Yesterday I blogged about Panda Security’s recent study regarding the lack of safety at American wire transfer services. Briefly, researchers at Panda inspected PCs at these multi-service businesses around the country and found a startling percentage were infected with some type of malware. This malware could very easily be used to intercept transfers.
This morning someone sent me a link to other coverage of the same study which contains a response from one of the wire transfer services. If you read the following paragraphs carefully, then you can learn the horrifying consequences of having a non-security expert comment on security.
industry played down the threat. David Landsman, executive director of the National Money Transmitters Association, pointed out that most transactions are for less than $300, which makes the hassle of intercepting a transfer and forging an ID and getting someone in place to steal the delivery potentially more costly than the crime is worth.

thief is looking for waters to troll in, these would not be very rich waters,” Landsman said. “It’s not that we’re not concerned about our customers’ data being secured. We just don’t think this is a likely target. It wouldn’t make sense.”

industry’s security policies are sufficient. He noted that the big money-transfer companies are heavily regulated by state auditors, including their computer security. The money transmitters usually provide encryption technology and proprietary software on remittance agents’ machines, to shield the transfers themselves from prying eyes, though oversight after that is limited.
Mr. Landsman is clearly living a life that is completely ignorant of the methods and economy of Internet fraud. What’s worse is that he’s offering up a quote that positions himself as an expert in the field of Internet fraud. Not only is he not an expert, but he is so thoughtless that in the effort to protect his own association’s credibility he has completely sacrificed it.
Think about it: Panda Security conducted a multi-year research study and found these flaws. They can prove their results are accurate. Mr. Landsman responds with a sort of common sense off the cuff answer. Which sounds more credible? He has nothing to back up what he said. Part of his argument hinges on the idea that no one in Mexico would want to go through the effort to steal a measly $300. I’m not sure if you’ve ever been to Mexico, Mr. Landsman, but those of us who have are aware that $300 is a lot of money. For that matter, it is a lot of money in any developing country. On top of that, you are entirely ignorant of the scale of Internet fraud. It’s not about stealing $300. It’s about stealing $300 millions of times. If this seems like it isn’t worth it to you, then please send part of your salary my way.
This sort of behavior is partly to blame for the prevalence of Internet fraud. Business leaders who immediately deny that security issues exist foolishly lead their companies astray. The security community altruistically identifies these flaws so that they can be corrected before the problem gets worse. To simply deny that the flaw exists because of some misguided sense of defense posture is the worst disservice that can be done. The right answer would have been, “I’m not currently aware of the problem. However, this study appears sound. Thank you for informing us of these weaknesses. We will correct them as soon as we can in order to protect our customers.”
Mr. Landsman, when an ostrich sticks his head in the ground is he safe?
By denying that the problem exists you are saying that your business’s image is more important than your customers’ safety. That’s a sure recipe for disaster.