Slashdot Mirror
UK Banking Law Blames Customers For Insecure OS
twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?
In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severly restrict their liability.
If there is a lawyer in the house can they confirm this?
Not sure what the state of the laws are elsewhere, but knowing what a bunch of whining snivelers the banking industry is it's probably the same. The bank is always right and the depositors and the taxpayer pick up the bill.
putting the 'B' in LGBTQ+
Should end users be ultimately responsible for the state of their systems?
The Microsoft Windows OS is not the property of the consumer using it. It is the property of Microsoft used under a license from Microsoft. If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).
]{
1. How do they know whether or not one's computer had an AV, anti-spyware, and firewall software installed at the time it was supposedly compromised? (Privacy issue.)
2. Bank customers do have some responsibility in security. Analogy: A homeowner has no locks, leaves door unlocked all day long, then tries getting his or her insurance company to pay out when he or she is ripped off.
3. AV, anti-spyware, and firewall. All three must be done? I think most people are familiar with the AV and firewalls, but how many know about anti-spyware software? (I believe Lavasoft's AdAware is one program.) What they should do is say that the person must make a reasonable attempt at securing their computer. (This could include having a separate computer used solely for banking, and nothing else.)
4. A thought just crossed my mind. Will they deny a claim if someone just happens to have an unsecured computer, even if the computer never was used for banking?
The issue at hand is not the bank's security. It is the security of the consumers account.
In any case, do you really want the bank to be responsible for the security of your system? Because, honestly, I REALLY DO NOT want the banks 'staff of professionals' ensuring my security by requiring I install some type of custom 'security' software.
]{
How ironic. I just switched from Barclays because they implemented this scheme. Note that Barclays give you everything you need for free.
You need a user id, password, your card and the PINSentry device to access the site. That's sort of OK when you're at home. It's not great when you leave your card in the reader and don't realize until the next day when you're in the shop. It's not great when you travel and you have a few different accounts setup. Although Mr G overcame that he wouldn't have his card to make payments with!
It's spectacularly bad when you have a Python script screen-scraping their site twice a day and you're running the transactions through your local "suspicious transactions" algorithm. I record the bulk of my future transactions, so it's easy for me to spot erroneous ones - heck, I even have a secure RSS feed for the transactions from my five accounts. There's no way to give my bank this payment information (yet) so their heuristics are running without the data that would really help them. I had a heart-to-heart with my Premier Account Manager at Barclays about this and his hands were tied - they just aren't advanced at all. If they want to keep the data in their closed world then they need to give me the tools in that world to manage my money (and yes, OpenPlan is a step in that direction - great if you only use Barclays I guess).
There is a subtlety here that you may have missed. Cash is legal tender for all debts. So, if you have already incurred a debt, then your creditor must accept cash as payment. However, most transactions do not involve you incurring a debt. For instance, when you pay to get on the bus, you have not yet incurred a debt, whereas if you eat a meal in a restaurant, then by the time you get the check, you do owe a debt. So, the bus driver may refuse cash; the restaurateur may not.
Interestingly, according to wikipedia, the "legal tender" phrase was added because the government couldn't pay its debts with gold or silver, and nobody wanted paper money instead. The phrase was added to compel them to accept the paper money.
SIGSEGV caught, terminating
wait... not that kind of sig.
And what happens if your bank is Egg (now owned by Citi Group) and tell you every time you log in that you should try the Egg Money Manager, which is only available as an ActiveX control? It's frustrating to keep telling users 'disable ActiveX' and have banks tell them to enable it (and use IE), and if they do then I think they ought to accept at least partial responsibility for the user's poor security.
I am TheRaven on Soylent News
I think it was more the stance that was at issue and not that the code of practice was actually being enforced. Kiwi banks are far more concerned that an incidence of fraud might damage their reputation and put customers off using what is a cheap and effective channel. Consequently they will tend to pay out any losses in order to keep below the media radar. Banks could quickly solve this problem by introducing secure challenge response tokens but the cost would be enormous and many users would struggle with the technology increasing the cost of support.