UK Banking Law Blames Customers For Insecure OS

twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?

Scare tactics

[plover]

Let's see, just exactly WHO should be responsible for the banks' security? Some random customer who is using them, or a staff of professionals whose entire industry is founded on the protection of money belonging to random customers? Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

But I think there's an ulterior motive here. As a part of Chip-and-PIN, the UK is testing a brilliant two-factor authentication system this year for cards that will cryptographically render browser, PC, and merchant security moot. It's possible this is being used as a "warning shot" to frighten consumers into picking up the tab for the high cost (approximately $70) of the handheld security module.

They have the technology to keep it safe now. I think they're just too cheap to fund it themselves. (And I really wish we'd start seeing that kind of security technology available here in America. I'd switch banks and pay the $70 myself in a heartbeat.)

Re:Scare tactics

[CRCulver]

Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

At least in Finland (and I imagine probably the other Nordic countries as well), you can use cash for a decreasing amount of payments. Nearly everyone who demands money of you wants you to pay by bank transfer, and if you don't use your free online banking and decide you want to hand cash to a teller, there's a 3 euro fee for the service. Nearly everyone who wants to pay you money will only deposit it directly into your bank account, there are no more cheques. I'm sure this will spread to other EU countries.

Re:Scare tactics

[Wapiti-eater]

"About damned time!", I say.

Banks are held accountable for THEIR systems.

Users should be accountable for THEIR systems as well.

Now, if the bank sold, loaned or leased to me a data terminal for accessing THEIR systems - sure, they'd be accountable for it. But since I'm using MY system, that I configured, operate and maintain - how on earth can the BANK be accountable for that?

For years now, geekly types have been crying about the vulnerability in the "popular products". Since that product held an effective monopoly on the market, consumers happily drank the only 'koo-aid' available.

Now that these same individuals that have been enjoying 'oblivious immunity' will have to pony up for the failures in their personally owned tools - they'll demand, and get, improvements.

It's only good for everyone.

Re:Scare tactics

[Kristoph]

The issue at hand is not the bank's security. It is the security of the consumers account.

In any case, do you really want the bank to be responsible for the security of your system? Because, honestly, I REALLY DO NOT want the banks 'staff of professionals' ensuring my security by requiring I install some type of custom 'security' software.

]{

Re:Scare tactics

[plover]

Yes, those are the devices.

What they do is move all the encryption to a "trusted platform" -- the device itself. You enter your card and your PIN into the handheld, and it's their own crypto hardware using their own crypto algorithm to generate a one-time-use PIN for you to enter into the merchant's PIN pad or into a web site.

This turns your card into a pure identification token, and turns your PIN into a secure authentication token. Without both tokens, the bank refuses to part with your money. You can enter this into a sleazy internet cafe's browser. It doesn't matter if that transaction's data is stolen or not, because the bank won't authorize your one-time PIN for a second transaction.

What makes these a great solution is not just their security, but that they're backward compatible with current PIN pad technology. The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN. The bank takes care of that.

There's an even more secure variant that ABN-AMRO has deployed for web banking transactions. You enter the amount of the transaction into the handheld along with your PIN. That way, only the amount you authorize will be transferred, and the PIN is useless for any other amount.

(I'm basing my guess of $70 on the price of similar hardware offered by RSA with their SecurID scheme, but it's just a guess.)

Re:Scare tactics

[Naughty+Bob]

"About damned time!", I say.

Banks are held accountable for THEIR systems.

If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system.

I don't use my bank's internet-based facilities, because they don't support my (more secure) choice of software- bizarre...

Re:Scare tactics

[dissy]

Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount. http://www.treas.gov/education/faq/currency/legal-tender.shtml

Q) I thought that United States currency was legal tender for all debts. Some businesses or governmental agencies say that they will only accept checks, money orders or credit cards as payment, and others will only accept currency notes in denominations of $20 or smaller. Isn't this illegal?

A) The pertinent portion of law that applies to your question is the Coinage Act of 1965, specifically Section 31 U.S.C. 5103, entitled "Legal tender," which states: "United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues."
This statute means that all United States money as identified above are a valid and legal offer of payment for debts when tendered to a creditor. There is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as for payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills. In addition, movie theaters, convenience stores and gas stations may refuse to accept large denomination currency (usually notes above $20) as a matter of policy.

Re:Scare tactics

[v1]

I'd mod you up but you're at +5 already so I'll just add my 2c to your comments. "About damned time!" Got that straight.

