back to article New banking code cracks down on out-of-date software

The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection. New Banking Codes for consumers and businesses took effect on Monday. The Banking Code produced by the British Bankers' Association (BBA), and followed by …

COMMENTS

This topic is closed for new posts.
  1. amanfromMars Silver badge
    Alien

    By Hook or by Crook ......Bankers doing a Line of Crack Code/Pass the Toxic Parcel

    Hmmm .... so the Bank's dodgy systems transfers your money into dodgy foreign hands and then says it's the customers fault for not having a secure system?

    That's novel ...... although somewhat flawed in reasoning and the expectation of Joe Bloggs and Jane Doe.

  2. Anonymous Coward
    Anonymous Coward

    Sue their nasty asses

    ""If you act without reasonable care, and this causes losses, you may be responsible for them,""

    Indeed there is a simple effective method for avoiding losses, it's the challenge response keypad, or the simpler one time number token (generates a new number each time you press a button). Losses from the major Europe banks that use them as virtually nil.

    So any bank that refuses to use them is acting without reasonable care. There is a fix, it works, it's proven, the banks in the UK don't want to use them when it's free to blame the customer.

    Anti-virus and anti-phishing by it's very nature can never work, the new virus has to occur BEFORE they make a definition for it.

  3. JimC
    Pirate

    So why does anyone use on-line banking?

    I took a look at the terms and conditions when it came out, and all the risk for dealing with fraud was on my side not theirs. And in order to prove that it was fraud I was going to need *their* system logs etc, which obviously wasn't going to happen. **** that for a lark I thought, and said "No way: take me off the list."

  4. Joe Blogs

    @ amanfrommars

    "That's novel ...... although somewhat flawed in reasoning and the expectation of Joe Bloggs and Jane Doe."

    Hey, leave me out of this....

  5. alain williams Silver badge

    I don't bother with a virus scanner

    on my PC since I run Linux ... so will they blame me if something goes wrong ?

  6. Anonymous Coward
    Anonymous Coward

    personal firewall

    Section 12.9 says: "Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall."

    By 'personal firewall' would a router with firewall count or do they require a software firewall on each PC?

  7. Graham Robinson

    Personal firewall

    I wonder who's definition of personal firewall they are using.

    Is a computer behind a router a personal firewall

    Is a computer running XP SP2 or Vista a personal firewall

    Or do you have to go and buy zonealarm to save yourself a big bill

  8. Anonymous Coward
    Thumb Down

    What about other platforms?

    What about people using platforms on which anti-anything solutions make no sense? Between the lines this seem to imply that windows is the only acceptable platform.

  9. Geoff Mackenzie

    AV/Anti-Spyware

    I have none. I run (well patched and up to date) Linux systems. My anti-phishing software consists of the ability to read the address bar in my browser (a technique I mastered after many years of hard study). Are these reasonable measures to secure my PC or do I now need a leaky Windows machine with plenty of after-the-fact pseudo-security software to use my online banking service?

  10. Anonymous Coward
    Anonymous Coward

    Non-windows?

    That's quite a leap from "act without reasonable care" to "responsible for losses if they have out of date anti-virus or anti-phishing protection".

    I personally don't do internet banking from windows pcs - simply because I have better safer alternatives easily at hand.

    "It's just my identity that's gone, none of your money?" "Well, no, they emptied your account - it's identity theft." "They took all the money - that sounds more like a bank robbery..." Mitchell and Webb.

  11. Nick Drew
    Thumb Down

    The thing is....

    ...it's not actually the software that's the issue. It's the pink hardware with its nose pressed firmly to the screen and fat fingers on the keyboard that's the least secure part. Anti-phishing software isn't half as good as an anti-phishing frame of mind; you can have the best anti-virus software in the world but if you're a moron, it'll only have a limited effect.

    But the banks can't mention idiocy in their terms and conditions (discrimination is a surprisingly easy word for the hard-of-thinking to work out how to use), so add a clause about software requirements that would probably be pretty damn impossible to enforce (who decides what's 'up to date', and how up to date does it have to be?)

