Canadians call for action on spyware

A recent report by a global anti-virus user group identifies online banking as a major target for spyware and highlights several areas where banks should take more action.

While banks have procedures in place to deal with routine virus and bug patches from Microsoft, they lack foresight when implementing patching strategies that deal with more complex security threats like browser and application protocol exploits, the group said. The report, which calls on users, government and software companies to pay more attention to spyware, was authored by the Anti-Virus Information Exchange Network (AVIEN).

The AVIEN report comes just as two public interest organizations, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and the Center for Democracy and Technology (CDT) have announced that they will file complaints with the Canadian Competition Bureau on Thursday and with the Americal Federal Trade Commission against an unnamed Canadian technology vendor that is allegedly distributing spyware on the Internet. This action marks what the organizations are touting as the first filing of a spyware complaint in Canadian history.

Ken Bechtel, Avien adjunct administrator, said spyware is a lot like viruses were in the mid-1990s in that a lot of people had little awareness of the problem. While people who deal with spyware on a daily basis recognize the extent of it, the tricky part is convincing upper management to spend the cash to go beyond routine virus and bug patches.

“Until it becomes a perceived larger problem management is doesn’t like to devote the money to it because it is a cost versus risk analysis process,” said Bechtel.

Awareness aside, the minefield of privacy laws and compliance regulations that have come into effect over the last few years are creating communication problems within financial institutions on the proper protocol for handling and controlling spyware.

A former employee of one of Canada’s top five banks said legislation like Sarbanes-Oxley and PIPEDA here are creating paranoia around implementing patches. Paul Wing, now an independent consultant who is based in Toronto, added the Royal Bank fiasco last year that affected millions of customers has also got banks taking extra caution when going about software upgrades.

“They’d like to be able to do it faster but prudence says you don’t just go and willy-nilly implement it on your servers,” said Wing. “The challenge becomes is that decision being made at the right level.”

While banks might benefit from being upfront about situations like that, they are often reluctant or have policies in place that forbid them to share information that could help other banks avoid such problems in the future.

“They’ve got to work within the organizations that exist and share more information so that other organizations don’t fall prey to the same situation,” said Bechtel.

That said, considering spyware affects nearly everybody, the public needs to understand that not even banks can always prevent these attacks from happening.

“Just because a bank robber walks into my local branch and holds up the teller I don’t distrust the bank because they just put in a SWAT team at every branch,” said Bechtel. “You’ve got to be more open with the public and admit that you’ve failed and answer how you’re addressing the problem in the future.”

Wing, however, said one of the reasons why banks aren’t more forthcoming with their data is that the public isn’t demanding enough and the banks don’t want to make an issue of it. “If we cared enough we would not accept four-digit PINs that we haven’t changed for over 20 years,” said Wing. “That in itself leads to a whole bunch of threats and a whole bunch of risks. We’re not insisting on better authentication mechanisms.”

Even if customers had better authentication mechanisms available to them to guard against threats like spyware and pharming, they probably wouldn’t want to use them as they are often more intrusive and less convenient, Wing added.

Avien, however, is encouraged by the increasing number of new bodies like APWG and APACS-UK doing more research on the topic.

Comment: info@itbusiness.ca

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.