The Artima Developer Community

Agile Buzz Forum
When Security Failures are Management Failures

0 replies on 1 page.

James Robertson
When Security Failures are Management Failures Posted: May 6, 2006 2:24 PM

This post originated from an RSS feed registered with Agile Buzz by James Robertson.
Original Post: When Security Failures are Management Failures
Feed Title: Cincom Smalltalk Blog - Smalltalk with Rants
Feed URL: http://www.cincomsmalltalk.com/rssBlog/rssBlogView.xml
Feed Description: James Robertson comments on Cincom Smalltalk, the Smalltalk development community, and IT trends and issues in general.

InfoWorld has a scary article about how malware can get right under the SSL connection to a bank and execute a "man at the endpoint" attack. The problem? Once malware is on the customer's machine, it sits below the SSL layer: whatever the Trojan submits inside the already-authenticated session is trusted by the bank and "safely" encrypted on the wire. So everything looks fine to both the bank and the customer, even though each of them may be seeing a different transaction. Here's the gist:

“The problem is,” according to one bank regulatory security auditor, “SSL isn’t broken. SSL states that the connection between your PC’s network card and the bank’s network card isn’t compromised. This is still true. Nobody is sniffing the transaction off the wire. Instead, this is a ‘man-in-the-end-point’ attack.” In other words, the Trojan is sniffing or manipulating the transaction before it is ever sent across the Internet to the bank.

...

“It’s not a problem of authentication but one of transactional authorization,” says Bruce Schneier, leading security expert and CTO of Counterpane Internet Security. “No matter how hard you make the initial authentication for the end-user or hacker, the malware can just wait until the authentication is done and then manipulate the transaction.”

So what does my post title have to do with that? Well, InfoWorld interviewed a number of bank and regulatory personnel. Here's the bottom line - changing the security setup looks politically (corp. politics-wise) difficult, so it's not going to happen - at least, not until something really awful happens (and gets reported). In other words, not before you see the scary tag-lines on the 7 pm news:

When told how SSL-evading Trojans can bypass any authentication mechanism, most offered up additional ineffective authentication as a solution. When convinced by additional discussion that the problem could be solved only by fixing transactional authorization, most shrugged their shoulders and said they would remain under pressure to continue implementing authentication-only solutions.

They were also hesitant to broach the subject with senior management. It had taken so long to get banks to agree to two-factor authentication, they said, it would be almost impossible to change recommendations midstream. That puts the banking industry on a collision course with escalating attacks.

You've seen this one before. Someone (maybe even you) recommends some new security procedure. You then find out that it's as effective as you would like - but it was expensive, both in monetary and political terms, to implement. People had to change their business processes and implement new systems to support it - and now you've found that it's not enough. The all too common result: "Let's ignore it and hope it doesn't hit us".

Which is where bank and regulatory management seems to be on this. From the sounds of it, it's not executive management either - it's not getting that far. It's middle tier people, afraid to stick their necks out on something that will cost money to fix. Wait until this hits the fan - the finger pointing is going to be everywhere.

Read: When Security Failures are Management Failures
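The distinction the two quotes draw, between authenticating the session and authorizing the individual transaction, as an added example that is not part of the original post or the InfoWorld article. The article names transactional authorization as the fix but describes no particular mechanism; the scheme below (an HMAC over a bank-issued challenge plus the payee and amount, computed on a separate token the PC never sees the key of) is one common way to do it and is an assumption of this example, as are the user name, password, amounts and the shape of the Trojan. Two-factor login is modelled as succeeding, because the attack starts after it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed encoding so the token and the bank authorize exactly the same bytes.
        return f"{self.payee}|{self.amount_cents}".encode()


def sign_transfer(token_key: bytes, challenge: str, transfer: Transfer) -> str:
    # Computed on the out-of-band token over the details the user confirmed there,
    # never on the (possibly infected) PC. Assumed scheme: HMAC-SHA256 over challenge|payee|amount.
    msg = challenge.encode() + b"|" + transfer.canonical()
    return hmac.new(token_key, msg, hashlib.sha256).hexdigest()


class Bank:
    """Toy bank: strong login, plus optional authorization of each transaction."""

    def __init__(self, require_tx_auth: bool):
        self.require_tx_auth = require_tx_auth
        self.users = {}       # user -> (password, token_key)
        self.sessions = {}    # session id -> user
        self.challenges = {}  # session id -> outstanding challenge
        self.ledger = []      # (user, Transfer) pairs that were accepted

    def enroll(self, user: str, password: str, token_key: bytes) -> None:
        self.users[user] = (password, token_key)

    def login(self, user: str, password: str, second_factor_ok: bool = True) -> Optional[str]:
        # Two-factor login is modelled as succeeding: the malware waits for this to finish.
        if user in self.users and self.users[user][0] == password and second_factor_ok:
            sid = secrets.token_hex(8)
            self.sessions[sid] = user
            return sid
        return None

    def new_challenge(self, sid: str) -> str:
        # One challenge per transaction attempt, so a captured authorization can't be replayed.
        self.challenges[sid] = secrets.token_hex(8)
        return self.challenges[sid]

    def submit(self, sid: str, transfer: Transfer, tag: Optional[str] = None) -> str:
        user = self.sessions.get(sid)
        if user is None:
            return "rejected: no session"
        if self.require_tx_auth:
            challenge = self.challenges.pop(sid, None)
            if challenge is None or tag is None:
                return "rejected: missing authorization"
            # The bank recomputes the tag over the transaction it actually received.
            expected = sign_transfer(self.users[user][1], challenge, transfer)
            if not hmac.compare_digest(expected, tag):
                return "rejected: authorization does not match transaction"
        self.ledger.append((user, transfer))
        return "accepted"


def trojan(transfer: Transfer) -> Transfer:
    # Man at the endpoint: the session is already authenticated and the bytes are about
    # to be SSL-encrypted; the malware just swaps the payee and amount before that happens.
    return Transfer(payee="ATTACKER", amount_cents=transfer.amount_cents * 10)


def run_scenario(require_tx_auth: bool, infected: bool):
    bank = Bank(require_tx_auth)
    token_key = secrets.token_bytes(32)  # held only by the bank and the user's token
    bank.enroll("alice", "hunter2", token_key)
    sid = bank.login("alice", "hunter2")
    intended = Transfer("Utility Co", 12000)  # constructed sample transaction
    tag = None
    if require_tx_auth:
        # The user confirms payee and amount on the token, which signs them.
        tag = sign_transfer(token_key, bank.new_challenge(sid), intended)
    sent = trojan(intended) if infected else intended  # what the PC actually sends
    return bank.submit(sid, sent, tag), bank.ledger


def run_replay():
    """A captured authorization tag is useless a second time: the challenge is consumed."""
    bank = Bank(require_tx_auth=True)
    token_key = secrets.token_bytes(32)
    bank.enroll("alice", "hunter2", token_key)
    sid = bank.login("alice", "hunter2")
    transfer = Transfer("Utility Co", 12000)
    tag = sign_transfer(token_key, bank.new_challenge(sid), transfer)
    return bank.submit(sid, transfer, tag), bank.submit(sid, transfer, tag)


if __name__ == "__main__":
    print(run_scenario(require_tx_auth=False, infected=True))  # accepted: ATTACKER gets paid
    print(run_scenario(require_tx_auth=True, infected=True))   # rejected: tag covers the real transfer
    print(run_scenario(require_tx_auth=True, infected=False))  # accepted: Utility Co gets paid
    print(run_replay())
```

Note that nothing about the login changes between the two runs: the authenticated session is identical, which is exactly Schneier's point. The scheme only helps if the token takes the payee and amount from the user (or displays them for confirmation) rather than from the infected PC; a token that blindly signs whatever the PC hands it just gives the Trojan a way to authorize its own transaction.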


Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use