UK Banking Law Blames Customers For Insecure OS
twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?
Holy crap. (Score:2, Insightful)
this is scary (Score:5, Insightful)
Same here in Poland (Score:3, Insightful)
Re:Scare tactics (Score:5, Insightful)
Banks are held accountable for THEIR systems.
Users should be accountable for THEIR systems as well.
Now, if the bank sold, loaned or leased to me a data terminal for accessing THEIR systems - sure, they'd be accountable for it. But since I'm using MY system, that I configured, operate and maintain - how on earth can the BANK be accountable for that?
For years now, geekly types have been crying about the vulnerability in the "popular products". Since that product held an effective monopoly on the market, consumers happily drank the only 'kool-aid' available.
Now that these same individuals that have been enjoying 'oblivious immunity' will have to pony up for the failures in their personally owned tools - they'll demand, and get, improvements.
It's only good for everyone.
Bullcrap. Don't need that stuff. (Score:5, Insightful)
Why should I have a firewall? I have a NAT router (hardware firewall).
Why should I have antispyware? I know what I'm downloading.
Why should I have antivirus?
- I don't download cracks. When I DO need to use a crack I upload it to virustotal and then run it in a virtual machine.
- I run IE7 and Firefox. Although neither are perfectly secure I don't make it a habit to go to Russian warez sites.
Dear god, SOMEONE explain to me why any reasonable user should need this resource-hogging crap?
This is bull. (Score:3, Insightful)
People can be so negligent that they are practically asking for their wallet to be stolen... in which case they should share some of the responsibility for the theft. But the criminal is still guilty of a crime.
Banks can also be negligent, by not keeping tabs on account activity, or not taking several other measures that can reduce theft and fraud. If they do not do those things, then they should share some responsibility, too.
I see nothing new here, unless the banks are trying to weasel out of their share.
Re:Scare tactics (Score:3, Insightful)
Was it on the user's PC? Then I guess it's their fault technically. If it's in the bank's system, then the bank is on the hook.
Problem is that people really don't/can't understand the systems they are using as they are far too complex, and to expect/demand them to keep them 'safe' is ludicrous. (Even "IT pros" can't always do it with the constant barrage of attacks on what are fundamentally flawed systems.)
However, the same logic goes for a car. It's far too complex for most people, but if their brakes go out or a wheel falls off and they cause a crash, it's their fault.
Measuring health (Score:1, Insightful)
Re:Damned if you do... (Score:4, Insightful)
Re:Scare tactics (Score:3, Insightful)
Banks are responsible for their own systems, and that is the full-time focus of those professionals. It is irrational, in my opinion, to expect them to take full culpability for the entire universe of client systems as well. Unless you're willing to accept a dictum that you must use BankOS running on BankHardware over the BankNet if you ever plan on accessing your money.
When you make demands on business, in the end the person who ends up paying is you, not "them". Personally I'd rather not subsidize people who can't take even rudimentary responsibility over their own risk factors, though I would like to see a greater use of two-factor authentication and the like, as you rightly heralded.
Re:this is scary (Score:3, Insightful)
Just in case anyone was taking this seriously, this scenario just ain't gonna happen.
To login to my bank account online, I need the online account's ID, my PIN, and my secret word. In addition, I also now need my physical debit card, a card reader, and to enter my PIN in the reader and get back a code to enter for login. Not much chance of someone randomly getting in by guessing all those.
Re:Bullcrap. Don't need that stuff. (Score:5, Insightful)
Yes, this does happen.
Soitenly! Nyuk Nyuk Nyuk (Score:5, Insightful)
I (The Bank Customer) am 100% responsible for the security of my own systems that I use to access the banking website. How could I POSSIBLY expect the bank to be liable for rootkits, malware, spyware, etc. I can't. That's just not reasonable.
The only thing I can think of that might go either way would be DNS type hacks since that would depend on how it was done and just exactly what point in the communication it was affecting.
Now with that being said.........
It would be the BANK'S RESPONSIBILITY to TELL the consumer THE BAD NEWS. I can't wait. That's a "shitstorm" waiting to happen.
So basically, the vast majority of PCs are hopelessly insecure. We could talk forever about Microsoft this and Microsoft that, and "what about Safari?", blah blah blah blah. The situation is still the same. The Bank Customer's computer is just not secure enough in most cases and it could only be a matter of time before you are the "lucky" one and get nailed. Kind of like a lottery, except you get bent over.
In the end the only thing that will happen is that people will stop using online banking. I know plenty of people now that outright refuse to use it for the perceived security risks NOW. If the banks outright say that they will not be responsible for the security on your computer, that will only make the situation worse (for them).
I'm pretty good at securing my systems, but even I know it would only take one determined person to get me. If the bank will not at least insure my losses, I can't take the risk of online banking. That simple.
If this really does go down, that will be a pretty big statement about PC security in general. Regardless of who is responsible, if a bank says it will no longer trust the end user's security that is a bad omen for the rest of e-commerce. What about the credit card companies? How will they react to the bank's position?
How do you define secure? (Score:3, Insightful)
I dual boot Ubuntu and Windows. If I type:
sudo apt-get install lokkit (as an example, not an accusation) how do I know I'm not getting a free keysniffer as an added bonus?
I run windows with a firewall, have a firewalled router with minimal ports forwarded, use ad-aware/the windows spyware program/spybot search and destroy as well as AVG. How do I know that none of these pieces of software are, in themselves, spyware/keylogging software? How do I know that my browser hasn't been attacked by some 0-day hack embedded in an ad banner despite rigorous/consistent upgrading of both of my OSes?
Are people really diligent to that point that every time they're about to do their banking, they close all active programs, update and run their suites of virus scanners and anti-spyware software, and *then* do their banking once the all-clear is given by all programs?
Honestly, I just see it as a game of probabilities. *Most likely* I don't have a key logger installed on my system, and *most likely* my banking experience is going to be a sane one, but if the shit ever hits the fan, I'm willing to bet that there are people hired to specifically poke holes in my system and say "Linux is an unapproved OS. We can't cover your banking losses."
I look forward to a better solution.
Why should on-line banking be any different... (Score:4, Insightful)
Re:Scare tactics (Score:5, Insightful)
I don't use my bank's internet-based facilities, because they don't support my (more secure) choice of software - bizarre...
Re:Scare tactics (Score:2, Insightful)
This very question has already been addressed by the Securities and Exchange Commission...
http://www.nytimes.com/2008/02/15/business/15norris.html?_r=1&oref=slogin
with a decision with which, I might infer from this quickly modded post, you profanely contend.
I would pose the question as to the greatest likelihood of fraud that might go undetected. A bank blaming an individual, of which there would be potentially hundreds of thousands to consider or an individual blaming a bank, fewer in number, properly regulated and inspected.
Moreover, given the advantage Gates' OS has maintained for decades and its nearly endemic nature of viral infection...pretty much anybody logging onto a bank's servers has a virus on it and all a bank need do is task the police to recover a computer, find a virus and claim the bank is not at fault.
So, the question becomes a chain of evidence and which route is of less resistance.
Re:How do you define secure? (Score:3, Insightful)
Re:Scare tactics (Score:1, Insightful)
Re:Scare tactics (Score:4, Insightful)
I agree. I disallow any client-side code to run in my browser, and that makes it difficult or impossible to use many financial websites (not because allowing it would be more secure, but because the developers of the website go out of their way to make it that way).
Responsibility needs to go hand-in-hand with the power to make a decision; if a bank requires particular combinations of software, or disallows my preferred security policies, then it's their decision, and should be their responsibility. If the bank merely recommends software, but doesn't seek to subvert my security policy, then yes, faults in my security policy are my own damn fault.
Re:Scare tactics (Score:5, Insightful)
A coworker got his Xbox Live account phished several weeks ago. Although he's having a really hard time getting his account recovered properly, he's fully accepted responsibility for what he did. I showed him an example phishing email I got and how it takes you to Chase Visa and you look in the URL and it's some random IP in Russia. He had no idea to pay attention to that, but now he does.
And he 100% accepts responsibility for his actions. And that's how it should be. But there's not enough of that going around right now, too many people wanting to blame their own lack of education on the world. If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it.
That's why we have driver's licenses. I've seen the idea jokingly suggested from time to time that you should require a permit to get on the internet. And it's things like this that make me seriously wonder if they have something there. But then it's someone taking the responsibility away from you and accepting the burden themselves. They can be held accountable for giving you a permit if you don't know what you're doing. So you see, these types don't want to accept the responsibility for making sure they are educated, and they don't want to accept the responsibility for what happens to them as a result.
Can't have it both ways.
You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence.
Re:Scare tactics (Score:3, Insightful)
Because there's no debt, a shop is not breaking any law by putting up a notice saying "we don't accept £50 notes", and neither is someone who will only accept credit cards for purchasing stuff.
I wouldn't want large amounts of cash for most purposes. I pay for transport automatically (the cost comes out of my bank by debit card), for food at college by card (loading up a pre-payment card), everywhere accepts cards, and I'd rather not carry more cash than I need. Cheques are annoying, I have to walk into the bank, though they're still quite common. There isn't the EUR3 fee for depositing cash at a bank yet.
Don't overlook the obvious (Score:4, Insightful)
So just exactly who decided to put customer information / account access on the internet where security problems are widespread and well known? Those so-called professionals at the banks must have known that this would lead to problems - and did it anyway.
Pointing at insecure computers, spyware, malware, etc as being the problem is ingenious. This is simply an attempt by the bank to move some of its expenses onto its customers.
Remember - none of these internet security / fraud problems would exist if the bank hadn't put the customer accounts online. They knew this was likely to happen and now this bad idea is starting to affect their bottom line. Rather than take responsibility for their mistake, they're abusing the legal system to move the losses onto their customers.
Gotta love those banking corporations...
Be cynical (Score:2, Insightful)
"In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:
'When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks' agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn't care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses--most of the fraud actually was not the cardholder's fault--while in the UK, the banks did nothing.'
The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn't until the UK courts reversed themselves and aligned interest with capability that ATM security improved."
from http://www.schneier.com/blog/archives/2006/06/aligning_intere.html [schneier.com]
Fsck the Bankers (Score:3, Insightful)
http://catless.ncl.ac.uk/risks/18.25.html#subj5 [ncl.ac.uk]
Why fix your own systems when you can blame the customer?
only if it's your fault (Score:4, Insightful)
In other words, if your authentication info gets stolen by a virus that's in the wild, and would have been blocked by up-to-date antivirus software, you're responsible for what happens as a result.
This does not appear to be intended to make the customer's software a scapegoat, just to hold people responsible for failure to take reasonable steps to protect their accounts. It is still very much in the bank's interest to improve account security measures, as most losses will not be clearly attributable to a cause that would allow this provision to be invoked.
Re:Scare tactics (Score:3, Insightful)
Re:Scare tactics (Score:3, Insightful)
Re:Scare tactics (Score:2, Insightful)
My debit card is a smart-card (has one of those chips on it), and the bank gave me a simple cardreader.
How it goes is:
- I go to my bank's site
- I enter my card number
- I put my card reader into the device
- I type the 8-digit number on the screen into the reader
- I type my PIN into the reader
- The reader tells me the PIN is OK (I assume that since it's a smartcard, if I type a wrong PIN 3 times in a row, it destroys itself)
- the reader returns an 8-digit number I type into the login screen
I am in
If I want to transfer money, I have to use a different procedure. I don't have to do this for every transfer, I can make a few and then do it once for all:
- I type my PIN into the card reader
- I type a number on the screen into the reader
- I type the total amount transferred
- The reader returns a number which I can use to confirm the transfer
I think this system is pretty secure. It's a minor annoyance, but after a few times it only takes a few seconds to do.
Why would giving the card reader to people be a security breach? Am I missing something?
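The login and transfer flows in the comment above (and the card-reader login described earlier in the thread), modelled as an added Python example that is not part of the original thread. It is a simplified stand-in for a real EMV CAP reader: the 8-digit code here is a truncated HMAC rather than a card cryptogram, and the card number, PIN and key are constructed values. It shows why handing the reader to customers is not itself a breach: the secret never leaves the chip, each challenge is accepted once, and a transfer code is bound to the amount typed into the reader, so malware on the PC that alters the amount sent to the bank produces a code the bank rejects.

```python
"""Simplified model of smartcard challenge-response login and transaction signing.
Illustrative only: real CAP readers derive the code from the EMV application
cryptogram, not from an HMAC as done here."""
import hashlib
import hmac
import secrets
from typing import Optional


def _response(key: bytes, challenge: str, amount: str) -> str:
    """8-digit code over the challenge and, for transfers, the amount (hypothetical scheme)."""
    mac = hmac.new(key, f"{challenge}|{amount}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


class Card:
    """The chip: holds the key, checks the PIN, locks after three wrong PINs."""
    MAX_TRIES = 3

    def __init__(self, key: bytes, pin: str) -> None:
        self._key, self._pin = key, pin
        self._tries_left, self.locked = self.MAX_TRIES, False

    def respond(self, pin: str, challenge: str, amount: str = "") -> Optional[str]:
        """What the reader shows after PIN entry, or None if the PIN is wrong/card locked."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            self.locked = self._tries_left == 0
            return None
        self._tries_left = self.MAX_TRIES
        return _response(self._key, challenge, amount)


class Bank:
    """Server side: per-card key, one-time challenges, verification of the typed-back code."""

    def __init__(self) -> None:
        self._keys = {}
        self._outstanding = set()  # (card_number, challenge) pairs not yet consumed

    def enrol(self, card_number: str, key: bytes) -> None:
        self._keys[card_number] = key

    def challenge(self, card_number: str) -> str:
        """Fresh random 8-digit challenge shown on the login or transfer page."""
        ch = f"{secrets.randbelow(10**8):08d}"
        self._outstanding.add((card_number, ch))
        return ch

    def verify(self, card_number: str, challenge: str, response: Optional[str], amount: str = "") -> bool:
        """Accept a code once; `amount` is whatever the bank was actually asked to transfer."""
        if response is None or (card_number, challenge) not in self._outstanding:
            return False  # unknown or already-used challenge: a replayed code fails
        self._outstanding.discard((card_number, challenge))
        expected = _response(self._keys[card_number], challenge, amount)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run login, replay, transfer, tampered transfer and PIN lockout; return the outcomes."""
    card_number, pin = "4000123412341234", "1234"  # constructed values
    key = secrets.token_bytes(16)                   # provisioned into the chip at issue
    card, bank = Card(key, pin), Bank()
    bank.enrol(card_number, key)

    ch = bank.challenge(card_number)                # login
    code = card.respond(pin, ch)
    login_ok = bank.verify(card_number, ch, code)
    replay_ok = bank.verify(card_number, ch, code)  # same code again: challenge consumed

    ch2 = bank.challenge(card_number)               # transfer, amount typed into reader
    transfer_ok = bank.verify(card_number, ch2, card.respond(pin, ch2, "250.00"), "250.00")

    ch3 = bank.challenge(card_number)               # malware changes the amount sent to bank
    tampered_ok = bank.verify(card_number, ch3, card.respond(pin, ch3, "250.00"), "9999.00")

    for _ in range(Card.MAX_TRIES):                 # three wrong PINs lock the card
        card.respond("0000", "00000000")
    return {"login_ok": login_ok, "replay_ok": replay_ok, "transfer_ok": transfer_ok,
            "tampered_ok": tampered_ok, "card_locked": card.locked}


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are the single-use challenge set (a code sniffed by a keylogger is worthless once the bank has consumed it) and the amount inside the MAC for transfers, which is what makes the reader useful against a compromised PC rather than just against password theft.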
Liability for the Liable (Score:3, Insightful)
If the loss was incurred by a bad guy exploiting an open vulnerability in the customer's access device, then the liability should be exactly the same as if the bad guy had entered the customer's home and stolen the key to their vault at the bank. If the door was locked, the customer is not liable at all, and the burglar is fully liable.
If the "door" was not locked, then the local laws, wherever the burglar did whatever they did to subvert the customer's device, will determine whether the burglar has any less liability for picking an easy target. The laws local to the customer's "unlocked door" will determine whether the customer has any more liability.
This is all a matter of obvious principles of liability for one's actions, and long-settled law governing that liability. Of course the bank is liable for losses it caused, even if just through negligently failing to protect its own systems. Now, of course the bank is going to try to weasel out of that liability, if it can: banks don't care about principles or laws, just the money they can make or lose. But if I leave my credit card at a restaurant, and then some burglar breaks into my safe deposit box while the bank security guard sleeps, of course the bank is liable, and not me, and not the waitress who was trying to charge a new TV to my account at the time - even if she's responsible for the TV charge, completely independently.
Re:Oh no you didn't! (Score:5, Insightful)
Re:Scare tactics (Score:4, Insightful)
What is an issue is the wording - nothing in The Register's article suggests that they've included the magic phrase "where necessary". You could be using an SELinux box tightened beyond belief with no need for anti-spyware or antivirus, but if you get ripped off through a website, their first question is going to be "What antivirus are you running?" and if the answer isn't a well known commercial product, then it's your problem and not theirs.
Re:Scare tactics (Score:3, Insightful)
Re:This is bull. (Score:5, Insightful)
next you will be suggesting that the US government should arrest the people doing the phishing, or the companies selling stuff through spam.
This will never happen - they are far too busy fighting the war on drugs and the war on terror to actually solve real life problems.
Spam could be stopped overnight if the US owned credit card companies (ie all credit card companies) were threatened with the same sanctions for processing payments for spam-promoted products that were threatened for internet gambling.
The "follow the money" approach has been proven to work, and lack of applying it is wholly due to lack of interest by the UK and US governments.
Re:Scare tactics (Score:3, Insightful)
True, but then neither can the vendors and others. Right?
When they advertise that their system is so easy anyone can do it, that it is really intuitive, then they can hardly come back and say that the problem was due to lack of proper training on the part of the users. They just got finished selling the system on the premise that no training was needed.
And in the case of banks, if they require a particular OS, browser, or other settings to work, they can hardly properly claim that the customer is fully liable.
But, even though this may be brain dead, if it scares people into looking into the situation more closely, it may do some good despite being borked.
all the best,
drew
--
http://packet-in.org/wiki/index.php?title=Main_Page [packet-in.org]
Packet In - net band, libre music, sometimes gratis
Banks and Online Banking (Score:2, Insightful)
Banks, like any other business, just do not really care about security. What they do care about is liability. It's the same as insurance companies. Which costs less, added security or the losses involved in security that is "just good enough"? What we are now seeing is that this balance is changing as a result of an increase in computer trojans that are out to steal money.
Until the banks provide the consumer with better security options, in my opinion, the liability falls on their doorstep.
David
Re:Scare tactics (Score:5, Insightful)
Do you understand the inner workings of a fuel-injected turbo with dual overhead cams - or do you have a general idea and just use it assuming safety from the manufacturer?
Do you understand the inner workings/procedures and protocols that it takes to fly a commercial airliner from LA to NY - or do you have a general idea and just use the transports assuming those that be aren't putting your life at risk for a mere buck?
Do you understand biology and the inner workings of your OWN BODY - or do you assume and rely on doctors and those in the medical profession to NOT kill you mistakenly for the treatment of a zit?
"You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence." - Typical arrogant and asinine comment from the godly geeks among us, when your inflated ego can go an entire day without relying on ANYTHING that ANY manufacturer claims is perfectly safe and secure to use (regardless if it is or isn't - read M$ and ANY software corp) then, AND ONLY THEN would you have a valid argument to make and have something to back it up. Until then, you need to wake the fuck up and stop expecting everyone else in the world to know as much about computers and the internet as you do - because you rely on company-X telling you using such-n-such is perfectly safe, just as much as grandma and little Jane down the street rely on M$ and the billions of other software manufacturers telling them everything is safe to use their products - not to mention teller X and sales boy Y doubling as a pretend security expert that just "knows" it is safe (hint, they are told to say that).
Arrogance like this is a big part of the problem - Marketing takes crap like this and runs with it, not to mention the legal department - who cares if it is complicated and way too much to comprehend for 90% of the population, the "experts" that do know what they are talking about blame everyone for not knowing what they know, so we'll do the same, they just don't mention the education and knowledge base behind it - but who cares about that?
EVERYONE SHOULD ALREADY KNOW IT! - and that is the biggest load of arrogant bullshit I've heard in a long time.
Re:Scare tactics (Score:3, Insightful)
Re:Scare tactics (Score:3, Insightful)
Yes, you should know enough about the system not to be a threat to others.
Re:Oh no you didn't! (Score:3, Insightful)
Re:Oh no you didn't! (Score:4, Insightful)
But it is still a bad idea. While I am working, I want to do some banking stuff several times a day. If I needed to restart my notebook every time, it would suck. I might start using a VMware instance but not every bank customer is able to.
Let's ask this question then?... (Score:3, Insightful)
I think that deserves a look, don't you? Language, after all, is still legal, and how you phrase your "terms of service" is how you either are forced to replenish the customer's funds, or you get off scot-free and not face any repercussions.
Just a thought...