In the October issue of eSecure you refer to the story regarding the theft of customer account information that hit some ABSA clients in Belville. You accuse some of the media of hyping the story to death, saying it "is not going to help anyone address the real, underlying risks."
You are dead right on that last bit, but for the wrong reasons. The reason the hype is not going to help is that it is largely ill-informed and barking up the wrong tree. Most of the media writers do not understand the problem; and most of the spokespersons quoted fall into one of three categories: vendors pushing whatever they have on their shelves as the ultimate solution, software publishers trying to prove it was not their fault if their software was full of vulnerabilities, or bank representatives dealing with a PR problem and not in the least interested in the real issues.
All three groups, wilfully or out of ignorance, ignore the core issues.
There is a global problem with software in general, and security in particular. Software publishers have managed to build the belief that software does not have the same responsibility to work safely and reliably that just about every other thing produced and sold has. This is blatant enough when you are dealing with overt failures, such as programs that crash or simply do not do what they are supposed to do. It is more insidious, but even more dangerous, when they more-or-less work but are so complex and badly engineered that they are impossible to secure against deliberate attack.
The next culprits are the vendors who offer all kinds of solutions that have some superficial plausibility as guarding against certain classes of security risk, but seldom guard against real and present dangers. It is as if people were being pushed into buying protection systems that protected their cars against meteor strikes and rampaging wild rhinoceroses, but failed to address the risks of car hijacking and collision with other cars.
The third, and, in the post-ABSA frenzy, most culpable group is the banks who made a great show of reacting to a security threat which has received huge publicity - and hence has potential to wreak PR damage on a large scale - but cynically ignore more serious risks. First off, the cures offered for the ostensible problem, namely keyboard loggers intercepting IDs and passwords for personal Internet banking, are of very limited use to the average user.
But leaving that aside, ask the question: which is more important, to protect personal bank accounts from being attacked, or business bank accounts? Business bank accounts typically have more money available, and the PCs used to access them are vulnerable to all the same threats plus others: they are more accessible to more people with either physical or network access. Yet, the banks have generally done zero to enhance their business banking security.
Business electronic banking has further risks: none of the major banks offer any way of effecting that transfer with true security: they all require the user to export a file from one system and load it into a banking software client. That means the data has to live for a time on a hard disk on a PC or a network server, arguably one of the most insecure environments around.
The real problem we have with security is that no-one really cares unless and until they can be held accountable, and at present software vendors are bullet-proof. When it comes to banking, the banks are in a position where they can dump the problem in your lap in spite of making it nearly impossible to secure yourself adequately if you want to use their electronic banking services.
Until there is legal liability, everyone is in either "it is not my problem, I am not going to put myself out" mode, or peddling solutions, many of which are little more than snake oil or flood insurance for a Bedouin. And the media, with very few exceptions, ride the bandwagon to fill space.
What we need is for responsible media to take a more objective and reasoned look at the problems and try to pressurise the Goliaths of the business world into providing solutions to the real-world problems rather than the ones that somebody hopes to make money out of, or which provide lurid copy.
Dr Chris Crozier
[This letter has been shortened - Ed.]