Slashdot Mirror


UK Banking Law Blames Customers For Insecure OS

twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?

82 of 430 comments

  1. Scare tactics by plover · · Score: 4, Informative
    Let's see, just exactly WHO should be responsible for the banks' security? Some random customer who is using them, or a staff of professionals whose entire industry is founded on the protection of money belonging to random customers? Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

    But I think there's an ulterior motive here. As a part of Chip-and-PIN, the UK is testing a brilliant two-factor authentication system this year for cards that will cryptographically render browser, PC, and merchant security moot. It's possible this is being used as a "warning shot" to frighten consumers into picking up the tab for the high cost (approximately $70) of the handheld security module.

    They have the technology to keep it safe now. I think they're just too cheap to fund it themselves. (And I really wish we'd start seeing that kind of security technology available here in America. I'd switch banks and pay the $70 myself in a heartbeat.)

    --
    John
    1. Re:Scare tactics by aedan · · Score: 3, Informative

      Do you mean the things which look like pocket calculators and your card slides into the top? We have a couple of them already but the bank hasn't asked us to use them yet. They didn't charge for them.

    2. Re:Scare tactics by CRCulver · · Score: 5, Informative

      Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

      At least in Finland (and I imagine probably the other Nordic countries as well), you can use cash for a decreasing number of payments. Nearly everyone who demands money of you wants you to pay by bank transfer, and if you don't use your free online banking and decide you want to hand cash to a teller, there's a 3 euro fee for the service. Nearly everyone who wants to pay you money will only deposit it directly into your bank account; there are no more cheques. I'm sure this will spread to other EU countries.

    3. Re:Scare tactics by Wapiti-eater · · Score: 5, Insightful

      "About damned time!", I say.

      Banks are held accountable for THEIR systems.

      Users should be accountable for THEIR systems as well.

      Now, if the bank sold, loaned or leased to me a data terminal for accessing THEIR systems - sure, they'd be accountable for it. But since I'm using MY system, that I configured, operate and maintain - how on earth can the BANK be accountable for that?

      For years now, geekly types have been crying about the vulnerability in the "popular products". Since that product held an effective monopoly on the market, consumers happily drank the only 'kool-aid' available.

      Now that these same individuals that have been enjoying 'oblivious immunity' will have to pony up for the failures in their personally owned tools - they'll demand, and get, improvements.

      It's only good for everyone.

      --
      Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
    4. Re:Scare tactics by Kristoph · · Score: 4, Interesting

      The issue at hand is not the bank's security. It is the security of the consumer's account.

      In any case, do you really want the bank to be responsible for the security of your system? Because, honestly, I REALLY DO NOT want the banks 'staff of professionals' ensuring my security by requiring I install some type of custom 'security' software.

      ]{

    5. Re:Scare tactics by nurb432 · · Score: 2, Insightful

      Depends on where the leak was.

      Was it on the user's PC? Then I guess it's their fault technically. If it's in the bank's system, then the bank is on the hook.

      Problem is that people really don't/can't understand the systems they are using as they are far too complex, and to expect/demand them to keep them 'safe' is ludicrous. (Even "IT pros" can't always do it with the constant barrage of attacks on what are fundamentally flawed systems.)

      However, the same logic goes for a car. It's far too complex for most people, but if their brakes go out or a wheel falls off and they cause a crash, it's their fault.

      --
      ---- Booth was a patriot ----
    6. Re:Scare tactics by ergo98 · · Score: 3, Insightful

      I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards

      Banks are responsible for their own systems, and that is the full-time focus of those professionals. It is irrational, in my opinion, to expect them to take full culpability for the entire universe of client systems as well. Unless you're willing to accept a dictum that you must use BankOS running on BankHardware over the BankNet if you ever plan on accessing your money.

      They have the technology to keep it safe now. I think they're just too cheap to fund it themselves.

      When you make demands on business, in the end the person who ends up paying is you, not "them". Personally I'd rather not subsidize people who can't take even rudimentary responsibility over their own risk factors, though I would like to see a greater use of two-factor authentication and the like, as you rightly heralded.
    7. Re:Scare tactics by plover · · Score: 5, Informative
      Yes, those are the devices.

      What they do is move all the encryption to a "trusted platform" -- the device itself. You enter your card and your PIN into the handheld, and it's their own crypto hardware using their own crypto algorithm to generate a one-time-use PIN for you to enter into the merchant's PIN pad or into a web site.

      This turns your card into a pure identification token, and turns your PIN into a secure authentication token. Without both tokens, the bank refuses to part with your money. You can enter this into a sleazy internet cafe's browser. It doesn't matter if that transaction's data is stolen or not, because the bank won't authorize your one-time PIN for a second transaction.

      What makes these a great solution is not just their security, but that they're backward compatible with current PIN pad technology. The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN. The bank takes care of that.

      There's an even more secure variant that ABN-AMRO has deployed for web banking transactions. You enter the amount of the transaction into the handheld along with your PIN. That way, only the amount you authorize will be transferred, and the PIN is useless for any other amount.

      (I'm basing my guess of $70 on the price of similar hardware offered by RSA with their SecurID scheme, but it's just a guess.)

      --
      John
    8. Re:Scare tactics by Naughty+Bob · · Score: 5, Insightful

      "About damned time!", I say.

      Banks are held accountable for THEIR systems.
      If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system.

      I don't use my bank's internet-based facilities, because they don't support my (more secure) choice of software- bizarre...
      --
      "Be light, stinging, insolent and melancholy"
    9. Re:Scare tactics by buravirgil · · Score: 2, Insightful

      I suppose your argument lies in the term "access" as when you sign on to the bank's servers, you have "entered" a bank and to what party a responsibility of security is assigned is the literal argument you so damn with time.

      This very question has already been addressed by the Securities and Exchange Commission...
      http://www.nytimes.com/2008/02/15/business/15norris.html?_r=1&oref=slogin
      with a decision with which, I might infer from this quickly modded post, you profanely contend.

      I would pose the question as to the greatest likelihood of fraud that might go undetected. A bank blaming an individual, of which there would be potentially hundreds of thousands to consider or an individual blaming a bank, fewer in number, properly regulated and inspected.

      Moreover, given the advantage Gates' OS has maintained for decades and its nearly endemic nature of viral infection...pretty much anybody logging onto a bank's servers has a virus on it, and all a bank need do is task the police to recover a computer, find a virus and claim the bank is not at fault.

      So, the question becomes a chain of evidence and which route is of less resistance.

      --
      Would were! Should is! Could be! And live a hundred times three.
    10. Re:Scare tactics by MyForest · · Score: 3, Interesting

      How ironic. I just switched from Barclays because they implemented this scheme. Note that Barclays give you everything you need for free.

      You need a user id, password, your card and the PINSentry device to access the site. That's sort of OK when you're at home. It's not great when you leave your card in the reader and don't realize until the next day when you're in the shop. It's not great when you travel and you have a few different accounts set up. Although Mr G overcame that, he wouldn't have his card to make payments with!

      It's spectacularly bad when you have a Python script screen-scraping their site twice a day and you're running the transactions through your local "suspicious transactions" algorithm. I record the bulk of my future transactions, so it's easy for me to spot erroneous ones - heck, I even have a secure RSS feed for the transactions from my five accounts. There's no way to give my bank this payment information (yet) so their heuristics are running without the data that would really help them. I had a heart-to-heart with my Premier Account Manager at Barclays about this and his hands were tied - they just aren't advanced at all. If they want to keep the data in their closed world then they need to give me the tools in that world to manage my money (and yes, OpenPlan is a step in that direction - great if you only use Barclays I guess).

    11. Re:Scare tactics by plover · · Score: 2, Interesting
      Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount.

      Of course, that's been tempered with the anti-money-laundering laws requiring identification for cash transactions exceeding $10 000. But still, if you owe $10, then the debtor must accept a $10 bill as payment in full.

      --
      John
    12. Re:Scare tactics by dissy · · Score: 5, Informative

      Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount.

      http://www.treas.gov/education/faq/currency/legal-tender.shtml

      Q) I thought that United States currency was legal tender for all debts. Some businesses or governmental agencies say that they will only accept checks, money orders or credit cards as payment, and others will only accept currency notes in denominations of $20 or smaller. Isn't this illegal?

      A) The pertinent portion of law that applies to your question is the Coinage Act of 1965, specifically Section 31 U.S.C. 5103, entitled "Legal tender," which states: "United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues."
      This statute means that all United States money as identified above are a valid and legal offer of payment for debts when tendered to a creditor. There is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as for payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills. In addition, movie theaters, convenience stores and gas stations may refuse to accept large denomination currency (usually notes above $20) as a matter of policy.

    13. Re:Scare tactics by SJS · · Score: 3, Insightful

      If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system.

      I agree. I disallow any client-side code to run in my browser, and that makes it difficult or impossible to use many financial websites (not because allowing it would be more secure, but because the developers of the website go out of their way to make it that way).

      Responsibility needs to go hand-in-hand with the power to make a decision; if a bank requires particular combinations of software, or disallows my preferred security policies, then it's their decision, and should be their responsibility. If the bank merely recommends software, but doesn't seek to subvert my security policy, then yes, faults in my security policy are my own damn fault.

      --
      Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
    14. Re:Scare tactics by v1 · · Score: 5, Insightful

      I'd mod you up but you're at +5 already so I'll just add my 2c to your comments. "About damned time!" Got that straight.

      A coworker got his xbox-live account phished several weeks ago. Although he's having a really hard time getting his account recovered properly, he's fully accepted responsibility for what he did. I showed him an example phishing email I got and how it takes you to chase visa and you look in the url and it's some random IP in russia. He had no idea to pay attention to that, but now he does.

      And he 100% accepts responsibility for his actions. And that's how it should be. But there's not enough of that going around right now, too many people wanting to blame their own lack of education on the world. If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it.

      That's why we have drivers licenses. I've seen the idea jokingly suggested from time to time that you should require a permit to get on the internet. And it's things like this that make me seriously wonder if they have something there. But then it's someone taking the responsibility away from you and accepting the burden themselves. They can be held accountable for giving you a permit if you don't know what you're doing. So you see, these types don't want to accept the responsibility for making sure they are educated, and they don't want to accept the responsibility for what happens to them as a result.

      Can't have it both ways.

      You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence.

      --
      I work for the Department of Redundancy Department.
    15. Re:Scare tactics by The_Wilschon · · Score: 4, Interesting

      There is a subtlety here that you may have missed. Cash is legal tender for all debts. So, if you have already incurred a debt, then your creditor must accept cash as payment. However, most transactions do not involve you incurring a debt. For instance, when you pay to get on the bus, you have not yet incurred a debt, whereas if you eat a meal in a restaurant, then by the time you get the check, you do owe a debt. So, the bus driver may refuse cash; the restaurateur may not.

      Interestingly, according to wikipedia, the "legal tender" phrase was added because the government couldn't pay its debts with gold or silver, and nobody wanted paper money instead. The phrase was added to compel them to accept the paper money.

      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
    16. Re:Scare tactics by TheRaven64 · · Score: 5, Interesting

      And what happens if your bank is Egg (now owned by Citi Group) and tells you every time you log in that you should try the Egg Money Manager, which is only available as an ActiveX control? It's frustrating to keep telling users 'disable ActiveX' and have banks tell them to enable it (and use IE), and if they do then I think they ought to accept at least partial responsibility for the user's poor security.

      --
      I am TheRaven on Soylent News
    17. Re:Scare tactics by xaxa · · Score: 2, Insightful

      In the UK, that only applies for a debt, i.e. if you already owe someone the money then they have to accept legal tender (essentially coins and banknotes, but with some exceptions: a creditor doesn't have to accept more than £2 of £0.01 or £0.02 coins in a transaction, for instance, but they have to accept £1, £2 or £5 coins in any amount).

      Because there's no debt, a shop is not breaking any law by putting up a notice saying "we don't accept £50 notes", and neither is someone who will only accept credit cards for purchasing stuff.

      I wouldn't want large amounts of cash for most purposes. I pay for transport automatically (the cost comes out of my bank by debit card), for food at college by card (loading up a pre-payment card), everywhere accepts cards, and I'd rather not carry more cash than I need. Cheques are annoying, I have to walk into the bank, though they're still quite common. There isn't the EUR3 fee for depositing cash at a bank yet.

    18. Re:Scare tactics by TheRaven64 · · Score: 2, Informative

      It is impossible, I repeat IMPOSSIBLE, for them to secure your computer from people reading your keystrokes.

      They can't prevent you from installing a malicious keylogger, but they can mitigate it. To log in to my bank's site, I put my card in a reader they provided, hit 'authenticate' and enter my PIN. It then gives me an 8 digit number which I enter. This is a hash of my PIN (something I know), some data on my card (something I have) and, I believe, some monotonic counter (not sure if it's time based, or if it just generates them in a sequence and they only let you go a few ahead to account for failures). If I want to transfer money to someone I haven't paid before (and said I want them to allow me to pay again) then I have to enter the amount and the recipient's account number into the same device and get another hash to allow the transaction to proceed. My computer could be completely compromised, and all that the attacker would be able to do is read my balance and transfer money to people I've paid before.
      --
      I am TheRaven on Soylent News
    19. Re:Scare tactics by Nursie · · Score: 4, Informative

      Perfect up until this bit - "The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN."

      This has never been the case in the UK, we have never had PIN entry at the retailer until the EMV (chip 'n' pin) cards came along, and they work the same way as you suggest - the pin pad and card reader are trusted devices and the PIN never leaves them. They are encrypted, by the card, along with the amount of the transaction (which is displayed to the user, not entered by them) and various other bits of information. The retailer's network never gets your PIN, only the device and the bank's word that it was correct.

    20. Re:Scare tactics by J+Isaksson · · Score: 5, Informative

      The problem is this: in the first case the internet cafe browser, hacked, can display what you wanted to do (pay $50 bill to AT&T) and send an entirely different transaction to the bank (move all money on savings account to random account in Jersey). Since the PIN is totally independent of the transaction, the only thing that you authenticate is that it's actually you getting ripped off, not anyone else ;-) Case 2 will limit the amount that gets stolen, but except for that the same weakness applies.

    21. Re:Scare tactics by Simon · · Score: 4, Informative

      That is a good point which you make. The ABN AMRO have that covered too, for the most part. For most transactions this attack is possible, but there is an extra security precaution which kicks in when you try a transaction above a certain amount (1000 euros? I can't remember, I've only hit it once). When this happens you are also requested to enter the target bank account number and the sum into the device. Basically signing those details of the transaction too.

      I'm generally very impressed with the ABN's solution to this. It actually seems to solve the problem and is not just another case of security theater.

      --
      Simon

    22. Re:Scare tactics by Tuoqui · · Score: 4, Informative

      Unless they use a Paperclip

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
    23. Re:Scare tactics by Shemmie · · Score: 2, Insightful

      And as a bonus, Egg Money Manager will store all your other bank usernames and passwords, log into the sites for you, and I'm assuming it scrapes the balance information from the HTML, displaying it on the Egg page. Does that sound at all... risky?

    24. Re:Scare tactics by tepples · · Score: 2, Insightful

      And what happens if your bank is Egg (now owned by Citi Group)

      It depends: Are there banks other than Egg that have ATMs in your town?
    25. Re:Scare tactics by MeltUp · · Score: 2, Insightful

      Huh? Why is that? I have one of those things as well.
      My debit card is a smart-card (has one of those chips on it), and the bank gave me a simple cardreader.

      How it goes is:

      - I go to my bank's site
      - I enter my card number
      - I put my card reader into the device
      - I type the 8-digit number on the screen into the reader
      - I type my pin into the reader
      - The reader tells me the pin is OK (I assume that since it's a smartcard, if I type a wrong pin 3 times in a row, it destroys itself)
      - the reader returns an 8-digit number I type into the login screen

      I am in

      If I want to transfer money, I have to use a different procedure. I don't have to do this for every transfer, I can make a few and then do it once for all:

      - I type my pin into the card reader
      - I type a number on the screen into the reader
      - I type the total amount transferred
      - The reader returns a number which I can use to confirm the transfer

      I think this system is pretty secure. It's a minor annoyance, but after a few times it only takes a few seconds to do.

      Why would giving the card reader to people be a security breach? Am I missing something?

      --
      Computers are useless. They can only give you answers. -- Pablo Picasso
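As an added example (not code from the original thread, and not any bank's actual CAP or HBCI implementation), here is a simplified Python model of the two modes the posts above describe: an 'identify' code that covers only a login challenge, and a 'sign' code that also covers the amount and recipient, checked by a bank-side verifier with a counter window. The HMAC-SHA256 construction, the 8-digit dynamic truncation, the card key, the challenge and the sample transfers are all assumptions constructed for this example; it shows why only the signed mode lets the bank reject a transfer altered in the browser, and why a captured code cannot be submitted twice.

```python
import hashlib
import hmac

# Constructed per-card key for this example; on a real card the key stays
# inside the chip and the bank holds the matching copy.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _truncate(mac: bytes, digits: int = 8) -> str:
    """Dynamic truncation as in RFC 4226: 4 bytes at an offset taken from the
    low nibble of the last MAC byte, sign bit cleared, reduced mod 10^digits."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def identify_code(key: bytes, counter: int, challenge: str) -> str:
    """Login-style code: covers only the counter and the bank's challenge."""
    msg = counter.to_bytes(4, "big") + challenge.encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def sign_code(key: bytes, counter: int, amount_cents: int, recipient: str) -> str:
    """Transaction-signing code: the MAC also covers amount and recipient."""
    msg = counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + recipient.encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


class CardReader:
    """The handheld: holds the card key and a monotonic counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def identify(self, challenge: str) -> str:
        self.counter += 1
        return identify_code(self.key, self.counter, challenge)

    def sign(self, amount_cents: int, recipient: str) -> str:
        self.counter += 1
        return sign_code(self.key, self.counter, amount_cents, recipient)


class Bank:
    """Bank side: recomputes the code over a small look-ahead window of counter
    values and never accepts a counter at or below the last one used (no replay)."""
    def __init__(self, key: bytes, window: int = 5):
        self.key, self.window, self.last_counter = key, window, 0
        self.executed = []  # (amount_cents, recipient) transfers actually paid out

    def _verify(self, code: str, expected) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(expected(c), code):
                self.last_counter = c
                return True
        return False

    def login(self, challenge: str, code: str) -> bool:
        return self._verify(code, lambda c: identify_code(self.key, c, challenge))

    def transfer_unsigned(self, amount_cents: int, recipient: str) -> bool:
        # Session is logged in; nothing ties this particular transfer to the user.
        self.executed.append((amount_cents, recipient))
        return True

    def transfer_signed(self, amount_cents: int, recipient: str, code: str) -> bool:
        ok = self._verify(code, lambda c: sign_code(self.key, c, amount_cents, recipient))
        if ok:
            self.executed.append((amount_cents, recipient))
        return ok


INTENDED = (5000, "AT&T")                 # what the user sees: $50.00 to AT&T
SUBSTITUTED = (2_000_000, "JERSEY-XXXX")  # constructed: what a hijacked browser sends


def login_only_session(browser_tampers: bool):
    """Case 1 on the page: the code proves only that it is you logging in."""
    reader, bank = CardReader(CARD_KEY), Bank(CARD_KEY)
    challenge = "38215907"  # constructed challenge displayed by the bank
    if not bank.login(challenge, reader.identify(challenge)):
        raise RuntimeError("login code rejected")
    bank.transfer_unsigned(*(SUBSTITUTED if browser_tampers else INTENDED))
    return bank.executed


def signed_session(browser_tampers: bool):
    """Amount-and-recipient mode: the user signs INTENDED on the handheld; the
    browser can relay that code but cannot re-target it."""
    reader, bank = CardReader(CARD_KEY), Bank(CARD_KEY)
    code = reader.sign(*INTENDED)
    bank.transfer_signed(*(SUBSTITUTED if browser_tampers else INTENDED), code)
    return bank.executed


def replay_rejected() -> bool:
    """A signing code is single-use: the bank's counter has moved past it."""
    reader, bank = CardReader(CARD_KEY), Bank(CARD_KEY)
    code = reader.sign(*INTENDED)
    return bank.transfer_signed(*INTENDED, code) and not bank.transfer_signed(*INTENDED, code)
```

The real devices use the card's EMV keys and a different MAC, but the property shown is the same: what the bank verifies must cover what the user saw on the handheld, not what the browser submitted.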
    26. Re:Scare tactics by smallfries · · Score: 2, Informative

      Annoying though it is, my bank worked around this a while ago. Instead of entering my PIN through the keyboard they flash up a Java keyboard with randomised key layout on the screen which I have to click with the mouse. It is more annoying than tapping in the code as it takes effort to read the screen and translate my PIN onto it, but it must save quite a few of their customers from keyloggers. If it becomes popular amongst other banks then expect a similar arms race to the one underway between CAPTCHAs and spammers.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    27. Re:Scare tactics by Giant+Electronic+Bra · · Score: 2, Interesting

      And the bank's response to that is, you 'gave away' your information to someone. Why if the information, which they've told you is confidential, is revealed BY YOUR FAULTY EQUIPMENT, should they be on the hook to bail you out?

      It is just the same as if you magic markered your PIN onto the back of your ATM card and someone stole it and drained your account. I GUARANTEE you the bank will wash its hands of your loss. And rightly so.

      There is another factor involved. If the bank has to eat the losses, then the bank will pass them on to ALL the customers. So now you're not charging 'the bank' for the loss, you're charging ALL THE PEOPLE THAT DIDN'T let themselves get ripped off!

      So the question becomes "Why the hell should I pay for YOUR negligence/incompetence?" Let the idiot that let someone steal his private data off his machine pay for his own mistakes!

      Of course, it makes sense for both parties to deploy a technology that is as secure as possible. The bank which doesn't should be losing business (no matter who pays for the fraud). Still, I see NO reason why the financial institution should be liable unless the loss occurred because of their act of negligence. Which exactly dovetails with liability law pretty much the world over.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    28. Re:Scare tactics by jimicus · · Score: 3, Insightful

      If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system.

      Very few banks in the UK have IE-only websites, so that's not a particularly big deal.

      What is an issue is the wording - nothing in The Register's article suggests that they've included the magic phrase "where necessary". You could be using an SELinux box tightened beyond belief with no need for anti-spyware or antivirus, but if you get ripped off through a website, their first question is going to be "What antivirus are you running?" and if the answer isn't a well known commercial product, then it's your problem and not theirs.
    29. Re:Scare tactics by LordLucless · · Score: 2, Insightful

      I wish there was a "-1, Cannot Read" mod. The bit about pennies was an example. American currency is legal tender for debts, not compulsory for purchases.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    30. Re:Scare tactics by jimicus · · Score: 2, Informative

      It depends: Are there banks other than Egg that have ATMs in your town?

      Brief explanation of a few things about how UK banking works for our US cousins because there are significant differences:

      1. You get paid into your bank account. Virtually nobody is paid in cash. This isn't something you get to negotiate with your employer - they'll ask for your bank account details when you start working.
      2. Checks (or, in UK spelling, cheques) are rapidly dying. Many retailers no longer accept them. More or less every bank account comes with a debit card.
      3. ATMs owned and operated by banks are generally free for any UK bank customer to use. Privately owned and operated ATMs, OTOH, aren't - these are more commonly found inside shops and pubs.
      4. There are usually no charges for day to day banking (eg. receiving statements, using a bank-owned ATM, depositing money). Foreign transactions and unauthorised overdrafts attract swingeing charges.
    31. Re:Scare tactics by zotz · · Score: 2, Insightful

      "Can't have it both ways."

      True, but then neither can the vendors and others. Right?

      When they advertise that their system is so easy, anyone can do it. It is really intuitive. Then they can hardly come back and say that the problem was due to lack of proper training on the part of the users. They just got finished selling the system on the premise that no training was needed.

      And in the case of banks, if they require a particular, OS, browser, other settings to work, they can hardly properly claim that the customer is fully liable.

      But, even though this may be brain dead, if it scares people into looking into the situation more closely, it may do some good despite being borked.

      all the best,

      drew
      --
      http://packet-in.org/wiki/index.php?title=Main_Page
      Packet In - net band, libre music, sometimes gratis

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    32. Re:Scare tactics by Jesus_666 · · Score: 2, Informative
      In Germany chip-and-PIN has been one of the two traditional homebanking concepts (the other being PIN-and-TAN) via the HBCI standard (now called FinTS). We distinguish between four classes of card readers:
      • Class 1 readers are just a smartcard interface; you enter the PIN via the computer's keyboard. They come at about 30-40 EUR.
      • Class 2 readers are like class 1 plus a keypad. ~70-80 EUR, unless your bank sells you a branded device for less.
      • Class 3 readers are like class 2 plus a display. Upwards of 100 EUR. Fancy ones with additional biometric interfaces (not useful for homebanking) come at 250 EUR and up.
      • Class 4 readers are like class 3 plus support for their own Secure Access Module so they can sign transactions with their own credentials (to make card and reader uniquely identifiable for each transaction). These aren't used for homebanking, but the planned German healthcare smartcard will require them.
      Any of the first three classes can be used for homebanking. A few years ago my bank issued a class 1 reader with their homebanking package; when my parents had to get a new one because the old one got flaky they got the current standard-issue device, which is class 2 - however, that might also be because the company the bank gets the readers from has removed all class 1 readers from their lineup.

      Class 2 readers are arguably more secure, but class 1 devices have the advantage of being small and robust, which is useful to me because I lug the reader around in my backpack. Having the choice is nice and since HBCI is an open standard there are implementations for Linux (GnuCash) and OS X (MacGiro, BankX, GnuCash), so keyloggers are a bit less of a worry.
      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    33. Re:Scare tactics by penguinbrat · · Score: 5, Insightful

      "If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it."

      Do you understand the inner workings of a fuel injected turbo with dual over head cams - or do you have a general idea and just use it assuming safety from the manufacturer?

      Do you understand the inner workings/procedures and protocols that it takes to fly a commercial airliner from LA to NY - or do you have a general idea and just use the transports assuming those that be aren't putting your life at risk for a mere buck?

      Do you understand biology and the inner workings of your OWN BODY - or do you assume and rely on doctors and those in the medical profession to NOT kill you mistakenly for the treatment of a zit?

      "You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence." - Typical arrogant and assinine comment from the godly geeks among us, when your inflated ego can go an entire day with out relying on ANYTHING that ANY manufacturer claims is perfectly safe and secure to use (regardless if it is or isn't - read M$ and ANY software corp) then, AND ONLY THEN would you have a valid argument to make and have something to back it up. Until then, you need to wake the fuck up and stop expecting everyone else in the world know as much about computers and the internet as you do - because you rely on company-X telling you using such-n-such is perfectly safe, just as much as grandma and little Jane down the street relies on M$ and the billions of other software manufacturers telling them everything is safe to use their products - not to mention teller X and sales boy Y doubling as a pretend security expert that just "knows" it is safe (hint, they are told to say that).

      Arrogance like this is a big part of the problem - marketing takes crap like this and runs with it, not to mention the legal department - who cares if it is complicated and way too much to comprehend for 90% of the population; the "experts" that do know what they are talking about blame everyone for not knowing what they know, so we'll do the same. They just don't mention the education and knowledge base behind it - but who cares about that?

      EVERYONE SHOULD ALREADY KNOW IT! - and that is the biggest load of arrogant bullshit I've heard in a long time.

    34. Re:Scare tactics by Lost+Engineer · · Score: 3, Informative

      So valuable information isn't sitting on his Windows partition -- not 100% perfect, as a trojan could in theory mount his Linux partition in Windows or just read the device directly if it has admin privileges, but it will foil the most common attacks against Windows.

    35. Re:Scare tactics by Reziac · · Score: 2, Insightful

      Which also ensures a monoculture and a uniform point of failure when (more likely than if) their custom setup is compromised.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    36. Re:Scare tactics by jc42 · · Score: 2, Interesting

      Moreover, given the advantage Gates' OS has maintained for decades and its nearly endemic nature of viral infection... pretty much any computer logging onto a bank's servers has a virus on it, and all a bank need do is task the police to recover a computer, find a virus and claim the bank is not at fault.

      Well, now; it seems this situation is ripe for a nice setup. Get an account at a bank such as the Egg mentioned in other messages here, which strongly encourages use of IE and includes ActiveX code in its pages. Arrange for your account data to be stolen by malware from a site that uses ActiveX as an infection vector. When the bank's investigators find the malware on your machine and disclaim responsibility, file suit against the bank, claiming fraud and entrapment (or whatever those are called in UK law). Show in court that they strongly encourage use of IE and ActiveX, which are well known to be major security risks.

      I'd think some UK solicitors with a bit of tech knowledge might have a bit of fun taking on such a case.

      Of course, you'd want to do this with a new account, and don't put a whole lot of your money into it.

      It's only a matter of time before such a case happens. It might be best if it happens to people with the technical knowledge to show in court what's really going on. Maybe you can force the banks to not require customer use of the least secure software available.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    37. Re:Scare tactics by CastrTroy · · Score: 3, Funny

      I'm not sure why one would sign up for a bank called "Egg" in the first place.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    38. Re:Scare tactics by Kristoph · · Score: 2, Interesting

      The device you speak of (which I happen to actually use for one of my bank accounts) includes an additional step which is the challenge code.

      You slot in your smart card, enter your pin into the device, followed by the challenge code, and it returns the response code which you must transcribe into the site. It is something that works on the internet but it probably would not work well for commercial transactions because most users would consider it too cumbersome.

      In any case there is a pretty straightforward way to bypass this security. You spoof the bank site and, in real time, interact with the real site, sending the user the real challenge code so they provide the real response code, and then, once you're in, you transfer the funds from the user's account to some other account (which you presumably set up under an assumed name). If you are a reasonably competent crook this actual transfer process is automated, and once you've completed the transfer you change the user's PIN code so they cannot see the transaction for the X days it takes them to order a new PIN code from the bank.

      ]{
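
The relay attack Kristoph describes, played out against a simulated card reader. This is an added example, not code from the original thread or from any bank's software, and it goes one step beyond the post by also showing the countermeasure: putting the payee and amount into the challenge so the reader can display them and the customer can refuse to sign a payment they did not intend. The HMAC-based response code, the PIN, the account numbers and the session handling are all constructed assumptions; real EMV CAP readers compute their codes with the card's own keys.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed fixtures: a key the card shares with the bank, and the card's PIN.
CARD_SECRET = b"example-card-key-not-a-real-one"
PIN = "1234"
MERCHANT = "20-00-00 12345678"  # account the victim means to pay (made up)
MULE = "40-00-00 99999999"      # account the phisher controls (made up)


def response_code(secret: bytes, challenge: str) -> str:
    """8-digit response over a challenge. Hypothetical HMAC scheme standing in
    for whatever MAC the real card computes; the point is that the code is a
    function of exactly the string the customer keys into the reader."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """The chip card: checks the PIN offline, then signs whatever it is given."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin

    def sign(self, pin: str, challenge: str) -> Optional[str]:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None  # wrong PIN: the reader shows an error, no code
        return response_code(self._secret, challenge)


class Bank:
    """Bank side. bound=False is the plain challenge the post describes;
    bound=True puts the payee and amount into the challenge itself."""

    def __init__(self, card_secret: bytes):
        self._card_secret = card_secret
        self._pending = {}  # session id -> challenge awaiting a response

    def start_transfer(self, payee: str, amount_pence: int, bound: bool) -> Tuple[str, str]:
        session = secrets.token_hex(4)
        challenge = f"{payee}:{amount_pence}" if bound else f"{secrets.randbelow(10**8):08d}"
        self._pending[session] = challenge
        return session, challenge

    def finish_transfer(self, session: str, response: str) -> bool:
        challenge = self._pending.pop(session)
        return hmac.compare_digest(response_code(self._card_secret, challenge), response)


def customer_keys_in(card: Card, pin: str, meant_payee: str, meant_amount: int,
                     challenge: str) -> Optional[str]:
    """What the customer does with the challenge the web page shows them. A
    random challenge gives them nothing to check. A bound one carries payee and
    amount, which the reader displays, so a customer who looks can refuse to
    sign a payment they did not intend."""
    if ":" in challenge:
        payee, amount = challenge.rsplit(":", 1)
        if payee != meant_payee or int(amount) != meant_amount:
            return None
    return card.sign(pin, challenge)


def legitimate_transfer(bound: bool) -> bool:
    bank, card = Bank(CARD_SECRET), Card(CARD_SECRET, PIN)
    session, challenge = bank.start_transfer(MERCHANT, 5_000, bound)
    resp = customer_keys_in(card, PIN, MERCHANT, 5_000, challenge)
    return resp is not None and bank.finish_transfer(session, resp)


def relayed_phish(bound: bool) -> bool:
    """The phishing site proxies the real bank in real time: it opens a transfer
    to the mule, forwards the bank's genuine challenge to the victim (who thinks
    they are paying MERCHANT 50.00), and submits the victim's genuine response.
    Returns True if the bank moves the money."""
    bank, card = Bank(CARD_SECRET), Card(CARD_SECRET, PIN)
    session, real_challenge = bank.start_transfer(MULE, 500_000, bound)
    resp = customer_keys_in(card, PIN, MERCHANT, 5_000, real_challenge)
    return resp is not None and bank.finish_transfer(session, resp)


def forged_challenge_phish() -> bool:
    """Bound mode. The phisher shows the victim a challenge for the payment the
    victim expects, hoping the response will pass for the mule transfer."""
    bank, card = Bank(CARD_SECRET), Card(CARD_SECRET, PIN)
    session, _real = bank.start_transfer(MULE, 500_000, bound=True)
    resp = customer_keys_in(card, PIN, MERCHANT, 5_000, f"{MERCHANT}:5000")
    return resp is not None and bank.finish_transfer(session, resp)


if __name__ == "__main__":
    print("plain challenge, relayed phish succeeds:", relayed_phish(bound=False))
    print("bound challenge, relayed phish succeeds:", relayed_phish(bound=True))
    print("bound challenge, forged challenge succeeds:", forged_challenge_phish())
```

With a plain random challenge the relay succeeds because the response proves only that someone holding the card and PIN typed that number; it says nothing about which payment is being authorised. Once the payee and amount are part of the signed string, the phisher has two bad options: relay the genuine challenge, in which case the reader shows the customer the mule account, or show the customer a challenge for the payment they expect, in which case the response does not verify against the transfer the bank actually has pending. The scheme still depends on the customer reading the reader's display, which is why the post's point about transaction details being hidden from the user for days afterwards remains relevant.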

    39. Re:Scare tactics by rastos1 · · Score: 2, Insightful

      Do you understand the inner workings of a fuel injected turbo with dual over head cams - or do you have a general idea and just use it assuming safety from the manufacturer?

      If the "fuel injected turbo with dual over head cams" fails, then I'm not dangerous to others. In the worst case I won't be able to start up. However, I do understand how brakes work. I know that I have to regularly check the level of brake fluid. I know that I have to have the front and brake lights and blinkers working. I know how they work and how to check that they work. And if I find out that they do not work, I know that I can't keep on driving.

      Do you understand the inner workings/procedures and protocols that it takes to fly a commercial airliner from LA to NY - or do you have a general idea and just use the transports assuming those that be aren't putting your life at risk for a mere buck?

      No I don't. However, I do not fly (control) the commercial airliner. The crew does. The ground personnel ensure that it is working. Again: by not knowing the internals of the airliner I'm not dangerous to others.

      Do you understand biology and the inner workings of your OWN BODY - or do you assume and rely on doctors and those in the medical profession to NOT kill you mistakenly for the treatment of a zit?

      I don't know about you, but I had biology classes in school. I know that I should seek help if I suspect that something is wrong. Having a raised temperature is wrong; having aches is wrong; having bones sticking out of the body is wrong -> seek help. But that is not important. What is important is to know that I should not wander around the bus station if I have an infectious disease.

      Yes, you should know enough about the system not to be a threat to others.

    40. Re:Scare tactics by ozmanjusri · · Score: 2, Interesting
      What's even better is that this method is completely OS and browser independent.

      My bank has an authentication method which is OS and browser independent too.

      When I, or anyone else, attempts a transfer which exceeds my set limit, the bank sends me a text message (SMS) with a one-time PIN. I then have three minutes to input the PIN to approve the transfer.

      If the PIN isn't correct, or if it's not typed in within the time limit, I get another SMS telling me of the attempt.

      --
      "I've got more toys than Teruhisa Kitahara."
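
The SMS step-up ozmanjusri describes, as an added example that is not part of the original thread or any bank's code. The bank-side logic here is a constructed model: a one-time PIN is issued only for transfers over the customer's limit, is tied to that one transfer, expires after three minutes, is consumed on first use whether or not the entry was correct, and a wrong or late entry triggers a second message telling the customer about the attempt. The SMS gateway and the clock are injected so the expiry path can be exercised without waiting; the payee name, limit and amounts are made up.

```python
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

OTP_TTL_SECONDS = 180  # "three minutes" from the post


class SmsApprover:
    """Bank-side step-up for transfers over the customer's limit. send_sms stands
    in for the SMS gateway; now is an injectable clock so expiry can be tested
    without waiting three minutes. Both are constructed for this example."""

    def __init__(self, limit_pence: int, send_sms: Callable[[str], None],
                 now: Callable[[], float]):
        self.limit = limit_pence
        self.send_sms = send_sms
        self.now = now
        self._pending: Dict[str, Tuple[str, float, str, int]] = {}

    def request_transfer(self, payee: str, amount_pence: int) -> Tuple[str, bool]:
        """Returns (transfer id, needs_otp). Under the limit the transfer just goes."""
        tid = secrets.token_hex(4)
        if amount_pence <= self.limit:
            return tid, False
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[tid] = (otp, self.now(), payee, amount_pence)
        # The SMS names the payee and amount, so a customer who did not start
        # this transfer learns what someone else is trying to do with their account.
        self.send_sms(f"One-time PIN {otp} approves {amount_pence / 100:.2f} "
                      f"to {payee}; valid for 3 minutes.")
        return tid, True

    def approve(self, tid: str, entered: str) -> bool:
        # Single use: the record is consumed whether the attempt succeeds or not,
        # so a wrong guess cannot be followed by another against the same PIN.
        record = self._pending.pop(tid, None)
        if record is None:
            return False
        otp, issued, payee, amount = record
        if self.now() - issued > OTP_TTL_SECONDS:
            self.send_sms(f"PIN for {amount / 100:.2f} to {payee} expired; not sent.")
            return False
        if not hmac.compare_digest(otp, entered):
            self.send_sms(f"Wrong PIN entered for {amount / 100:.2f} to {payee}; not sent.")
            return False
        return True


def run_scenario(name: str) -> Tuple[bool, int]:
    """Returns (transfer approved, number of SMS messages the customer received)."""
    clock = {"t": 1_000.0}
    inbox: List[str] = []
    bank = SmsApprover(limit_pence=20_000, send_sms=inbox.append, now=lambda: clock["t"])

    if name == "under_limit":
        _tid, needs_otp = bank.request_transfer("ACME Ltd", 15_000)
        return (not needs_otp), len(inbox)

    tid, _ = bank.request_transfer("ACME Ltd", 50_000)
    otp = inbox[-1].split()[2]  # the customer reads the PIN off their phone
    if name == "correct":
        return bank.approve(tid, otp), len(inbox)
    if name == "wrong":
        wrong = "000000" if otp != "000000" else "111111"  # guaranteed mismatch
        return bank.approve(tid, wrong), len(inbox)
    if name == "late":
        clock["t"] += OTP_TTL_SECONDS + 1  # customer answers after the window closed
        return bank.approve(tid, otp), len(inbox)
    if name == "replay":
        bank.approve(tid, otp)  # first use succeeds
        return bank.approve(tid, otp), len(inbox)  # same PIN again is refused
    raise ValueError(name)


if __name__ == "__main__":
    for scenario in ("under_limit", "correct", "wrong", "late", "replay"):
        print(scenario, run_scenario(scenario))
```

Two design choices are worth noting. Consuming the PIN on a wrong entry means an attacker who has the customer's login cannot keep guessing against a six-digit code; they have to start a new transfer, which sends the customer another message. And the message text carries the payee and amount, so a relayed-phishing attacker who does get the customer to read a PIN back still has to get them past a text that names an account they have never heard of.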
  2. Damned if you do... by UbuntuDupe · · Score: 5, Funny

    So, to summarize:

    bankers: "You better use a secure OS, or you'll be liable for any fraudulent transactions with your account."
    customers: "Okay. What if we use Firefox on Linux?"
    bankers: "That'll work."
    customers: "Hey, we can't access your site using Firefox!"
    bankers: [British equivalent of "hah! Sucks to be you!"]

    1. Re:Damned if you do... by jonbryce · · Score: 3, Insightful

      Are there any bank sites that don't work with Firefox on Linux these days? Even Natwest works now, and they are the most fussy about what browsers they allow.

    2. Re:Damned if you do... by spedrosa · · Score: 2, Informative

      Are there any bank sites that don't work with Firefox on Linux these days? Even Natwest works now, and they are the most fussy about what browsers they allow.

      Hell yeah.

      At least in Brazil, ABN AMRO (more specifically, Real) *requires* Windows.

      To add insult to the injury, they require the installation of a "protection module". Which is a very intrusive and spyware-like DLL called "G-Buster Browser Defense". Its installation under Windows Vista only works if you run the browser as *administrator* and add the banking site to the list of trusted sites.

      You can call them to deactivate the "security measures" for your account and enable it to work on other operating systems, but then I suspect they are not going to be held accountable for unauthorized accesses.
    3. Re:Damned if you do... by mgblst · · Score: 2, Funny

      Really? Send me your details and I will test it on my end...

  3. Holy crap. by Anonymous Coward · · Score: 2, Insightful

    Look, if an account compromise occurs as a result of a compromise on the bank's side (web server, backend network, etc), it's the bank's fault. If the compromise occurs because the user's login gets sent to some dude in Russia by a keysniffer running on the user's already compromised workstation, it's MOST DEFINITELY the user's fault. This isn't complicated. Wow.

  4. this is scary by suck_burners_rice · · Score: 5, Insightful

    Suppose one is running a hardened version of OpenBSD on some PA-RISC machine. Suppose then that this person's bank account is drained out and that said draining has NOTHING to do with their computer or OS. Suppose it's drained by someone who prints checks with a random bank account number on them and it just so happens to be this OpenBSD user's bank account. Again, the theft has NOTHING to do with their computer, OS, computing practices, or hair color. What will happen? Will the bank file a discovery motion to check if the person has anti-virus software on their hardened machine? What? No anti-virus software? Never mind that there is no virus to check for. This is scary as it gives the bank a way to weasel out of its own responsibilities.

    --
    McCain/Palin '08. Now THAT's hope and change!
    1. Re:this is scary by jez9999 · · Score: 2, Insightful

      Suppose it's drained by someone who prints checks with a random bank account number on them and it just so happens to be this OpenBSD user's bank account.

      Just in case anyone was taking this seriously, this scenario just ain't gonna happen.

      To login to my bank account online, I need the online account's ID, my PIN, and my secret word. In addition, I also now need my physical debit card, a card reader, and to enter my PIN in the reader and get back a code to enter for login. Not much chance of someone randomly getting in by guessing all those.

  5. Banks hate responsibility by plopez · · Score: 4, Interesting

    In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severely restrict their liability.

    If there is a lawyer in the house can they confirm this?

    Not sure what the state of the laws are elsewhere, but knowing what a bunch of whining snivelers the banking industry is it's probably the same. The bank is always right and the depositors and the taxpayer pick up the bill.

    --
    putting the 'B' in LGBTQ+
    1. Re:Banks hate responsibility by Nolde+Huruska · · Score: 5, Informative

      In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severely restrict their liability.

      The policy was actually started by Hugh McCulloch who was U.S. Treasury Secretary, serving under three presidents starting with Abraham Lincoln. Before he was Treasury Secretary he was the first Comptroller of the Currency; in that position he declared his famous dictum "In case of a dispute, favor the bank." He became revered by bankers and after his death they commemorated him by putting him on the Series 1902 $20 National Bank Note. His policy has remained pretty much in force ever since.
    2. Re:Banks hate responsibility by DogDude · · Score: 3, Funny

      That's part of the reason why anybody with half a brain uses a credit union.

      --
      I don't respond to AC's.
  6. Same here in Poland by hubert.lepicki · · Score: 3, Insightful

    I just saw the same news about our Polish banks on the news. And to be honest, I can't see any way security can be achieved when compromised operating systems are used on clients' accounts. Even USB tokens are not enough when someone other than you controls your PC.

  7. ummm ... it's not the consumers property by Kristoph · · Score: 5, Interesting

    Should end users be ultimately responsible for the state of their systems?

    The Microsoft Windows OS is not the property of the consumer using it. It is the property of Microsoft used under a license from Microsoft. If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

    ]{

  8. My two cents by Antony-Kyre · · Score: 3, Interesting

    1. How do they know whether or not one's computer had an AV, anti-spyware, and firewall software installed at the time it was supposedly compromised? (Privacy issue.)

    2. Bank customers do have some responsibility in security. Analogy: A homeowner has no locks, leaves door unlocked all day long, then tries getting his or her insurance company to pay out when he or she is ripped off.

    3. AV, anti-spyware, and firewall. All three must be done? I think most people are familiar with the AV and firewalls, but how many know about anti-spyware software? (I believe Lavasoft's AdAware is one program.) What they should do is say that the person must make a reasonable attempt at securing their computer. (This could include having a separate computer used solely for banking, and nothing else.)

    4. A thought just crossed my mind. Will they deny a claim if someone just happens to have an unsecured computer, even if the computer never was used for banking?

  9. Bullcrap. Don't need that stuff. by mboverload · · Score: 5, Insightful

    I'm pretty freaking tired of all this "advice" that you need this protection for Windows machines.

    Why should I have a firewall? I have a NAT router (hardware firewall).
    Why should I have antispyware? I know what I'm downloading.
    Why should I have antivirus?
    - I don't download cracks. When I DO need to use a crack I upload it to virustotal and then run it in a virtual machine.
    - I run IE7 and Firefox. Although neither are perfectly secure I don't make it a habit to go to Russian warez sites.

    Dear god, SOMEONE explain to me why any reasonable user should need this resource-hogging crap?

  10. This is bull. by Jane+Q.+Public · · Score: 2, Insightful

    Someone who obtains a bank account number via spyware is ethically (and should be legally) no different than someone who obtains a credit card number by picking someone's pocket.

    People can be so negligent that they are practically asking for their wallet to be stolen... in which case they should share some of the responsibility for the theft. But the criminal is still guilty of a crime.

    Banks can also be negligent, by not keeping tabs on account activity, or not taking several other measures that can reduce theft and fraud. If they do not do those things, then they should share some responsibility, too.

    I see nothing new here, unless the banks are trying to weasel out of their share.

    1. Re:This is bull. by Anne+Thwacks · · Score: 4, Insightful
      Someone who obtains a bank account number via spyware is ethically (and should be legally) no different than someone who obtains a credit card number by picking someone's pocket.

      next you will be suggesting that the US government should arrest the people doing the phishing, or the companies selling stuff through spam.

      This will never happen - they are far too busy fighting the war on drugs and the war on terror to actually solve real life problems.

      Spam could be stopped overnight if the US owned credit card companies (ie all credit card companies) were threatened with the same sanctions for processing payments for spam-promoted products that they were threatened with for internet gambling.

      The "follow the money" approach has been proven to work, and lack of applying it is wholly due to lack of interest by the UK and US governments.

      --
      Sent from my ASR33 using ASCII
  11. But... by blind+biker · · Score: 3, Informative

    even if a user's computer has a keylogger installed, the bad guys would only be able to steal the access code, not the password of the user - because the passwords are from a list and are unique for each session. At least that's how they do it in all banks in Finland. Once the user is logged on, to start a new (parallel) session, a new password would be required, even if the bad guys would manage to steal the one-time password just when the user is logged on.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  12. Think about it for a second ... by daveime · · Score: 2

    No "sensible" person leaves their cheque book open, with 25 presigned cheques ... because the bank could hardly be held responsible if someone stole that chequebook and emptied your account.

    No "sensible" person leaves their car wide open, with the engine running ... because no insurer would ever pay out for the theft of that car.

    So why is it okay to leave your PC "wide open" and the banks have to pick up the tab ?

    Your security is your own personal responsibility ... this culture of "what the hell, someone else can be the scapegoat" make us all too lax ...

    I like this proposal ... maybe if you knew that YOU were going to have to pick up the tab for your losses, you'd take a bit more care about what you do online.

    Okay, so the banks are two faced for talking about secure browsing, and then only accepting Internet Explorer ... but MSIE, Firefox, any other solution is really academic ... ANY solution is only as secure as the PC you are running on, and a keylogger logs keystrokes from ANY application ... so be 110% sure you DON'T have a keylogger before using online services ... and don't expect someone else to pick up the tab when you screw up. Because let's face it, it ISN'T the bank picking up the tab anyway, it's the rest of us.

  13. Re:Bullcrap. Don't need that stuff. by jonbryce · · Score: 5, Insightful

    Someone finds a security hole in IE7 or Firefox. At the same time, they find a security hole in IIS or Apache. Using both these holes, they attack some well known and trusted site, maybe a newspaper, and use it to do drive-by attacks on visitors.

    Yes, this does happen.

  14. Humourous call by sjwest · · Score: 5, Funny

    client rings up the bank: 'I have been stolen from',
    bank rep asks: what's your operating system?
    client says: Mac OS X
    rep says: I'm sorry sir, that means you're liable for the losses
    client asks: why?
    rep says: you don't run Norton Antivirus; only Norton Antivirus protected computers are safe. Thank you for banking with us, can I help you with anything else?

    1. Re:Humourous call by Anne+Thwacks · · Score: 2, Interesting
      Mod parent +5, accurate. This is not funny, this is a typical UK bank.

      Yes I did try to use Barclays on-line banking using Firefox on OpenBSD on Sparc64 hardware, and no, it doesn't work.

      In fact Opera on FreeBSD doesn't either, and Opera on WinXP is barely usable.

      In short, Barclays have clearly never tested with anything other than IE on XP.

      But they have issued me with a PINSentry device which looks like a fisher-price toy, but is allegedly secure.

      --
      Sent from my ASR33 using ASCII
  15. Soitenly! Nyuk Nyuk Nyuk by EdIII · · Score: 4, Insightful

    I wholeheartedly agree. It's only logical. Banks are responsible for the security within their own networks and their web servers which are on the edges. That is Just Fine.

    I (The Bank Customer) am 100% responsible for the security of my own systems that I use to access the banking website. How could I POSSIBLY expect the bank to be liable for rootkits, malware, spyware, etc. I can't. That's just not reasonable.

    The only thing I can think of that might go either way would be DNS type hacks since that would depend on how it was done and just exactly what point in the communication it was affecting.

    Now with that being said.........

    It would be the BANKS'S RESPONSIBILITY to TELL the consumer THE BAD NEWS. I can't wait. That's a "shitstorm" waiting to happen.

    So basically, the vast majority of PCs are hopelessly insecure. We could talk forever about Microsoft this and Microsoft that, and "what about Safari?", blah blah blah blah. The situation is still the same. The Bank Customer's computer is just not secure enough in most cases and it could only be a matter of time before you are the "lucky" one and get nailed. Kind of like a lottery, except you get bent over.

    In the end the only thing that will happen is that people will stop using online banking. I know plenty of people now that outright refuse to use it for the perceived security risks NOW. If the banks outright say that they will not be responsible for the security on your computer, that will only make the situation worse (for them).

    I'm pretty good at securing my systems, but even I know it would only take one determined person to get me. If the bank will not at least insure my losses, I can't take the risk of online banking. That simple.

    If this really does go down, that will be a pretty big statement about PC security in general. Regardless of who is responsible, if a bank says it will no longer trust the end user's security that is a bad omen for the rest of e-commerce. What about the credit card companies? How will they react to the bank's position?

  16. How do you define secure? by LordOfYourPants · · Score: 2, Insightful

    This may sound facetious, but is any system really secure from keylogging?

    I dual boot Ubuntu and Windows. If I type:

    sudo apt-get install lokkit (as an example, not an accusation) how do I know I'm not getting a free keysniffer as an added bonus?

    I run windows with a firewall, have a firewalled router with minimal ports forwarded, use ad-aware/the windows spyware program/spybot search and destroy as well as AVG. How do I know that none of these pieces of software are, in themselves, spyware/keylogging software? How do I know that my browser hasn't been attacked by some 0-day hack embedded in an ad banner despite rigorous/consistent upgrading of both of my OSes?

    Are people really diligent to that point that every time they're about to do their banking, they close all active programs, update and run their suites of virus scanners and anti-spyware software, and *then* do their banking once the all-clear is given by all programs?

    Honestly, I just see it as a game of probabilities. *Most likely* I don't have a key logger installed on my system, and *most likely* my banking experience is going to be a sane one, but if the shit ever hits the fan, I'm willing to bet that there are people hired to specifically poke holes in my system and say "Linux is an unapproved OS. We can't cover your banking losses."

    I look forward to a better solution.

    1. Re:How do you define secure? by WindBourne · · Score: 2, Insightful

      sudo apt-get install lokkit (as an example, not an accusation) how do I know I'm not getting a free keysniffer as an added bonus?

      Unless you personally check the code yourself, AND know what to look for, then no, you do not really know (even then, you may make a mistake). But based on past history, I would trust k?ubuntu over MS.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  17. This is crap by Mwongozi · · Score: 4, Informative

    My old bank closed my online banking account without warning, and without bothering to tell me they had. I called them and they said it was because "I had a virus". This, despite the fact that I run a secure operating system (with no known viruses) and have an up-to-date virus scanner. Couldn't they just suspend my account until I "fixed" the problem? No, I had to open a whole new one.

    I did. At another bank.

  18. Why should on-line banking be any different... by Copley · · Score: 4, Insightful

    ... from physical cheque books and credit cards. If I leave my wallet in a place where cards, etc. might be stolen, I'm responsible for any losses that occur - shouldn't the same be true if I leave my electronic 'wallet' open? I really think that, within limits, people need to be held responsible for their actions/inactions - too much 'I never realised/knew/expected/thought that might happen' in the world. The banks should have similar guidelines to those used for stolen physical banking paraphernalia - if you suspect your PC might have been compromised, report it to the bank within a given time frame and they thereafter accept responsibility for subsequent losses.

    --
    I am bald
  19. Comment removed by account_deleted · · Score: 3, Funny

    Comment removed based on user account deletion

  20. Don't overlook the obvious by Whuffo · · Score: 3, Insightful
    Banks are responsible for the safety / security of the assets entrusted to their care. They protect those assets by erecting barriers and using authentication to ensure that only the person who the asset belongs to can access it.

    So just exactly who decided to put customer information / account access on the internet where security problems are widespread and well known? Those so-called professionals at the banks must have known that this would lead to problems - and did it anyway.

    Pointing at insecure computers, spyware, malware, etc as being the problem is ingenious. This is simply an attempt by the bank to move some of its expenses onto its customers.

    Remember - none of these internet security / fraud problems would exist if the bank hadn't put the customer accounts online. They knew this was likely to happen and now this bad idea is starting to affect their bottom line. Rather than take responsibility for their mistake, they're abusing the legal system to move the losses onto their customers.

    Gotta love those banking corporations...

  21. Be cynical by gwern · · Score: 2, Insightful

    Funnily enough, this reminds me of something I once read, by Schneier:

    "In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

    'When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks' agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn't care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses--most of the fraud actually was not the cardholder's fault--while in the UK, the banks did nothing.'

    The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn't until the UK courts reversed themselves and aligned interest with capability that ATM security improved."

    from http://www.schneier.com/blog/archives/2006/06/aligning_intere.html

  22. Same thing in New Zealand, but... by meowsqueak · · Score: 3, Informative

    it proved so unpopular that banks were effectively forced to reduce their hard-line stance:

    http://www.consumer.org.nz/newsitem.asp?docid=5114&category=News&topic=Internet%20banking%20rule%20back-track

    1. Re:Same thing in New Zealand, but... by pigwin32 · · Score: 3, Interesting

      I think it was more the stance that was at issue and not that the code of practice was actually being enforced. Kiwi banks are far more concerned that an incidence of fraud might damage their reputation and put customers off using what is a cheap and effective channel. Consequently they will tend to pay out any losses in order to keep below the media radar. Banks could quickly solve this problem by introducing secure challenge response tokens but the cost would be enormous and many users would struggle with the technology increasing the cost of support.

  23. Fsck the Bankers by Detritus · · Score: 2, Insightful
    Aren't these the same bastards who had a police constable arrested and convicted of attempting to obtain money by deception after he inquired about unauthorized withdrawals from his account?

    http://catless.ncl.ac.uk/risks/18.25.html#subj5

    Why fix your own systems when you can blame the customer?

    --
    Mea navis aericumbens anguillis abundat
  24. only if it's your fault by Chris+Snook · · Score: 3, Insightful

    "If you act without reasonable care, and this causes losses, you may be responsible for them."

    In other words, if your authentication info gets stolen by a virus that's in the wild, and would have been blocked by up-to-date antivirus software, you're responsible for what happens as a result.

    This does not appear to be intended to make the customer's software a scapegoat, just to hold people responsible for failure to take reasonable steps to protect their accounts. It is still very much in the bank's interest to improve account security measures, as most losses will not be clearly attributable to a cause that would allow this provision to be invoked.

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
  25. Liability for the Liable by Doc+Ruby · · Score: 2, Insightful

    Of course the bank shouldn't be responsible for losses incurred that are because the customer's own access device had a problem the customer should have known to fix. If the customer's device was vulnerable, but not actually compromised, of course the bank is liable if the bank's system caused the loss. Even if the customer's device was vulnerable and compromised, if that compromise didn't cause or contribute to the loss, of course the customer is not liable, if the loss was entirely the bank's fault.

    If the loss was incurred by a bad guy exploiting an open vulnerability in the customer's access device, then the liability should be exactly the same as if the bad guy had entered the customer's home and stolen the key to their vault at the bank. If the door was locked, the customer is not liable at all, and the burglar is fully liable.

    If the "door" was not locked, then the local laws, wherever the burglar did whatever they did to subvert the customer's device, will determine whether the burglar has any less liability for picking an easy target. The laws local to the customer's "unlocked door" will determine whether the customer has any more liability.

    This is all a matter of obvious principles of liability for one's actions, and long-settled law governing that liability. Of course the bank is liable for losses it caused, even if just through negligently failing to protect its own systems. Now, of course the bank is going to try to weasel out of that liability, if it can: banks don't care about principles or laws, just the money they can make or lose. But if I leave my credit card at a restaurant, and then some burglar breaks into my safe deposit box while the bank security guard sleeps, of course the bank is liable, and not me, and not the waitress who was trying to charge a new TV to my account at the time - even if she's responsible for the TV charge, completely independently.

    --
    make install -not war

  26. Re:Oh no you didn't! by jschimpf · · Score: 5, Insightful

    So give every customer a Live CD of a really locked down Linux and a special purpose browser pointed to the bank.

  27. Banks and Online Banking by David_Hart · · Score: 2, Insightful

    Say what you will about Paypal and eBay, but Paypal has the option (at least in the US) to pay $5 for a Security Key. This provides two-factor authentication, something that you have (the security key) and something that you know, your password. Something that has been around for over 20 years. Most current trojans are out to grab your ID and password and store them for later use. You can't do that with a constantly changing security key number.

    Banks, like any other business, just do not really care about security. What they do care about is liability. It's the same as insurance companies. Which costs less, added security or the losses involved in security that is "just good enough"? What we are now seeing is that this balance is changing as a result of an increase in computer trojans that are out to steal money.

    Until the banks provide the consumer with better security options, in my opinion, the liability falls on their doorstep.

    David
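    To show why a stored ID/password pair is useless against a changing code, here is an added example (not the PayPal token's actual algorithm, and not code from the post): an HOTP counter-based code per RFC 4226, with a constructed server that refuses any counter it has already accepted, so a captured (password, code) pair replayed later fails. The secret is the RFC 4226 test secret; the user, password and token are constructed.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Token:
    # Constructed hardware token: each button press emits the next counter's code.
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class BankServer:
    # Constructed server record: per-user secret, password and last accepted counter.
    def __init__(self, secret: bytes, password: str, window: int = 5):
        self.secret, self.password = secret, password
        self.last_counter, self.window = -1, window   # window = allowed counter drift

    def login(self, password: str, code: str) -> bool:
        if password != self.password:
            return False
        # Only counters beyond the last accepted one are tried, so a replayed code
        # (counter already consumed) can never match again.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

def replay_demo():
    # Scenario: a trojan captures one (password, code) pair and replays it later.
    secret = b"12345678901234567890"            # RFC 4226 test secret
    token, server = Token(secret), BankServer(secret, "hunter2")
    captured = ("hunter2", token.press())
    first = server.login(*captured)              # genuine login succeeds
    replay = server.login(*captured)             # stored pair replayed: rejected
    fresh = server.login("hunter2", token.press())  # next press works
    return first, replay, fresh                  # (True, False, True)
```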

  28. Re:Oh no you didn't! by Gareth+Williams · · Score: 2, Informative

    And if an exploitable bug should be found in the browser, what then? Send out new CDs to all your customers and hope nobody continues to use the old one?

    Building your system around read only media has always been a bad idea. You can't patch it when something goes wrong - and something always goes wrong.

    --Gareth
  29. Re:Scare tactics - technical correction by ancientt · · Score: 4, Informative

    Not to say the other method isn't better, but it isn't quite that bad. I used to work in the debit processor industry, essentially our computers were the ones that the PIN was sent along to.

    It actually works like this: PIN entry -> Unique encryption in keypad (light sensitive PRAM typically) -> Debit machine processing -> VPN or dial-up direct to processor -> decryption based on id of machine and uniquely assigned encryption keys -> somehow (varying) communicated to bank -> back up the line with approval/denial.

    It is supposed to be using hardware that never stores the encryption keys (triple DES mandated) anywhere that is accessible from the machinery that processes the transaction and they're tamper resistant (not quite proof, but difficult) with the encryption key knowledge being split between (at least) two people. The keys are unknown to the people who handle them until the time of entry and only stored in the end machine and in the processing machine (identified by serial number or machine ID.)

    It is possible for the systems to be compromised in several ways, but paranoid safeguards are in place to make it difficult. Getting card numbers is no terrific feat, as evidenced by all the news stories about exactly that, but mechanically getting PINs usable for debit transactions is tremendously more difficult. That isn't to say it can't be done, but it does raise the barrier much higher than just sending your PIN along.

    On the other side though, the decision on whether to approve or deny a transaction is typically just a matter of an unencrypted 0 or 1 along with the mirror of the transaction. If a transaction is denied, but the machine gets a 1 where it should have received a 0, then the merchant has no immediate indication that the cash or goods weren't paid for. Machines using debug or emulation modes occasionally get into service and approve everyone without even validating the transaction, but as you can imagine that gets pretty prompt attention.

    --
    B) Eliminate all the stupid users. This is frowned upon by society.
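    A toy model of the PIN path ancientt describes, added here as an example rather than code from the post or any real processor: the terminal key is assembled from two components held by different custodians (split knowledge), the PIN block is encrypted in the keypad and looked up by terminal ID at the processor, and the approve/deny reply carries a MAC over the decision and the echoed transaction so a flipped 0/1 on the wire is detected. HMAC-SHA256 stands in for the triple DES the post mentions; all keys, the terminal ID, PAN and PIN are constructed.

```python
import hashlib, hmac, secrets

def combine_components(a: bytes, b: bytes) -> bytes:
    # Split knowledge: two custodians each hold one component; only the XOR is the key.
    return bytes(x ^ y for x, y in zip(a, b))

def pin_block(pin: str, pan: str) -> bytes:
    # ISO 9564 format 0 layout: control 0, PIN length, PIN, F padding, XOR PAN digits.
    pin_field = f"0{len(pin)}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[-13:-1]          # 12 rightmost digits before the check digit
    return bytes.fromhex(f"{int(pin_field, 16) ^ int(pan_field, 16):016x}")

def mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()[:8]
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-derived keystream stands in for the triple DES the post mentions.
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, data: bytes) -> bytes:          # encrypt-then-MAC, keypad side
    nonce = secrets.token_bytes(8)
    ct = keystream_xor(key, nonce, data)
    return nonce + ct + mac(key, b"mac", nonce + ct)
def unseal(key: bytes, msg: bytes):
    nonce, ct, tag = msg[:8], msg[8:-8], msg[-8:]
    if not hmac.compare_digest(tag, mac(key, b"mac", nonce + ct)):
        return None                               # tampered, or wrong terminal key
    return keystream_xor(key, nonce, ct)

# Constructed data: one enrolled terminal (key table by terminal ID) and one PIN record.
TERMINAL_ID = b"TRM-0001"
TERMINAL_KEY = combine_components(bytes(range(16)), bytes(range(16, 32)))
PROCESSOR_KEYS = {TERMINAL_ID: TERMINAL_KEY}
ISSUER_PINS = {"4000123456789010": "1234"}

def processor_handle(terminal_id: bytes, pan: str, txn: bytes, sealed: bytes) -> bytes:
    # Key is looked up by terminal ID; the reply is MAC'd, not the bare 0/1 the post describes.
    key = PROCESSOR_KEYS.get(terminal_id)
    block = unseal(key, sealed) if key else None
    ok = block is not None and hmac.compare_digest(block, pin_block(ISSUER_PINS.get(pan, ""), pan))
    body = txn + (b"1" if ok else b"0")
    return body + mac(key or b"", b"rep", body)

def terminal_verify_reply(txn: bytes, reply: bytes):
    # True/False is an authenticated decision; None means the reply cannot be trusted.
    body, tag = reply[:-8], reply[-8:]
    if body[:-1] != txn or not hmac.compare_digest(tag, mac(TERMINAL_KEY, b"rep", body)):
        return None
    return body[-1:] == b"1"
```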
  30. Re:Oh no you didn't! by tubapro12 · · Score: 3, Insightful

    Isn't this the bank simply saying "we're too lame and lazy to write a secure website and teach our users how to safely surf the Internet"?

  31. Re:Oh no you didn't! by funfail · · Score: 3, Insightful

    If you configure the browser to connect to the bank's site but nowhere else, who can exploit the vulnerability in the browser?

    But it is still a bad idea. While I am working, I want to do some banking stuff several times a day. If I needed to restart my notebook every time, it would suck. I might start using a VMware instance, but not every bank customer is able to.

  32. Lets ask this question then?... by jskline · · Score: 2, Insightful

    If Barclays sets up this stuff and adheres to it, and I as a possible customer have an account there by which I physically pay my bills by cheque, but never by using any of the online services, and in fact never even initialize any of the access online, and someone accesses my account and rips me for all my funds, am I still responsible?

    I think that deserves a look, don't you? Language, after all, is still legal, and how you phrase your "terms of service" is how you either are forced to replenish the customer's funds, or get off scot-free and not face any repercussions.

    Just a thought...

    --
    All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.