Foam,
Presumably that job is at Qualcomm, one of only two Fortune 500 companies based in San Diego. Ties in well with the DD Wavedreamer and Taxi have been providing in regards to the march forward in MTM adoption.
The presentation by Trusted Logic at the RSA makes me optimistic despite the share price drop. Awk's vision of hardware security in all things digital is taking place quicker than I had imagined. If all these mobile devices can be upgraded to MTM security with over-the-air firmware, a very large switch can be turned on extremely quickly. That day is rapidly approaching unless a rival, equally or more secure paradigm can be brought forward imminently. Highly doubtful, imo. "It's darkest before the dawn" is an age-old, worn-out cliché, but it may just be applicable here.
Svenm
Hanster,
Thanks for that info and your "boots on the ground DD!" That has special meaning given the fact that 2 of Wave's three large corporate ERAS clients are Euro based.
Svenm
Great find, Awk!
Thanks for all your hard work!
Svenm
Bull, Catch more of those fish and increase the fish oil diet! Can't hurt and it will take your mind off this frustrating slog!
Take care and heal well!
Svenm
theroc66,
Maybe you're a little high on your estimate, at least according to a Taiwanese institute. But I get your drift.
Smartphones will continue to proliferate around the world in 2012 according to new projections released by Taiwan’s Marketing Intelligence & Consulting Institute. While 2011 was supposed to be the year of the tablet, most slates fizzled while just a few models found success in the emerging market segment. Meanwhile, smartphone sales continued to balloon last year. MIC estimates that global smartphone shipments reached about 452 million units in 2011, with Android having captured 46% of the smartphone market. The firm believes shipments will grow 35.8% to 614 million units in 2012, and Android’s market share will grow to 50% compared to Apple’s 19%. MIC also believes Microsoft’s smartphone share will climb to 13% this year. Read on for more.
Svenm
Taxi,
Thanks for another of your very relevant posts! You do a great job of sleuthing!
Svenm
JD, Thanks for that SS article. Maybe he has a new scribe. I think this is one of his better (i.e. clearer) posts.
And thanks for all the other DD you post!
God Jul!
Svenm
Not quite sure how the director is meant to fit in. The facts that according to Wikipedia he mainly presided over the selling off of Novell's pieces and the following news items are hardly encouraging in terms of vision for how to promote a new, sweeping technology. From the New York Times a long time ago:
Flummoxed by the Internet, Head of Novell Resigns
By LAWRENCE M. FISHER
Published: August 30, 1996
Robert J. Frankenberg resigned yesterday as chairman, president and chief executive of Novell Inc., ending a two-and-a-half-year tenure in which the company that was once synonymous with computer networking appeared flummoxed by the explosive growth of the Internet.
Current and former Novell executives said that while Mr. Frankenberg performed ably at the operational level, he had failed to communicate a vision and a strategy for the company during a period of sweeping change in the computer industry.
Unit sales have continued to grow for Novell's core product, the Netware software operating system for corporate computer networks, and the company retains more than 60 percent of that market. But Novell has stood by as its rival, the Microsoft Corporation, has dueled with the upstart Netscape Communications Corporation for software leadership of the global Internet.
Svenm
rwk, LOL! If our own industries and federal government hadn't been complicit in their passive (I'm being optimistic here!) response to all of this it would be laughable. It's been unbelievably slow, but hopefully the Sept. 8 DOD memo (and all the other current signposts) calling for trusted computing (hopefully without backdoors!) as part of all solicitations going forward means that we're going to get off the ground before we run out of landing strip.
Best karma for all Wavoids!
Svenm
Brant Point, Interesting conference but it looks as if the Chinese organizers neglected to schedule their most important presentation: "How to secretly maintain the backdoor access to trusted computers." Perhaps that is scheduled after hours?
Svenm
Internet and Awk,
Thanks for posting that info! The tongue of the glacier is finally reaching the sea!
Svenm
Dig,
I agree that Wave should be on that list. I don't think that is the central question in regard to this RFI. It is more important to me that Wave is eligible, under existing rules, to compete for this business. I would hope that Wave becomes an ESI approved vendor going forward, but it's not first on my wish list of "things-to-do" for Wave. But hopefully Team Wargon is on that case as well!
One million units for the AF would be a good start (thanks Alea for straightening out the total opportunity with the DoD)! One question obviously would be what percentage of this # will need to be covered by COTS central management (hopefully ERAS) and SEDs. Mobile is still a total wild card and the FAQs from the DoD Policy Memorandum from 3/19/2008 addressed that as such.
Svenm
Alea,
The AF is responsible for implementation of the Enterprise Software Initiative. It applies to all DoD entities, which is why you're seeing a multiple of the # you would have expected.
Svenm
Re: "Asleep at the Switch" discussion. From the FAQ DoD Policy Memorandum dated 3/19/2008: Is Microsoft’s EFS or Windows Vista DoD-approved for encrypting DAR?