A coworker got his xbox-live account phished several weeks ago. Although he's having a really hard time getting his account recovered properly, he's fully accepted responsibility for what he did. I showed him an example phishing email I got and how it takes you to chase visa and you look in the url and it's some random IP in russia. He had no idea to pay attention to that, but now he does.

And he 100% accepts responsibility for his actions. And that's how it should be. But there's not enough of that going around right now, too many people wanting to blame their own lack of education on the world. If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it.

That's why we have drivers licenses. I've seen the idea jokingly suggested from time to time that you should require a permit to get on the internet. And it's things like this that make me seriously wonder if they have something there. But then it's someone taking the responsibility away from you and accepting the burden themselves. They can be held accountable for giving you a permit if you don't know what you're doing. So you see, these types don't want to accept the responsibility for making sure they are educated, and they don't want to accept the responsibility for what happens to them as a result.

Can't have it both ways.

You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence.

Re:Scare tactics

[The_Wilschon]

There is a subtlety here that you may have missed. Cash is legal tender for all debts. So, if you have already incurred a debt, then your creditor must accept cash as payment. However, most transactions do not involve you incurring a debt. For instance, when you pay to get on the bus, you have not yet incurred a debt, whereas if you eat a meal in a restaurant, then by the time you get the check, you do owe a debt. So, the bus driver may refuse cash; the restaurateur may not.

Interestingly, according to wikipedia, the "legal tender" phrase was added because the government couldn't pay its debts with gold or silver, and nobody wanted paper money instead. The phrase was added to compel them to accept the paper money.

Re:Scare tactics

[TheRaven64]

And what happens if your bank is Egg (now owned by Citi Group) and tell you every time you log in that you should try the Egg Money Manager, which is only available as an ActiveX control? It's frustrating to keep telling users 'disable ActiveX' and have banks tell them to enable it (and use IE), and if they do then I think they ought to accept at least partial responsibility for the user's poor security.

Re:Scare tactics

[Nursie]

Perfect up until this bit - "The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN."

This has never been the case in the UK, we have never had PIN entry at the retailer until the EMV (chip 'n' pin) cards came along, and they work the same way as you suggest - the pin pad and card reader are trusted devices and the PIN never leaves them. They are encrypted, by the card, along with the amount of the transaction (which is displayed to the user, not entered by them) and various other bits of information. The retailer's network never gets your PIN, only the device and the bank's word that it was correct.

Re:Scare tactics

[J+Isaksson]

The problem is this; in the first case the internet cafe browser, hacked, can display what you wanted to do (pay $50 bill to AT&T) and send an entirely different transaction to the bank (move all money on savings account to random account in Jersey) Since the PIN is totally independent of the transaction, the only thing that you authenticate is that it's actually you getting ripped off, not anyone else ;-) Case 2 will limit the amount that gets stolen, but except for that the same weakness applies.

Re:Scare tactics

[Simon]

That is a good point which you make. The ABN AMRO have that covered too, for the most part. For most transactions this attack is possible, but there is an extra security precaution which kicks in when you try a transaction above a certain amount (1000 euros? I can't remember, I've only hit it once). When this happens you are also requested to enter the target bank account number and the sum into the device. Basically signing those details of the transaction too.

I'm generally very impressed with the ABN's solution to this. It actually seems to solution the problem and is not just another case of security theater.

--
Simon

Re:Scare tactics

[Tuoqui]

Unless they use a Paperclip

Re:Scare tactics

[penguinbrat]

"If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it."

Do you understand the inner workings of a fuel injected turbo with dual over head cams - or do you have a general idea and just use it assuming safety from the manufacturer?

Do you understand the inner workings/procedures and protocols that it takes to fly a commercial airliner from LA to NY - or do you have a general idea and just use the transports assuming those that be aren't putting your life at risk for a mere buck?

Do you understand biology and the inner workings of your OWN BODY - or do you assume and rely on doctors and those in the medical profession to NOT kill you mistakenly for the treatment of a zit?

"You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence." - Typical arrogant and assinine comment from the godly geeks among us, when your inflated ego can go an entire day with out relying on ANYTHING that ANY manufacturer claims is perfectly safe and secure to use (regardless if it is or isn't - read M$ and ANY software corp) then, AND ONLY THEN would you have a valid argument to make and have something to back it up. Until then, you need to wake the fuck up and stop expecting everyone else in the world know as much about computers and the internet as you do - because you rely on company-X telling you using such-n-such is perfectly safe, just as much as grandma and little Jane down the street relies on M$ and the billions of other software manufacturers telling them everything is safe to use their products - not to mention teller X and sales boy Y doubling as a pretend security expert that just "knows" it is safe (hint, they are told to say that).

