UK Banking Law Blames Customers For Insecure OS

twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?
  • Scare tactics (Score:5, Informative)

    by plover ( 150551 ) * on Sunday April 06, 2008 @02:13PM (#22981212) Homepage Journal
    Let's see, just exactly WHO should be responsible for the banks' security? Some random customer who is using them, or a staff of professionals whose entire industry is founded on the protection of money belonging to random customers? Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

    But I think there's an ulterior motive here. As a part of Chip-and-PIN, the UK is testing a brilliant two-factor authentication system this year for cards that will cryptographically render browser, PC, and merchant security moot. It's possible this is being used as a "warning shot" to frighten consumers into picking up the tab for the high cost (approximately $70) of the handheld security module.

    They have the technology to keep it safe now. I think they're just too cheap to fund it themselves. (And I really wish we'd start seeing that kind of security technology available here in America. I'd switch banks and pay the $70 myself in a heartbeat.)

  • Re:Scare tactics (Score:3, Informative)

    by aedan ( 196243 ) on Sunday April 06, 2008 @02:29PM (#22981314) Homepage
    Do you mean the things which look like pocket calculators and your card slides into the top? We have a couple of them already but the bank hasn't asked us to use them yet. They didn't charge for them.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Sunday April 06, 2008 @02:29PM (#22981316)
    Comment removed based on user account deletion
  • But... (Score:4, Informative)

    by blind biker ( 1066130 ) on Sunday April 06, 2008 @02:38PM (#22981388) Journal
    even if a user's computer has a keylogger installed, the bad guys would only be able to steal the access code, not the password of the user - because the passwords are from a list and are unique for each session. At least that's how they do it in all banks in Finland. Once the user is logged on, to start a new (parallel) session, a new password would be required, even if the bad guys would manage to steal the one-time password just when the user is logged on.
  • Re:Scare tactics (Score:5, Informative)

    by plover ( 150551 ) * on Sunday April 06, 2008 @02:53PM (#22981502) Homepage Journal
    Yes, those are the devices.

    What they do is move all the encryption to a "trusted platform" -- the device itself. You enter your card and your PIN into the handheld, and it's their own crypto hardware using their own crypto algorithm to generate a one-time-use PIN for you to enter into the merchant's PIN pad or into a web site.

    This turns your card into a pure identification token, and turns your PIN into a secure authentication token. Without both tokens, the bank refuses to part with your money. You can enter this into a sleazy internet cafe's browser. It doesn't matter if that transaction's data is stolen or not, because the bank won't authorize your one-time PIN for a second transaction.

    What makes these a great solution is not just their security, but that they're backward compatible with current PIN pad technology. The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN. The bank takes care of that.

    There's an even more secure variant that ABN-AMRO has deployed for web banking transactions. You enter the amount of the transaction into the handheld along with your PIN. That way, only the amount you authorize will be transferred, and the PIN is useless for any other amount.

    (I'm basing my guess of $70 on the price of similar hardware offered by RSA with their SecurID scheme, but it's just a guess.)

  • This is crap (Score:5, Informative)

    by Mwongozi ( 176765 ) <slashthree.davidglover@org> on Sunday April 06, 2008 @02:57PM (#22981520) Homepage

    My old bank [barclays.com] closed my online banking account without warning, and without bothering to tell me they had. I called them and they said it was because "I had a virus". This, despite the fact that I run a secure operating system [apple.com] (with no known viruses) and have an up-to-date virus scanner [sophos.com]. Couldn't they just suspend my account until I "fixed" the problem? No, I had to open a whole new one.

    I did. At another bank [firstdirect.com].

  • by Nolde Huruska ( 1034512 ) on Sunday April 06, 2008 @03:08PM (#22981610) Homepage

    In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930s banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severely restrict their liability.
    The policy was actually started by Hugh McCulloch who was U.S. Treasury Secretary, serving under three presidents starting with Abraham Lincoln. Before he was Treasury Secretary he was the first Comptroller of the Currency; in that position he declared his famous dictum "In case of a dispute, favor the bank." He became revered by bankers and after his death they commemorated him by putting him on the Series 1902 $20 National Bank Note. His policy has remained pretty much in force ever since.
  • Re:Scare tactics (Score:5, Informative)

    by dissy ( 172727 ) on Sunday April 06, 2008 @03:16PM (#22981680)

    Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount.
    http://www.treas.gov/education/faq/currency/legal-tender.shtml [treas.gov]

    Q) I thought that United States currency was legal tender for all debts. Some businesses or governmental agencies say that they will only accept checks, money orders or credit cards as payment, and others will only accept currency notes in denominations of $20 or smaller. Isn't this illegal?

    A) The pertinent portion of law that applies to your question is the Coinage Act of 1965, specifically Section 31 U.S.C. 5103, entitled "Legal tender," which states: "United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues."
    This statute means that all United States money as identified above are a valid and legal offer of payment for debts when tendered to a creditor. There is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as for payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills. In addition, movie theaters, convenience stores and gas stations may refuse to accept large denomination currency (usually notes above $20) as a matter of policy.

  • Re:Scare tactics (Score:3, Informative)

    by TheRaven64 ( 641858 ) on Sunday April 06, 2008 @03:28PM (#22981776) Journal

    It is impossible, I repeat IMPOSSIBLE, for them to secure your computer from people reading your keystrokes.
    They can't prevent you from installing a malicious keylogger, but they can mitigate it. To log in to my bank's site, I put my card in a reader they provided, hit 'authenticate' and enter my PIN. It then gives me an 8 digit number which I enter. This is a hash of my PIN (something I know), some data on my card (something I have) and, I believe, some monotonic counter (not sure if it's time based, or if it just generates them in a sequence and they only let you go a few ahead to account for failures). If I want to transfer money to someone I haven't paid before (and said I want them to allow me to pay again) then I have to enter the amount and the recipient's account number into the same device and get another hash to allow the transaction to proceed. My computer could be completely compromised, and all that the attacker would be able to do is read my balance and transfer money to people I've paid before.
  • Re:Scare tactics (Score:5, Informative)

    by Nursie ( 632944 ) on Sunday April 06, 2008 @03:35PM (#22981814)
    Perfect up until this bit - "The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN."

    This has never been the case in the UK, we have never had PIN entry at the retailer until the EMV (chip 'n' pin) cards came along, and they work the same way as you suggest - the pin pad and card reader are trusted devices and the PIN never leaves them. They are encrypted, by the card, along with the amount of the transaction (which is displayed to the user, not entered by them) and various other bits of information. The retailer's network never gets your PIN, only the device and the bank's word that it was correct.
  • Re:Scare tactics (Score:5, Informative)

    by J Isaksson ( 721660 ) on Sunday April 06, 2008 @03:38PM (#22981828)
    The problem is this; in the first case the internet cafe browser, hacked, can display what you wanted to do (pay $50 bill to AT&T) and send an entirely different transaction to the bank (move all money on savings account to random account in Jersey) Since the PIN is totally independent of the transaction, the only thing that you authenticate is that it's actually you getting ripped off, not anyone else ;-) Case 2 will limit the amount that gets stolen, but except for that the same weakness applies.
  • by meowsqueak ( 599208 ) on Sunday April 06, 2008 @03:45PM (#22981878)
    it proved so unpopular that banks were effectively forced to reduce their hard-line stance:

    http://www.consumer.org.nz/newsitem.asp?docid=5114&category=News&topic=Internet%20banking%20rule%20back-track [consumer.org.nz]

  • Re:Scare tactics (Score:5, Informative)

    by Simon ( 815 ) <simon@simonzoneS ... com minus distro> on Sunday April 06, 2008 @03:58PM (#22981976) Homepage
    That is a good point which you make. The ABN AMRO have that covered too, for the most part. For most transactions this attack is possible, but there is an extra security precaution which kicks in when you try a transaction above a certain amount (1000 euros? I can't remember, I've only hit it once). When this happens you are also requested to enter the target bank account number and the sum into the device. Basically signing those details of the transaction too.

    I'm generally very impressed with the ABN's solution to this. It actually seems to solve the problem and is not just another case of security theater.

    --
    Simon
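    The substitution weakness J Isaksson describes, and the fix plover, TheRaven64 and Simon describe (keying the amount and recipient into the reader as well as the PIN), as an added Python model that is not part of the original thread. The HMAC-SHA256 construction, the card key, the counter window and the 8-digit truncation are assumptions made for illustration; the real EMV-CAP scheme is not specified here.

```python
import hashlib
import hmac

# Constructed sample secrets (not real card data): a per-card key and the customer's PIN.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
PIN = "4821"


def reader_code(card_secret: bytes, pin: str, counter: int, details: str = "") -> str:
    """Model of the handheld reader: an 8-digit code derived from the PIN, the card's key
    and a monotonic counter, optionally bound to transaction details ('amount|recipient').
    Assumed HMAC-SHA256 construction; the real EMV-CAP algorithm differs."""
    mac = hmac.new(card_secret, f"{pin}|{counter}|{details}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Bank side: recomputes the code for the next few counter values (a window that
    tolerates skipped codes) and never accepts a counter twice, so a captured code
    cannot be replayed for a second transaction."""

    def __init__(self, card_secret: bytes, pin: str, window: int = 5):
        self.card_secret, self.pin, self.window = card_secret, pin, window
        self.last_counter = 0

    def authorise(self, code: str, details: str = "") -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            expected = reader_code(self.card_secret, self.pin, c, details)
            if hmac.compare_digest(code, expected):
                self.last_counter = c  # counter consumed: the same code is now rejected
                return True
        return False


GENUINE = "50|AT&T"                        # what the customer sees and intends
SWAPPED = "ALL_SAVINGS|account-in-Jersey"  # what a compromised browser submits instead


def unsigned_code_is_transaction_independent() -> dict:
    """Login-only code: amount and recipient are never entered into the reader,
    so the bank has no way to tell which transaction the customer actually meant."""
    bank = Bank(CARD_SECRET, PIN)
    code = reader_code(CARD_SECRET, PIN, counter=1)  # the customer types this in
    return {
        "swapped_accepted": bank.authorise(code),  # True: code says nothing about details
        "replay_accepted": bank.authorise(code),   # False: counter 1 already consumed
    }


def signed_code_is_bound_to_transaction() -> dict:
    """Customer keys amount and recipient into the reader too; the MAC covers them."""
    bank = Bank(CARD_SECRET, PIN)
    code = reader_code(CARD_SECRET, PIN, counter=1, details=GENUINE)
    return {
        "swapped_accepted": bank.authorise(code, SWAPPED),  # False: details don't match
        "genuine_accepted": bank.authorise(code, GENUINE),  # True
    }
```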
  • Re:Scare tactics (Score:5, Informative)

    by Tuoqui ( 1091447 ) on Sunday April 06, 2008 @04:06PM (#22982018) Journal
    Unless they use a Paperclip [slashdot.org]
  • Re:Scare tactics (Score:3, Informative)

    by smallfries ( 601545 ) on Sunday April 06, 2008 @05:13PM (#22982434) Homepage
    Annoying though it is, my bank worked around this a while ago. Instead of entering my PIN through the keyboard they flash up a Java keyboard with randomised key layout on the screen which I have to click with the mouse. It is more annoying than tapping in the code as it takes effort to read the screen and translate my PIN onto it, but it must save quite a few of their customers from keyloggers. If it becomes popular amongst other banks then expect a similar arms race to the one underway between CAPTCHAs and spammers.
  • Re:Scare tactics (Score:3, Informative)

    by jimicus ( 737525 ) on Sunday April 06, 2008 @05:45PM (#22982672)

    It depends: Are there banks other than Egg that have ATMs in your town?
    Brief explanation of a few things about how UK banking works for our US cousins because there are significant differences:

    1. You get paid into your bank account. Virtually nobody is paid in cash. This isn't something you get to negotiate with your employer - they'll ask for your bank account details when you start working.
    2. Checks (or, in UK spelling, cheques) are rapidly dying. Many retailers no longer accept them. More or less every bank account comes with a debit card.
    3. ATMs owned and operated by banks are generally free for any UK bank customer to use. Privately owned and operated ATMs, OTOH, aren't - these are more commonly found inside shops and pubs.
    4. There are usually no charges for day to day banking (eg. receiving statements, using a bank-owned ATM, depositing money). Foreign transactions and unauthorised overdrafts attract swingeing charges.
  • by spedrosa ( 44674 ) on Sunday April 06, 2008 @06:10PM (#22982880)

    Are there any bank sites that don't work with Firefox on Linux these days? Even Natwest works now, and they are the most fussy about what browsers they allow.
    Hell yeah.

    At least in Brazil, ABN AMRO (more specifically, Real) *requires* Windows.

    To add insult to the injury, they require the installation of a "protection module". Which is a very intrusive and spyware-like dll called "G-Buster Browser Defense". Its installation under Windows Vista only works if you run the browser as *administrator* and add the banking site to the list of trusted sites.

    You can call them to deactivate the "security measures" for your account and enable it to work on other operating systems, but then I suspect they are not going to be held accountable for unauthorized accesses.
  • Re:Scare tactics (Score:3, Informative)

    by Jesus_666 ( 702802 ) on Sunday April 06, 2008 @06:50PM (#22983168)
    In Germany chip-and-PIN has been one of the two traditional homebanking concepts (the other being PIN-and-TAN [wikipedia.org]) via the HBCI standard (now called FinTS). We distinguish between four classes of card readers:
    • Class 1 readers are just a smartcard interface; you enter the PIN via the computer's keyboard. They come at about 30-40 EUR.
    • Class 2 readers are like class 1 plus a keypad. ~70-80 EUR, unless your bank sells you a branded device for less.
    • Class 3 readers are like class 2 plus a display. Upwards of 100 EUR. Fancy ones with additional biometric interfaces (not useful for homebanking) come at 250 EUR and up.
    • Class 4 readers are like class 3 plus support for their own Secure Access Module so they can sign transactions with their own credentials (to make card and reader uniquely identifiable for each transaction). These aren't used for homebanking, but the planned German healthcare smartcard will require them.
    Any of the first three classes can be used for homebanking. A few years ago my bank issued a class 1 reader with their homebanking package; when my parents had to get a new one because the old one got flaky they got the current standard-issue device, which is class 2 - however, that might also be because the company the bank gets the readers from has removed all class 1 readers from their lineup.

    Class 2 readers are arguably more secure, but class 1 devices have the advantage of being small and robust, which is useful to me because I lug the reader around in my backpack. Having the choice is nice and since HBCI is an open standard there are implementations for Linux (GnuCash) and OS X (MacGiro, BankX, GnuCash), so keyloggers are a bit less of a worry.
  • Re:Scare tactics (Score:4, Informative)

    by Lost Engineer ( 459920 ) on Sunday April 06, 2008 @07:26PM (#22983408)
    So valuable information isn't sitting on his Windows partition -- not 100% perfect as a trojan could in theory mount his Linux partition in Windows or just read the device directly if it has admin privileges, but it will foil the most common attacks against Windows.
  • Re:Oh no you didn't! (Score:2, Informative)

    by Gareth Williams ( 536468 ) on Sunday April 06, 2008 @09:48PM (#22984294)
    And if an exploitable bug should be found in the browser, what then? Send out new CDs to all your customers and hope nobody continues to use the old one?

    Building your system around read only media has always been a bad idea. You can't patch it when something goes wrong - and something always goes wrong.
  • by ancientt ( 569920 ) <ancientt@yahoo.com> on Sunday April 06, 2008 @11:10PM (#22984898) Homepage Journal

    Not to say the other method isn't better, but it isn't quite that bad. I used to work in the debit processor industry; essentially our computers were the ones that the PIN was sent along to.

    It actually works like this: PIN entry -> Unique encryption in keypad (light sensitive PRAM typically) -> Debit machine processing -> VPN or dial-up direct to processor -> decryption based on id of machine and uniquely assigned encryption keys -> somehow (varying) communicated to bank -> back up the line with approval/denial.

    It is supposed to be using hardware that never stores the encryption keys (triple DES mandated) anywhere that is accessible from the machinery that processes the transaction and they're tamper resistant (not quite proof, but difficult) with the encryption key knowledge being split between (at least) two people. The keys are unknown to the people who handle them until the time of entry and only stored in the end machine and in the processing machine (identified by serial number or machine ID.)

    It is possible for the systems to be compromised in several ways, but paranoid safeguards are in place to make it difficult. Getting card numbers is no terrific feat, as evidenced by all the news stories about exactly that, but mechanically getting PINs usable for debit transactions is tremendously more difficult. That isn't to say it can't be done, but it does raise the barrier much higher than just sending your PIN along.

    On the other side though, the decision on whether to approve or deny a transaction is typically just a matter of an unencrypted 0 or 1 along with the mirror of the transaction. If a transaction is denied, but the machine gets a 1 where it should have received a 0, then the merchant has no immediate indication that the cash or goods weren't paid for. Machines using debug or emulation modes occasionally get into service and approve everyone without even validating the transaction, but as you can imagine that gets pretty prompt attention.