At this time, Microsoft’s Encrypting File System (EFS) and Windows Vista BitLocker are not FIPS 140-2 validated, therefore they should not be used to encrypt unclassified data (not publicly releasable) on DoD mobile computing devices or removable storage media. Several DoD Components have used EFS as a stop-gap measure until the DARTT procurement process was completed, which represented an acceptable use of EFS. OMB and DoD now require FIPS 140-2 compliant encryption products, therefore Components using EFS will have to migrate to approved encryption products. If EFS or Vista BitLocker receive FIPS 140-2 validation, they will become an approved solution for encrypting DoD unclassified DAR. Other products that contain approved NSA cryptographic modules can also be used to encrypt DoD DAR. According to the 21 March 2007 DAR Encryption Acquisition Memo (signed by the Deputy DoD CIO), DAR encryption that is bundled into a larger, inclusive technology (such as BitLocker in Vista OS or Seagate encrypted hard drives in Dell laptops) can be purchased outside of the DARTT Blanket Purchase Agreements. It is an OMB and DoD requirement that all encryption products meet NIST FIPS 140-2 requirements or have an NSA Approval Letter for use in US Government networks.
Why is the Trusted Platform Module (TPM) being mandated in this memo?
The TPM paragraph was inserted into this memo to ensure all new DoD computer assets have this module since there are many future software products that will use the security features of the TPM. Supporting TPM is a desirable requirement at this time since many DoD components want to leverage its capabilities in the future for the protection of DAR on mobile computing devices. Legacy systems will not be required to be retrofitted with TPM. Based upon Service inputs, TPM is already being mandated by some Services, it’s readily available on the commercial market, and in most cases is standard on new computer equipment.
I was assured by a Wave representative that "DART is not required for SED solutions as it is not software; it is an embedded solution. MS is also embedded and is not on DART".
Put that in your pipe and smoke it! We may not get all those contracts for 1 M total DoD units, but at least we may be in the running if we wish!
Svenm
Dig,
All wild conjecture, of course. But where do you get the $5/seat from? Is that maintenance fees and you're just ignoring the one time license fee?
Svenm
1260,
Thanks for that input. Actual product sightings are an important confirmation that we're moving forward. Rumors of large deals are always just rumors. News of actual deployment, even if just anecdotes as these, is great confirmation!
Thanks,
Svenm
Thanks JD,
Nice to see that Sergeant Major McCrary's tablet was using the optional TPM 1.2. Apparently that Army mandate for TPMs is actually being adhered to. Would be nice to know if Wave was managing it for him, however.
Svenm
Wavedreamer,
Thanks for that description of how we're fitting into the mobile space. Nice job of moving a few trees to better see the forest!
Svenm
Mainstream media is beginning to broadcast the hardware security message. That can't be bad. From the NYT this a.m. Look up the Certified Providers in Open Identity Exchange mentioned in the following article:
SLIPSTREAM
Call It Your Online Driver’s License
By NATASHA SINGER
Published: September 17, 2011
WHO’S afraid of Internet fraud?
Consumers who still pay bills via snail mail. Hospitals leery of making treatment records available online to their patients. Some state motor vehicle registries that require car owners to appear in person — or to mail back license plates — in order to transfer vehicle ownership.
But the White House is out to fight cyberphobia with an initiative intended to bolster confidence in e-commerce.
The plan, called the National Strategy for Trusted Identities in Cyberspace and introduced earlier this year, encourages the private-sector development and public adoption of online user authentication systems. Think of it as a driver’s license for the Internet. The idea is that if people have a simple, easy way to prove who they are online with more than a flimsy password, they’ll naturally do more business on the Web. And companies and government agencies, like Social Security or the I.R.S., could offer those consumers faster, more secure online services without having to come up with their own individual vetting systems.
“What if states had a better way to authenticate your identity online, so that you didn’t have to make a trip to the D.M.V.?” says Jeremy Grant, the senior executive adviser for identity management at the National Institute of Standards and Technology, the agency overseeing the initiative.
But authentication proponents and privacy advocates disagree about whether Internet IDs would actually heighten consumer protection — or end up increasing consumer exposure to online surveillance and identity theft.
If the plan works, consumers who opt in might soon be able to choose among trusted third parties — such as banks, technology companies or cellphone service providers — that could verify certain personal information about them and issue them secure credentials to use in online transactions.
Industry experts expect that each authentication technology would rely on at least two different ID confirmation methods. Those might include embedding an encryption chip in people’s phones, issuing smart cards or using one-time passwords or biometric identifiers like fingerprints to confirm substantial transactions. Banks already use two-factor authentication, confirming people’s identities when they open accounts and then issuing depositors with A.T.M. cards, says Kaliya Hamlin, an online identity expert known by the name of her Web site, Identity Woman.
