Category Archives: financial services

eCrime Summit in Prague 25-27 April 2012

These ecrime meetings are always interesting and useful. -jsq

Press release of 29 March:

Containing the Global Cybercrime Threat is Focus of Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27

CeCOS VI, in Prague, Czech Republic, to focus on harmonizing operational issues, cybercrime data exchange, and industrial policies to strengthen and unify the global counter-ecrime effort.

CAMBRIDGE, Mass.—(BUSINESS WIRE)—The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.

CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.

Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.

Key presentations will include:


India, Bank of America, and CyberSURF: December 2011

For December 2011, worldwide India spammed the most, while Bank of America topped one U.S. ranking and CyberSURF peaked in Canada, but Cleveland Clinic cleaned up its act.

More on those and other interesting rankings in later posts.


Confusopoly, or Scott Adams, Prophet of Finance

While sitting in a small room perusing a book from the bottom of the stack, The Dilbert Future, I idly looked again at Scott Adams’s prediction #2:

In the future, all barriers to entry will go away and companies will be forced to form what I call “confusopolies”.

Confusopoly: A group of companies with similar products who intentionally confuse customers instead of competing on price.

OK, good snark. But look at the list of industries he identified as already being confusopolies:
  • Telephone service.
  • Insurance.
  • Mortgage loans.
  • Banking.
  • Financial services.
Telephone companies of course since then have gone to great lengths to try to nuke net neutrality.

And the other four are the source of the current economic meltdown, precisely because they sold products that customers couldn’t understand. Worse, they didn’t even understand them themselves!

It gets better. What industry does he predict will become a confusopoly next? Electricity! And this was in 1998, before Enron engineered the confusion that drove California into an electricity-price budget crisis.

For risk management, perhaps it’s worth considering that simply selling something the customer can understand can rank way up there. Certainly for the customer’s risk. And given how much the FIRE companies drank their own Kool-Aid, apparently it’s good risk management for the company itself. Especially given that the Internet now gives the customer more capability to find out what’s going on behind a confusopoly and more ability to vote with their feet.

To actually make a product the customer wants, and then provide good customer service: how old-fashioned! And how less risky and more profitable in the long term.

Class Action Coming for Identity Theft?

It wouldn’t be a moment too soon:
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point:

Mortgage Confusopoly Disintermediated

Adam Shostack finds a company disintermediating the other half of the house-buying confusopoly, mortgages:
SmartHippo today launched the public beta version of the first ever web site that allows individuals to use the power of a community to save money and make better decisions when shopping for rates on financial products and services.

“The lending industry is in a state of transformation,” said George Favvas, President of SmartHippo, “and consumers are demanding more control and transparency in their dealings with banks and mortgage companies.”

SmartHippo allows any individual to post information and feedback on the rate they received, and to compare rates with other members of the community with similar profiles. This lessens the chance of consumers with the same lending and risk profile getting different rates on the same loan, which can happen currently.

Launches World’s First Community Comparison Shopping Site for Financial Services at TechCrunch40 Event; Founding Participating Banks Include QuickenLoans and Bank of Internet, PRWeb, 17 Sept 2007

This is different from companies like LendingTree, which already facilitate getting multiple bids for mortgages, in that SmartHippo lets mortgage customers comment on their experiences. Participatory, if you will.


To Insure or Not to Insure?

Iang reminds me that it was on his blog, Financial Cryptography, that I saw the rough estimate of how much an identity theft costs, that is, about $1,000.

He follows up on my post of yesterday about LifeLock, discussing a company called Integrity which insures identities in Second Life. Or, actually, insures any lawsuits resulting from "inappropriate content", whatever that is.

Then he gets to the real question:

How viable is this model? The first thing would be to ask: can’t we fix the underlying problem? For identity theft, apparently not, Americans want their identity system because it gives them their credit system, and there aren’t too many Americans out there that would give up the right to drive their latest SUV out of the forecourt.

On the other hand, a potential liability issue within a game would seem to be something that could be solved. After all, the game operator has all the control, and all the players are within their reach. Tonight’s pop-quiz: Any suggestions on how to solve the potential for large/class-action suits circling around dodgy characters and identity?

If Insurance is the Answer to Identity, what’s the Question?, Iang, Financial Cryptography, September 11, 2007

This wraps right around to the original reaction of the person from whom I heard it (hi, Anne Marie) on a list that is silent.

I have several thoughts about this:

Continue reading

ROI v. NPV v. Risk Management

There’s been some comment discussion about security ROI. Ken Belva’s point is that you can have a security ROI, to which I have agreed (twice). Iang says he’s already addressed this topic, in a blog entry in which he points out that
Calculating ROI is wrong, it should be NPV. If you are not using NPV then you’re out of court, because so much of security investment is future-oriented.

ROI: security people counting with fingers? Iang, Financial Cryptography, July 20, 2007

Iang’s entry also says that we can’t even really do Net Present Value (NPV) because we have no way to calculate or predict actual costs with any accuracy. He also says that security people need to learn about business, which I’ve also been harping on. I bet that if many security people knew what NPV was, they’d be claiming they had it as much as they’re claiming they have ROI.

