There's been a near-never-ending debate about who should be responsible for improving online banking security measures: the users, the banks, the government, the OS vendor, and so on. Here's an interesting perspective from Peter Benson <peter.ben...@codescan.com>, reposted with permission, on why the onus should be on banks to provide appropriate security measures:
One of the main reasons to target the banks with accountability is "because you can". There is a lot of historical regulation and controls around banking, which makes it *relatively* easy to hold them to account. The bigger problem, and the next logical step, is how the banks hold suppliers / vendors of software accountable for flaws in their systems and software that enable the problems to occur in the first place.

Anyone recognise the following?

"This software is provided as is, and any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage."

Accountability is great, and I fully support it, and would like to somehow find the way to push a level of accountability back to various software developers / manufacturers. Unfortunately, in the current state of Contract and Tort law, there is so much protection(ism) of the software industry that it's still going to be time consuming and expensive to get a couple of decent case studies out there or to change anything.

So from a public good perspective, unfortunately (realistically), it is the banks that should carry the onus.

Peter

---------------------------------------------------------------------
The Cryptography Mailing List