The system would allow Internet users to use the same secure credential on many Web sites, says Mr. Grant, and it might increase privacy. In practical terms, for example, people could have their identity authenticator automatically confirm that they are old enough to sign up for Pandora on their own, without having to share their year of birth with the music site.
The Open Identity Exchange, a group of companies including AT&T, Google, Paypal, Symantec and Verizon, is helping to develop certification standards for online identity authentication; it believes that industry can address privacy issues through self-regulation. The government has pledged to be an early adopter of the cyber IDs.
But privacy advocates say that in the absence of stringent safeguards, widespread identity verification online could actually make consumers more vulnerable. If people start entrusting their most sensitive information to a few third-party verifiers and use the ID credentials for a variety of transactions, these advocates say, authentication companies would become honey pots for hackers.
“Look at it this way: You can have one key that opens every lock for everything you might need online in your daily life,” says Lillie Coney, the associate director of the Electronic Privacy Information Center in Washington. “Or, would you rather have a key ring that would allow you to open some things but not others?”
Even leading industry experts foresee challenges in instituting across-the-board privacy protections for consumers and companies.
For example, people may not want the banks they might use as their authenticators to know which government sites they visit, says Kim Cameron, whose title is distinguished engineer at Microsoft, a leading player in identity technology. Banks, meanwhile, may not want their rivals to have access to data profiles about their clients. But both situations could arise if identity authenticators assigned each user an individual name, number, e-mail address or code, allowing companies to follow people around the Web and amass detailed profiles on their transactions.
“The whole thing is fraught with the potential for doing things wrong,” Mr. Cameron says.
But next-generation software could solve part of the problem by allowing authentication systems to verify certain claims about a person, like age or citizenship, without needing to know their identities. Microsoft bought one brand of user-blind software, called U-Prove, in 2008 and has made it available as an open-source platform for developers.
Google, meanwhile, already has a free system, called the “Google Identity Toolkit,” for Web site operators who want to shift users from passwords to third-party authentication. It’s the kind of platform that makes Google poised to become a major player in identity authentication.
But privacy advocates like Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation, a digital rights group, say the government would need new privacy laws or regulations to prohibit identity verifiers from selling user data or sharing it with law enforcement officials without a warrant. And what would happen if, say, people lost devices containing their ID chips or smart cards?
“It took us decades to realize that we shouldn’t carry our Social Security cards around in our wallets,” says Aaron Titus, the chief privacy officer at Identity Finder, a company that helps users locate and quarantine personal information on their computers.
Carrying around cyber IDs seems even riskier than Social Security cards, Mr. Titus says, because they could let people complete even bigger transactions, like buying a house online. “What happens when you leave your phone at a bar?” he asks. “Could someone take it and use it to commit a form of hyper identity theft?”
For the government’s part, Mr. Grant acknowledges that no system is invulnerable. But better online identity authentication would certainly improve the current situation — in which many people use the same one or two passwords for a dozen or more of their e-mail, e-tail, online banking and social network accounts, he says.
Mr. Grant likens that kind of weak security to flimsy locks on bathroom doors.
“If we can get everyone to use a strong deadbolt instead of a flimsy bathroom door lock,” he says, “you significantly improve the kind of security we have.”
But not if the keys can be compromised.
A version of this article appeared in print on September 18, 2011, on page BU4 of the New York edition with the headline: Call It Your Online Driver’s License.
Cheers,
Svenm
Weby,
Good article! There's a lot of commonsense packed into that. It's going to be interesting to see how this HP move plays out. It may have an immediate positive effect on Wave's income statement (e.g. a sale to Dell or Acer of their enterprise division) or very little (say, sale of consumer division only). As always, the waters are murky. One thing is certain, though: security is playing an ever-larger role in the digital device business, and I don't think that can be bad!
Cheers,
Svenm
Alea & tkc,
Thanks to both of you for your posts today. One would think that these points are obvious to all, but apparently not. A fortune has been spent on developing this needed technology and dream but a fortune will not be made by shareholders unless product is sold and outsized growth is accomplished. So obvious it hardly bears repeating but it is surprising to me to hear otherwise reasonable posters dissing opinions that don't happen to coincide with their hopes.
Svenm
From Bloomberg just now: Hackers Take $1B a Year as Banks Blame Clients
By Greg Farrell and Michael A. Riley - Aug 3, 2011 9:01 PM PT
Valiena Allison, chief operating officer of Experi-metal poses in Sterling Heights, Michigan. Photographer: Aly Darin via Bloomberg
Valiena Allison got a call from her bank on a busy morning two years ago about a wire transfer from her company’s account. She told the manager she hadn’t approved the transfer. The problem was, her computer had.
As Allison, chief executive officer of Sterling Heights, Michigan-based Experi-Metal Inc., was to learn, her company computer was approving other transfers as she spoke. During hours of frantic phone calls with her bank, Allison, 45, was unable to stop this cybercrime in progress as transfer followed transfer. By day’s end, $5.2 million was gone.
