A recent report by a global anti-virus user group identifies online banking as a major target for spyware and highlights several areas where banks should take more action.
While banks have procedures in place to deal with routine virus and bug patches from Microsoft, they lack foresight when implementing patching strategies that deal with more complex security threats like browser and application protocol exploits, the group said. The report, which calls on users, government and software companies to pay more attention to spyware, was authored by the Anti-Virus Information Exchange Network (AVIEN).
The AVIEN report comes just as two public interest organizations, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and the Center for Democracy and Technology (CDT) have announced that they will file complaints with the Canadian Competition Bureau on Thursday and with the Americal Federal Trade Commission against an unnamed Canadian technology vendor that is allegedly distributing spyware on the Internet. This action marks what the organizations are touting as the first filing of a spyware complaint in Canadian history.
Ken Bechtel, Avien adjunct administrator, said spyware is a lot like viruses were in the mid-1990s in that a lot of people had little awareness of the problem. While people who deal with spyware on a daily basis recognize the extent of it, the tricky part is convincing upper management to spend the cash to go beyond routine virus and bug patches.
“Until it becomes a perceived larger problem management is doesn’t like to devote the money to it because it is a cost versus risk analysis process,” said Bechtel.
Awareness aside, the minefield of privacy laws and compliance regulations that have come into effect over the last few years are creating communication problems within financial institutions on the proper protocol for handling and controlling spyware.
A former employee of one of Canada’s top five banks said legislation like Sarbanes-Oxley and PIPEDA here are creating paranoia around implementing patches. Paul Wing, now an independent consultant who is based in Toronto, added the Royal Bank fiasco last year that affected millions of customers has also got banks taking extra caution when going about software upgrades.
“They’d like to be able to do it faster but prudence says you don’t just go and willy-nilly implement it on your servers,” said Wing. “The challenge becomes is that decision being made at the right level.”
While banks might benefit from being upfront about situations like that, they are often reluctant or have policies in place that forbid them to share information that could help other banks avoid such problems in the future.
“They’ve got to work within the organizations that exist and share more information so that other organizations don’t fall prey to the same situation,” said Bechtel.
That said, considering spyware affects nearly everybody, the public needs to understand that not even banks can always prevent these attacks from happening.
“Just because a bank robber walks into my local branch and holds up the teller I don’t distrust the bank because they just put in a SWAT team at every branch,” said Bechtel. “You’ve got to be more open with the public and admit that you’ve failed and answer how you’re addressing the problem in the future.”
Wing, however, said one of the reasons why banks aren’t more forthcoming with their data is that the public isn’t demanding enough and the banks don’t want to make an issue of it. “If we cared enough we would not accept four-digit PINs that we haven’t changed for over 20 years,” said Wing. “That in itself leads to a whole bunch of threats and a whole bunch of risks. We’re not insisting on better authentication mechanisms.”
Even if customers had better authentication mechanisms available to them to guard against threats like spyware and pharming, they probably wouldn’t want to use them as they are often more intrusive and less convenient, Wing added.
Avien, however, is encouraged by the increasing number of new bodies like APWG and APACS-UK doing more research on the topic.
Comment: [email protected]