  12. Paul
    Thumb Down

    @Anonymous Coward

    I use 2 banks. One has forced one of these blasted things on me. I am slowly moving everything to the 2nd bank so I can close the 1st account.

    Why? If I want to check my account but have left the stupid thing behind I am stuffed. It is too big for its purpose and needs a chip & pin card as well. It is an absolute pain.

    I understand the need for decent security but this blasted system is cumbersome and imposes too many limitations.

    With my 2nd bank I have to enter PLENTY of separate security identifiers to ensure security. I can carry all of these in my head/stored in a password protected store on my laptop or even written down in an un-obvious way that I understand how to decode. For example £32.57 is a PIN hidden in a shopping list but the numbers are not in entry order. I can even 'hide' these details on-line if I wish.

    Freedom is the issue. Freedom from being forced to carry both a bulky keypad/screen plus a chip and pin device. Freedom from being tied to accessing an on-line system ONLY from wherever the blasted device is.

    I have taken more than 'reasonable care' to ensure the security information for my 2nd bank is not available to others yet is easy for me to use ANYWHERE.

    In a short while I will rejoice in taking a large hammer to that bl**dy thing.

  13. Matt

    Passing the buck

    SO first they use the insecure chip and pin system...... you must use your pin everytime you buy goods on card, but you are liable if someone "shoulder surfs" and then nicks the card.

    Now they are backing out of online banking anyway they can, while also puling as many customer facing staff as quick as possible.

    Next they'll stop accepting money to pay the mortgage you have with them..... Oh Barclays did that a while ago.

  14. Jamie
    Linux

    Burden of proof???

    Who would have the burden of proof, bet it won't be the banks to prove you did not have up to date software. Instead as always with the banks and the gov't it will be up you you to prove that you did.

  15. Dave

    Non-Windows Machines?

    So what about those of us who don't use Windows? For the most part we don't use AV software. Or is there going to be a clause saying that they'll only cover losses to people with fully up-to-date Windows machines?

  16. Justin
    Stop

    Another get out clause

    So what next, the wrong type of Anti-Virus and Anti-Phising software installed.

    Quote poster above

    "Anti-virus and anti-phishing by it's very nature can never work, the new virus has to occur BEFORE they make a definition for it."

    How can they tackle that one........

    Are they going to provide the right type of software and push its customers updates.

  17. Humph

    And what about...

    Us poor folk who don't have anti virus / malware protection on our Linux systems?

    How exactly would The Banks attempt to enforce this anyway? How would they prove that a customer had not taken reasonable care? Or would they just opine that said customer was incompetent and treat that as proof?

  18. Kenny Millar

    So they should outlaw IE too

    So are they going to tell you that you should only use FireFox, Safari or any other non-IE based browser too?

  19. Anonymous Coward
    Anonymous Coward

    I can understand this perfectly

    and not just because i work in a bank's IT department :)

    We have had cases where a customer has received a phishing email and handed over all their details. A few weeks later, after being compensated for their stupidity, they get another mail and hand them all out again. the first time is understandable, the second time is not, some people are just too supid to be allowed on the net. Most banks are at the stage of saying, if you do something really stupid, don't expect us to bail you out.

    Anti-virus/anti-spyware software is available freely and almost every pc is sold with some form already present, ok usually Norton, but they're trying. Any non-technical* user of a pc should have some protection if they do anything sensitive at all online, there is no excuse not to take the most basic precautions.

    *While a technical user who knows what they are doing can get by without anti-virus, anti-spyware, firewall etc. There is no way i would let someone less technically inclined, for example my dad, loose on the net without it.

  20. G2
    Flame

    will they force us to use winblows ?

    so,

    antivirus + antispyware + personal firewall....

    does this mean they'll force us to M$ windows ?? do they provide the licenses for free ??

    if not then tell them to shut the F*** up, don't make it mandatory for everyone, only the crowd already using MS win, and don't force us to pay for MS's mistakes in Operating System design. MS Win is the only OS i know so far that needs all 3 of those...

    Linux does not usually need antivirus+antispyware and the firewall is built-in by design into the kernel.

    /Billy icon because of the topic

    /better yet, on second thought i'll use the flame icon.