She turned to her bank, a branch of Comerica Inc. (CMA), to help recover the money for her metal-products firm. It got all but $561,000 of the funds. Then came the surprise: the bank said the loss was Experi-Metal's problem because it had allowed Allison's computer to be infected by the hackers.
“At the end of the day, the fraud department at Comerica said: ‘What’s wrong with you? How could you let this happen?’” Allison said.
In increments of a few thousand dollars to a few million per theft, cybercrooks are stealing as much as $1 billion a year from small and mid-sized bank accounts in the U.S. and Europe like Experi-Metal, according to Don Jackson, a security expert at Dell SecureWorks. And account holders are the big losers.
“I think they’re losing more now than to the James Gang and Bonnie and Clyde and the rest of the famous gangs combined,” said U.S. Senator Sheldon Whitehouse, a Rhode Island Democrat who chaired a Select Committee on Intelligence task force on U.S. cybersecurity in 2010.
Eastern European Crooks
Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by insurance as individual accounts are.
“If everyone knew their money was at risk in small and medium-sized banks, they would move their accounts to JPMorgan Chase,” said James Woodhill, a venture capitalist who is leading an effort to get smaller banks to upgrade anti-fraud security for their online banking programs.
JPMorgan Chase & Co. (JPM), the second-largest U.S. bank, is the only major U.S. bank that insures commercial deposits against the type of hacking that plagues smaller banks, Woodhill said. JPMorgan spokesman Patrick Linehan declined to comment.
Smaller banks as well as many of the victims tend not to make the thefts public, according to interviews with the customers and experts such as Woodhill. As the threat becomes better known, small-business customers and other target entities may shift their business to large, national banks, which can better absorb the losses to maintain customer relations and which have better security policies to protect clients from such crimes.
‘Frightening’
“It’s frightening for small businesses because they have no clue about this,” said Avivah Litan, an analyst at Stamford, Connecticut-based Gartner Inc., which does computer analysis. “They just don’t have any clue, and everyone expects their bank to protect them. Businesses are not equipped to deal with this problem, and banks are barely equipped.”
Customers used to being made whole when they are victims of credit-card fraud or ATM thefts have had to sue small and medium-size banks to recover losses after being blamed by their branches for permitting the crime, as Allison was.
The traditional help of law enforcement hasn’t been there either for such customers. In the heyday of bank robberies in the 1930s, the FBI became famous for Tommy-gun shootouts with the bad guys, who were put on the Most Wanted list. In most cases, the identities of the John Dillingers and Pretty Boy Floyds of the 21st Century aren’t known because of online anonymity, and the bureau doesn’t disclose statistics on how much these cybercrooks are stealing.
The Victims
Victims in the last two years have ranged from Green Ford Sales, a car dealership in Abilene, Kansas, to Golden State Bridge Inc., a construction company in California wine country. No need to use a mask or gun. These criminals can steal millions from the comfort of their homes dressed in their pajamas.
The crime profits can be staggering and the risks minimal. Jackson, the security expert, said three sophisticated gangs each haul in at least $100 million a year. That dwarfs the $43 million taken in all conventional bank heists in the U.S. last year, from stick-ups to burglaries, according to the FBI.
“A $100 million hit on a bank or a series of banks,” Whitehouse said. “That’s a pretty big bank robbery. And it doesn’t even make the press. It just trickles through in FBI tip sheets.”
New Priority
To law enforcement officials, cybercrime is a new priority. Both the Federal Bureau of Investigation and the U.S. Secret Service, which has jurisdiction over financial crimes, have boosted manpower to combat computer-enabled robberies and have formed partnerships with foreign law-enforcement agencies.
Those efforts have been swamped by the explosion in e-commerce, said Chris Swecker, a former FBI assistant director who advises companies on cybersecurity. As millions of customers have shifted online, criminals have followed, their hacking tools and nimble criminal organizations racing ahead of old-school law enforcement models.
“Through cybercrime, transnational criminal organizations pose a significant threat to financial and trust systems,” including banking, stock markets and credit-card services, according to a National Security Council report issued in July.
Cybercrime has risen to the level of a national security threat, according to the report, citing a “critical shortage of investigators with the knowledge and expertise to analyze the ever increasing amounts of potential digital evidence.”
Better Malware
The banking industry’s reluctance to confront this problem head-on has allowed criminals to reinvest some of their booty to create better, more effective malicious software, known as malware, according to Woodhill.
Malware is what hurt Earl Goossen, business manager for Green Ford Sales, when he logged on to the company’s payroll account at First Bank Kansas at 7:45 a.m. central standard time on Nov. 3, 2010. Just two days earlier he’d used his computer to arrange for the bank to send out the $63,000 payroll to employee accounts. Everything went smoothly at first. Goossen responded to a follow-up e-mail request from First Bank Kansas to okay the payroll, just as he did on the 1st and 15th of every month.
