The growing prevalence of malware that infects users’ computers has had a significant impact on the finance industry. “Financial Institutions must assume the client, their customers rather, are compromised (infected with malware) and they must continue doing business anyway,” writes Jeremiah Grossman, founder and CTO of WhiteHat Security.
In a blog post yesterday, Grossman discussed some of the challenges that face the financial industry regarding culpability and liability in the event of compromises caused by infected client computers.
“The prevalence of man-in-the-browser attacks forces FIs to make very tough business decisions. If a client PC infection is detected, do they continue to allow transactions with the customer while trying to detect and minimize fraudulent transactions?” writes Grossman. “Further, are the FIs obligated legally or ethically to inform the customer of the infection? Or, do they suspend all transactions and incur support costs to help the customer fix their PC before allowing money to move?”
For Grossman, these questions are problematic whichever way they are answered.
“What really concerns me is the premise itself. If we operate with this assumption, that the client is compromised (again not unreasonable), then the good guys have ceded victory in the desktop security battle,” he writes.