Arrogance like this is a big part of the problem - Marketing takes crap like this and runs with it, not to mention the legal department - who cares if it is complicated and way to much to comprehend for 90% of the population, the "experts" that do know what they are talking about blame everyone for not knowing what they know, so we'll do the same, they just don't mention the education and knowledge base behind it - but who cares about that?

EVERYONE SHOULD ALREADY KNOW IT! - and that is the biggest load of arrogant bull shit I've heard in a long time.

Damned if you do...

[UbuntuDupe]

So, to summarize:

bankers: "You better use a secure OS, or you'll be liable for any fraudulent transactions with your account."
customers: "Okay. What if we use Firefox on Linux?"
bankers: "That'll work."
customers: "Hey, we can't access your site using Firefox!"
bankers: [British equivalent of "hah! Sucks to be you!"]

this is scary

[suck_burners_rice]

Suppose one is running a hardened version of OpenBSD on some PA-RISC machine. Suppose then that this person's bank account is drained out and that said draining has NOTHING to do with their computer or OS. Suppose it's drained by someone who prints checks with a random bank account number on them and it just so happens to be this OpenBSD user's bank account. Again, the theft has NOTHING to do with their computer, OS, computing practices, or hair color. What will happen? Will the bank file a discovery motion to check if the person has anti-virus software on their hardened machine? What? No anti-virus software? Never mind that there is no virus to check for. This is scary as it gives the bank a way to weasel out of its own responsibilities.

Banks hate responsibility

[plopez]

In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severly restrict their liability.

If there is a lawyer in the house can they confirm this?

Not sure what the state of the laws are elsewhere, but knowing what a bunch of whining snivelers the banking industry is it's probably the same. The bank is always right and the depositors and the taxpayer pick up the bill.

Re:Banks hate responsibility

[Nolde+Huruska]

In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severly restrict their liability. The policy was actually started by Hugh McCulloch who was U.S. Treasury Secretary, serving under three presidents starting with Abraham Lincoln. Before he was Treasury Secretary he was the first Comptroller of the Currency in that position he declared his famous dictum "In case of a dispute, favor the bank." He became revered by bankers and after his death they commemorated him by putting him on the Series 1902 $20 National Bank Note. His policy has remained pretty much in force ever since.

ummm ... it's not the consumers property

[Kristoph]

Should end users be ultimately responsible for the state of their systems?

The Microsoft Windows OS is not the property of the consumer using it. It is the property of Microsoft used under a license from Microsoft. If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

]{

Bullcrap. Don't need that stuff.

[mboverload]

I'm pretty freaking tired of all this "advice" that you need this protection for Windows machines.

Why should I have a firewall? I have a NAT router (hardware firewall).
Why should I have antispyware? I know what I'm downloading.
Why should I have antivirus?
- I don't download cracks. When I DO need to use a crack I upload it to virustotal and then run it in a virtual machine.
- I run IE7 and Firefox. Although neither are perfectly secure I don't make it a habit to go to Russian warez sites.

Dear god, SOMEONE explain to me why any reasonable user should need this resource-hogging crap?

Re:Bullcrap. Don't need that stuff.

[jonbryce]

Someone finds a security hole in IE7 or Firefox. At the same time, they find a security hole in IIS or Apache. Using both these holes, they attack some well known and trusted site, maybe a newspaper, and use it to do drive-by attacks on visitors.

Yes, this does happen.

Humourous call

[sjwest]

client rings up the bank, 'i have been stolen from',
bank rep asks: whats your operating system:
client says: mac osx
rep says: im sorry sir that means your liable for the losses
client asks: why
rep says: you dont run norton antivirus, only norton antivirus protected computers are safe. Thank you for banking with us, can i help you with anything else?

Soitenly! Nyuk Nyuk Nyuk

[EdIII]

I wholeheartedly agree. It's only logical. Banks are responsible for the security within their own networks and their web servers which are on the edges. That is Just Fine.

I (The Bank Customer) am 100% responsible for the security of my own systems that I use to access the banking website. How could I POSSIBLY expect the bank to be liable for rootkits, malware, spyware, etc. I can't. That's just not reasonable.

The only thing I can think of that might go either way would be DNS type hacks since that would depend on how it was done and just exactly what point in the communication it was affecting.

