Marketing Security as a Competitive EdgeInterview with Author Joseph Menn on Fighting Banking Fraud
"They should put serious security in place - and then advertise it," Menn says. "Get this competition going on the basis of security. That will gain them customers, in my opinion."
Menn's comments follow his recent keynote address at the FDIC symposium on cyber fraud. In an exclusive interview, Menn discusses:
- What banks and businesses can be doing to fight fraud;
- How banking institutions can market their security measures;
- What needs to happen next to protect consumers and businesses alike.
Menn's third book, "Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet," was published in the US in January 2010 and in the UK in February 2010 by PublicAffairs Books. Part true-life thriller and part expose, it became an immediate bestseller, with Menn interviewed on national television and radio programs in the US, Canada and elsewhere. Menn has spoken at major security conferences on his findings, which include hard evidence that the governments of Russia and China are protecting and directing the behavior of some of the world's worst cyber-criminals.
Menn has reported on technology for more than a decade at the Financial Times and the Los Angeles Times, mostly from his current base in San Francisco. His coverage areas for the FT include technology security and privacy, digital media, and the PC industry. He is a two-time finalist for the Loeb Award, the most prestigious in financial journalism, for coverage of Microsoft and the Hollywood writers' strike. Earlier, he won a "Best in Business" award from the Society of American Business Editors and Writers for tobacco coverage at Bloomberg News, where as legal editor he directed stories that revealed the landmark settlement talks between the cigarette companies and the states.
TOM FIELD: What are the key messages about detecting and deterring fraud? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm talking today with Joseph Menn, a journalist and author who addressed this topic at the FDIC Symposium last week. Joe, thanks so much for joining me today.
JOSEPH MENN: Thanks so much for having me.
FIELD: And just for context, for our audience, tell us a little bit about yourself, and your most recent workplace.
MENN: Oh, sure. So, I've been a reporter, mainstream press, for a couple of decades now. I've covered information security since 1999. Currently, my day job is at The Financial Times, and I've done three books, and the most recent is called Fatal System Error, The Hunt for the New Crime Lords Who are Bringing Down the Internet. That came out earlier this year.
FIELD: Now, Joe, you delivered a keynote at the FDIC Symposium on online crimes last week. What were your main messages there?
MENN: Well, first that they are up against some pretty nasty people. And not just nasty people, but an ecosystem that seems to have many more advantages over the good guy ecosystem. And then, you know, I also was pretty tough on the banks, because I think they have helped dig themselves into a deeper hole by pretending that online banking is as safe as garden variety banking, and it's just not.
FIELD: Well, you make a good point. It took some months for the FDIC to address this publicly, and for some of the banking institutions to acknowledge it. How do you find your messages were received by the regulators and the bankers, alike.
MENN: Well, I think I'm actually sort of in sync with the regulators on this. I mean, obviously, the symposium was one step toward imposing additional rules, and that seems to be the direction that they are going in. Two-factor authentication is no longer enough, and not everybody has inducted two-factor authentication. The Zeus toolkits that are out there, some of them, allow the bad guys to piggyback on a legitimate transaction, even with one-time passwords being used. And it's just not enough. I mean, I think that it is pretty clear that there needs to be out-of-band confirmation of transactions, or other rules set up. And you know, I'm pretty sure that even that is not going to be enough to defeat this entirely.
FIELD: So, we have seen businesses and communities alike that have just been fleeced by some of these criminals. In your opinion, who bears the burden for properly detecting and deterring the kind of incidents that we have seen in the past year, or so?
MENN: That's a hard question, but I think somebody has to. Somebody has to is the bottom line. Because right now, you've got a situation where small businesses are going bankrupt, they're suing the banks, the banks are suing the businesses, saying it's their fault that they had a virus on their PC. And as long as there is uncertainty, we are going to have very big problem. One way to get around this -- well, there are two things that just happened. One is the feds have to come down pretty clearly and say who is responsible. I think they could extend the guarantees that banks make to individual consumers, and say that should apply to small businesses, as well. That would solve part of the problem. I'm sure the banks wouldn't like it. But what would really be nice is if the banks stopped saying that everything is fine, and in fact, started competing on the basis of security. You know, I have a personal credit card with Citibank, and one of the reasons I stay with Citibank is they call me when something is out of whack. Security, you know, can be a selling point. None of the banks have wanted to go first, because that raises the level of fear for everybody. But I think they should. They could offer guarantees, they could put in out-of-band confirmation on their own and then say, "Look, we do this, and as long as you do X, Y and Z, we will make you whole, as long as we don't suspect you personally of fraud."
FIELD: Joe, so you can say that the Symposium last week, at least brought acknowledgement to some of these issues that we have been aware of. What has to happen beyond acknowledgement, to really curtail the types of fraud incidents that we have been seeing?