Unbeknownst to Goossen, malicious software had infected the computer with a so-called worm, which had the ability to grab passwords, user names and credit-card data.
Some malware allows hackers thousands of miles away to take remote control of machines it infects, as if they were sitting at the keyboard. This malware is affordable and easy to obtain. A basic version sells for less than $5,000, Jackson said. Many models, licensed like commercial software from Microsoft Corp. and Adobe Systems Inc., even come with tech support, he said.
Phony Payroll
The worm on Goossen’s machine allowed thieves to log onto the website of the auto dealer’s bank using Goossen’s credentials and set up a second payroll batch for the usual amount for nine non-existent employees. The additional payroll was sent out overnight by First Bank.
The software allowed the hackers to grab Goossen’s e-mail password and banking details. All they had to do was change the notification e-mail address to a name under their control.
When an amount like Green Ford’s $63,000 is taken from a bank by gun-toting robbers, the FBI would typically dispatch special agents to cordon off the crime scene and interview witnesses. No agents arrived in Abilene on Nov. 4, and no one at the company was ever interviewed by the bureau about the theft.
DIY Detective
Green Ford’s owner, Lease Duckwall, filled out a report with local police, who don’t have a cybercrime unit. The Kansas Bureau of Investigation examined his computer and found nothing of use. Frustrated, Duckwall turned detective, interviewing bank employees, victims of similar crimes and whoever knew anything about cybertheft. In the end, the trail went cold.
Representatives of the FBI and the Secret Service insist they are not overwhelmed.
“I don’t think it’s right to conclude that because there are not a lot of arrests that law enforcement is not doing its job,” said Gordon Snow, the FBI’s assistant director of the cyber division.
The FBI and Secret Service have increased the number of agents dedicated to fighting cybercrime. Last September, as part of “Operation Trident Beach,” U.S. prosecutors in Manhattan arrested a gang of money mules in connection with a wide-ranging cyberfraud ring that had stolen $70 million from banks and tried to grab another $150 million in the U.S. and Western Europe. No ringleader was arrested, even though five were questioned by police in Ukraine, according to the FBI.
Frustration
The inability to put handcuffs on suspects in Eastern Europe is a source of frustration for law enforcement, according to representatives of the FBI and Secret Service.
“We can’t let that stop us from continuing to move forward,” said Pablo Martinez, who heads the cybercrime unit at the Secret Service. “You have to go after every target.”
Mules, used by hackers as cutouts, are an obvious target, even the unwitting ones. When thieves stole the money from Duckwall’s dealership, some of the money first went to Shawn Young’s account in upstate New York. Young thought it was a legitimate transaction -- at first.
Young, 35, was officially an assistant manager for R.E. Company Back Office. He got his job in October through a Careerbuilder website ad that said an Australian office services company was looking to expand into New York state. He was selected to scout locations in the Binghamton area. It did seem odd his new employer never asked for his Social Security number, he said in an interview.
A Mule’s Job
Part of his job was to transfer payments made by some of the company’s U.S.-based clients to various programmers. He corresponded with his boss, Samantha Simons, exclusively through the company’s intranet site.
At 8:45 a.m. on Nov. 3, Young got his first payment-related assignment. He logged into the R.E. Company Back Office intranet site and learned from his supervisors that $4,975 had been deposited into his account at M&T Bank in Endicott, New York. The sender was Green Ford Sales.
His boss said he could keep $145 of the money if he acted quickly. Within 10 minutes, he withdrew the funds and drove to the closest Western Union office, a few miles away. Young pulled into the Western Union parking lot and his cell phone rang. It was a manager from the M&T Bank branch where he’d made the withdrawal. She said the bank had discovered the wire transfer wasn’t authorized. It was only then that Young realized something might be wrong, he said.
Transfer Problem
On his way back to the bank, his phone rang again. It was Simons, calling from a Syracuse telephone area code to see if there was a problem with the transfer. Young, who had never spoken with his boss, told her he’d been asked to return the funds. In a matter-of-fact manner, Simons said OK and hung up, he said.
After learning from his bank that the wire transfer from Green Ford had been unauthorized, Young tried to log into the R.E. Company Back Office website, but his access had been terminated.
“I was lucky I did not send the money,” Young said. “I dodged a bullet there.”
Unwitting money mules like Young aren’t the only ones to have gotten wake-up calls in the new world of bank cybercrime. Customers sometimes find their friendly bank has become an adversary, quoting the fine print of account contracts about who is responsible for what.
Patco Incident
On May 7, 2009, cyberthieves hacked into the bank account of Patco Construction Inc., based in Sanford, Maine, and initiated a series of wire transfers totaling $56,594. Some transfers bounced back, causing Ocean Bank to send owner Mark Patterson a routine return notice via the U.S. Postal Service.
