Slashdot Mirror


UK Banking Law Blames Customers For Insecure OS

twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?

5 of 430 comments

  1. Re:Scare tactics by CRCulver · Score: 5, Informative

    Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

    At least in Finland (and I imagine probably the other Nordic countries as well), you can use cash for a decreasing number of payments. Nearly everyone who demands money of you wants you to pay by bank transfer, and if you don't use your free online banking and decide you want to hand cash to a teller, there's a 3 euro fee for the service. Nearly everyone who wants to pay you money will only deposit it directly into your bank account; there are no more cheques. I'm sure this will spread to other EU countries.

  2. Re:Scare tactics by plover · Score: 5, Informative

    Yes, those are the devices.

    What they do is move all the encryption to a "trusted platform" -- the device itself. You enter your card and your PIN into the handheld, and it's their own crypto hardware using their own crypto algorithm to generate a one-time-use PIN for you to enter into the merchant's PIN pad or into a web site.

    This turns your card into a pure identification token, and turns your PIN into a secure authentication token. Without both tokens, the bank refuses to part with your money. You can enter this into a sleazy internet cafe's browser. It doesn't matter if that transaction's data is stolen or not, because the bank won't authorize your one-time PIN for a second transaction.

    What makes these a great solution is not just their security, but that they're backward compatible with current PIN pad technology. The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN. The bank takes care of that.

    There's an even more secure variant that ABN-AMRO has deployed for web banking transactions. You enter the amount of the transaction into the handheld along with your PIN. That way, only the amount you authorize will be transferred, and the PIN is useless for any other amount.

    (I'm basing my guess of $70 on the price of similar hardware offered by RSA with their SecurID scheme, but it's just a guess.)

    --
    John

  3. Re:Banks hate responsibility by Nolde Huruska · Score: 5, Informative

    In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930s banking laws, when the banks went to the gov't looking for a bail out and convinced enough people to severely restrict their liability. The policy was actually started by Hugh McCulloch, who was U.S. Treasury Secretary, serving under three presidents starting with Abraham Lincoln. Before he was Treasury Secretary he was the first Comptroller of the Currency. In that position he declared his famous dictum "In case of a dispute, favor the bank." He became revered by bankers and after his death they commemorated him by putting him on the Series 1902 $20 National Bank Note. His policy has remained pretty much in force ever since.

  4. Re:Scare tactics by dissy · Score: 5, Informative

    Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount. http://www.treas.gov/education/faq/currency/legal-tender.shtml

    Q) I thought that United States currency was legal tender for all debts. Some businesses or governmental agencies say that they will only accept checks, money orders or credit cards as payment, and others will only accept currency notes in denominations of $20 or smaller. Isn't this illegal?

    A) The pertinent portion of law that applies to your question is the Coinage Act of 1965, specifically Section 31 U.S.C. 5103, entitled "Legal tender," which states: "United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues."
    This statute means that all United States money as identified above are a valid and legal offer of payment for debts when tendered to a creditor. There is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as for payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills. In addition, movie theaters, convenience stores and gas stations may refuse to accept large denomination currency (usually notes above $20) as a matter of policy.

  5. Re:Scare tactics by J Isaksson · Score: 5, Informative

    The problem is this: in the first case, the internet cafe browser, hacked, can display what you wanted to do (pay $50 bill to AT&T) and send an entirely different transaction to the bank (move all money on savings account to random account in Jersey). Since the PIN is totally independent of the transaction, the only thing that you authenticate is that it's actually you getting ripped off, not anyone else ;-) Case 2 will limit the amount that gets stolen, but except for that the same weakness applies.
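The three designs argued over in comments 2 and 5 (a one-time PIN that is independent of the transaction, the ABN-AMRO style PIN bound to the amount, and a PIN bound to amount and destination) can be compared directly by modelling a compromised browser that swaps the transaction after the user has computed the code on the handheld. The following is an added Python example written for this thread, not code from any commenter or bank: the HMAC-SHA256 derivation, the counter, the six-digit code length, the device secret and every transaction value are constructed stand-ins for the devices' own (proprietary) algorithm and data.

```python
import hmac
import hashlib

# Constructed demo key. In the real devices the per-card secret lives inside the
# handheld's crypto hardware and is shared only with the issuing bank.
DEVICE_SECRET = b"constructed-demo-secret-not-a-real-key"


def derive_otp(secret: bytes, counter: int, bound_fields=()) -> str:
    """One-time PIN derived with HMAC-SHA256 (an assumed stand-in for the
    device's own algorithm). Every value in bound_fields is mixed into the
    MAC, so the bank can only reproduce the code from identical values."""
    parts = [str(counter).encode()] + [str(f).encode() for f in bound_fields]
    digest = hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000)


class Bank:
    """Bank side: holds the device secret, remembers spent counters (the
    'won't authorize it for a second transaction' property) and recomputes
    the code over whichever transaction fields the scheme binds."""

    def __init__(self, secret: bytes, bind):
        self.secret = secret
        self.bind = bind          # transaction dict -> tuple of bound fields
        self.spent = set()

    def authorize(self, counter: int, code: str, tx: dict) -> bool:
        if counter in self.spent:
            return False          # replayed one-time PIN
        expected = derive_otp(self.secret, counter, self.bind(tx))
        if not hmac.compare_digest(code, expected):
            return False          # code does not match this transaction
        self.spent.add(counter)
        return True


# Constructed transactions: what the user intended versus what a hacked
# browser could submit in its place (comment 5's scenario).
INTENDED = {"amount": 50, "dest": "AT&T"}
TAMPERED_DEST = {"amount": 50, "dest": "random account in Jersey"}
TAMPERED_ALL = {"amount": 10_000, "dest": "random account in Jersey"}

# Which transaction fields each scheme folds into the one-time PIN.
SCHEMES = {
    "pin_only": lambda tx: (),                          # comment 2, case 1
    "amount_bound": lambda tx: (tx["amount"],),         # ABN-AMRO variant
    "amount_and_dest": lambda tx: (tx["amount"], tx["dest"]),
}


def attempt(scheme: str, submitted_tx: dict) -> bool:
    """User computes the code on the trusted handheld for INTENDED; the
    (possibly substituted) submitted_tx is what reaches the bank."""
    bind = SCHEMES[scheme]
    bank = Bank(DEVICE_SECRET, bind)
    code = derive_otp(DEVICE_SECRET, 1, bind(INTENDED))
    return bank.authorize(1, code, submitted_tx)


def replay_rejected(scheme: str) -> bool:
    """The same code presented twice is accepted once, then refused."""
    bind = SCHEMES[scheme]
    bank = Bank(DEVICE_SECRET, bind)
    code = derive_otp(DEVICE_SECRET, 1, bind(INTENDED))
    first = bank.authorize(1, code, INTENDED)
    second = bank.authorize(1, code, INTENDED)
    return first and not second


if __name__ == "__main__":
    for scheme in SCHEMES:
        print(scheme,
              "intended:", attempt(scheme, INTENDED),
              "tampered dest:", attempt(scheme, TAMPERED_DEST),
              "tampered all:", attempt(scheme, TAMPERED_ALL),
              "replay blocked:", replay_rejected(scheme))
```

Running it shows the split the two commenters describe: the transaction-independent PIN stops replay but authorizes whatever the browser actually sent; binding the amount rejects the drained-account transfer yet still accepts a same-amount transfer to a different destination; only binding amount and destination makes the substituted transaction fail. The trade-off is the usual one for this kind of device, since every bound field is something the user has to type into the handheld.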