Friday, May 2, 2014

This Week in Bank Failures

A previously unknown defect in Microsoft Internet Explorer came to light last weekend as U.S. authorities found the browser was being used to systematically spy on U.S.-based banks, along with defense suppliers and probably also government targets that weren’t disclosed. The realization that they were specifically being targeted has made banks especially cautious about this browser bug, and some banks have urged their employees and customers to avoid using Internet Explorer for the time being. However, I have not heard of a bank actually banning Internet Explorer from its site or removing the browser from its own computers. The United States government and the government of Australia issued official cautions about Internet Explorer, quickly joined by several other countries.

The profile of attacks, based on what little has been revealed, seems consistent with the involvement of a major foreign power. We may tend to think of China first when it comes to state-sponsored Internet break-ins, but the cautious, low-key approach and selection of targets would not seem to point to China, but to a country affected by U.S. money-laundering rules. Attacks can potentially disclose information stored on a computer, install new software on a computer, or damage a computer.

All versions of Internet Explorer are affected. A fraction of attacks exploit a flaw in Adobe Flash Player to trigger the flaw in Internet Explorer, but others may be triggered just by loading a compromised web page.

Based on Microsoft’s history, it will likely release a partial fix within a month and a more complete fix within three months. One key question is whether a fix will be made available that works in Microsoft Windows XP, an old operating system that is no longer officially supported but nevertheless remains the standard desktop configuration inside many major banks. If Internet Explorer cannot be secured within Microsoft Windows XP, I wonder if the Fed will take the step of issuing guidance that finds that software combination not to be a secure platform for banking data. That would nearly be a ban on Microsoft Windows XP for banks, as that guidance would make banks liable for negligence in the event that banking data was disclosed as a result of using Microsoft Windows XP. That kind of guidance from the Fed would be an unusual step, but then, this particular browser flaw and its targeted exploits have been unusual from the beginning.