Over the next several days, the crooks continued to transfer money out of Patco’s account, removing almost $500,000 before Patterson received the mailed letter from Ocean Bank. The bank eventually recovered a portion of the transfers, leaving Patco with a loss of $345,444, according to Patterson.
Patterson said Ocean Bank rebuffed his attempts to reach a settlement, so in January 2010 he sued. He argued the bank should have done a better job monitoring the company’s bank account. Ocean Bank argued that its protections were “commercially reasonable,” in keeping with general guidance issued by the U.S. banking industry in 2005.
In May, a federal magistrate judge in Portland, Maine, found for Ocean Bank, now known as People’s United Bank, a unit of Bridgeport, Connecticut-based People’s United Financial Inc. (PBCT).
‘Hopeful’
“We’re hopeful the court will affirm the magistrate’s decision,” said Brent DiGiorgio, a spokesman for People’s United, referring to a pending appeal.
That decision infuriated Woodhill, who co-founded Authentify, a cybersecurity firm, in 1999. He is trying to change the law governing liability in hacking cases.
“I can’t fathom how one could consider a security procedure that makes it easy for people to steal money from school districts, churches and small businesses to be commercially reasonable,” Woodhill said.
Woodhill faulted banks for downplaying or hiding the scope of bank heists, a posture he attributes to fear of undermining confidence in an online banking system that saves financial institutions tens of millions of dollars a year in transactions that don’t have to be processed by a human teller.
Last year, Woodhill came to the rescue of Karen McCarthy, whose marketing firm was victimized by hackers in February 2010. McCarthy, who made one wire transfer on the same day every month, for $1,000, noticed a problem with her computer on Feb. 10. The screen had turned blue and appeared frozen, while other computers in her firm seemed to function normally.
McCarthy’s Plans
In the weeks leading up to the frozen-screen episode, McCarthy had reached an agreement to sell her firm, Little & King. She’d bought out her lease, sold her office equipment and supplies and was preparing to join the new company as an employee, leaving behind the worries of business ownership.
After her computer froze, she printed out statements from Toronto Dominion Bank in preparation for the sale of her company. Over the Feb. 13-15 Presidents Day weekend, she couldn’t figure out discrepancies between recent bank statements and the amount in her company’s checking account. Finally, on the Monday evening, a national holiday, she checked her online banking account and saw five unauthorized wire transfers.
She called TD Bank in a panic. Because of the holiday, she was told no one was available. The next morning she marched into her TD Bank branch, in Massapequa, New York, and asked an assistant manager for help.
Calls Not Returned
At first the manager told her the bank would get her money back, she said. Once it became clear the funds were stolen, the bank stopped returning her calls, McCarthy said.
The theft derailed the sale of McCarthy’s company, forcing her to raid her children’s college funds for needed cash. Of the $164,000 stripped from her account, TD Bank recovered almost $95,000, leaving her about $70,000 in the hole -- and without an office or equipment, she said.
When she learned TD Bank was to hold a fraud-prevention seminar on May 13, 2010, in Burlington, Vermont, she hopped on a plane and slipped into the meeting. During the morning presentation, when an expert in wire transactions was talking about ways that small businesses could protect themselves from the dangers posed by cybercriminals, McCarthy raised her hand.
Why wasn’t TD Bank doing a better job protecting its small-business clients, she asked. How had TD Bank allowed $164,000 to be wired out of her account even though she hardly ever made wire transfers? As the speaker tried to respond, McCarthy kept peppering him with questions about his bank’s responsibilities to its clients.
Let’s Talk Outside
Two bank representatives, including TD Bank’s head of corporate security and investigations, walked over to McCarthy’s table and suggested they continue the subject outside. McCarthy told the head of security it was good to meet him finally, since she’d been calling him for weeks following the robbery and had never gotten through.
Jennifer Morneau, a spokeswoman for TD Bank, confirmed that there was such an incident involving a “woman from Long Island” at one of its anti-fraud seminars, and didn’t have any further information.
“We constantly monitor and assess the security of our systems,” Morneau said in an e-mailed statement. “We also believe that educating our customers is one of the best ways to help them defend against online fraud and identity theft, because even the best security measures can only prevent fraud if customers are also vigilant about employing the necessary safeguards to protect their information.”
Anti-Bank Website
With Woodhill’s support, McCarthy started a website she calls www.yourmoneyisnotsafeinthebank.org and has organized other cybercrime small-business victims across the country. In industry presentations, Woodhill uses her as an example in describing what’s wrong with online banking and the current rules governing the commercial accounts of small businesses.
“If every small-business account holder in America knew what Karen McCarthy had gone through, there would be a run on the banks,” he said.
Last year Woodhill supported a proposed law, introduced by U.S. Senator Chuck Schumer, a New York Democrat, that would have extended protections enjoyed by individual bank depositors to publicly funded entities such as school districts and town governments. Congress adjourned before any vote was taken.