  21. Bruno Girin
    Go

    @AC

    One time number tokens add some level of security on top of a simple password but they are not perfect. They reduce the risks but don't eliminate them.

    You are right in saying that anti-virus protection is not perfect either but I sort of agree with the banks that their users should ensure they have the latest version of such software: same as the one time tokens, having up to date anti-virus protection doesn't eliminate risks, it reduces them. And to be honest, seeing some friends' machines I've seen in the past, *any* protection would seriously reduce risks.

    That's how banks work: they know they can't eliminate all risk so they try to reduce it as much as possible, to a level they can manage. In an online banking situation, there are two sides to the risk: the risk associated to their internal systems, authentication methods, internal security, etc, which is a risk they know and can manage; then there is the risk associated to the customers' PCs such as anti-virus security, recent browsers, etc. So what they're saying to their customers is "take care of your side of the security and we'll take responsibility for our side of it; don't take care of your side of the risk and we'll consider you liable". It's exactly the same as saying to customers to not write down their pin numbers.

    At the end of the day, any incentive for users to make sure they have the latest anti-virus and behave sensibly online is a good thing.

  22. Anonymous Coward
    Anonymous Coward

    Load of bankers

    Shifting liability, regulatorzzzzzz asleep as usual.

  23. Steve

    Time to start a sweepstake

    On how long before we're reading a story about a bank losing some critical information because their firewall/antivirus wasn't up to date.

    You've really got to admire the cheek of these guys. If WE don't take reasonable precautions, then WE are responsible for any losses. When THEY don't take reasonable precautions, WE have to bail them out.

  24. Anonymous Coward
    Anonymous Coward

    Liability Engineering again

    If there is no chance that the customer could be to blame then the bank has to take the hit. So it's important for the bank to warn the customer that they are responsible, they need to get that one in before the fraud takes place. Then the bank an say we told you so.

    Having said that people are increadably stupid. One customer of mine, before he was my customer, lost thousands off his credit card. His computer was so full of crap from porn and gambling sites etc that it was hardly surprising.

  25. Jonathan Rawle
    Linux

    Does Linux count?

    Does Linux count as "up-to-date anti-virus and spyware software"? I can just imagine the bank asking me, "Do you have a firewall, anti-virus and spyware software?" (I think they mean anti-spyware anyway...) I don't have any specific software to cover the last two, although Linux is inherently a good way to avoid viruses and spyware. Perhaps banks should mantate the use of Linux as it's the best way to stay secure.

  26. Eponymous Cowherd
    Unhappy

    Re:Sue their nasty asses

    ***"Anti-virus and anti-phishing by it's very nature can never work, the new virus has to occur BEFORE they make a definition for it."***

    I have always been under the impression that AV is largely snake-oil. It spends 99.999% of its time slowing down your computer and hogging resources then, when you actually want it to do its work and make up for slowing your computer to a crawl, along comes a zero day nasty which fails to detect.

    Same for anti-phishing. Slows down your browsing then fails to spot a new site.

    And, in both cases, these 'protections' tend to give (particularly the less IT literate) a false sense of security. They think "it doesn't matter what I click on / download / run because I have AV and anti-phishing which will protect me".

  27. david g
    Flame

    Pot & Kettle

    Dear Bank

    I keep my systems up to date for many reasons, only one of which is that I use them to access online banking. However, I would give your little declarations a bit more credence if your own internal systems were free of crappy old NT boxes running 15 year old software. ok ?

  28. Sordid Details
    Jobs Halo

    Keep your PC secure

    What does it say about Macs? I don't have any AV software on my Mac, and I'm not so stupid that I need anti-phishing software.

  29. ducksoup
    Coat

    By whose rules?

    What's the definition of 'up-to-date'? Will my bank refuse any compensation until it has proved that my computer is secure? IMHO my computer is secure but how do I prove it? Sounds like just another attempt by the banks to avoid liability.

    (Putting on my coat to do my banking the old-fashioned way - at the branch).

