Why don’t banks use digital signatures to stamp out phishing?

Ever wondered why banks don’t offer optional digital signatures on all of their messages to you, or even full encryption of those messages? My ISP does it; why not banks? Signed messages have the potential to stamp out phishing scams for good, because a message that didn’t come from the bank would fail verification. It’s backwards compatible too: a recipient whose client doesn’t check signatures still sees the plain message. The processing power required is not a serious issue nowadays.
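To make the mechanism concrete, here is an added example (my code, not anything from the post or from any bank) of what signing outgoing messages buys you. It uses Ed25519 from Go’s standard library in place of S/MIME or PGP, and the clear-signed message format with its marker lines is my own assumption; a real deployment would use whichever signed-mail standard the customer’s client already understands. The bank signs the exact body bytes with a private key it never shares, the customer’s client verifies against a public key it pinned when the account was opened, and an unsigned, tampered or attacker-signed message is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Marker lines for the clear-signed format (an assumption made for this example;
// S/MIME or PGP would carry the signature in their own structures instead).
const (
	sigMarker = "\n-----BEGIN BANK SIGNATURE-----\n"
	sigEnd    = "\n-----END BANK SIGNATURE-----"
)

// GenerateKeys creates a fresh Ed25519 key pair. The bank keeps the private
// half; the public half is what every customer's client pins.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignMessage appends an Ed25519 signature over the exact body bytes, so any
// change to the body (a swapped link, an added "verify your account" line)
// invalidates the signature. A client that ignores the block still reads the body.
func SignMessage(priv ed25519.PrivateKey, body string) string {
	sig := ed25519.Sign(priv, []byte(body))
	return body + sigMarker + base64.StdEncoding.EncodeToString(sig) + sigEnd
}

// VerifyMessage returns the body only if it carries a signature that verifies
// under the pinned bank key. Missing, malformed and wrong-key signatures are
// all reported as errors rather than silently passed through.
func VerifyMessage(pub ed25519.PublicKey, msg string) (string, error) {
	start := strings.LastIndex(msg, sigMarker)
	if start < 0 {
		return "", errors.New("unsigned: no signature block present")
	}
	body := msg[:start]
	rest := msg[start+len(sigMarker):]
	if !strings.HasSuffix(rest, sigEnd) {
		return "", errors.New("malformed: signature block not terminated")
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(rest, sigEnd))
	if err != nil {
		return "", fmt.Errorf("malformed: %w", err)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, []byte(body), sig) {
		return "", errors.New("invalid: signature does not match body under the bank's key")
	}
	return body, nil
}

func main() {
	bankPub, bankPriv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}

	// Genuine message: signed by the bank, verified by the customer's client.
	genuine := SignMessage(bankPriv, "Your statement for March is ready in online banking.")
	if body, err := VerifyMessage(bankPub, genuine); err == nil {
		fmt.Println("accepted:", body)
	}

	// Constructed phishing attempts (sample inputs made up for this example):
	// 1. a plain unsigned mail, 2. the genuine mail with its text altered,
	// 3. a mail signed by the attacker's own key.
	_, attackerPriv, _ := GenerateKeys()
	attempts := []string{
		"Your account is locked. Verify your details at the link below.",
		strings.Replace(genuine, "statement", "password", 1),
		SignMessage(attackerPriv, "Your account is locked. Verify your details at the link below."),
	}
	for i, m := range attempts {
		if _, err := VerifyMessage(bankPub, m); err != nil {
			fmt.Printf("rejected attempt %d: %v\n", i+1, err)
		}
	}
}
```

Signing only helps if the customer's client both pins the bank's key (distributed once, out of band, not inside a message) and treats "no valid signature" as a rejection rather than a warning nobody reads; an attacker can always send an unsigned message, so the client-side policy is what actually does the work.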

But it’s not in the bank’s best interest to stamp out these scams. Why, you ask? The answer is simple. Contrary to popular belief, cases of external hacks reaching sensitive bank data are very, very rare, so rare as to be almost impossible. What is far more prevalent is compromise involving some human, internal element. The public’s perception that external phishing or hacking attempts are responsible for data being compromised, cards being cloned and accounts being accessed is an extremely useful diversion for the banks, because it makes the average person assume the threat is external and that the bank is therefore still trustworthy and safe. This is, however, not the case. Bank staff are no more trustworthy or immune to coercion and blackmail than anyone else. If intelligence organisations can be compromised, private companies can be compromised more easily. In my entire time working in the security field I have never seen an external attack on a secure system succeed.

So, back to our phishing. If the bank can blame an incident on phishing, you continue to trust your bank with your money, which is very important to its continued profit.

The same goes for credit and debit card fraud. I was told by my bank that most fraud happens because armies of people in the third-world are paid to type in random credit card numbers all day. This is simply not true. Most credit card numbers are compromised either at the retailer or at the bank, full stop.

So, consider this. Does your bank really care about your security? Absolutely not; what it cares about is profit. Security can be reduced to a risk on paper. The bank can insure against that risk, quantify it, budget for it and continue to make profit. Properly securing against these threats is expensive, more so than accepting the risk, so the bank accepts the risk and carries on, much as a supermarket factors the cost of theft into its prices. It continues to make profit, so the board is happy.

Remember: banks don’t care about you, they care about your money, end of story.