Negligence and Breaches

Banks, shops and government departments have exposed thousands in Britain to the risk of fraud through “horrifying” breaches of data protection laws, a watchdog said on Wednesday.

In his annual report, Information Commissioner Richard Thomas, whose office enforces the Data Protection Act, said firms must do more to secure people’s private details.

“The roll-call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying,” he said in the report.

Privacy watchdog warns of “horrifying” breaches, The Scotsman, Reuters, 11 July 2007

He’s not talking terrorism, so we can hope this is not just more FUD.

Passport Friction

Ben Hyde has an interesting bunch of thoughts about verification friction:
We recently got new passports, a project that was at least a dozen times more expensive and tedious than doing my taxes. I once had a web product that failed big-time. A major contributor to that failure was the tedium of getting new users through the sign-up process. Each screen they had to step through triggered the loss of 10 to 20% of the users. Reducing the friction of that process was key to survival. It is a thousand times easier to get a cell phone or a credit card than it is to get a passport or a learner’s permit. That wasn’t the case two decades ago.

Friction, by Ben Hyde, Ascription is an Anathema to any Enthusiasm, 10 May 2007

He mentions some cases where friction may actually be socially useful, as in making it harder to get liquor and easier to get condoms, or some automobile traffic engineering. Then he gets to the especially interesting part.

FedLine: Advantage or Menace?

This story in the New York Post has been all over the net:

August 15, 2004 — With little fanfare, the Federal Reserve will begin transferring the nation’s money supply over an Internet-based system this month — a move critics say could open the U.S.’s banking system to cyber threats.

The Fed moves about $1.8 trillion a day on a closed, stand-alone computer network. But soon it will switch to a system called FedLine Advantage, a Web-based technology.

The story is quite confused. What is “a Web-based technology”? Is it one that uses web pages for entry? Or is this the typical confusion of the web with the Internet? And does FedLine actually run over the public Internet, or does it simply use Internet protocols over private leased lines?

The story doesn’t answer any of these questions. It also says:

“Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is taking every precaution.

“Of course, we will not discuss the specifics of our security measures for obvious reasons,” she said. “We feel confident that this system adheres to the highest standards of security. Without disclosing the specifics, it is important to note that our security controls include authentication, encryption, firewalls, intrusion detection and Federal Reserve conducted reviews.””

Somehow I’m not comforted by the first and most frequently mentioned method being security by obscurity. And the mention of firewalls would seem to indicate that this service does run over the public Internet. Let’s see what the Fed has to say about FedLine Advantage:

FedLine Advantage is coming!

“In recent years, we have announced our strategy to provide access to all Financial Services using web technology. We are pleased to announce FedLine Advantage, the Federal Reserve Banks’ next generation of service access, is on the horizon.

“FedLine Advantage will extend the use of web technology to provide access to critical payment services such as Fedwire Funds Service, Fedwire Securities Service and FedACH Services. In addition, FedLine Advantage will also enable the use of financial services that are currently accessible via FedLine Web, making it the access method of choice for Federal Reserve Financial Services.”

That Fed web page in turn links to a PDF of Volume 2 Issue 2 of the newsletter Fedfocus, which is dated May 2004. Hm, it appears this is old news.

Fedfocus May 2004 defines Virtual Private Network (VPN) and Frame Relay, notes how the former works over a public network and the latter does not, plus various kinds of encryption such as SSL, and various kinds of user authentication, such as passwords or USB tokens. However, it never quite seems to say which of these technologies FedLine Advantage will use.

That issue of Fedfocus does emphasize conversion from an earlier MS-DOS version. So it seems to be largely a user interface move, which would indicate a change to a web interface, perhaps using the same underlying physical links as before.

If I had to guess, I’d say that they’d probably start with Frame Relay, and offer VPN service to those who want to risk it. And I’d guess that convenience would increasingly win out, resulting in many more VPN customers than FR ones.

Even if it stays completely on leased lines, there’s still the issue of the computers used to access the web interface. The Fedfocus issue mentions that an old version of Internet Explorer will no longer be supported for FedLine Web (a service currently in use) but newer versions of IE will be supported. What if someone compromises IE on such a computer?

I suppose what happens is that some transactions may get compromised. Of course the same thing can already happen if you use IE to access your bank account over the Internet, although the scale may be bigger. In other words, it’s the usual tradeoff of more convenience for somewhat more risk. Maybe this change will promote enough additional commerce through convenience to offset any losses from the increased risk.

That’s many smallish risks; not one huge risk of the entire Federal Reserve system being compromised all at once, as the newspaper article might lead one to believe. Well, probably not. I wonder if the Fed practices software diversity and topological and physical distribution of resources?

We’re moving into Tom Clancy territory here, and it’s already late as I type, so I’ll leave more on this to another day.

Suffice it to say that this is yet another case where technology alone will not completely manage risk, and non-technological means are also needed.