As Phishers Analyze Sites, Regulators Focused on Bank Site Security
11th December, 2004
The cost of a security lapse goes beyond the direct financial losses and the "headline risk" of adverse publicity, as regulators and lawmakers are paying attention as well. "As phishing attacks are indeed a potential risk, regulators examine the processes used to combat such attacks to determine if they are appropriate to the risk," said Robert Wicksell of the U.S. Office of the Comptroller of the Currency (OCC), who said banking regulators are "highly focused on this issue."
A key question is whether financial sites' defenses are adequate against known threats such as cross-site scripting, the technique used to exploit the SunTrust site. A similar weakness was found in the Bank One web site on Thursday. The incidents come five months after numerous e-commerce sites were proven vulnerable to cross-site scripting attacks by an online demo that inserted content into the web sites of MasterCard and Barclays, among others.
At the time we noted that the demonstration "will almost certainly lead fraudsters to seek out banking sites vulnerable to cross site scripting as a refinement on current phishing attacks." While the banking industry has actively stepped up its consumer education about phishing, it's not clear that web site security has responded to the cross-site scripting threat with similar vigor.
"Banks take security very seriously and have policies and procedures to secure their online services," said Sandra Quinn of the Association for Payment Clearing Services (APACS), a UK payments association. "All e-commerce companies need to conduct testing of their web sites to check for such vulnerabilities, but it is the companies' responsibility and nothing that the customer can do directly. Although these kinds of cross-site scripting attacks point to the importance of performing comprehensive testing, the main risk lies in the customer environment."
When customers are left vulnerable by web site security holes, e-commerce site operators may face heat from regulators tasked with consumer protection. In April, Tower Records settled charges with the U.S. Federal Trade Commission after security holes in its online music store exposed customers' personal information. A new California law requires companies to notify customers whenever personal information may have been compromised by a security lapse. Allegiance Telecom cited the law in disclosing a March hacker break-in that compromised account usernames and passwords.
Information technology guidelines for American banks are spelled out by the Federal Financial Institutions Examination Council (FFIEC), which provides guidance for the five government agencies supervising U.S. banks, thrifts and credit unions. "High-risk systems should be subject to an independent diagnostic test at least once a year," the FFIEC says in its compliance handbook, which specifically calls for coding safeguards that would prevent cross-site scripting attacks.
"Protection of servers involves examining input from users and only accepting that input which is expected," the FFIEC writes. Web programmers can prevent most cross-site scripting attacks by validating form input, and ensuring that all user data is correctly encoded before it is displayed or stored.
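As an added illustration of the two controls the FFIEC guidance and the paragraph above describe (example code written for this page, not from the article or from any of the sites it mentions), the Python below accepts a form field only when it matches an expected pattern, and encodes user data for its HTML context before display; the field name, the allowlist pattern and the sample inputs are constructed assumptions.

```python
import html
import re

# Allowlist for an "expected" form field: a customer display name of 1 to 40
# letters, digits, spaces, apostrophes or hyphens. Input that does not match is
# rejected outright rather than "cleaned up". (Constructed policy for this example.)
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 '\-]{1,40}$")


def validate_display_name(value: str) -> bool:
    """Return True only if the input is exactly what the form expects."""
    return bool(DISPLAY_NAME_RE.fullmatch(value))


def render_greeting_unsafe(name: str) -> str:
    """The weak form: user data is concatenated straight into the markup,
    so any markup characters in the input become part of the page."""
    return "<p>Welcome back, " + name + "</p>"


def render_greeting(name: str) -> str:
    """The hardened form: the value is encoded for an HTML text context
    before display, so '<', '>', '&' and quotes are shown literally."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "</p>"


def render_search_box(query: str) -> str:
    """Encoding matters inside attribute values too: quote=True escapes the
    double quote that would otherwise terminate the value attribute."""
    return '<input type="text" name="q" value="' + html.escape(query, quote=True) + '">'


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary name, one containing markup characters.
    for sample in ["Alice O'Neil", "<b>Alice</b> & \"Bob\""]:
        print("accepted by allowlist:", validate_display_name(sample))
        print("unsafe rendering:     ", render_greeting_unsafe(sample))
        print("encoded rendering:    ", render_greeting(sample))
```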
The OCC's Wicksell said any regulatory responses to a security lapse would depend upon the details of the incident. "The range (of incidents) includes the entire spectrum, from that of being the victim of a previously unknown attack scenario, to failing to react appropriately to well known vulnerabilities," said Wicksell. The possibility of penalties or fines "falls primarily into the legal arena, and there is little case law or history to draw upon," Wicksell notes. "There have been some publicized incidents; however, most resulted in reputational harm to the business rather than specific fines or penalties."
Direct losses from phishing-related identity theft have thus far been borne by the institutions. "Customers are always protected," said John Hall of the American Bankers Association, the U.S. banking trade group. "If it's an unauthorized transaction, the bank will always make you whole. Banks aren't going to blame or penalize their customers for being victimized."
Hall says the US banking industry has no plans to change that approach. But APACS has said UK banks may eventually deny recovery claims from customers who have ignored safety advice.
To make such burden-shifting workable, banks will have to get their own house in order from a security standpoint. Third-party security testing is viewed by some regulators as a key step in adequately protecting consumers' sensitive data. In the Tower case, for example, the FTC mandated that the retailer have its web site audited by third-party security professionals every two years for the next 10 years.
The most prudent organisations, even if they are confident that their systems have been written robustly and tested meticulously, will still have their systems tested by an external organization, which at a minimum delivers an experienced and professional second opinion, and at best saves the day.
Declaration of interest: Netcraft provides exactly this type of e-commerce security testing as well as specific phishing detection services.