2005-02-23

Secure Online Banking and Another take on Microsoft and Malware

In this article, I have a few comments on two recent Information Security-related news items.

In a previous article titled "Microsoft's role in the battle against spyware," I commented on the irony of Microsoft profiting from a problem they played a big role in creating. It seems I'm not alone in this sentiment. Gartner's Neil MacDonald, speaking at the RSA conference this week, noted "Microsoft's overriding goal should be to eliminate the need for AV and AS products, not simply to enter the market with look-alike products at lower prices." Many of his comments were absolutely on-point, especially those demanding spyware/adware solutions from Anti-Virus companies as part of their current product offerings, not a separate product. TechWeb has a good summary of his speech that I recommend. While I don't always agree with Gartner, particularly since their irresponsible comments about IDS being dead, what Mr. MacDonald says here is exactly what the industry needs to hear.

In another recent bit of news, a businessman has filed a lawsuit against Bank of America, claiming $90,000 (US) was wired out of his account without his permission. After my experience in a Fortune 500 financial institution, this only surprises me because it hasn't already happened. In our organization, there were impressively tight security controls from a system and network perspective, but the information security team had little to no say in what went on at the application level, particularly for line-of-business applications developed in-house. Due to the perceived role of the information security team, warnings about shortcomings in online banking applications (such as authentication only by card number and PIN) fell on deaf ears. It's a shame that things like this have to happen before financial institutions begin taking threats to their customers' accounts seriously. Hopefully other corporations will learn from this mistake so other online banking customers don't fall victim.
