-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ben Scott
Sent: Tuesday, 11 March 2014 11:02 AM
To: [email protected]
Subject: Re: [NTSysADM] RE: One of those dumb things...
On Mon, Mar 10, 2014 at 7:22 PM, Ken Schaefer <[email protected]> wrote:
>>>> Mainly due to the legacy mainframes\"old systems" that are used by many of
>>>> these institutions.
>>>
>>> 'cause it's a technical impossibility to put a more modern
>>> front-end/gateway on a public-facing web interface.
>>
>> What's the cost of doing that?
>
> I have no idea. I work for a 120-person manufacturing company.
> You're always talking about how you work in the megacorp space.
> What's your guess?
>
> What's the cost of having security measures from the 1950s?
>
> What's the cost in loss of customer trust, after the breach?
>
> Maybe Target Corp can tell you the answer to the last one.

Just because your password is limited to 8 characters doesn't mean that the entire banking platform's security is from the 1950s... mitigating measures can still be put in place (very simple measures, like IPS/IDS for example, or account lockouts, or tracking the remote IP addresses attempting to log in, or adding OTP).

Secondly, someone managing to guess your 8 character password isn't a systemic breach that exposes everyone else's financial position to risk. I doubt there'd be much reputational risk involved. For something to expose the *entire* bank's (or a substantial subset of the bank's customers), a breach other than via your IB password is going to be the issue.

Thirdly, security is as weak as the weakest link. Internet banking (and I'm guessing here, since I'm not in that area) is not the weakest link - humans are. I'm guessing that for a determined attacker, social engineering a call centre employee or fooling a bank employee is probably far easier and more rewarding than attempting to "hack" modern IB. Though, there would be correspondingly more risk.

Lastly, as for the cost - for a decent sized bank, a new online banking platform would cost a couple of hundred million dollars, at least - based on seeing two such projects. I can only speculate at the cost for the really large banks you have in the US - my guess is well over half a billion dollars. And that's assuming that the whole thing actually goes well. There is significant program risk in undertaking such a piece of work *and* the risk that you introduce *new* vulnerabilities. That whole risk/reward trade-off is probably why CIOs don't launch online banking refreshes every other year.

Cheers
Ken
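An added example, not part of the thread, of the two "simple measures" Ken mentions (account lockouts and tracking the source IPs of login attempts) applied to a constructed set of login events: a per-account sliding-window lockout stops repeated guessing against one account, while a per-IP distinct-account count catches the case lockout alone misses, one address trying a single guess against many accounts. Thresholds, the window, the event tuples and all account names and addresses are assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # failures per account inside WINDOW -> lock the account
SPRAY_THRESHOLD = 3              # distinct accounts failed from one IP inside WINDOW -> alert
WINDOW = timedelta(minutes=15)

# Constructed sample login events (not from the thread): (ISO timestamp, account, source IP, success)
SAMPLE_EVENTS = (
    # bob: five failures in five minutes from one address -> lockout
    [(f"2014-03-11T09:1{i}:00", "bob", "203.0.113.5", False) for i in range(5)]
    # alice: two failures then a success -> counter reset, no lockout
    + [("2014-03-11T09:20:00", "alice", "203.0.113.9", False),
       ("2014-03-11T09:21:00", "alice", "203.0.113.9", False),
       ("2014-03-11T09:22:00", "alice", "203.0.113.9", True)]
    # one address, one guess each against four different accounts -> no lockout, but an IP alert
    + [(f"2014-03-11T10:0{i}:00", f"user{i}", "198.51.100.7", False) for i in range(4)]
)

def _parse(events):
    return sorted((datetime.fromisoformat(ts), acct, ip, ok) for ts, acct, ip, ok in events)

def _trim(items, now, window):
    """Keep only entries whose timestamp (first tuple element) lies within `window` of `now`."""
    return [it for it in items if now - it[0] <= window]

def locked_accounts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Accounts that reached `threshold` failures inside a sliding `window`; a success resets."""
    failures, locked = defaultdict(list), set()
    for ts, acct, _ip, ok in _parse(events):
        if ok:
            failures[acct] = []
            continue
        failures[acct] = _trim(failures[acct], ts, window) + [(ts,)]
        if len(failures[acct]) >= threshold:
            locked.add(acct)
    return locked

def spraying_ips(events, threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Source IPs whose failures inside a sliding `window` span >= `threshold` distinct accounts."""
    attempts, flagged = defaultdict(list), set()
    for ts, acct, ip, ok in _parse(events):
        if ok:
            continue
        attempts[ip] = _trim(attempts[ip], ts, window) + [(ts, acct)]
        if len({a for _, a in attempts[ip]}) >= threshold:
            flagged.add(ip)
    return flagged
```

Running both checks over the sample locks only `bob`, while `198.51.100.7` is flagged even though no single account it touched crossed the lockout threshold.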

