Shostack + Friends Blog Archive


Is That Lack of Data Keeping You Safer?

Bob Sullivan has an interesting article, “Is that picture keeping your money safer,” in which he collects dueling quotes over the Bank of America SiteKey deployment. Rather than arguing again about SiteKey (see “Easy Pickings for Bank Robbers”), I’d like to ask why a respected and competent reporter like Bob can’t get a straight answer to his question.

Why is he reduced to quoting experts? Where are the facts to buttress an argument? Avivah Litan makes what appear to be good security arguments, and the vendor’s response amounts to “trust us”:

Orad refused to discuss details of these invisible security measures at Bank of America, but he agreed to talk generally about RSA products sold to several banks.

“We have deployments at dozens of banks, and the average is an 80 percent reduction in online fraud,” Orad said. He declined to provide additional details, citing confidentiality agreements with the banks.

So, the basic question remains unanswered: do banks that deploy SiteKey see a reduction in fraud? The only answer comes from a vendor, who says yes. Some might note a small conflict of interest, stemming from RSA’s $44.7 million acquisition of Passmark. Why can’t we have a reasonable answer?

Does the data exist? Are the banking regulators collecting information about the incidence and magnitude of the thefts? These are not thefts that hurt only Bank of America. They hurt Bank of America’s customers, and those customers are denied access to the data that would help them make good decisions. We as an industry have an idea of how bad it is, but we’re not sure whether our ideas are accurate.

More data would be awfully nice.

Image credit: Natural Resources Defense Council, Toxaphene in breast milk. Graph shows ng/g.

4 comments on "Is That Lack of Data Keeping You Safer?"

  • Vin McLellan says:

    Hi Adam,
    With your experience working for financial institutions, I suspect you don’t really expect banks to strip and reveal all. It’s not in their nature or culture to do so, except under external compulsion.
    In the absence of full confessions, however, you might find an independent third-party report from Javelin Strategy & Research about their efforts to probe the defenses of the top 24 US banking institutions useful and informative. Bank of America, JP Morgan Chase, and Washington Mutual got top rankings.
    Javelin reported on its research in a presentation to the American Banker’s 3rd Annual Identity Theft and Fraud Symposium last month in SF. See Joris Evers’s C/Net article at:
    I’m a long-term consultant to RSA, obviously biased, but I don’t understand why a number of security pros put up Sitekey as an ultimate defense strawman. No one with brains would claim that this — or any other single defense — is a silver bullet. It is, however, a security barrier that effectively bars many criminals, even if it tempts others to make a much more sophisticated MitM attack which is potentially identifiable by other defensive systems.
    (And there are protocols being considered by the IETF which could make MitM attacks much much more difficult.)
    Of course, as you well know, any even partially effective barrier sends many attackers off to pick up the low hanging fruit from institutions which don’t require so much effort.
    Thanks for the blog. It’s always stimulating!

  • Adam says:

    Hi Vin,
    My real point was not to question sitekey, but rather to ask the question which headlines the post: Is a lack of data making us safer? I know how the banks feel. My real point was to ask, is that optimal, or are we stuck here because no one wants to be the first to change?

  • Your Friend says:

    Well, I’ll tell you what – Multi Factor does not significantly reduce *risk* to the bank outside of keeping the OCC off their back.
    It may or may not help consumers, but in terms of pure economic decision by the bank – from the data I’ve seen it makes very little sense to spend seven figures on additional authentication methods.

  • Your Friend says:

    Oh, and the “2.7 billion” in fraud from the Gartner report referenced in the linked article? That’s not necessarily Phishing – and likely over-valued if my work with banks is of any indication.