Woodhill is now pushing for a federal law that would require regional and community banks to warn their commercial clients explicitly of the dangers of cyber fraud. He’s hired former Louisiana congressman Billy Tauzin, a Democrat turned Republican who chaired the House Energy & Commerce committee, to represent him.
Bank Opposition
The American Banking Association has opposed attempts to extend cyberfraud protection from depositors to small-business clients. Until recently, the association’s position has prevailed.
Then came the Experi-Metal lawsuit brought by Valiena Allison against Dallas-based Comerica. In June, U.S. District Judge Patrick J. Duggan ruled in Detroit in favor of Allison and Experi-Metal, agreeing Comerica’s response to the fraud didn’t meet standards of good faith and fair dealing. Comerica agreed to pay Allison almost the entire amount stolen.
Other cybercrime victims have taken note of this precedent, said Brian Krebs, who has written about the Little & King case and other cyberthefts on his blog (www.krebsonsecurity.com).
Village View, an escrow company based in Redondo Beach, California, that was robbed of $465,558 by cyberthieves in March of 2010, sued Professional Business Bank just two weeks after the Experi-Metal decision.
Bank Attitudes
The last thing community banks want is to be at odds with their clients, said Doug Johnson, a senior policy analyst for the American Bankers Association.
“Banks don’t like to sue their customers and customers don’t like to sue their banks,” he said. “When disputes occur, it’s best to try to work together for an appropriate result.”
Woodhill said the banking industry is behind the curve on this matter, just as it was in 1978 when it opposed the Electronic Funds Transfer Act, which protects consumer bank deposits from fraud.
“That’s one of the biggest favors Congress ever did for banks, even though they were against it,” he said. “Banks truly do not understand what their own interests are. Corporate lobbyists only play defense.”
To contact the reporters on this story: Greg Farrell in New York at gregfarrell@bloomberg.net; Michael Riley in Washington at michaelriley@bloomberg.net
To contact the editor responsible for this story: Michael Hytha at mhytha@bloomberg.net
Thanks Taxi, Your DD is much appreciated!
Svenm
J_D,
Thanks for that data sheet. That's an easy and compelling read for a prospective sale. I'm as frustrated and surprised as any here, but there's no question that the market psychology is turning toward hardware security. Hopefully our turn will come as a few more holes open up in the dam of software "security."
Svenm
Weby,
Nice find! Thanks for sharing!
Svenm
ExPat, Count me in. Given the number of shares held by Wavoids this should be achievable. The BOD definitely needs rejuvenation.
Svenm
From the Financial Times today. It is clear from the mainstream press that push is beginning to give way to pull. In this article Mike McConnell doesn't explicitly refer to hardware security, but given his credentials it is probable that he is referring to it.
To win the cyberwar we have to reinforce the cloud
By Mike McConnell
Published: April 24 2011 20:03 | Last updated: April 24 2011 20:03
Many challenged my grim assessment early last year, when I called for America to develop a new strategy to address the kinds of cyberattacks that could cripple our nation’s infrastructure. If there were a cyberwar, I told Congress, we would lose. The unfortunate truth is that, a year later, we are no better prepared – and the stakes have risen.
Since then more details have emerged on the early 2010 attacks on Google and two dozen other companies, connecting them to China. Alongside the revelations about the Stuxnet attack on Iran and the WikiLeaks saga, the question today is no longer whether the cyberthreat is real – that was last year’s discussion. The challenge now is what to do about it, while balancing security, privacy, openness and innovation.
We should immediately focus on protecting critical infrastructure – the power grid, financial networks, air traffic control and other transport infrastructure – by realigning their use of the internet. To do this we must create new “protected lanes” inside the global superhighway. I call this potential area “dot.secure”: a series of highly protected lanes for those operating vital infrastructure, within the free and open world of the .com global network.
The WikiLeaks saga has generated intense debate about whether the release of classified government information is in the public interest. To be clear, I am not an advocate of doing away with the freedom of our citizens and their use of the internet. But I would also argue that we are a nation of laws, and everyone is entitled to privacy – individuals, businesses and, yes, government. To do its business effectively the government must be able to exchange information with other governments in private. Businesses must be able to protect innovation and patented information; individuals must be able to keep the ownership of their new ideas.
There also need to be defined areas of the internet where that can take place – where individuals can post to blogs, create videos, comment on the news and be completely anonymous – and other places where access to specific data is restricted. Equally, we must develop access systems for sensitive business where an individual is limited to data essential to his or her task.
Highly secure and open areas of the internet do exist today. The defence department runs “.mil,” a domain with limited gateways, military grade encryption, perimeter security and support from the National Security community to identify foreign threats. The government’s “.gov” domain has a similar goal of limited gateways, but will also benefit from high-grade encryption.
