[Mark Carney’s] prescription: End, through strict regulation and resilience tests, the scandal of too-big-to-fail, where “bankers made enormous sums” and “taxpayers picked up the tab for their failures.” Recreate fair and effective markets with real transparency and make every effort — through codes of conduct and even regulatory obligations — to instill a new integrity among traders (even if social capital cannot be contractual). Curtail compensation that offers large bonuses for short-term returns; end the overvaluing of the present and the discounting of the future; ensure that “where problems of performance or risk management are pervasive,” bonuses are adjusted “for whole groups of employees.”

Above all, understand that, “The answers start from recognizing that financial capitalism is not an end in itself, but a means to promote investment, innovation, growth and prosperity. Banking is fundamentally about intermediation — connecting borrowers and savers in the real economy. In the run-up to the crisis, banking became about banks not businesses; transactions not relations; counterparties not clients.”

In other words, human beings matter. An age that has seen emergence from poverty on a massive scale in the developing world has been accompanied by the spread of a new poverty (of life and of expectations) in much of the developed world. Global convergence has occurred alongside internal divergence. Interdependence is a reality, but the way it works is skewed. Clinton noted that ants, bees, termites and humans have all survived through an unusual shared characteristic: They are cooperative forms of life. But it is precisely the loss at all levels of community, of social capital, that most threatens the world’s stability and future prosperity.

Banking Trojan Ships With Its Own Certificate

This is all kinds of badness, and shows malware vendors becoming increasingly sophisticated in how they target low-hanging fruit (i.e. ordinary users). In essence, the attack involved obtaining a certificate from a certificate authority and then using it to produce valid digital signatures on .pdf “invoice” documents. Once a recipient opened an invoice, the malware bundled with the .pdf would burrow into the OS and act as a keylogger targeting banking credentials.

Unfortunately, I’ve not yet seen a media article discuss the limited effectiveness of revoking the certificate used to sign the .pdf. Revocation checking over OCSP is easily defeated: most clients “soft-fail”, treating an unreachable or unanswered responder as though the certificate were still good. An attacker who already has malware on the target’s computer, or who controls a point between the target and the revocation server (possible by setting a compromised computer to proxy traffic to a host the attacker controls), can simply drop the OCSP query or replay an older “good” response. So while the certificate has been revoked, revocation does not necessarily stop the malware from functioning; it only reduces the prospective attack surface, and it does nothing for machines that are already infected. Moreover, if the browser or operating system’s trust store and revocation cache are not updated (again, something the attacker can prevent if they already control the host), the same attacker can keep the browser or OS trusting the revoked certificate.
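To make the soft-fail problem concrete, here is an added example (my own illustration, not code from the original post or from any real client) modelling a client’s revocation decision against three responders: the CA’s honest responder, an attacker who drops the OCSP query, and an attacker-controlled proxy that replays a genuine “good” response captured before the revocation. The serial number, timestamps, responder functions and the `soft_fail` policy flag are all constructed for the illustration.

```python
# Added example (not from the original post): a model of how a client's
# revocation check can be neutralised when the attacker controls the host or
# the network path. The responder database, serial number, timestamps and the
# "soft-fail" policy flag are all constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class OcspResponse:
    serial: int
    status: OcspStatus
    this_update: datetime   # when the responder produced this status
    next_update: datetime   # after this time the response is stale


# Constructed timeline: the CA revoked the signing certificate at REVOKED_AT;
# the victim's client checks the invoice signature at CHECK_TIME, a day later.
REVOKED_AT = datetime(2011, 1, 10, tzinfo=timezone.utc)
CHECK_TIME = REVOKED_AT + timedelta(days=1)
SIGNING_CERT_SERIAL = 0x4D2  # hypothetical serial of the cert used to sign the .pdf


def honest_responder(serial: int, now: datetime) -> OcspResponse:
    """The CA's real responder: reports REVOKED once the cert has been revoked."""
    revoked = serial == SIGNING_CERT_SERIAL and now >= REVOKED_AT
    status = OcspStatus.REVOKED if revoked else OcspStatus.GOOD
    return OcspResponse(serial, status, now, now + timedelta(days=7))


def blocked_responder(serial: int, now: datetime) -> OcspResponse:
    """Attacker on the host or on the path simply drops the OCSP query."""
    raise TimeoutError("OCSP query dropped")


def replaying_proxy(serial: int, now: datetime) -> OcspResponse:
    """Attacker-controlled proxy replays a 'good' response captured before the
    revocation. Real responses are signed by the responder, so the attacker
    cannot forge a fresh one, but an old genuine one can be replayed."""
    captured_at = REVOKED_AT - timedelta(days=10)
    return OcspResponse(serial, OcspStatus.GOOD, captured_at,
                        captured_at + timedelta(days=7))


def signature_trusted(serial: int, responder, now: datetime,
                      soft_fail: bool = True) -> bool:
    """Decide whether to trust a signature made with certificate `serial`.

    soft_fail=True mirrors the common client default: any failure to obtain a
    fresh, definitive answer is treated as 'not revoked'. soft_fail=False is
    the hard-fail policy under which the attacker's interference is visible.
    """
    try:
        resp = responder(serial, now)
    except (TimeoutError, OSError):
        return soft_fail                      # no answer at all
    if resp.serial != serial:
        return soft_fail                      # answer is about a different cert
    if not (resp.this_update <= now <= resp.next_update):
        return soft_fail                      # stale or replayed response
    if resp.status is OcspStatus.REVOKED:
        return False                          # definitive: reject the signature
    if resp.status is OcspStatus.UNKNOWN:
        return soft_fail                      # responder has never heard of it
    return True


def demo() -> dict:
    """Run each scenario under both policies; keys are (scenario, soft_fail)."""
    results = {}
    for name, responder in (("honest", honest_responder),
                            ("blocked", blocked_responder),
                            ("replayed", replaying_proxy)):
        for soft in (True, False):
            results[(name, soft)] = signature_trusted(
                SIGNING_CERT_SERIAL, responder, CHECK_TIME, soft)
    return results


if __name__ == "__main__":
    for (name, soft), trusted in demo().items():
        print(f"{name:9s} soft_fail={soft!s:5s} -> trusted={trusted}")
```

Under the soft-fail policy only the honest responder ever causes the signature to be rejected; both the dropped query and the replayed stale response come back as “trusted”, which is exactly what an attacker who proxies the victim’s traffic relies on. Hard-fail fixes that at the cost of breaking whenever the responder is genuinely down, which is why clients rarely default to it. The model leaves out response-signature verification and OCSP nonces, and a replayed response that is still inside its validity window would pass even a careful freshness check; none of it helps a machine on which the keylogger is already running.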


The Financial Liability Game

Ars Technica has reported that a German court has found a victim of a phishing attack liable for the money lost to that attack. The finding is based, at least in part, on the bank’s position that it had previously warned its customers about phishing.

The court’s placement of liability is significant for a variety of reasons. Of course it matters that the individual was victimized. The placement also shifts costs (likely covered through insurance) that the bank would otherwise have to assume were it held at least partially liable for its customers’ actions. This said, we can understand (and perhaps disagree with) the liberal position that individual citizens are responsible for their own actions.

What is most significant are the consequences of placing liability on the individual. Specifically, it reduces the incentive banks have to use their influence to address phishing. I’m not suggesting that banks could eliminate phishing by waving a gold-plated wand, but they are financially positioned to influence change and to act on a global scale. Individuals – save for the ultra-rich – lack this degree of influence and power. Banks will be motivated to protect customers – and, more importantly, their customers’ money – regardless; but if they were found even partially liable for successful phishing attacks they would be significantly more motivated to counter them.