This weekend, in my quixotic going-on-20-year effort to fully automate my financial life, I’ve again been banging my head on Quicken and other Intuit and banking silliness. Nobody I encounter seems to care about these things the way I do, but I just have to throw this out to the world’s consciousness.
This Quicken Q/A leads me to the following two conclusions:
1. The fact that Intuit doesn’t support the OFX standard that it helped to standardize (they support only their own variant of it) represents one of the most egregious monopoly abuses ever to occur in the US (I’m not accusing anyone of a crime, this is just my opinion).
2. There should be a standardized method using 2-factor authentication for a person to access their own banking transactions through a UI, and there should be a standardized method (e.g. OAUTH) for a person to safely authorize a service to access their own banking transactions via an API. These should be supported by every banking institution doing business anywhere in the world. The fact that we have these things in the year 2014 for services like Gmail and Twitter, but not for banking, should be considered the silliest thing to have happened in the information age thus far.
Firesheep makes it trivially easy for even non-advanced users to hijack authenticated web sessions being transmitted over wifi networks under the following circumstances:
- If you’re using a non-https site (e.g. Twitter, Facebook, and lots of others)
- If you’re using an https site with poor session management (such as redirecting some of the site to http and transmitting cookies for the authenticated session over http). Lots of sites that use https put those https protections at risk by mishandling session cookies.
Not using https, and/or not managing sessions and cookies well, has been either a calculated, mitigated risk or just laziness on the part of site designers. For lots of medium-sensitivity sites (like social network sites), users who understand the choice have been ok with not using https as a mitigated risk. Then of course there are lots of users who don’t understand the choice.
The thought process has basically been that it’s hard enough to intercept traffic in most usage scenarios, and the sensitivity of the data is low enough (i.e. it’s not like it’s your banking site), that it’s a good security tradeoff. It’s been regarded as secure enough, and the rate of incidents of session hijacking could be expected to remain low.
The availability of something like Firesheep changes this equation considerably on open wifi networks. The rate of incidents of session hijacking on sites not using https, or using https with poor session/cookie management, and being accessed via open wifi networks can be expected to become much higher in pretty short order.
Open wifi isn’t the problem in particular. Poor website security design is the problem. The same basic risk of interception of sensitive data exists as your web session traffic moves across the various intermediate networks between your computer and the website you’re using. But the interception of traffic on those networks is much more difficult and is generally exposed to a much smaller set of potential bad actors. With Firesheep, on open wifi networks the degree of difficulty has been reduced to the point that the risk of session hijack is much, much higher.
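To make the "poor session/cookie management" point concrete, here is an added example (not code from the original post) that audits a site's response headers for exactly that: session cookies without the Secure flag, which a browser will also send over plain http, cookies without HttpOnly, and the absence of HSTS, which is what leaves the http redirects reachable. The session-name heuristic and the sample header sets are constructed assumptions.

```python
# Audits Set-Cookie / HSTS headers for the mistakes that let a session be hijacked on open wifi.
import re
from http.cookies import SimpleCookie

# Cookie names that usually carry an authenticated session (heuristic, assumed).
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)
SEVERITY_ORDER = {"OK": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def audit_set_cookie(header_value):
    """Return (severity, cookie_name, problem) tuples for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        is_session = bool(SESSION_NAME_HINT.search(name))
        if not morsel["secure"]:  # flag attributes are True when present, "" otherwise
            findings.append(("HIGH" if is_session else "LOW", name,
                             "no Secure flag: browser also sends it over plain http"))
        if not morsel["httponly"]:
            findings.append(("MEDIUM" if is_session else "LOW", name,
                             "no HttpOnly flag: readable by any script on the page"))
    return findings


def audit_response(headers):
    """Audit a list of (header_name, value) pairs from one HTTPS response."""
    findings, has_hsts = [], False
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
        elif name.lower() == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append(("MEDIUM", "-", "no Strict-Transport-Security: http pages stay reachable"))
    return findings


def worst_severity(findings):
    """Collapse findings to the single worst severity, or 'OK' when there are none."""
    return max((f[0] for f in findings), key=SEVERITY_ORDER.get, default="OK")


# Constructed sample responses: the weak pattern the post describes, and a hardened one.
WEAK_SITE = [("Set-Cookie", "sessionid=c0ffee; Path=/"),
             ("Set-Cookie", "lang=en; Path=/")]
HARDENED_SITE = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                 ("Set-Cookie", "sessionid=c0ffee; Path=/; Secure; HttpOnly"),
                 ("Set-Cookie", "lang=en; Path=/; Secure")]
```

Running `audit_response(WEAK_SITE)` reports the session cookie as HIGH (it leaks over http) plus the missing HSTS, while the hardened set only leaves a LOW note about the non-session `lang` cookie.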
I’ve seen the following information posted on Facebook by a few of my friends:
- “Facebook launched Facebook Places yesterday. Anyone can find out where you are when you are logged in. It gives the actual address & map location of where you are as you use Facebook. Make sure your kids know! Go to “Account”, “Account Settings”, ….. “Notifications”, then scroll down …… to …… “Places” and … un-check the 2 boxes. Make sure to SAVE changes and re-post this!!”
That post is actually not remotely accurate, and I’ve written this post to hopefully help dispel these myths.
Facebook Places allows you to share your location if you’re using a mobile device that supports it, and if you choose to do so, and only with those you choose to share it with (Friends Only, Friends of Friends, Everyone, or Custom, it’s entirely up to you). You have to deliberately perform a “check-in” on a location-aware device in order for you to share your location with anyone, and by default you would be sharing this with Friends Only.
It also includes a feature that allows your friends to share your location with others. The default setting allows your friends to check in somewhere (i.e. share their location) and also “tag” you at that location (i.e. say that you are there with them). This is the default behavior that many people understandably have an issue with. But, it’s very easy to disable this capability entirely in your privacy settings, and it’s very easy for you to remove the tag if someone has done this before you disable it (not to mention the fact that you would also be free to un-friend someone who did this to you in a manner that you found offensive).
Changing your notification settings for Places (as the above post recommends) is not a good idea, because then you won’t get a notification if someone has tagged you somewhere. What you need to do is adjust your Privacy settings for Facebook Places according to your preference.
If you decide that you want to share your location with your friends, you can also choose whether that information is or is not available to applications your friends choose to use.
This is what it takes to keep my Dell Precision M4400 from going into heat-induced paralysis when the temp hits 95 in Seattle (and that’s a fan-cooled pad it’s sitting on too).
This post is slightly off topic, but it does have some connection to my blog topic of trust, and is something I wanted to speak out about.
I recently had the shock of logging into my mobile provider’s website (T-Mobile) to review and pay my most recent statement, and realized that my current bill which is normally in the $100 range had exploded to $685. This after I had recently changed plans and was expecting my bill to be even smaller than it had been recently.
So I got to looking at the details and realized that the majority of the excess amount resulted from a single charge for “roaming data services”. It was at this point that I remembered that I had made a business trip to Winnipeg during that statement period.
I called my provider to inquire about this charge, and learned that I had been charged a premium rate for data services used while roaming, that the unlimited rates for data and SMS included in my service plan do not cover roaming charges, that I should have known this, and they could have helped me avoid these charges if I had called them prior to international travel. Despite various degrees of complaining, railing, and pleading on my part, they are not going to reduce the charge, and I will have to pay it. They did offer to set up a payment plan for the excess charge to be paid over several billing periods (gee, thanks).
Here’s what’s going on
Mobile providers need to engage in capacity planning. Like any service provider they need to be able to operate their networks with some logical relationship between revenue and cost that results in a profitable business. I have no problem with this.
So for mobile operators this means that providing services for roaming subscribers of other mobile operators is a big unknown in their cost model. They know how many subscribers they have on their own network, and they have lots of usage data that they can use for capacity planning, in order to arrive at a logical revenue model that drives what they then charge their subscribers. It’s difficult to know how much roaming usage they need to plan for. The solution is to charge a high wholesale rate to a roaming user’s home operator when they provide services to roaming subscribers. The home operator in turn marks up that wholesale rate to arrive at a retail rate charged to their subscriber. In my case, noted above, that resulted in a rate in excess of $10 per megabyte.
The problem is, it appears to me, that this system has become exploitative and predatory in practice. Instead of being a cost/revenue projection problem, it has clearly now turned into a huge revenue stream for mobile operators.
In my mind there are three key elements that make this an egregiously exploitative and predatory business model: first, the wholesale rates being charged are far in excess of the foreign operator’s actual costs; second, the markup being earned by the home operator is excessive; and third, these rates are being paid without any notification to the subscriber at the time of consumption. Is there any other situation where an individual consumer makes a purchasing decision in the range of hundreds to thousands of dollars without knowing he is making that decision? Not many that I know of.
So the European Union has figured out that this is a problematic practice that needs to be addressed. The European Regulators Group has passed regulation, which goes into effect in early 2010, providing limits on wholesale roaming rates, and requiring notification to subscribers when they first initiate a connection subject to a roaming rate. Glad to see this, and hoping to see North American regulation follow suit.
Meanwhile, I’ve determined how to set my phone to avoid roaming for data services. For anybody interested, on a G1 it is as follows:
Settings -> Wireless Controls -> Mobile Networks -> Data roaming (connect to data services when roaming)
- Let every eye negotiate for itself and trust no agent. – William Shakespeare
- No way of thinking or doing, however ancient, can be trusted without proof. – Henry David Thoreau
- Trust not yourself, but your defects to know. Make use of every friend and every foe. – Alexander Pope
- Watch a cat when it enters a room for the first time. It searches and smells about, it is not quiet for a moment, it trusts nothing until it has examined and made acquaintance with everything. – Jean-Jacques Rousseau
- You must trust and believe in people or life becomes impossible. – Anton Chekhov
- Every kind of peaceful cooperation among men is primarily based on mutual trust and only secondarily on institutions such as courts of justice and police. – Albert Einstein
- Se non è vero, è ben trovato (Translation: “If it’s not true, it’s a good story.”) – Italian Proverb
- R2-D2, you know better than to trust a strange computer! – C-3PO, in The Empire Strikes Back
- Trust? You want me to trust you? Do me a favor, Ed, don’t use big words you don’t understand. – Erin Brockovich
As reported on Wired.com, an Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account.
Trust and Untrust
This case is rife with issues of trust and untrust.
Frankly, although I sympathize with the plaintiff, I think this is a winnable case for the defendant.
At some point in the past, the bank implemented technology that would allow their customer to access her account information and provide account-related instructions to the bank via a publicly-accessible electronic method (i.e. a website).
When the bank made that technology available to their customers, they understood the importance of user authentication. In other words, they understood that they needed a reliable way to ensure that customer accounts could only be accessed by the legitimate account holder. They chose what was at the time an accepted industry-standard method: unique account passwords.
Based on the language quoted from their online user agreement, the bank also understood that the need for user authentication presented them with a moral hazard problem.
Once the customer has chosen a password known only to her, she has a responsibility to protect that password from other persons. If the customer faced no potential financial harm resulting from her own negligence in protecting that password from exposure, there would be at least a tendency to behave less diligently with respect to protection of the password, thereby exposing the bank to greater potential losses.
This is a classic case of moral hazard.
The bank addressed their moral hazard problem through the provision of their online user agreement quoted in the article, stating to the customer that it would “have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice.”
If that provision is lawful in the jurisdiction(s) under which the contract was executed, then the bank should win this case, although they might be well-advised to settle, to avoid the chilling effect on their relationship with all of their customers.
What Is This Case Really About?
I would argue that none of the participants in this process (including, and perhaps especially the judge, based on her comments) really understand the fundamentals of the disagreement.
There is an argument about the efficacy and sufficiency of the authentication method, and whether the bank ought to have migrated all of their customers to a stronger method. But there is also an argument about the responsibilities of each of the parties as participants in the security system.
It should be noted that, while a multi-factor authentication method is obviously significantly less susceptible to impersonation, this does not change the fact that both parties still have responsibilities as participants in the security system.
With multi-factor authentication, the bank still has the same moral hazard problem, they likely have a similar contract provision (which now says “PIN and token” instead of “password”), and the account holder still has a responsibility to protect those authentication factors from unauthorized access.
What happens when the same case is brought against a bank where the fraudulent impersonation occurs because an attacker has acquired both the PIN and the physical token? Who will be at fault then? The account holder whose own inadequate security measures led to that, or the bank who is accepting those authentication factors?
What responsibility does the account holder have in avoiding identity theft?
Another important question the judge is not asking: Whose security failed? And how can the court know whose security failed? Should the court order a forensic assessment of the bank’s systems and the account holder’s systems (i.e. their home PC) to determine how the attacker obtained the password?
If the impersonation occurred because the account holder wasn’t diligent in protecting her password, how does this automatically equate to a failure on the bank’s part?
Who trusted whom here? Which systems did the bank trust? Which systems did the customer trust? And which systems turned out to be untrustworthy?