The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
Banking Information Security Blogs
Comments (2)
Read All Posts (106)
Customer Accountability: Where does it Start?
June 24, 2008 - Tom Field
The first topic is about responsibility - accountability, really. At what point should a banking institution's customer be held accountable for basic computer security?
 |
At what point should a banking institution's customer be held accountable for basic computer  |
Could such a notion fly in the U.S.? We raised that question, and among the responses we received:
"It's about time someone stood up and pointed out the elephant in the room."
"The problem is really training and awareness. How do you train the average citizen? If you make him or her too concerned about security, they will stop using their computers. That isn't in anyone's best interest."
"Making banks liable for customers' home computers makes as much sense as saying auto makers are responsible for everyone's speeding tickets."
Clearly, we touched a nerve. Subsequently, I spoke with one security vendor that's interested in partnering with banks to offer basic PC protection services free-of-charge to customers. Kind of like what my home internet service provider does now, offering me antivirus protection at no additional charge.
On one hand, this step does show that the business has made a conscientious effort to plug a major security hole.
But on the other, can't you see that first lawsuit filed by a breached customer saying "Hey, you gave me this stuff and said my PC was safe ...?"
Interesting debate - how much responsibility should the customer bear? Which side do you take?
 |
 |
 |
 |
|
 |
Having worked in the banking sector a few years and dealt with customers on the front line, customers, in their true form, are rarely up to the challenge of accepting responsibility or accountability. Trusting their money in the bank's hands gives them the scope that they are, for one, free of harm since it's a bank. Now, which is quite unfortunate, their eyes wide shut are open to the fact that the bigger the bank, the harder they can be hit and fall. All that's within it, including customers, are prime targets. Basic computer knowledge of most banking customers is abysmal as to where they need to be.
Speaking from experience, and this might be a bit embarrassing since I'm of the Generation Y category, but only until recently have I religiously used online banking. Much to say, it's not 100% my fault, but if I didn't tell the browser to remember my password on a "public" or family-used computer, my parents or brothers or sisters won't be able to log into the site of my online banking application and leisurely peruse my history. Now I say its not 100% my fault because maybe I'm 50%, one for being vigilant enough, while the other 50% goes towards these browsers that want to make everything so efficient that having to remember 14343567 (random number :-) passwords is futile.
In closing, I believe that the banking institution needs to take full responsibility in training their customers of computer security. The customer, in turn, needs to accept full accountability for exercising what they've learned or now know. So where does my stance lie? I'd say the institution needs to bear a 60-40 split with the customer...
Speaking from experience, and this might be a bit embarrassing since I'm of the Generation Y category, but only until recently have I religiously used online banking. Much to say, it's not 100% my fault, but if I didn't tell the browser to remember my password on a "public" or family-used computer, my parents or brothers or sisters won't be able to log into the site of my online banking application and leisurely peruse my history. Now I say its not 100% my fault because maybe I'm 50%, one for being vigilant enough, while the other 50% goes towards these browsers that want to make everything so efficient that having to remember 14343567 (random number :-) passwords is futile.
In closing, I believe that the banking institution needs to take full responsibility in training their customers of computer security. The customer, in turn, needs to accept full accountability for exercising what they've learned or now know. So where does my stance lie? I'd say the institution needs to bear a 60-40 split with the customer...
Posted by PLuhadiya on June 27, 2008 @ 10:49 AM
I believe there may be a case for customer accountability if the bank has provided adequate training and awareness on information security to the customer.
Posted by jean69 on June 26, 2008 @ 11:17 AM
Topics of Interest
Identity Theft
- Man-in-the-Middle Attacks: Helping to Eliminate the Threat Without Impacting the Business
- Pinpointing and Preventing Internal Fraud Risk: It's an Inside Job
Fraud
- How to Prioritize Risk & Justify Security Investments
- Understanding Man-in-the-Browser Attacks and Addressing the Problem
Privacy
Latest Tweets & Mentions
Posts By Category
- ACH
- Agencies
- Anti-Money Laundering
- Application Security
- ARRA/HITECH
- ATM
- Authentication
- Bank Secrecy Act
- Banking Today
- Biometrics
- Budgeting & Funding
- Business Continuity & Disaster Recovery
- Check
- Cloud Computing
- Collaboration & Interagency
- Committees and Testimonies
- Compliance
- Confidence In Banking
- Congress
- Cybersecurity
- Data Loss
- Debit, Credit, Prepaid Cards
- Defense Department
- Emerging Technology
- Encryption
- Endpoint Security
- FACTA
- Federal Deposit Insurance Corp
- Federal Reserve Board
- Federal Trade Commission
- FFIEC
- FinCEN
- First Party
- Fraud
- Governance & Standards
- Governance, Risk & Compliance
- Government Accountability Office
- Gramm-Leach-Bliley Act
- GRC
- Homeland Security Department
- HR
- ID & Access Management
- ID Access & Management
- Identity Theft
- Identity Theft Red Flags Rule
- Incident Response
- Information Security Compliance
- Information Sharing
- Insider
- Insider Threat
- IT Audit
- Law Enforcement
- Laws, Regulations & Directives
- Leadership & Management
- Legislation
- Messaging
- Mobile & Wireless
- Mobile Banking
- Mortgage
- National Credit Union Admin.
- Network & Perimeter
- Network/Perimeter
- Office Comptroller of Currency
- Office of Management & Budget
- Office of Thrift Supervision
- Pandemic Preparation
- Payments
- PCI DSS
- Phishing
- Physical Security
- Privacy
- Remote Capture
- Risk Assessment
- Risk Management
- Sarbanes-Oxley Act
- Security Leadership
- SIM & SEM
- SIM/SEM
- Skimming
- Social Engineering
- Social Media
- Staff & Recruitment
- Storage
- Technology
- Training & Education
- Unified Threat Management
- Vendor Management
- Virtualization
- Web Security
- White House
- Wire
Authors & Blogs
-
The Agency Insider
From the FDIC to the NCUA, banking institutions take guidance from myriad government agencies and regulations. Here's where we make sense of it all.
Secure Marketspace
A look into how the security and privacy concerns of consumers and citizens impact institutions and government agencies.
Information Technology Risk Management
Not all risks are created equal. Understand, manage and transfer risks, as necessary. Ignore none.
-
-
The Public Eye
Keeping tabs on federal government efforts to protect citizens' privacy
-
Industry Insights
Insights and opinions from the thought-leaders who represent the industry’s services and solutions providers.
Career Insights
Insights from advisors, consultants and practitioners who know what it takes to be a successful security professional
The Fraud Blog
Tracking fraud incidents and trends wherever -- and however -- they occur.
Recent Comments
"While it is only a slight benefit, I always use my debit card as a credit and NEVER dilvulge my PIN. I also recommend..."
Read Post | Jump to Comments"This just seems a reiteration of any other "it's time for EMV" post bobbing around the web. By the number of accounts..."
Read Post | Jump to Comments"Great post. An eye-opener in terms of looking outside manufactured technology for authentication, but, instead,..."
Read Post | Jump to Comments