Now with that being said.........

It would be the BANKS'S RESPONSIBILITY to TELL the consumer THE BAD NEWS. I can't wait. That's a "shitstorm" waiting to happen.

So basically, the vast majority of PC's are hopelessly insecure. We could talk forever about Microsoft this and Microsoft that, and "what about Safari?", blah blah blah blah. The situation is still the same. The Bank Customer's computer is just not secure enough in most cases and it could only be a matter of time before you are the "lucky" one and get nailed. Kind of like a lottery, except you get bent over.

In the end the only thing that will happen is that people will stop using online banking. I know plenty of people now that outright refuse to use it for the perceived security risks NOW. If the bank's outright say that they will not be responsible for the security on your computer, that will only make the situation worse (for them).

I'm pretty good at securing my systems, but even I know it would only take one determined person to get me. If the bank will not at least insure my losses, I can't take the risk of online banking. That simple.

If this really does go down, that will be a pretty big statement about PC security in general. Regardless of who is responsible, if a bank says it will no longer trust the end user's security that is a bad omen for the rest of e-commerce. What about the credit card companies? How will they react to the bank's position?

This is crap

[Mwongozi]

My old bank closed my online banking account without warning, and without bothering to tell me they had. I called them and they said it was because "I had a virus". This, despite the fact that I run a secure operating system (with no known viruses) and have an up-to-date virus scanner. Couldn't they just suspend my account until I "fixed" the problem? No, I had to open a whole new one.

I did. At another bank.

Why should on-line banking be any different...

[Copley]

... from physical cheque books and credit cards. If I leave my wallet in a place where cards, etc. might be stolen, I'm responsible for any loses that occur - shouldn't the same be true if I leave my electronic 'wallet' open? I really think that, within limits, people need to be held responsible for their actions/inactions - too much 'I never realised/knew/expected/thought that might happen' in the world. The banks should have similar guidelines to those used for stolen physical banking paraphernalia - if you suspect your PC might have been compromised, report it to the bank within a given time fame and they thereafter accept responsibility for subsequent losses.

Re:Oh no you didn't!

[jschimpf]

So give every customer a Live CD of a really locked down Linux and a special purpose browser pointed to the bank.

Re:This is bull.

[Anne+Thwacks]

Someone who obtains a bank account number via spyware is ethically (and should be legally) no different than someone who obtains a credit card number by picking someone's pocket.

next you will be suggesting that the US gvernment should arrest the people doing the phishing, or the companies selling stuff through spam.

This will never happen - they are far to busy figthing the war on drugs and the war on terror to actually olve real life problems.

Spam could be stopped overnight if the US owned credit card companies (ie all credit card companies) were threatened with the same sanctions for processing payments for spam-promoted products that thwere threatened for internet gambling.

The "follow the money" approach ahs been proven to work, and lack of applying it is wholely due to lack of interest by the UK and US governments.

Re:Scare tactics - technical correction

[ancientt]

Not to say the other method isn't better, but it isn't quite that bad. I used to work in the debit processor industry, essentially our computers were the ones that the PIN was sent along to.

It actually works like this: PIN entry -> Unique encryption in keypad (light sensitive PRAM typically) -> Debit machine processing -> VPN or dial-up direct to processor -> decryption based on id of machine and uniquely assigned encryption keys -> somehow (varying) communicated to bank ->back up the line with approval/denial.

It is supposed to be using hardware that never stores the encryption keys (triple DES mandated) anywhere that is accessible from the machinery that processes the transaction and they're tamper resistant (not quite proof, but difficult) with the encryption key knowledge being split between (at least) two people. The keys are unknown to the people who handle them until the time of entry and only stored in the end machine and in the processing machine (identified by serial number or machine ID.)

It is possible for the systems to be compromised in several ways, but paranoid safeguards are in place to make it difficult. Getting card numbers is no terrific feat, as evidenced by all the news stories about exactly that, but mechanically getting PINs usable for debit transactions is tremendously more difficult. That isn't to say it can't be done, but it does raise the barrier much higher than just sending your PIN along.

On the other side though, the decision on whether to approve or deny a transaction is typically just a matter of an unencrypted 0 or 1 along with the mirror of the transaction. If a transaction is denied, but the machine gets a 1 where it should have received a 0, then the merchant has no immediate indication that the cash or goods weren't paid for. Machines using debug or emulation modes occasionally get into service and approve everyone without even validating the transaction, but as you can imagine that gets pretty prompt attention.