  30. punks unite
    Pirate

    Like to see them prove this

    Will they need anyone reporting online fraud to go into their branch with their machine to prove that they have an up to date firewall, anti-virus and anti-spyware? Cause I can't see that happening! The bank might say "Sorry, you can't prove that this was installed/running/had up-to-date definitions, so you get nothing back!"

    Great

  31. Anonymous Coward
    Alert

    @alain williams

    Why - don't you think there are any viruses for Linux? 'Cause there are.

    Plus there are viruses that affect cross-platform applications like openoffice.org, exploiting the scripting in those apps.

    You should really think again about anti-virus software.

    "Tom Ferris a researcher with Mission Viejo, California-based Security Protocols said in 2006, "In people's minds, if it's non-Windows, it's secure, and that's not the case. They think nobody writes malware for Linux or [Mac] OS X. But that's not necessarily true...."

    http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses

  32. El G
    Unhappy

    All of this has happened before...

    Anyone with an eye for the past will remember a few issues with ATMs. A number of customers sued banks when they refused to act upon fraudulant ATM transactions, mostly (but not always) from stolen PIN/strip details (often obtained the infamous false fascia scams [http://www.snopes.com/fraud/atm/atmcamera.asp]).

    The banks 'believed' thier system 'technically' infallable. One court defense even stated that the codebase was 100% secure as it was written in assembler. The technically inept judge, if I can recall, believed the argument, ignoring the fact that a) assembler for large applications can turn into swiss cheese and b) this technical solution was simply being bypassed.

    These very same banks were initially abhored by the presence of ATM security cameras introduced by Citibank (would make them *look* insecure), who themselves have tried to hush security flaws rather than fix them [http://cryptome.org/pacc.htm].

    These greedy idiots take no responsibily for thier own actions, and when they fail with their golden bullet they simply blame everyone else. It's *their* money, after all!

  33. Anonymous Coward
    Gates Horns

    Bankers!!!!

    Not everyone is an IT expert, but the new code insists that as a user you need to ensure that your security is up to date. I'm sure there are plenty of people out there who have no idea how to check that they are secure.

    Then of course there is the question of how a bank will know that you are up to date or not? Short of an intrusive scan of each PC connecting to their systems, I just don't see it. Unless..... given the possible combinations of OS, Antivirus and Firewall software, 'HSBC in association with Microsoft and Symantec Internet Security' type deals start popping up, forcing online bank customers to use specific software.

    The one time number key fobs really are the only way to go. Those of us who use Internet Banking should migrate our accounts to the banks that use them.

  34. Ferry Boat

    @Anon Cow and your one time pad thingy

    Although you are right and it's a good system, there is no incentive for the banks to do this when they've put the risk onto the customer. Same as the move to chip and pin. Before, they had to verify your signature, now you have to make sure nobody sees your four secret digits. It would take a law to move the risk onto the banks and that won't happen.

  35. Anton Ivanov
    Boffin

    Re: Sue their nasty asses

    Actually, you are not quite correct.

    The banks in the countries where crime and fraud is a bigger problem like Eastern Europe do not use challenge-response keypads. They used to use client-side certificates since around 2001-2002 and now use PKI functionality of national identity cards and/or PKI tokens carrying national digital identity. The same method is used for companies and the digital signatures from these are contractually binding. For example I can both pay my council tax from my Bulgarian bank account and sign my annual tax return with it in one go.

    As far as phishing being able to or not able to work a standard challenge response token does nothing to help. The attackers can piggyback on your authenticated session and fake the logout screen. Can be done with trivial Man-in-the-Middle website. The only solution to this is tokens used to sign each transaction with individual code like the Nationwide card reader, but these are frankly quite cumbersome and not totally bulletproof.

    Compared to that using a personal digital identity and/or a national identity card is actually something that works. The reason for this is that the SSL handshake is done both ways and it is _NOT_ possible to be a man-in-the middle without possessing the certificate from the smart card. And if someone has got your ID card and has the technical prowess to get the cert off it there is bugger all you can do against him anyway. It is also not something you tend to forget plugged into your computer as well (especially if you know that you can sign off your house and all belongings with it).

    Unfortunately a system like this is a very tall order by the UK standards. It requires a competent administration capable of running an national ID (or having it contracted to identity companies). It also requires the banking security understanding PKI and the difference between PKI and snake oil. And so on.

