Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/23/2010
03:12 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Petition To Congress On E-Banking Security

Authentify to ask security pros to get politically active to protect America's SMBs

February 22, 2010 " Chicago, Illinois In November 2009 when executives of Texas-based Hillary Machinery Company discovered $800,000 missing from their online bank account they went looking for answers. What happened next is surprising. Their bank, Lubbock, Texas based PlainsCapital Bank was able to recover some $571,000 of the missing funds, but when Hillary pressed them to make good on the missing $229,000, PlainsCapital Bank filed a pre-emptive lawsuit asking the court to declare the bank's security measures "commercially reasonable" and shield them from further recovery efforts by Hillary. The case has yet to be decided but could have serious ramifications for banks, businesses and the information security industry.

At next week's 2010 RSA Security Conference, Authentify, Inc. will be asking our nation's top security professionals to get politically active to protect America's small and medium-sized businesses (SMBs) from financial ruin at the hands of foreign cyber-criminals. According to an Intelligence Note published November 3, 2009 by the Internet Crime Complaint Center (IC3), cyber-thieves have been attacking the bank accounts of SMBs like Hillary Machinery at an accelerated rate in the past 12 months. Authentify believes this issue is of special concern to our country's security elite. Authentify will ask all RSA 2010 attendees who believe it is not "commercially reasonable" for banks to allow money entrusted to their care to be stolen, to stand up for their beliefs by coming to Booth #732 on the exhibit floor and signing our petition to the Congress. The goal is to force the financial services industry to get serious about their authentication and fraud control procedures or make good on customer losses when those procedures fail.

In response to the proliferation of more-sophisticated malware tools such as Zbot, clampi, and ZeuS, the FFIEC, FDIC, FRB, FTC, FBI, FSLIC, SPIC issued special alerts to financial institutions including FDIC FIL-66-2005 titled "Guidance on Mitigating Risk from Spyware." This document included the following instruction: "Investigate the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer's ID, password and account numbers."

"It's an admonition that many banks seem to have ignored," said Jim Woodhill, Authentify's founder and chairman. Right now, no organization that banks online is safe. The time for 'investigating' how to protect your customers is over. RSA Conference attendees might not realize that our lawmakers have little awareness of the extent of these attacks, much less that there are lawsuits active in federal courts from coast to coast against banks that have failed to protect or reimburse their clients. Authentify believes it's time for "We The People" of America's security community to make our voice heard. We ask all RSA 2010 attendees to join us by visiting Booth #732 on the Expo floor and signing our petition to demand action."

Authentify's petition reads:

"We, the undersigned, demand that all banks who want the cost savings that accrue to them from having commercial organizations transact over the Internet bear all the fraud costs associated with online access. Federal Reserve Regulation E protections must be extended to cover to all commercial accounts that are accessible online."

This petition will be used to urge Congress to write into law what the esteemed Bruce Schneier has previously suggested in his September 23, 2009, Schneier on Security blog post, Eliminating Externalities in Financial Security.

Authentify will hand-deliver the signed and e-signed petitions to the offices of the chairmen and ranking members of the relevant committees in both the U.S. House of Representatives and the U.S. Senate. Subsets of signatures by state and congressional district will also be complied and delivered to the corresponding senators and representatives for those states and districts.

For those who would like to back up their petition signature with a personal message to the Congress, Authentify will also have sample letters to their congressperson on this issue available in its booth or its web site, along with links to learn to whom in the House and Senate such personal communication should be addressed. Readers can sign an online version of our petition beginning March 1st at www.authentify.com

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...
CVE-2021-3197
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.