Category Archives: Banking

Confusopoly, or Scott Adams, Prophet of Finance

While sitting in a small room perusing a book from the bottom of the stack, The Dilbert Future, I idly looked again at Scott Adams’s prediction #2:
In the future, all barriers to entry will go away and companies will be forced to form what I call “confusopolies”.

Confusopoly: A group of companies with similar products who intentionally confuse customers instead of competing on price.

OK, good snark. But look at the list of industries he identified as already being confusopolies:
  • Telephone service.
  • Insurance.
  • Mortgage loans.
  • Banking.
  • Financial services.
Telephone companies of course since then have gone to great lengths to try to nuke net neutrality.

And the other four are the source of the current economic meltdown, precisely because they sold products that customers couldn’t understand. Worse, they didn’t even understand them themselves!

It gets better. What industry does he predict will become a confusopoly next? Electricity! And this was in 1998, before Enron engineered the confusion that pushed California into an electricity-price budget crisis.

For risk management, perhaps it’s worth considering that simply selling something the customer can understand ranks high among the available measures. Certainly for the customer’s risk. And given how much the FIRE companies drank their own Kool-Aid, apparently it’s good risk management for the company itself, too. Especially given that the Internet now gives customers more capability to find out what’s going on behind a confusopoly and more ability to vote with their feet.

To actually make a product the customer wants, and then provide good customer service: how old-fashioned! And how much less risky and more profitable in the long term.

Phishing Verified

Or is it really phishing when the victim first broadcasts his bank account details?
Top Gear presenter Jeremy Clarkson has admitted he was wrong to brand the scandal of lost CDs containing the personal data of millions of Britons a “storm in a teacup” after falling victim to an internet scam.

The outspoken star printed his bank details in a newspaper to try and make the point that his money would be safe and that the spectre of identity theft was a sham.

He also gave instructions on how to find his address on the electoral roll and details about the car he drives.

However, in a rare moment of humility Clarkson has now revealed the stunt backfired and his details were used to set up a £500 direct debit payable from his account to the British Diabetic Association.

The charity is one of many organisations that do not need a signature to set up a direct debit.

Clarkson stung by fraud stunt, Guardian Unlimited, Monday January 7 2008

He admits he was wrong, but nonetheless tries to pin the blame partly on a privacy law:
“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” he said. “I was wrong and I have been punished for my mistake.”
At least he doesn’t call for revoking that Act; he does call for going after the perpetrators.


PS: Seen on BoingBoing.

ROI v. NPV v. Risk Management

There’s been some comment discussion about security ROI. Ken Belva’s point is that you can have a security ROI, to which I have agreed (twice). Iang says he’s already addressed this topic, in a blog entry in which he points out that
Calculating ROI is wrong, it should be NPV. If you are not using NPV then you’re out of court, because so much of security investment is future-oriented.

ROI: security people counting with fingers? Iang, Financial Cryptography, July 20, 2007

Iang’s entry also says that we can’t even really do Net Present Value (NPV) because we have no way to calculate or predict actual costs with any accuracy. He also says that security people need to learn about business, which I’ve also been harping on. I bet if many security people knew what NPV was, they’d be claiming they had it as much as they’re claiming they have ROI.

Banks Passing the Buck

It’s good that banks are trying to fight identity theft and other online fraud, but:
Internet advocacy group InternetNZ and the NZ Consumers’ Institute have both come out swinging over the New Zealand Bankers Association’s (NZBA) decision to allow victims of Internet banking fraud to be potentially held liable for losses.

New Zealand: Consumer Advocates to Fight Banking Online Fraud Liability Code, Paul Ferguson, Fergie’s Tech Blog, Tuesday, July 24, 2007, quoting Brett Winterford on ZDNet Australia.

Hm, maybe passing the buck isn’t the best way for banks to do this.


Passport Friction

Ben Hyde has an interesting bunch of thoughts about verification friction:
We recently got new passports, a project that was at least a dozen times more expensive and tedious than doing my taxes. I once had a web product that failed big-time. A major contributor to that failure was tedium of getting new users through the sign-up process. Each screen they had to step triggered the lost of 10 to 20% of the users. Reducing the friction of that process was key to survival. It is a thousand times easier to get a cell phone or a credit card than it is to get a passport or a learner’s permit. That wasn’t the case two decades ago.