  36. Anonymous Coward
    Linux

    linux

    As others have said, this is another windows only ruling and a sign that windows monopoly has got too far when legislation and banking codes of practice assume everyone is using it.

    However, since those of us enlightened enough to be running linux are likely to be security concious (e.g. fully patched, decent browser, router level fire-wall functions) it is unlikely they will be coming after any of us anyway.

    Also imagine the outcry when a bank claims that a linux machine was compromised like it was windows running IE?

  37. Anonymous Coward
    Anonymous Coward

    they can

    stick their filthy personal firewalls up their arses - along with antivirus and antispyware.

    I like my computer to run fast.

    The only time I get viruses and spyware is when I'm doing something blatently stupid, and there is a voice saying "dude - it's a virus not the serial key you'er after" followed by *sigh - told you* resulting in a few hours of clear up, and that happens once every two or three years.

  38. pAnoNymous
    Unhappy

    As long as you're on a public network your PC is never really secure

    "Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall."

    Don't use Windows, that’s probably what they should be saying.

    I use Avast AV/Comodo PF/a NAT Router/Lavasoft Ad-aware/IE7/I run the MS malicious software removal tool, I have all the MS patches/etc but in reality I'm still not secure. It's only a matter of time before MS release their next critical patch or something gets installed with an innocuous piece of software.

    Anyway how exactly are they going to be checking all this? How can they check which computer I was using at the time? A lot of people use a computer at work, how can they be sure that's secure (they expect it is but in reality there's no guarantee)? Are they going to be sending us CDs to diagnose our PCs (why don't they do that before we have a problem)? Will it be a phone interview:

    Q. Hello Sir, Can I ask which Antivirus software you have installed?

    A. Well sure, I use XYZ.

    Q. I'm sorry Sir, that software is not our list. You are liable for any loses.

    A. But how do you know it was an online fraud?

    Q. I'm sorry Sir but you are using Antivirus software that's not on our list.

    Q. .................

    It seems like the only way to be secure and not liable is not to use online banking/shopping at all (or maybe use the token system Anonymous Coward mentioned above, if your bank will give it to you).

  39. peter Silver badge
    Thumb Up

    @anton

    I think I might move to Bulgaria.

  40. Peter Ford
    Gates Horns

    MS lock-in

    I have a router-based firewall, AV (ClamAV) on my Linux system, and all my email is AV scanned, spam filtered and (as a consequence of these two) almost no phishing stuff gets in. I run Firefox (patched and updated), with NoScript, Ad-block and TrackMeNot. I also apply my own common-sense and intelligence to anything that does get through these barriers.

    All of these things should mean I am about as secure as a bank, apart from the physical security of their server rooms, and I feel reasonably confident using my regular on-line banking system which asks for several pieces of reasobly memorable information to access it.

    Then I get a new Post Office Credit card.

    "This site requires Microsoft Internet Explorer 5 or later"

    FFS!

  41. Anonymous Coward
    Anonymous Coward

    Phorm

    Of course Phorm have hardware sitting between your machine and the bank that can redirect you transparently.

    Suddenly your financial security is only as good as the systems produced by an advertising agency.

    It doesn't matter what system you're on.

  42. Michael Shaw

    But the banks train people to fall for fraud...

    The banks all seem to ring people up, out of the blue and ask for their password details to verify their identity, before they can tell you what the phone call is about.

    Surely this is training someone to become a future victim of fraud.

  43. Ian Chard

    Fair enough... if the banks followed their own rules

    Banks say "we will never ask you for your account details in an email"...

    No you won't, but you'll ask for them when you phone me up, giving me absolutely no way of knowing who I'm speaking to. I've even been told "we take security very seriously, so rest assured that this really is xxx bank". Oh well that's all right then, I'll just bend over.

  44. Anonymous Coward
    Anonymous Coward

    <no title>

    Fair enough, if they want to put everyone off using the Net to run their finances then fine. Open a NORMAL account. Pay bills and withdraw cash at the counter lunchtime. And don't forget to riot with gusto when they only have one or two counters open for service. Or if they've decided to close your local branch for their own selfish profit increases.

