Reckless by Design: Why “Industry Norms” Fail the Public
Abstract
This brief argues that recurring security failures across finance and telecommunications are not isolated mistakes but the predictable outcome of systems designed with structural fragility and incentives that externalize risk. Institutions frequently meet minimal “industry norms” while maintaining controls known to be ineffective against common threats (ACM Queue, 2020; ITU, 2019). The pattern is evident in documented cases of large-scale consumer harm and market manipulation (CFPB, 2016; OCC, 2016; CFR, 2016) and in the post-crisis analysis of the 2008 meltdown (FCIC, 2011). In such environments, responsibility should shift from victims to the institutions that knowingly operate brittle controls and rely on plausible deniability.
Problem Statement
Incidents like insider abuse and credential misuse are often framed as anomalies. Yet across banking, telecom, and government systems, the same failure modes recur: weak internal access controls, brittle customer authentication (e.g., SMS-based 2FA), and monitoring that does not reliably prevent or detect known attack classes (ACM Queue, 2020; ITU, 2019). When these controls persist despite longstanding warnings and public evidence of harm, calling them “industry norms” no longer excuses the outcomes (FCIC, 2011; OECD, 2017a).
Five Levels of Institutional Failure
- Mistake. One-off human error (e.g., a missed patch or a single misclick). With robust processes, these events are containable.
- Ordinary negligence. Failure to meet basic standards of care (e.g., leaving a known vulnerability unpatched or ignoring a single alert). Harm is foreseeable but not yet systemic.
- Gross negligence. A deeper disregard for risk: repeated lapses, persistent blind spots, or ignoring red-flag warnings. Equifax’s failure to patch a widely publicized Apache Struts flaw before the 2017 breach affecting ~147 million people is a canonical example (FTC, 2019).
- Reckless practice. Weak controls persist as deliberate design choices that create a window for plausible deniability. Telecom reliance on SMS-based authentication, despite well-documented SS7 and messaging-layer vulnerabilities, exemplifies this category because the insecurity is known yet persists in high-risk flows (ACM Queue, 2020; ITU, 2019).
- Systemic fraud. Institutions knowingly misrepresent safety or reliability to protect profits. The Wells Fargo account-creation scandal and LIBOR manipulation were not accidents; they were structurally induced behaviors that harmed consumers and markets (CFPB, 2016; OCC, 2016; CFR, 2016).
Why “Industry Norms” Are Not a Defense
When norms tolerate controls known to fail against common threats, the collective standard has itself become reckless. The 2008 crisis report documents governance and oversight breakdowns that were avoidable but normalized across firms and regulators (FCIC, 2011). Policy-capture analyses further explain how oversight can drift from public interest to industry convenience (OECD, 2017a). In such settings, meeting the norm signals little about actual risk reduction; it often indicates synchronized under-protection.
Implications
- Responsibility shift. At levels 4–5 above, firms are no longer merely failing; they are monetizing insecurity. Indemnification should be the default, not the exception.
- Outcome-based assurance. Replace checkbox compliance with control-effectiveness testing and third-party red-team attestations tied to executive compensation.
- Phase-outs and deadlines. Mandate retirement of brittle controls (e.g., SMS-only 2FA for high-risk workflows) on fixed timelines with penalties for non-compliance (ACM Queue, 2020; ITU, 2019).
- Personal accountability. Where evidence shows awareness plus inaction, director/officer indemnity should not apply (FCIC, 2011).
Practical Guidance for Individuals
- Assume provider controls can fail. Use app-based or hardware authentication where available; avoid SMS-only 2FA for valuable accounts (ACM Queue, 2020).
- Segment risk: separate email/phone numbers for banking, brokerage, and everyday apps to reduce cross-channel compromise.
- Monitor changes: enable alerts for SIM swaps, number port-outs, password resets, and new device logins.
- Slow down social engineering: verify out-of-band, treat urgency and secrecy as red flags, and distrust links sent over SMS/IM.
Conclusion
The combination of known vulnerabilities and AI-enabled attack capabilities makes the present risk environment more dangerous than many expect. Where institutions knowingly persist with brittle controls and shift costs to the public, responsibility should rest with them—not with victims. Until incentives change, individuals should operate with extraordinary caution and “trust, but verify.”
References
- ACM Queue. (2020). Security analysis of SMS as a second factor. https://queue.acm.org/detail.cfm?id=3425909
- Consumer Financial Protection Bureau. (2016). Wells Fargo Bank, N.A. enforcement action. https://www.consumerfinance.gov/enforcement/actions/wells-fargo-bank-2016/
- Council on Foreign Relations. (2016). Understanding the LIBOR scandal. https://www.cfr.org/backgrounder/understanding-libor-scandal
- Federal Trade Commission. (2019). Equifax data breach settlement (up to $425M for consumers). https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement
- Financial Crisis Inquiry Commission. (2011). The financial crisis inquiry report. https://fcic-static.law.stanford.edu/cdn_media/fcic-reports/fcic_final_report_full.pdf
- International Telecommunication Union. (2019). SS7 vulnerabilities & mitigation for DFS transactions. https://www.itu.int/.../SS7-vulnerabilities-report.pdf
- Office of the Comptroller of the Currency. (2016). Penalty & restitution order—Wells Fargo. https://www.occ.gov/news-issuances/news-releases/2016/nr-occ-2016-106.html
- OECD. (2017a). Preventing policy capture: Integrity in public decision making. https://www.oecd.org/en/publications/2017/03/preventing-policy-capture_g1g78280.html
Comments