UK Banking Law Blames Customers For Insecure OS

twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?

Banks hate responsibility

[plopez]

In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severly restrict their liability.

If there is a lawyer in the house can they confirm this?

Not sure what the state of the laws are elsewhere, but knowing what a bunch of whining snivelers the banking industry is it's probably the same. The bank is always right and the depositors and the taxpayer pick up the bill.

ummm ... it's not the consumers property

[Kristoph]

Should end users be ultimately responsible for the state of their systems?

The Microsoft Windows OS is not the property of the consumer using it. It is the property of Microsoft used under a license from Microsoft. If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

]{

My two cents

[Antony-Kyre]

1. How do they know whether or not one's computer had an AV, anti-spyware, and firewall software installed at the time it was supposedly compromised? (Privacy issue.)

2. Bank customers do have some responsibility in security. Analogy: A homeowner has no locks, leaves door unlocked all day long, then tries getting his or her insurance company to pay out when he or she is ripped off.

3. AV, anti-spyware, and firewall. All three must be done? I think most people are familiar with the AV and firewalls, but how many know about anti-spyware software? (I believe Lavasoft's AdAware is one program.) What they should do is say that the person must make a reasonable attempt at securing their computer. (This could include having a separate computer used solely for banking, and nothing else.)

4. A thought just crossed my mind. Will they deny a claim if someone just happens to have an unsecured computer, even if the computer never was used for banking?

Re:Scare tactics

[Kristoph]

The issue at hand is not the bank's security. It is the security of the consumers account.

In any case, do you really want the bank to be responsible for the security of your system? Because, honestly, I REALLY DO NOT want the banks 'staff of professionals' ensuring my security by requiring I install some type of custom 'security' software.

]{

A finance company gave me antivirus software.

[Anonymous Coward]

One of the financial companies that I have an account with (Scottrade) gives all their customers a free license to McAfee antivirus.

I know that several ISPs do the same thing for their customers.

This seems to be a *far better* preemptive solution to the problem - trying to make sure the customer never gets infected in the first place.

Re:Scare tactics

[MyForest]

How ironic. I just switched from Barclays because they implemented this scheme. Note that Barclays give you everything you need for free.

You need a user id, password, your card and the PINSentry device to access the site. That's sort of OK when you're at home. It's not great when you leave your card in the reader and don't realize until the next day when you're in the shop. It's not great when you travel and you have a few different accounts setup. Although Mr G [mrg9999.com] overcame that he wouldn't have his card to make payments with!

It's spectacularly bad when you have a Python script screen-scraping their site twice a day and you're running the transactions through your local "suspicious transactions" algorithm. I record the bulk of my future transactions, so it's easy for me to spot erroneous ones - heck, I even have a secure RSS feed for the transactions from my five accounts. There's no way to give my bank this payment information (yet) so their heuristics are running without the data that would really help them. I had a heart-to-heart with my Premier Account Manager at Barclays about this and his hands were tied - they just aren't advanced at all. If they want to keep the data in their closed world then they need to give me the tools in that world to manage my money (and yes, OpenPlan [barclays.co.uk] is a step in that direction - great if you only use Barclays I guess).

Re:Scare tactics

[plover]

Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount.

Of course, that's been tempered with the anti-money-laundering laws requiring identification for cash transactions exceeding $10 000. But still, if you owe $10, then the debtor must accept a $10 bill as payment in full.

Re:Scare tactics

[The_Wilschon]

There is a subtlety here that you may have missed. Cash is legal tender for all debts. So, if you have already incurred a debt, then your creditor must accept cash as payment. However, most transactions do not involve you incurring a debt. For instance, when you pay to get on the bus, you have not yet incurred a debt, whereas if you eat a meal in a restaurant, then by the time you get the check, you do owe a debt. So, the bus driver may refuse cash; the restaurateur may not.

Interestingly, according to wikipedia [wikipedia.org], the "legal tender" phrase was added because the government couldn't pay its debts with gold or silver, and nobody wanted paper money instead. The phrase was added to compel them to accept the paper money.

Re:Scare tactics

[TheRaven64]

And what happens if your bank is Egg (now owned by Citi Group) and tell you every time you log in that you should try the Egg Money Manager, which is only available as an ActiveX control? It's frustrating to keep telling users 'disable ActiveX' and have banks tell them to enable it (and use IE), and if they do then I think they ought to accept at least partial responsibility for the user's poor security.

