New banking code cracks down on out-of-date software The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection. New Banking Codes for consumers and businesses took effect on Monday. The Banking Code produced by the British Bankers' Association (BBA), and followed by …
Hmmm .... so the Bank's dodgy systems transfers your money into dodgy foreign hands and then says it's the customers fault for not having a secure system?
That's novel ...... although somewhat flawed in reasoning and the expectation of Joe Bloggs and Jane Doe.
""If you act without reasonable care, and this causes losses, you may be responsible for them,""
Indeed there is a simple effective method for avoiding losses, it's the challenge response keypad, or the simpler one time number token (generates a new number each time you press a button). Losses from the major Europe banks that use them as virtually nil.
So any bank that refuses to use them is acting without reasonable care. There is a fix, it works, it's proven, the banks in the UK don't want to use them when it's free to blame the customer.
Anti-virus and anti-phishing by it's very nature can never work, the new virus has to occur BEFORE they make a definition for it.
I took a look at the terms and conditions when it came out, and all the risk for dealing with fraud was on my side not theirs. And in order to prove that it was fraud I was going to need *their* system logs etc, which obviously wasn't going to happen. **** that for a lark I thought, and said "No way: take me off the list."
I have none. I run (well patched and up to date) Linux systems. My anti-phishing software consists of the ability to read the address bar in my browser (a technique I mastered after many years of hard study). Are these reasonable measures to secure my PC or do I now need a leaky Windows machine with plenty of after-the-fact pseudo-security software to use my online banking service?
That's quite a leap from "act without reasonable care" to "responsible for losses if they have out of date anti-virus or anti-phishing protection".
I personally don't do internet banking from windows pcs - simply because I have better safer alternatives easily at hand.
"It's just my identity that's gone, none of your money?" "Well, no, they emptied your account - it's identity theft." "They took all the money - that sounds more like a bank robbery..." Mitchell and Webb.
...it's not actually the software that's the issue. It's the pink hardware with its nose pressed firmly to the screen and fat fingers on the keyboard that's the least secure part. Anti-phishing software isn't half as good as an anti-phishing frame of mind; you can have the best anti-virus software in the world but if you're a moron, it'll only have a limited effect.
But the banks can't mention idiocy in their terms and conditions (discrimination is a surprisingly easy word for the hard-of-thinking to work out how to use), so add a clause about software requirements that would probably be pretty damn impossible to enforce (who decides what's 'up to date', and how up to date does it have to be?)
I use 2 banks. One has forced one of these blasted things on me. I am slowly moving everything to the 2nd bank so I can close the 1st account.
Why? If I want to check my account but have left the stupid thing behind I am stuffed. It is too big for its purpose and needs a chip & pin card as well. It is an absolute pain.
I understand the need for decent security but this blasted system is cumbersome and imposes too many limitations.
With my 2nd bank I have to enter PLENTY of separate security identifiers to ensure security. I can carry all of these in my head/stored in a password protected store on my laptop or even written down in an un-obvious way that I understand how to decode. For example £32.57 is a PIN hidden in a shopping list but the numbers are not in entry order. I can even 'hide' these details on-line if I wish.
Freedom is the issue. Freedom from being forced to carry both a bulky keypad/screen plus a chip and pin device. Freedom from being tied to accessing an on-line system ONLY from wherever the blasted device is.
I have taken more than 'reasonable care' to ensure the security information for my 2nd bank is not available to others yet is easy for me to use ANYWHERE.
In a short while I will rejoice in taking a large hammer to that bl**dy thing.
SO first they use the insecure chip and pin system...... you must use your pin everytime you buy goods on card, but you are liable if someone "shoulder surfs" and then nicks the card.
Now they are backing out of online banking anyway they can, while also puling as many customer facing staff as quick as possible.
Next they'll stop accepting money to pay the mortgage you have with them..... Oh Barclays did that a while ago.
So what next, the wrong type of Anti-Virus and Anti-Phising software installed.
Quote poster above
"Anti-virus and anti-phishing by it's very nature can never work, the new virus has to occur BEFORE they make a definition for it."
How can they tackle that one........
Are they going to provide the right type of software and push its customers updates.
Us poor folk who don't have anti virus / malware protection on our Linux systems?
How exactly would The Banks attempt to enforce this anyway? How would they prove that a customer had not taken reasonable care? Or would they just opine that said customer was incompetent and treat that as proof?
and not just because i work in a bank's IT department :)
We have had cases where a customer has received a phishing email and handed over all their details. A few weeks later, after being compensated for their stupidity, they get another mail and hand them all out again. the first time is understandable, the second time is not, some people are just too supid to be allowed on the net. Most banks are at the stage of saying, if you do something really stupid, don't expect us to bail you out.
