A half-million pound bank robbery is quite a feat, even today. When the heist happens on home computers, as it did with customers of Swedish bank Nordea, it's time to fundamentally review the assumptions on which the banks build our safety.
Consumers must bear some responsibility, but IT security isn't something that can be devolved to Mrs Miggins. Anyone involved in online transactions — including retailers, financial corporates, developers and ISPs — must take on that part of the job they are best suited to do. Those with money, power and expertise win the lion's share of the problem, and will benefit most from a better system.
Yet banks say that the current level of consumer online fraud is acceptable, and that the cost of strengthening security would be more than the losses they currently suffer. Such cold calculations overlook not only the misery and inconvenience involved for their customers, but the chilling effect such experiences have on online commerce in general. Markets are built on confidence. Little is saved if that is lost.
The first and most important step is to take online security seriously. That means we must see the environment for what it is — a concentrated global attack by organised crime on the fundamentals of commerce — and react accordingly. Cross-industry international co-operation to set common cause and common goals is essential. There is no room for company politics or industry rivalry.
There are any number of possible approaches to improving online security: consumer education and services, multi-factor systems, even custom secure OS distributions running in virtual machines or from non-volatile storage. An industry that took these matters seriously would be pooling its resources to actively research these and other options, with the aim of improving security for all across the board.
This is not what we currently see. Consumers are stuck with an insecure operating system, anti-malware companies keener on snake-oil than safety, and a multiplicity of approaches from the banks and other organisations they need to trust. In a battle between organised crime and disorganised commerce, the bad guys will always win. We can't afford that, no matter how much money it saves.
Talkback
The crooks think link us bankers thought in the past which is way too parochial. So the future requires novel thinking. I think the big IT solutions of software to fight software, or worm wars, is a loss. Big IT cannot protect PCUs and central server platforms without keeping the PIN and private data offline. That path is the only viable one.
At center here are IT chunckers who are offshore of the crime. Chunkers are the guys who hire themselves out to cyber crime syndicates just to do one thing are all white collar criminals. They don't ask who, what or why and they are paid usually in offshore accounts set up for one transaction only often using offshore gold dealer card agencies which have the patina of respectability.
Chunkers started originally out of Russian where there were more PhD's and Master Degrees in programming without a viable economic
infrastructure to support them so they hired themselves out to various mafias on a per task basis.
This started the present global crisis. Then a trend in the U. S. of A. is students don't want to be programmers anymore so a lot of hi tech engineers are now immported from Arab and Asian countries.
All a programmer has to do is buy systems upon which proprietary programming is designed and put a worm in it allowing him access and voila, worm wars. Any ID online is not secure for this reason.
What is to stop terrorists from hiring a chunker for theft, sabotage or money laundering and not telling him why as if a chunker would care. It is foolish to assume this isn't happening. The Swedish theft could be anyone and used by anyone for anything already blocked.
Furthermore, as I say on my blog "Abdul Tawala Alishtari" in ZDNet UK, the answer is keeping private ID and PIN numbers off the Internet.
This was granted in July 22, 2003 in the U. S. A. by the USPTO to a predecessor company now owned by IDPixie LLC. That patent number is US 6,598.031 B1 to Mr. Jeffrey Ice, Inventor, for "APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK" i.e. Internet, phones or any electronic medium in the U. S. of A.
Orbiscom of Scotland, owned by JPMorganChase bank has a similar patent though it does not hand the offline device part but works with central servers. The answer is keep the data that allows theft from the thieves. It cannot be too hard to do if we all do it.