    And demand to know why you can not just wait for 10 minurtes while they make you a new cheque book. Or why their pay-in slips on the counter seem to be missing the counterfoils you need for your record.

    Banks ? Ever since we have all been obliged to have accounts to transfer our pay into, they have gradually lost the whole idea of providing a service. No real incentive you see.

  45. Peter Gathercole Silver badge
    Linux

    Check the Ts & Cs

    I think that if you look at the terms and conditions of most online banking services, you will find that they have a list of known and supported OS/Browser combinations, and I would be surprised if any Linux platform is listed. This gives them an immediate get-out from most Linux users.

    My primary bank would like me to install agent software on my machine (at least last time I looked) to access their online banking system. Of course, this is windows based.

    And the AC who was talking about Linux viruses has obviously not taken into account how short the wikipedia page about Linux viruses actually is, nor has he looked at the viruses listed. Many of them are old definitions, some are for products not involved with browsing, and virtually none of them will cross the user/system boundry unless you are stupid enough to be running the vector as a privileged user (root).

    I'm not saying that Linux is invulnerable, and the increased evidence of flash/java/javascript cross-platform attacks is worrying, but a well maintained Linux system is probably safe from most prevalent attack vectors. About the only place where Firefox is likely to be vulnerable, assuming it is installed into system-defined location (rather than in home directories) is via a plugin. It is just NOT POSSIBLE as a non-system user to install such things as keyloggers, DNS redirectors, and default route redirectors in a Linux system if the system privilege is guarded well.

    Of course, Linux is just as vulnerable to social engineering (i.e. Phishing) attacks, but that is because the user is being targetted, not the OS or browser. In theory, it is possible to install anti-phishing plugins in Firefox, but such defenses are only as good as the block database that is being referenced.

    I'm just waiting for the banks to insist on content filters being mandatory for their services. When that happens, the simple port filter firewalls implemented by most routers (and Linux Tables and Chains firewalls) will not satisy their requirements, and we will be further beholden to Microsoft.

  46. Lucy Knight
    Coat

    What a wunch...

    ...of bankers

  47. Whitter
    Thumb Down

    IE

    As most bank's sites only work on IE and require javascript, aren't they guilty of compromising your security by design, long before you worry about when you late updated whatever?

  48. Remy Redert

    re: Peter Ford

    "All of these things should mean I am about as secure as a bank,"

    No, you would be about as secure as a bank, computer wise, if you were running an original unpatched Windows 98 (not SE) install, using IE4, with an outdated firewall and anti virus.

    Okay, that's probably exgurating the situation, but seriously, if you see your average bank computer (not server), you'll probably find half a dozen vectors for malware to get in.

    Here in the Netherlands, liability is entirely on the bank unless they can prove beyond reasonable doubt that you were a direct cause or contributor to the fraud. For example, if your PIN code is written on a piece of paper or if you're using the above mentioned windows 98 machine to do your internet banking with.

    And the Postbank, one of the bigger banks around here, uses one time authentication (TAN codes, they call them) to authorise the actaul payments. You log in with a normal username + password, but without the TAN codes a potential malicious user wouldn't be able to do much.

  49. Anonymous Coward
    Anonymous Coward

    So now we know

    Bank in Bulgaria! There the banks take responsibility for fraud - here they pretend it's the customers'. I wonder why.

  50. g e

    First direct told me once...

    FD (who are the best behaved bank I used, to their credit) have Internet Banking and Internet Banking Plus.

    The plus version of course requires IE so I wrote to them a while ago explaining that was reasonably dumb to mandate IE as although I'm sure their banking systems are very secure, the problem is the keyloggers, trojans and spyware that will potentially get installed by virtue of the fact I'm ostensibly using that browser for all my surfing.

    Surprisingly they didn't seem to think that was an issue at all.

    Now I need to ask them if they consider Linux 'acceptable' (for annoyance ask them what distro & release level as well) and if I were using a different OS and browser combination to access the banking what they would consider 'secure' in each case.

    Has been a while since I bugged the bank about their security so it's about due....