Anti-virus/anti-spyware software is available freely and almost every pc is sold with some form already present, ok usually Norton, but they're trying. Any non-technical* user of a pc should have some protection if they do anything sensitive at all online, there is no excuse not to take the most basic precautions.
*While a technical user who knows what they are doing can get by without anti-virus, anti-spyware, firewall etc. There is no way i would let someone less technically inclined, for example my dad, loose on the net without it.
so,
antivirus + antispyware + personal firewall....
does this mean they'll force us to M$ windows ?? do they provide the licenses for free ??
if not then tell them to shut the F*** up, don't make it mandatory for everyone, only the crowd already using MS win, and don't force us to pay for MS's mistakes in Operating System design. MS Win is the only OS i know so far that needs all 3 of those...
Linux does not usually need antivirus+antispyware and the firewall is built-in by design into the kernel.
/Billy icon because of the topic
/better yet, on second thought i'll use the flame icon.
One time number tokens add some level of security on top of a simple password but they are not perfect. They reduce the risks but don't eliminate them.
You are right in saying that anti-virus protection is not perfect either but I sort of agree with the banks that their users should ensure they have the latest version of such software: same as the one time tokens, having up to date anti-virus protection doesn't eliminate risks, it reduces them. And to be honest, seeing some friends' machines I've seen in the past, *any* protection would seriously reduce risks.
That's how banks work: they know they can't eliminate all risk so they try to reduce it as much as possible, to a level they can manage. In an online banking situation, there are two sides to the risk: the risk associated to their internal systems, authentication methods, internal security, etc, which is a risk they know and can manage; then there is the risk associated to the customers' PCs such as anti-virus security, recent browsers, etc. So what they're saying to their customers is "take care of your side of the security and we'll take responsibility for our side of it; don't take care of your side of the risk and we'll consider you liable". It's exactly the same as saying to customers to not write down their pin numbers.
At the end of the day, any incentive for users to make sure they have the latest anti-virus and behave sensibly online is a good thing.
On how long before we're reading a story about a bank losing some critical information because their firewall/antivirus wasn't up to date.
You've really got to admire the cheek of these guys. If WE don't take reasonable precautions, then WE are responsible for any losses. When THEY don't take reasonable precautions, WE have to bail them out.
If there is no chance that the customer could be to blame then the bank has to take the hit. So it's important for the bank to warn the customer that they are responsible, they need to get that one in before the fraud takes place. Then the bank an say we told you so.
Having said that people are increadably stupid. One customer of mine, before he was my customer, lost thousands off his credit card. His computer was so full of crap from porn and gambling sites etc that it was hardly surprising.
Does Linux count as "up-to-date anti-virus and spyware software"? I can just imagine the bank asking me, "Do you have a firewall, anti-virus and spyware software?" (I think they mean anti-spyware anyway...) I don't have any specific software to cover the last two, although Linux is inherently a good way to avoid viruses and spyware. Perhaps banks should mantate the use of Linux as it's the best way to stay secure.
***"Anti-virus and anti-phishing by it's very nature can never work, the new virus has to occur BEFORE they make a definition for it."***
I have always been under the impression that AV is largely snake-oil. It spends 99.999% of its time slowing down your computer and hogging resources then, when you actually want it to do its work and make up for slowing your computer to a crawl, along comes a zero day nasty which fails to detect.
Same for anti-phishing. Slows down your browsing then fails to spot a new site.
And, in both cases, these 'protections' tend to give (particularly the less IT literate) a false sense of security. They think "it doesn't matter what I click on / download / run because I have AV and anti-phishing which will protect me".
Dear Bank
I keep my systems up to date for many reasons, only one of which is that I use them to access online banking. However, I would give your little declarations a bit more credence if your own internal systems were free of crappy old NT boxes running 15 year old software. ok ?
What's the definition of 'up-to-date'? Will my bank refuse any compensation until it has proved that my computer is secure? IMHO my computer is secure but how do I prove it? Sounds like just another attempt by the banks to avoid liability.
(Putting on my coat to do my banking the old-fashioned way - at the branch).
Will they need anyone reporting online fraud to go into their branch with their machine to prove that they have an up to date firewall, anti-virus and anti-spyware? Cause I can't see that happening! The bank might say "Sorry, you can't prove that this was installed/running/had up-to-date definitions, so you get nothing back!"
Great
Why - don't you think there are any viruses for Linux? 'Cause there are.
Plus there are viruses that affect cross-platform applications like openoffice.org, exploiting the scripting in those apps.
You should really think again about anti-virus software.
