ERE Information Security Auditors

E-Banking: Watch out!

Tuesday, March 23rd, 2010

Great article this week by Brian Krebs about the risks and liabilities of online banking for businesses, on Brian’s blog: http://www.krebsonsecurity.com/2010/03/ebanking-victim-take-a-number/

But there is no need to take just Brian’s word for it; every month there are news reports of security and privacy breaches at the information handlers and service providers that work for banks and credit card companies, as well as at the banks and credit card companies themselves.

My opinion on the subject of IT security and privacy with regard to online banking is:  Caveat Emptor:  Buyer Beware!  There are several sources of security threats, with corresponding vulnerabilities, that are beyond the control of most consumers of online services.  So I strongly advise online users to weigh the potential cost of a security breach against the time savings of online banking.

If the potential losses are large, say $25,000 for a small business, compared to 2 hours per week of time saved at $75 / hour which equates to $7,800 annually, then it may be advisable to take another step in evaluating the risks involved.

Let’s say the user is not technically strong with regards to IT security and therefore needs to make some qualitative, anecdotal assumptions about the risk of on-line banking.  The user may consider the following risk factors:

  1. Banks make errors.
  2. Users make errors in all sorts of ways, such as: not keeping their anti-virus signatures updated; not applying security patches and operating system updates in a timely manner; visiting web sites that may inject malware into their systems; opening email attachments; opening email from unknown individuals; etc. etc.
  3. Banks may not fully refund funds caused by a security breach during an online transaction.
  4. Banks may refund funds but not in a timely fashion.
  5. Do you want to do battle with a bank?

Based upon these and other risks, a user can decide if their risk is high, medium, or low.  They could then go a step further and allocate a probability of loss to each band: 70% – 100% for high risk; 40% – 69% for medium risk; 0% – 39% for low risk.

As a sanity check, they can estimate the expected cost of a loss as (% chance of loss) x (possible cost of loss).  So for a user who estimates they face a medium risk of 50% and has at most $50,000 in their online account at any time, the expected cost of a security breach would be 50% X $50,000, or $25,000.  To compare that figure fairly with the annual time savings, read the percentage as the chance of at least one breach per year, so that both numbers are annual.
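The arithmetic above, as an added worked example that is not part of the original post. It generalizes the post’s single figure in one way: instead of a point estimate it uses the whole risk band, so the reader sees the range of expected loss the band implies, plus the break-even probability at which expected loss equals the annual savings. The band percentages and the function names are my own (the low band is capped at 39% so the bands do not overlap); nothing else is assumed beyond the post’s figures.

```python
"""Expected-loss sanity check for online banking, following the post's method.

Added example; the band boundaries and the 52-week year are assumptions.
"""

# Probability-of-loss bands (as fractions), from the post. The low band stops
# at 0.39 so that the three bands do not overlap.
RISK_BANDS = {
    "high": (0.70, 1.00),
    "medium": (0.40, 0.69),
    "low": (0.00, 0.39),
}


def annual_savings(hours_per_week, hourly_rate, weeks_per_year=52):
    """Time saved by online banking, valued at an hourly rate, per year."""
    return hours_per_week * hourly_rate * weeks_per_year


def expected_loss(probability, max_balance):
    """The post's formula: chance of loss x possible cost of loss."""
    return probability * max_balance


def expected_loss_range(band, max_balance):
    """Expected loss at the bottom and top of a qualitative risk band."""
    low_p, high_p = RISK_BANDS[band]
    return expected_loss(low_p, max_balance), expected_loss(high_p, max_balance)


def break_even_probability(savings, max_balance):
    """Per-year probability of losing the full balance at which the expected
    loss exactly equals the annual savings. Above this, online banking costs
    more than it saves in expectation. Returns None when there is no balance
    at risk."""
    if max_balance <= 0:
        return None
    return min(savings / max_balance, 1.0)


def assess(band, max_balance, hours_per_week, hourly_rate):
    """Compare the annual savings with the expected loss implied by a band.

    'acceptable_even_at_band_top' is True only when the expected loss at the
    top of the band is still below the annual savings, i.e. the decision
    does not hinge on where within the band the user's true risk sits."""
    savings = annual_savings(hours_per_week, hourly_rate)
    low_loss, high_loss = expected_loss_range(band, max_balance)
    return {
        "savings": savings,
        "expected_loss_low": low_loss,
        "expected_loss_high": high_loss,
        "break_even_probability": break_even_probability(savings, max_balance),
        "acceptable_even_at_band_top": high_loss < savings,
    }


if __name__ == "__main__":
    # The post's scenario: medium risk, $50,000 exposure, 2 h/week at $75/h.
    result = assess("medium", 50_000, 2, 75)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run with the post’s numbers, the medium band gives an expected loss of $20,000 to $34,500 a year against $7,800 in savings, and the break-even probability on a $50,000 exposure is about 15.6%; even the top of the low band ($19,500) exceeds the savings, which is the point of capping the balance kept in the online account.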

Perhaps compared with $7,800 in annual savings, it may be a good idea to consider other options, such as:

  1. Doing only online account enquiries, making sure the online credential has no privileges to move funds or change account details.
  2. Asking to see the bank’s written policy on how it deals with clients who suffer losses due to a security breach.
  3. Purchasing insurance for losses caused by an online banking error or security breach.
  4. Dramatically improving the security procedures they follow to protect the computer(s) used for e-banking and the network on which they reside.

What do you think?

Regards, Ron Lepofsky, CISSP

www.ere-security.ca