  51. Andus McCoatover
    Stop

    New banking codeS crack down on out-of-date banking mentality.

    Yep, here in Finland...

    Customer number is a 7-digit code (not a user name).

    Then, in conjunction with this, I use a one-time 4-digit PIN. Cross it off the list when used. Also, same list of one-time PIN's can be used for tax office transactions, getting e-post in PDF from Posti - payslips, etc and much more.

    So, I have new banking codeS each time I use the bank. Bleeding obvious.

    Also, if I want to check something with the bank, thy will NEVER ring me. An SMS, asking me to call THEM if there's a problem - and even then, after a couple of OTHER checks (Social Security + security question) can the converstaion continue once I've typed my (next) one-time PIN into the phone.

    Remember, even at this stage, I've phoned THE BANK. NOT the other way round.

    Ever.

    Britain - what the fuc*k are you doing???? Welcome to the 3rd world banking system.

  52. Bad Fish
    Paris Hilton

    My bank asks security questions when I phone them

    I had to call them to active a new credit card:

    Bank: when did you open your account?

    Me: I can't remember

    Bank: how much was your last credit card bill

    Me: I don't know; my wife pays them

    Bank (after a pause): your credit card is now activated.

    (Paris, because shw gives a warm fuzzy feeling, even though my bank doesn't)

  53. Ben
    Alert

    @Anonymous Coward

    "Why - don't you think there are any viruses for Linux? 'Cause there are.

    http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses"

    So... you can list them all on 1 page?

    Try searching for Linux viruses 'in the wild':

    http://www.google.co.uk/search?q=linux+site%3Awildlist.org

    Last one found was in 2004.

  54. RW
    Boffin

    Ring ring: two real-life incidents

    Incident One:

    One delightful day I got a mail from my bank (Royal Bank of Canada) informing me that online banking was now enabled on my accounts. I immediately phoned them and told them to disable online banking on my accounts.

    "But why, sir?"

    "It's insecure."

    "Oh, no, it's completely secure."

    "No, it isn't; one of your marketing wonks enabled online banking on my accounts without my permission."

    <silence>

    Incident Two:

    ring ring

    "Hello, this is Statistics Canada, we have some questions about your census return."

    "That's nice but how do I know you are who you say you are? Is there a telephone number that is listed in the telephone book whereby I can validate your identity? We live in a world full of scams, phishing, identity theft and so on, and I would be irresponsible to simply believe you without verification."

    "Yes, phone 1-800-555-1212."

    "Sorry, but that's not in the telephone book under Stats Canada."

    Ultimately he gave up and marked the form as not answered due to concerns about confidentiality. I pointed out that the real reason was that his identity could not be validated, but alas! the form he had evidently had no such box on it to tick.

    I once took a course in survey methods from Stats Canada, and in those days they did have verification phone numbers that were listed in the telephone book. No more, evidently.

  55. TimBinsted

    PSD

    There is a little thing called the Payments Service Directive that comes into force in 2009 and will apply also to the UK that makes the onus for evidence and intent lie by the bank. So this measure will be of very short extent.

  56. Lou Gosselin

    Full security

    The one time keys + password might be able to prove to the secure site (bank) that the user is who he is and has the FOB. However as mentioned by Anton Ivanov, an attack vector would be possible by using man in middle attack or by hijacking the authenticated session using some method.

    Obviously the Man in Middle could have his own valid SSL cert, so that the user sees the "key" and thinks he's secure even if it is the wrong site. This even happens with legitimate banks who use multiple domains across subsystems, some pop up windows may even hide the address bar completely.

    Or worse, if the client desktop has already been infected, then anything is possible as the machine can show the user what he wants to see while doing something else. Even a compromised *user* account is powerful because it can fool the user into providing root credentials by displaying a false login screen, I bet even most pro's would be caught off guard.

    There is a physical solution to all these things without resorting to out of band communication. The FOB's weakness is that it can be used to authorize *any* action, even if not intentional. It would have a small lcd display on it so the user could review the transaction(s) on it and then click 'Approve'. The device would then sign the transaction (or a hash of it), and this signature would be verified by the bank. So long as this "digital signing FOB" is kept physically secure and cannot reprogram itself so that it is not digitally exploitable, then the user has very high confidence that the signature can only be used to approve a specific series of transactions.