"Tom Ferris a researcher with Mission Viejo, California-based Security Protocols said in 2006, "In people's minds, if it's non-Windows, it's secure, and that's not the case. They think nobody writes malware for Linux or [Mac] OS X. But that's not necessarily true...."
http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses
Anyone with an eye for the past will remember a few issues with ATMs. A number of customers sued banks when they refused to act upon fraudulant ATM transactions, mostly (but not always) from stolen PIN/strip details (often obtained the infamous false fascia scams [http://www.snopes.com/fraud/atm/atmcamera.asp]).
The banks 'believed' thier system 'technically' infallable. One court defense even stated that the codebase was 100% secure as it was written in assembler. The technically inept judge, if I can recall, believed the argument, ignoring the fact that a) assembler for large applications can turn into swiss cheese and b) this technical solution was simply being bypassed.
These very same banks were initially abhored by the presence of ATM security cameras introduced by Citibank (would make them *look* insecure), who themselves have tried to hush security flaws rather than fix them [http://cryptome.org/pacc.htm].
These greedy idiots take no responsibily for thier own actions, and when they fail with their golden bullet they simply blame everyone else. It's *their* money, after all!
Not everyone is an IT expert, but the new code insists that as a user you need to ensure that your security is up to date. I'm sure there are plenty of people out there who have no idea how to check that they are secure.
Then of course there is the question of how a bank will know that you are up to date or not? Short of an intrusive scan of each PC connecting to their systems, I just don't see it. Unless..... given the possible combinations of OS, Antivirus and Firewall software, 'HSBC in association with Microsoft and Symantec Internet Security' type deals start popping up, forcing online bank customers to use specific software.
The one time number key fobs really are the only way to go. Those of us who use Internet Banking should migrate our accounts to the banks that use them.
Although you are right and it's a good system, there is no incentive for the banks to do this when they've put the risk onto the customer. Same as the move to chip and pin. Before, they had to verify your signature, now you have to make sure nobody sees your four secret digits. It would take a law to move the risk onto the banks and that won't happen.
Actually, you are not quite correct.
The banks in the countries where crime and fraud is a bigger problem like Eastern Europe do not use challenge-response keypads. They used to use client-side certificates since around 2001-2002 and now use PKI functionality of national identity cards and/or PKI tokens carrying national digital identity. The same method is used for companies and the digital signatures from these are contractually binding. For example I can both pay my council tax from my Bulgarian bank account and sign my annual tax return with it in one go.
As far as phishing being able to or not able to work a standard challenge response token does nothing to help. The attackers can piggyback on your authenticated session and fake the logout screen. Can be done with trivial Man-in-the-Middle website. The only solution to this is tokens used to sign each transaction with individual code like the Nationwide card reader, but these are frankly quite cumbersome and not totally bulletproof.
Compared to that using a personal digital identity and/or a national identity card is actually something that works. The reason for this is that the SSL handshake is done both ways and it is _NOT_ possible to be a man-in-the middle without possessing the certificate from the smart card. And if someone has got your ID card and has the technical prowess to get the cert off it there is bugger all you can do against him anyway. It is also not something you tend to forget plugged into your computer as well (especially if you know that you can sign off your house and all belongings with it).
Unfortunately a system like this is a very tall order by the UK standards. It requires a competent administration capable of running an national ID (or having it contracted to identity companies). It also requires the banking security understanding PKI and the difference between PKI and snake oil. And so on.
As others have said, this is another windows only ruling and a sign that windows monopoly has got too far when legislation and banking codes of practice assume everyone is using it.
However, since those of us enlightened enough to be running linux are likely to be security concious (e.g. fully patched, decent browser, router level fire-wall functions) it is unlikely they will be coming after any of us anyway.
Also imagine the outcry when a bank claims that a linux machine was compromised like it was windows running IE?
stick their filthy personal firewalls up their arses - along with antivirus and antispyware.
I like my computer to run fast.
The only time I get viruses and spyware is when I'm doing something blatently stupid, and there is a voice saying "dude - it's a virus not the serial key you'er after" followed by *sigh - told you* resulting in a few hours of clear up, and that happens once every two or three years.
"Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall."
Don't use Windows, that’s probably what they should be saying.
I use Avast AV/Comodo PF/a NAT Router/Lavasoft Ad-aware/IE7/I run the MS malicious software removal tool, I have all the MS patches/etc but in reality I'm still not secure. It's only a matter of time before MS release their next critical patch or something gets installed with an innocuous piece of software.
Anyway how exactly are they going to be checking all this? How can they check which computer I was using at the time? A lot of people use a computer at work, how can they be sure that's secure (they expect it is but in reality there's no guarantee)? Are they going to be sending us CDs to diagnose our PCs (why don't they do that before we have a problem)? Will it be a phone interview:
Q. Hello Sir, Can I ask which Antivirus software you have installed?
A. Well sure, I use XYZ.
Q. I'm sorry Sir, that software is not our list. You are liable for any loses.
A. But how do you know it was an online fraud?
Q. I'm sorry Sir but you are using Antivirus software that's not on our list.
Q. .................
It seems like the only way to be secure and not liable is not to use online banking/shopping at all (or maybe use the token system Anonymous Coward mentioned above, if your bank will give it to you).