On the other side of the information highway, the .com lanes are open with easy movement and access, requiring only the level of security that an individual or business requires for themselves. These open lanes are less costly to maintain, and will benefit even more from the economies of cloud-computing, a powerful, cost-efficient shared computing environment.
What’s missing is the middle ground: dot.secure. The nation’s finance, electric power, water, land transport, air traffic control and industrial control systems must be protected within the security of the restricted lanes. Each month, we understand more about how to heighten security in the “cloud”, and our technicians develop more nuanced approaches to security architecture. Beyond that, cloud operators can focus on network intrusion prevention and response to protect information and its users.
We need to apply the evolving knowledge of cloud-security to our infrastructure through a new government/private partnership. The administration and Congress know the seriousness of cyberthreats, but they are not moving fast enough to address them.
We must remember that cyberspace is more than just the internet. It is a domain itself. For America to protect our economy and way of life as we have in the other domains, we cannot wait for the next big attack to shock us into action.
The writer was director of the National Security Agency in the Clinton administration and director of national intelligence in George W. Bush’s second term. He is executive vice-president of Booz Allen Hamilton.
Cheers,
Svenm
Go-Kite and Dig,
About growth: When I read the 10K I see growth of 34% with accounting that does not count deferred revenue that is booked and paid for but whose services are not yet realized. Use the more liberal revenue growth based on booked sales, including deferred revenues as booked, and you get 54% growth. An off-the-cuff calculation using a PE of 54 in the latter method gives a fair price of roughly $4. Unless we get a dramatic change in growth (upward) the share price will have a tough time climbing much above $6 by the end of this year, assuming Wave doesn't slip. All IMHO and I definitely CBW but that's how I see it for the present.
Svenm
Taxi Vader,
Nice find! From the Synnex site it appears that the San Bernardino Unified School District, Ameren (a large midwest utilities company), Defense Information Systems Agency, OC Tanner, Blue Cross Blue Shield of New Jersey, Stanford Linear Accelerator, and AR Inc. are all customers for some amount of ERAS software!
Cheers,
Svenm
Congratulations to all Longs! Great positive validation for the company and hopefully it will make it easier for the next big sale. Who cares if the price drops a few peanuts today? The long haul looks a lot more interesting.
Cheers,
Svenm
Jaybeaux,
Thanks for sharing that demo! Great to see!
Svenm
Alea,
Thanks for giving credit where credit is due! With your pull would you please urge SKS to grant me a nice pile of options, given as how I've done so much to raise the shares of his company's stock (LOL!)?
On the other hand, I would have to think that something occurred on or about Dec. 1 that caused that beautiful breakout. I don't think it was just general awareness, or even that I was concentrating all my karma just that day! Maybe we'll find out, or maybe not. I seem to recall a similar event one April many years ago, and I don't believe we ever found out the underlying reason for it.
Happy Holidays!
Svenm
ExPat, those are very good points, and btw, thanks for your insightful and balanced posts. They've been a breath of fresh air for this board.
Svenm
New Wave,
Thanks for that follow-up. That's a plausible explanation for SKS' optimism for an eventual rollout of ERAS at PwC. Time will tell but it would obviously be a big boost to see that ERAS is robust enough to compete with tweaking by an IT department as sophisticated as PwC.
Svenm
ExPat,
I believe the explanation for why PwC passed on ERAS is that they have a very savvy IT department which apparently is able to manage their TPMs without using Wave's server products. That may perhaps change in the future but there is no indication at this time that it will. On the other hand, the assumption is that most companies will not be able to accomplish that feat on their own.
Svenm
Edit: Didn't notice the fact that the consulting firm in question was in Europe! Another potential customer instead.
Svenm
Hi Root,
Maybe Booz Allen Hamilton? Jakes'Dad's finding indicates their interest. With 23,000 employees a potential 6000 PC refresh would be a reasonable number. Just conjecture and obviously there are a myriad of possibilities here.
Svenm
DaBears,
Did you mean this one: "There is nothing that is more important than deployment of broadly interoperable authentication," he said. "It is a priority for me; it is a priority for DHS; and it is a priority for the administration."
As always, your sleuthing is outstanding! The smart grid presentation by Southwest was a real eye-opener as well!
Thanks,
Svenm
Bruce Potter (S6) is the founder of The Shmoo Group of security, crypto, and privacy professionals. He helps organize the yearly ShmooCon security conference, held each winter in Washington, DC. Mr. Potter has co-authored several books, including 802.11 Security and Mastering FreeBSD and OpenBSD Security published by O'Reilly and Mac OS X Security from New Riders. Mr. Potter is the co-founder of Ponte Technologies, a company specializing in wireless security, IT security operations, and advanced network defense techniques.
Svenm
Thanks, DaBears! That is a great presentation and there is now no question the tide has turned! We've got a long way to go yet but as helpful has pointed out, the NSA is clearly all in!
Svenm