Friction, by Ben Hyde, Ascription is an Anathema to any Enthusiasm, 10 May 2007

He mentions some cases where friction may actually be socially useful, as in making it harder to get liquor and easier to get condoms, or some automobile traffic engineering. Then he gets to the especially interesting part.

IT Seat Belts

Over on the ongoing comment thread about IT Security: Unnatural Industry (which started on Schneier on Security and is also on Spire Security Viewpoint and 1 Raindrop), Pete Lindstrom asked a question I hadn’t yet answered:

Why didn’t people sue their banks for fraud? Why did congress need to write a law about behaviour that is already covered by contract law and fraud?

Well, I think that’s mostly a question about personalities, customs, and precedents.


British Phantom ATM Withdrawals

One reason U.S. regulators are so suddenly advocating two-factor authentication for U.S. financial transactions may be that they doubtless know about what happened in the U.K. with one-factor ATM cards some years ago:
This is the story of how the UK banking system could have collapsed in the early 1990s, but for the forbearance of a junior barrister who also happened to be an expert in computer law – and who discovered that at that time the computing department of one of the banks issuing ATM cards had “gone rogue”, cracking PINs and taking money from customers’ accounts with abandon.
How ATM fraud nearly brought down British banking: Phantoms and rogue banks, by Charles Arthur, The Register, published Friday 21st October 2005 09:52 GMT
This problem had been going on since the 1980s, and there has been a class action lawsuit in process since 1992 trying to force the affected banks to replace the money stolen from their customers. Why have we only heard about it now?

Stronger Online Bank Security

The AP reports that U.S. federal regulators have sent a letter to banks saying they should go beyond passwords to two-factor authentication by the end of 2006. There are all sorts of possibilities for what the other factor might be, from cell phone acks to a physical gizmo that emits a code to use. I’m betting banks will ask what your last payment for x purpose was.

Dan Gillmor reports a bank he used only a few years ago still used social security number as login name. He says:

I don’t keep much money at that bank anymore.
Banks are probably worried that more people will do what Dan did, thus limiting their online reach.


Stopping Phishing

Banks are tired of phishers fooling their customers into revealing information so the phishers can mimic identities and steal money. Last year banks and other financial institutions banded together to do something about phishing. The first phase of this initiative involved

“… educating customers, outfitting customer desktop PCs with anti-spam-protection software, and working with law-enforcement authorities and Internet service providers to identify and stop phishing attacks while they’re in progress.”
Phishing Expedition Set To Enter Second Phase, by Steven Marlin, InformationWeek, Oct. 29, 2004

There’s a report out now on Phase I, Financial Services Technology Consortium Counter-Phishing Initiative: Phase I. Several reports, actually, ranging from definitions of terms (it wasn’t even clear before what phishing was) to categorizing vendors’ solutions according to an FSTC Phishing Attack Lifecycle and Solutions Categorization.

Many of the FSTC recommendations sound like good risk management in general, for example:

“Ensure that phishing preparedness plans (staff responsibilities, incident response plans, procedures, etc.) are appropriate, frequently reviewed, and updated as necessary. FSTC’s Phishing Life Cycle Model and Attack Taxonomy can be used to structure concrete planning activities and assess adequacy.”

The first of the next steps FSTC will be investigating illustrates a basic feature of this work:

“Investigate and adopt better mutual authentication practices.”

Although the FSTC report says that institutions acting alone can do these things, it’s not clear that this is possible for something that is by definition mutual. As the report also says, the industry acting as a whole can do these things.

In other words, collective action is needed for an aggregate threat.


Ensuring Business Continuity for Banks

Here’s an interesting passage from a document published by the Basel committee called “Risk management principles for electronic banking”:

Legal and Reputational Risk Management

To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. The bank must have the ability to deliver e-banking services to all end-users and be able to maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimise operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers’ expectations, banks should therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.

The document also says that the reason it sets forth principles instead of rules or even best practices is that it expects that innovation will outmode anything even as specific as best practices.