I have a router-based firewall, AV (ClamAV) on my Linux system, and all my email is AV scanned, spam filtered and (as a consequence of these two) almost no phishing stuff gets in. I run Firefox (patched and updated), with NoScript, Ad-block and TrackMeNot. I also apply my own common-sense and intelligence to anything that does get through these barriers.
All of these things should mean I am about as secure as a bank, apart from the physical security of their server rooms, and I feel reasonably confident using my regular on-line banking system which asks for several pieces of reasobly memorable information to access it.
Then I get a new Post Office Credit card.
"This site requires Microsoft Internet Explorer 5 or later"
FFS!
Banks say "we will never ask you for your account details in an email"...
No you won't, but you'll ask for them when you phone me up, giving me absolutely no way of knowing who I'm speaking to. I've even been told "we take security very seriously, so rest assured that this really is xxx bank". Oh well that's all right then, I'll just bend over.
Fair enough, if they want to put everyone off using the Net to run their finances then fine. Open a NORMAL account. Pay bills and withdraw cash at the counter lunchtime. And don't forget to riot with gusto when they only have one or two counters open for service. Or if they've decided to close your local branch for their own selfish profit increases.
And demand to know why you can not just wait for 10 minurtes while they make you a new cheque book. Or why their pay-in slips on the counter seem to be missing the counterfoils you need for your record.
Banks ? Ever since we have all been obliged to have accounts to transfer our pay into, they have gradually lost the whole idea of providing a service. No real incentive you see.
I think that if you look at the terms and conditions of most online banking services, you will find that they have a list of known and supported OS/Browser combinations, and I would be surprised if any Linux platform is listed. This gives them an immediate get-out from most Linux users.
My primary bank would like me to install agent software on my machine (at least last time I looked) to access their online banking system. Of course, this is windows based.
And the AC who was talking about Linux viruses has obviously not taken into account how short the wikipedia page about Linux viruses actually is, nor has he looked at the viruses listed. Many of them are old definitions, some are for products not involved with browsing, and virtually none of them will cross the user/system boundry unless you are stupid enough to be running the vector as a privileged user (root).
I'm not saying that Linux is invulnerable, and the increased evidence of flash/java/javascript cross-platform attacks is worrying, but a well maintained Linux system is probably safe from most prevalent attack vectors. About the only place where Firefox is likely to be vulnerable, assuming it is installed into system-defined location (rather than in home directories) is via a plugin. It is just NOT POSSIBLE as a non-system user to install such things as keyloggers, DNS redirectors, and default route redirectors in a Linux system if the system privilege is guarded well.
Of course, Linux is just as vulnerable to social engineering (i.e. Phishing) attacks, but that is because the user is being targetted, not the OS or browser. In theory, it is possible to install anti-phishing plugins in Firefox, but such defenses are only as good as the block database that is being referenced.
I'm just waiting for the banks to insist on content filters being mandatory for their services. When that happens, the simple port filter firewalls implemented by most routers (and Linux Tables and Chains firewalls) will not satisy their requirements, and we will be further beholden to Microsoft.
"All of these things should mean I am about as secure as a bank,"
No, you would be about as secure as a bank, computer wise, if you were running an original unpatched Windows 98 (not SE) install, using IE4, with an outdated firewall and anti virus.
Okay, that's probably exgurating the situation, but seriously, if you see your average bank computer (not server), you'll probably find half a dozen vectors for malware to get in.
Here in the Netherlands, liability is entirely on the bank unless they can prove beyond reasonable doubt that you were a direct cause or contributor to the fraud. For example, if your PIN code is written on a piece of paper or if you're using the above mentioned windows 98 machine to do your internet banking with.
And the Postbank, one of the bigger banks around here, uses one time authentication (TAN codes, they call them) to authorise the actaul payments. You log in with a normal username + password, but without the TAN codes a potential malicious user wouldn't be able to do much.
FD (who are the best behaved bank I used, to their credit) have Internet Banking and Internet Banking Plus.
The plus version of course requires IE so I wrote to them a while ago explaining that was reasonably dumb to mandate IE as although I'm sure their banking systems are very secure, the problem is the keyloggers, trojans and spyware that will potentially get installed by virtue of the fact I'm ostensibly using that browser for all my surfing.
Surprisingly they didn't seem to think that was an issue at all.
Now I need to ask them if they consider Linux 'acceptable' (for annoyance ask them what distro & release level as well) and if I were using a different OS and browser combination to access the banking what they would consider 'secure' in each case.
Has been a while since I bugged the bank about their security so it's about due....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
