Unreasonable expectations

31.10.2005

How? The Jockey Club had published a procurement standard with a technical framework which told vendors that any newly procured system claiming conformance to some standard would have to be made interoperable (at the vendor's cost) with any already procured systems that had claimed conformance to the same standard. As might reasonably have been expected, the few vendors who understood the significance of this stipulation declared it totally unreasonable, if not outrageous. Over a decade later, interoperability is still a much sought-after consequence of well-intentioned endeavours, but most of the people who understood the issues have become exhausted by the educational struggle, taken retirement or died.

In 2005, we have another test of reasonable expectations. The technical community has in the past castigated naive souls who fell for 419 scams and phishing emails as guilty of stupidity (or at least contributory negligence), but the times are changing. Last month, Demopoulos Associates conducted a survey among non-technical people on phishing. They found that "less than 48 percent of Internet users have heard of phishing, and only 30 percent have any idea of what it is. Less than four percent of Internet users have changed their online habits due to phishing threats."

The new question being heard regularly in the global security community is "whose problem is it anyway?". Since we are talking about financial fraud, there is certainly no shortage of organisations who should be asserting ownership. It is, however, a serious problem with implications for the general acceptance of Internet security for financial transactions.

Leaving aside discussions of cryptographic strength and security architecture, the finger now points at the financial institutions. Making them responsible for the losses has been declared by high-profile converted cryptographers to be the only way to deal with the problem. If the banks won't volunteer to take on responsibility for the online safety of their customers, many now want government regulation to put that responsibility explicitly onto the banks. Exhortations from the Hong Kong Monetary Authority on "two-factor authentication" will do little to impress citizens trying to find room in their handbags for a plethora of proprietary bank fobs and orphaned e-cert readers.

No doubt, the banks will be the first to declare that putting the burden on them is unreasonable and that they are already doing all they could reasonably be expected to.