Re:Scare tactics

[Giant Electronic Bra]

And the bank's response to that is, you 'gave away' your information to someone. Why if the information, which they've told you is confidential, is revealed BY YOUR FAULTY EQUIPMENT, should they be on the hook to bail you out?

It is just the same as if you magic markered your PIN onto the back of your ATM card and someone stole it and drained your account. I GUARANTEE you the bank will wash its hands of your loss. And rightly so.

There is another factor involved. If the bank has to eat the losses, then the bank will pass them on to ALL the customers. So now you're not charging 'the bank' for the loss, your charging ALL THE PEOPLE THAT DIDN'T let themselves get ripped off!

So the question becomes "Why the hell should I pay for YOUR negligence/incompetence?' Let the idiot that let someone steal his private data off his machine pay for his own mistakes!

Of course, it makes sense for both parties to deploy a technology that is as secure as possible. The bank which doesn't should be loosing business (no matter who pays for the fraud). Still, I see NO reason why the financial institution should be liable unless the loss occured because of their act of negligence. Which exactly dovetails with liability law pretty much the world over.

Re:Humourous call

[Anne Thwacks]

Mod parent +5, accurate. This is not funny, this is a typical UK bank.

Yes I did try to use Barclays on-line banking using Firefox on OpenBSD on Sparc64 hardware, and No it doesnt work.

In fact Opera on FreeBSD doesnt either, and Opera on WinXP is barely useable.

In short, Barclays have clearly never tested with anything other than IE on XP.

But they have issued me with a PINSentry device which looks like a fisher-price toy, but is allegedly secure.

Re:Same thing in New Zealand, but...

[pigwin32]

I think it was more the stance that was at issue and not that the code of practice was actually being enforced. Kiwi banks are far more concerned that an incidence of fraud might damage their reputation and put customers off using what is a cheap and effective channel. Consequently they will tend to pay out any losses in order to keep below the media radar. Banks could quickly solve this problem by introducing secure challenge response tokens but the cost would be enormous and many users would struggle with the technology increasing the cost of support.

Re:Scare tactics

[jc42]

Moreover, given the advantage Gate's OS has maintained for decades and its nearly endemic nature of viral infection...pretty much anybody logging onto a bank's servers has a virus on it and all a bank need do is task the police to recover a computer, find a virus and claim the bank is not at fault.

Well, now; it seems this situation is ripe for a nice setup. Get an account at a bank such as the Egg mentioned in other messages here, which strongly encourages use of IE and includes Active-X code in its pages. Arrange for your account data to be stolen by malware from a site that uses Active X as an infection vector. When the bank's investigators find the malware on your machine and disclaims responsibility, file suit against the bank, claiming fraud and entrapment (or whatever those are called in UK law). Show in court that they strongly encourage use of IE and Active X, which are well known to be major security risks.

I'd think some UK solicitors with a bit of tech knowledge might have a bit of fun taking on such a case.

Of course, you'd want to do this with a new account, and don't put a whole lot of your money into it.

It's only a matter of time before such a case happens. It might be best if it happens to people with the technical knowledge to show in court what's really going on. Maybe you can force the banks to not require customer use of the least secure software available.

Re:Scare tactics

[Kristoph]

The device you speak of (which I happen to actually use for one of my bank accounts) includes an additional step which is the challenge code.

You slot in your smart card, enter your pin into the device, followed by the challenge code, and it returns the response code which you must transcribe into the site. It is something that works on the internet but it probably would not work well for commercial transactions because most users would consider it too cumbersome.

In any case there is a pretty straightforward way to bypass this security. You spoof the bank site and, in real time, interact with the real site sending the user the real challenge code so they provide the real response code and then, once your in, you transfer the funds from the users account to some other account (which you presumable set up under an assumed name). If you are a reasonable competent crook this actual transfer process is automated and once you've completed the transfer you change the users pin code so they cannot see the transaction for the X days it takes them to order a new pin code from the bank.

]{

Re:Scare tactics

[ozmanjusri]

What's even better is that this method is completely OS and browser independent.

My bank has an authentication method which is OS and browser independent too.

When I, or anyone else, attempts a transfer which exceeds my set limit, the bank sends me a text message (SMS) with a one-time PIN. I then have three minutes to input the PIN to approve the transfer.

If the PIN isn't correct, or if it's not typed in within the time limit, I get another SMS telling me of the attempt.