What Responsibility Does an Account Holder Have In Avoiding Identity Theft?
As reported on Wired.com, an Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account.
Trust and Untrust
This case is rife with issues of trust and untrust.
Frankly, although I sympathize with the plaintiff, I think this is a winnable case for the defendant.
At some point in the past, the bank implemented technology that would allow their customer to access her account information and provide account-related instructions to the bank via a publicly-accessible electronic method (i.e. a website).
When the bank made that technology available to their customers, they understood the importance of user authentication. In other words, they understood that they needed a reliable way to ensure that customer accounts could only be accessed by the legitimate account holder. They chose what was at the time an accepted industry-standard method: unique account passwords.
Based on the language quoted from their online user agreement, the bank also understood that the need for user authentication presented them with a moral hazard problem.
Once the customer has chosen a password known only to her, she has a responsibility to protect that password from other persons. If the customer faced no potential financial harm resulting from her own negligence in protecting that password from exposure, there would be at least a tendency to behave less diligently with respect to protection of the password, thereby exposing the bank to greater potential losses.
This is a classic case of moral hazard.
The bank addressed their moral hazard problem through the provision of their online user agreement quoted in the article, stating to the customer that it would “have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice.”
If that provision is lawful in the jurisdiction(s) under which the contract was executed, then the bank should win this case, although they might be well-advised to settle in order to avoid the chilling effect on their relationship with all of their customers.
What Is This Case Really About?
I would argue that none of the participants in this process (including, and perhaps especially the judge, based on her comments) really understand the fundamentals of the disagreement.
There is an argument about the efficacy and sufficiency of the authentication method, and whether the bank ought to have migrated all of their customers to a stronger method. But there is also an argument about the responsibilities of each of the parties as participants in the security system.
It should be noted that, while a multi-factor authentication method is obviously significantly less susceptible to impersonation, this does not change the fact that both parties still have responsibilities as participants in the security system.
With multi-factor authentication, the bank still has the same moral hazard problem, they likely have a similar contract provision (which now says “PIN and token” instead of “password”), and the account holder still has a responsibility to protect those authentication factors from unauthorized access.
What happens when the same case is brought against a bank where the fraudulent impersonation occurs because an attacker has acquired both the PIN and the physical token? Who will be at fault then? The account holder whose own inadequate security measures led to that, or the bank who is accepting those authentication factors?
What responsibility does the account holder have in avoiding identity theft?
Another important question the judge is not asking: Whose security failed? And how can the court know whose security failed? Should the court order a forensic assessment of the bank’s systems and the account holder’s systems (i.e. their home PC) to determine how the attacker obtained the password?
If the impersonation occurred because the account holder wasn’t diligent in protecting her password, how does this automatically equate to a failure on the bank’s part?
Who trusted whom here? Which systems did the bank trust? Which systems did the customer trust? And which systems turned out to be untrustworthy?