Seems recently there has been a spate of incidents involving small/medium businesses where malware has opened the doors to fraudulent money withdrawals through bank web sites, or the guessing of credentials/security questions, or the tricking of customer support staff. Krebs has several articles in this topic. Rather than link around, I’m being lazy on a Friday and you’ll just have to take my word that I feel like I’m seeing these stories pop up more often this month.
We’re being taken for a ride through the same convenience that users are wanting. Convenient banking for mom at home is convenient banking for an attacker in Latvia who can get credentials. That, combined with the infancy of many of the authentication mechanisms for online banking, the infancy of security awareness by users (really, don’t do banking from the same system you view porn), and the immaturity of the banking establishment to seemingly do much about it, makes for a volatile environment.
We have a very litigious society, one that is quick to point fingers and shift blame. But we’re unfortunately all in this together. Convenience with money is not any one person’s or group’s fault. In the end, the end user needs to be more educated about computer security and not just throw their hands in the air and blame the bank when their browsing habits led to an issue.
(Then again, it’s still everyone’s fault if they were just browsing ESPN which happened to be pwned with malicious script that silently installed malware through an unpatched IE6 hole that was known about but not fixed or publicly disclosed…)