Silent blogger on Silentbanker trojan

Where does the time go? Seems that I blinked and now it’s mid-February and my last post was late October! Outrageous! My apologies for either being away so long or coming back so quickly depending on your opinion of my blogging.

Anyway, I thought I’d point out a couple of links on what was a raging media topic a couple of weeks ago: the Silentbanker trojan. I was interviewed by several folks about this topic, and if you want to read or listen to any of that you can do so here (Wall Street & Technology article quoting me) or here (NetworkWorld Security podcast streamed through your browser [15 mins]).

One additional point I’d make is that while this was hot news, nothing about this trojan or attack should be a surprise. We’ve been chatting about man-in-the-browser attacks for the last year and know from our contacts in Europe that these types of attacks have been used in the real world there for quite some time. Why this should be such a hot news item in the U.S. tech and financial press is disconcerting. Of course, as a bit of a curmudgeon about online financial institution security practices, I point to this as evidence of just how little U.S. financials are paying attention to protecting their customers. Of course, there are certainly some numbers being used by the FIs to back their smugness about what they are doing so far. This post is a good case in point: bankers pointing to how effective their weak approaches have been to date. At least George Tubin, widely quoted throughout the article, admits the data is “based on anecdotal observations, he said, because many bankers are reluctant to share their fraud rates”.

Really?! Well then, whose anecdotal evidence trumps who’s? Or is that who’s anecdotal evidence trumps whom’s? Dang, I really shoulda paid more attention in grammar. Anyway, you get the idea. I don’t know if Gartner has updated its statistic from last year that there are 9 million internet users sitting on the e-commerce sidelines because of security fears. Why are identity theft and phishing attacks still top of mind as we are barraged with daily reports of personal and group stories of fraud? Javelin’s report from Feb 2007 showed a second straight year of falling fraud rates (good synopsis here), which is great news. So maybe I’m being too harsh on the FIs?

I don’t think so. First, I’m not even being offered reasonably effective protections while the banks primarily cover their own assets. Second, I expected to be able to do far, far more powerful and meaningful e-commerce transactions in 2008 than it turns out I can now that we’re here. Aside from truly strong authentication, I expected back in 1998 to shortly be able to digitally sign and encrypt documents and never have to hear the word “fax” again in my life. I expected to have maybe a handful of logins to do all I needed to do on the internet, not the 300+ I have in my Roboform database. I expected all e-mail to be signable and encryptable without being a PKI wonk. I’m reminded of a favorite song from my college days back in the 80s called “It’s the Eighties So Where’s Our Rocket Packs?”. If I were musically capable, I’d write a song, “It’s 2008, why do I need to come to the bank and use a pen?”

I am amazed at the lack of innovation in this entire area and eagerly await the first players to really bring me what I think of as e-commerce 2.0, which IMO would be far more powerful and impactful than the whole social-networking-web-2.0 thing has been.