MENN: Well, the problem is, again, that the bad guys have so many advantages. They have a better capitalist system than we do. They reinvest their phishing profits in research and development to. The feedback system is very efficient. So, in these password-protected underground forums and websites, you know, you, you have this thriving community, these thriving communities, where you have some people that are expert virus writers, other people have botnets for hire, other folks have necessary government and mob protection, and so forth, and it's all coordinated very well. And there's feedback, like there is on eBay. If you have too many negative comments on a given seller or say, credit card data, then nobody will do business with them anymore. It's really good. On top of that, whereas, in contrast, in the U.S., the Chief Security Officer has a very hard time convincing the CEO to spend more money on something, because it's very hard to make a cost benefit analysis. The CEO is liable to say, "Well, we didn't get hacked last year, so why should I up your budget this year?" On the bad guy side, you also have the power of very serious organized crime, and on top of that, you've got the equivalent of an industry. These countries are deliberately supporting some of the worst criminals on the planet because they are useful for a competitive advantage and for military purposes. My book makes it pretty clear; it's got some pretty damaging evidence that some of the kingpins of the phishing economy are protected by the Russian FSB, which is the successor agency to the KGB, because the same network of people and machines is being used to attack enemies of the Kremlin, be it Estonia in 2007, Georgia in 2008, or even internal dissidents within Russia.
FIELD: So, a two-part question for you, Joe. The first part is, what gives you optimism that we'll succeed in cutting back on some of these incidents?
MENN: Well, it's definitely a cautious optimism. What we have now that we didn't have before is a window of opportunity. Because there is so much attention being paid in Washington. Now, not all of this is directly on point. Lately, a lot of this, it was the prospect of cyber war. Richard Clarke has a new book out called "Cyber War." The former Director of National Intelligence, Mike McConnell, says we are already fighting a cyber war and losing it. And the U.S. just stood up an Army, well, a military, a U.S. Cyber Command under the Strategic Command, where there is going to be a focus on all kinds of defensive cyber arms. So, there is a lot of attention to that, and it's sort of easy to get headlines and TV time when you talk about planes falling out of the sky and trains being derailed, and all these horrible things that an enemy state could do to us through cyber war. I personally don't think that any of that is likely to happen. Yes, China and Russia could do bad things to our electric grid. We could do bad things to their electric grid. The same is true of nuclear weapons, though, and you know, nobody is about to launch a nuclear weapon. I think the more serious, looming threat, if less dramatic, is sustained economic espionage from places like China, where stealing intellectual property appears to be a key tenet of national strategy. But, because there is additional attention being paid to all of this, there are some bills making their way through Congress that would do some interesting things. The FDIC feels more empowered to do things. The FCC feels empowered to do things. And I think there is a growing realization that the hands-off regulation-free approach to the Internet worked really well for a really long time, but we're nearing a tipping point here, where consumers are not going to feel safe doing any business online, and frankly, they shouldn't at this point. And that's a danger to the national economy, a very serious danger to the national economy. So, I think there is some chance that there will be, for example, I know that there's going to be a national strategy for authenticated transactions that Howard Schmidt is going to release next month for comment. There are going to be a number of steps forward that I think will increase the nation's defenses. But, we really need a lot more. And, at least people are talking about it now. Part of that has to do with Google going public with the attacks on it from within China. But, this is a complicated issue. It's a technology issue, it's a business issue, a law enforcement issue, and probably more than anything else, a foreign policy issue. And I think people are beginning to realize how serious this all is.
FIELD: So, flip side of that question, what makes you pessimistic that we will get this done?
MENN: Well, because it is so interdisciplinary, so many different people have to be pulling together. Because the critical infrastructure is majority and private hands here, which it is not in all other countries, and because the Internet was just not designed for what it is being used for. I don't think that TCP/IP can be fixed. One of the things I call for in my book is a massive investment program, to come up with a protocol that would be used for more sensitive communications online. More than 50% of PC's are compromised now, and the proportion of those that are compromised with banking Trojans or key loggers, the worst kind of malware, is going up dramatically. You know, as I said, the bad guy ecosystem, you have probably the worst enemy we could face, and we are charged with defending the most open network that the world has ever known. It's a really bad combination.
FIELD: Joe, last question for you. Based on your experience with the FDIC Symposium last week, if you could boil down advice to the regulators and the banking institutions, what can they do now to help their consumer and their commercial customers avoid being victims of the fraudsters?
MENN: I think they need to be more honest about the, on the industry side, there should be a lot more honesty about the risks. They should figure out how many of their losses are due to, you know, loans going bad, and how many are due to the fact that the person taking out the loan wasn't the person he said he was? There should be disclosure of how much is outright fraud, and that would increase awareness of the issue. They should, in my opinion, consider, they should put serious security in place, and then advertise it, and get this competition going on the basis of security. That will gain them customers, in my opinion, that would outweigh any of the costs. And they shouldn't resist regulation that makes everybody else have to spend money to make their customers more secure, as well.
FIELD: Joe, wonderful insight. I appreciate your time and your thoughts today.
MENN: Thank you very much.
FIELD: We've been talking with Joseph Menn. The topic has been fighting fraud. For Information Security Media Group, I'm Tom Field. Thank you very much.