In an article on the Australian ABC website, Patrick Gray suggests that the major motivation for writing viruses is financial. This is certainly true with ‘key logger’ type infections, but I am not sure it is true with the ‘I’m cleverer than you’ type viruses, which Conficker seems to be, nor with the ‘Cause as much damage as possible’ type.
Gray makes some interesting points about banks leaving most of the liability for online ‘card not present’ transaction fraud with merchants. He suggests that if banks were liable, or carried a greater share of liability for online fraud, they would instantly increase credit card security, and this would make writing keyloggers less profitable.
I think he overestimates the percentage of viruses which are of the rip-off key logger type, and that he underestimates the speed with which profit-seeking programmers are able to respond to changing security measures. Consider, for example, how quickly hackers were able to work around DVD and then Blu-ray copy protection.
Also, putting further security measures in place to protect against online fraud may make it more difficult and time-consuming for both customers and merchants to conduct legitimate transactions. VeriSign’s chief technology officer Ken Silva has said: “If all the security measures were deployed that should be deployed, they would become too annoying and too difficult for most consumers.”
Nonetheless, I agree that present security measures are inadequate, and that banks should take a greater share of responsibility, instead of leaving merchants to carry any losses. SMS authentication and portable keys (like a USB drive you put into your computer to confirm your identity) are two methods which could be implemented without too much extra fuss or cost.