Part of Information Security is not making assumptions. You don’t assume that computer systems are safe, you check them. Even if they were safe when you checked them, you check them again months later to make sure they are still safe. This sort of regular assessment is no different than security guards making regular rounds in an office building late at night. Such as at a bank.
When something suspicious is discovered during a systems check or pentest, you investigate it in order to verify that what was found is what you think it is. Evidence of a server break-in needs to be checked carefully before one goes blurting out “We’ve been hacked!”. Just like a bank doesn’t say “We’ve been robbed” because some accounting numbers don’t match-up.
Such verification and re-verification on a regular basis can sometimes seem like paranoia. But paranoia is the unreasonable sense of persecution. Banks have ample reason to be concerned about their security, as there is a long and rich history of criminals robbing banks. However, there is a point at which one may indeed have to ask oneself, “Am I being too cautious?”
Such is the case with the bank that Blue Moon Fiber Arts signed-up with for processing credit-card orders for their “Sock Club”. A sock club is, for those of us who are ignorant of the textile arts, is a knitting hobby club where you pay a yearly fee in order to receive monthly kits. Yes, it is a sock subscription, and you have to assemble the socks yourself. For people who like to knit, this is fun (as I am told).
When Blue Moon Fiber Arts started their 2007 Sock Club, they needed a bank to process credit card orders (as doing it without a bank is much more expensive and complicated). The bank was suspicious (or maybe just initially surprised) at the volume of orders. The bank contacted Blue Moon, which explained the purpose of the orders and the business model (“Customer gives money, customer gets product!” I suspect sums it up). For whatever reasons, the bank decided that it was improbable for large numbers of people to be interested in knitting socks, never mind spend lots of money on it. So the bank refused to process any more orders, canceled all the existing charges and refunded the money.
I can only guess as to why the bank did not take this further and attempt to involve law enforcement. Without more details, I can only assume the bank just didn’t feel like it was confident enough to involve the law, but was suspicious enough to pull-out of the situation entirely. In the end, Blue Moon Fiber Arts found a bank that would process the credit card orders, and all the Blue Moon folks had to do then was send out a letter explaining what happened.
The consequences of overzealous security in this particular case were trivial. One bank lost a customer and another bank gained a customer. Some people were forced to re-sign-up for a sock club and a lot of knitters got justifiably angry at the sheer stupidity of the situation. Yet the consequences can be much more severe. What if a person staked all of their savings on a new business venture, and the first week of business the bank decided no one could possibly want to buy the product or service, and yanked all ability to deal with credit? Someone could literally lose everything they owned, because a bank manager simply made some assumptions.
Banks are of course only one entity that needs information security. Media companies must protect their copyrights, engineering firms have patents to guard and software shops are very much dependent on both copyrights and patents. Failing to enforce those rights could lead to rampant piracy, yet overbearing enforcement often leads to alienating fans, false accusations and some very nasty, drawn-out lawsuits. There are many cases on record where lawyers making assumptions have caused more harm than good for their corporate clients, including Microsoft, SCO, Intel, and another random bank.
In the end, it is up to each organization to make its own judgements in these matters, as there can never be any absolutely objective method to measure the risk involved in not being cautious. And each organization should be prepared to face the possible consequences of their actions.