Computer Security And Computer Crimes

Problem under consideration A software flaw was found in a national bank's web site that allows anyone who knows about the flaw to read all information about other people's bank accounts. You consider it a serious privacy risk. You sent to the bank about the problem but received no answer. What should you do next? Discuss pros and cons of various possible actions.A software flaw was found in a national bank's web site that allows anyone who knows about the flaw to read all information about other people's bank accounts. You consider it a serious privacy risk. You sent to the bank about the problem but received no answer. What should you do next? Discuss pros and cons of various possible actions.

Discussions covered Individual’s standpoint Bank’s perspective

Individual’s stand point Customer Decision Tree Call Customer Support Representative Take AdvantageDo NothingTry Again Stage I Stage II

Individual’s stand point (cont’d.) [ Customer Decision Tree…] Harmless Hacking Malicious Hacking Hactivism Close Account Follow Executive Hierarchy Repetition till remedy Eye on possibility of threats (Take Advantage)(Do Nothing) (Try Again)

Individual’s standpoint (cont’d.) 1.Take Advantage of the Situation Use your knowledge to hack the web site –Harmless hacking Let the bank know they have been hacked Probably illegal Forces the bank to confront security breach Is this ethically justified?

Individual’s standpoint (cont’d.) [ 1.Take Advantage of the Situation…] –Malicious hacking Access accounts yourself Disrupt service and/or steal money Very much illegal Severe penalties No ethical justification

Individual’s standpoint (cont’d.) [ 1.Take Advantage of the Situation…] –Hacktivism Disrupt service Tell other customers that web site is unsafe Very much illegal or valid civil disobedience? Penalties may not be as severe

Individual’s standpoint (cont’d.) [ 1.Take Advantage of the Situation…] In all three hacking examples the bank may incur serious losses –Financial –Customer relationships –Service disruptions

Close account and go away –Problem still exists –Save your own hide –No recognition of responsibility to anyone beyond yourself; socially irresponsible –Absolutely the least one can do –Don’t care about bank’s further actions Individual’s standpoint (cont’d.) 2. Do Nothing

Go up one level in complaint –Threaten to leave –Threaten to go to authorities (FDIC) –Threaten to go to media Repeat process as necessary, through chain of command Individual’s standpoint (cont’d.) 3. Try again

Individual’s standpoint (cont’d.) [ 3. Try again…] Follow through on threats Shows –Social responsibility –Customer loyalty

Bank’s Perspective Decision Tree Informed of Glitch Do Nothing Do Something Internal Fix External Fix

Bank’s Perspective Bank’s Perspective 1. Keep quiet about it –Don’t draw attention Keep secret from hackers –Reliance on secrecy Cheap –Cost of fix vs. cost of liability Cost of exposure could have consequences beyond the cost of fixing the problem

Bank’s Perspective (cont’d.) 2. Analyze and fix problem internally –Problem can be fixed without undue publicity –Minimal disruption of service –Question of competence Can we trust the people who broke it to fix it? –Potentially most cost effective

Bank’s Perspective (cont’d.) [ 2. Analyze and fix problem internally…] –Check the flaw and see if any others exist –Check on potential of IT team Maybe hire a hacker to test other parts of the system –Let it stay within the bank

Bank’s Perspective (cont’d.) 3. Third party security audit –What requires auditing? Hardware Software Network –Personnel evaluation

Bank’s Perspective (cont’d.) [ 3. Third party security audit …] –Question of security Threat of exposure Exposes secrets to outside entity

Bank’s Perspective (cont’d.) How to decide –Has anyone been injured Loss of money Loss of personal information –Consequences of breach becoming known Known only to hackers Known to general public –Ethical considerations

Comments / Questions