed with big dependencies on ‘consumer’ online systems, systems outfitted with consumer-grade security (such as challenge questions whose answers lie littered on your Facebook page). Credit card fraud and identity theft crimes only grow in frequency and in damage, but so long as easily faked cyber transactions produce money, no one says, “Stop!”
What does happen are those frequent sanctimonious writings, like mine, chiding us all for weak or dated passwords; all the while no one challenges the notion that critical financial systems can be secured reasonably with artifacts as ancient as user-maintained passwords. The new passwords and reset codes that guard your finances, that critical bundle of transactions that takes the place of physical records (and of equally physical authentication at the local branch), are sent to email systems that may or may not lock an account out after repeated password-guessing attacks.
What We All Need to Do is think through where the responsibilities for secure systems lie. Is the problem common people who make common mistakes, or does the responsibility lie with financial security experts, experts who knowingly trade off established security systems and principles for convenience and cost savings for the financial institution?