    Such a device would be used at the *end* of a session/transaction instead of at the beginning. An attacker / middle man could go through the steps, but the user would have to approve the transaction. If he doesn't look at it, then it really ought to be his fault.

    I wasn't going to write this in, seeing as this thread already has many comments. However am worried about someone patenting/profiting from the idea instead of benefiting the public. So hopefully this thread can be used to claim prior-art on the idea.

  57. Daniel B.

    Oh great...

    Sometimes I feel my own country's "third world banking" (Mexico) seems to be more advanced than some, but then the Bulgarian system seems to be more efficient. Oh wait, PKI has already been proposed over here.

    OTP tokens over here are *mandatory* since 2007. Though it is true that implementation itself isn't regulated, so some have the OTP challenge during initial login, others have it for any third-party transaction; and some use challenge-response systems. Oh, and one bank uses some funny "number matrix" cards.

    So security's been upped nationwide, and we have the added advantage that we have INSTANT inter-banking electronic transfers (search "banco de mexico SPEI" for that) unlike other countries where "quick" means "next day" or "next 2 days".

    Even with cheques, longest time to wait would be 24 hours for "other bank" deposits.

    Downside of course that fraud investigations usually take about 2 months to solve, and even then you might not get your money back. Oops! But at least they do try to be secure.

  58. Anonymous Coward
    Anonymous Coward

    Banks???

    I don't even use banks - no credit cards either. I rent so I don't have a mortgage. I pay my rent in cash - hand it right to my landlord and he gives me a receipt. I guess I'm lucky in that all my clients will pay me in cash. When I do have to accept a cheque, I cash it at the local money mart. I pay my other bills by money order. You can probably guess that I don't like banks and I don't trust them. And don't get me started on the insurance companies!

  59. Lou Gosselin

    Full Security, clairify patents

    I feel I must pre-emptively clarify my stance on patents.

    A company should make a profit for building security devices, after all the existence of safe (hopefully open source) security devices *is* a public benefit. They should not make a profit off of the mere idea and algorithms of security devices, which is what such a patent would grant to patent trolls.

    Some people may complain that it is impossible to compete/innovate without patents. However without patents, nothing is stopping them from building something better than the competition - actually building on their competitor's ideas without worry of a patent lawsuit. This would be a huge boast to innovation and to the public.

  60. Mike Bronze badge

    secure system

    how about a simple device with a radio in it, we'll call it a "BankSafe" to please the marketing guys

    when you log in to your bank account you just enter your username/accounts number then get a (constantly refreshing) "Please use your BankSafe to verify your identity" page. you pick up your "BankSafe" device, on the screen is a message "Are you trying to log on to online banking using <your ISP>?" you enter a PIN and "confirm". you want to transfer your life savings to someone you get a message "Please use your BankSafe to verify this transaction", you pick it up, on the screen is "Do you wish to transfer £50,000,000 to John Smith?", you enter your PIN and press "confirm". Of course an extendable system would be open to currently unknown future uses (allow the bank to specify custom messages for confirmation).

    This could then be extended to your debit card transactions, the delay need not be more than a couple of seconds, so you put your card in like you currently do, wait 2 seconds, then instead of entering your PIN in to the shops machine you enter it in to the "BankSafe" device, press confirm, 2 seconds later the cashier gets a "payment confirmed" back from the bank and trasaction is complete, the same as the current system - with the difference that you enter your PIN in to your own machine, rather than having to trust the machines in every single shop (it's also not fixed in to a location on the checkout where the people around you can see you entering it!). of course you could use RFID as well then so no need to put a card in to the machine, merely take the device out of your pocket, enter PIN, payment made.

    The only issue with this system would be radio coverage, however the bandwidth requirement is rather low and would mostly consist of encryption overhead, a low data rate network would be fine for this so would not need more than a few dozen masts to provide acceptable coverage of peoples homes, and for in-shop coverage, the shop has a low power transmitter in it (a small change to the hardware of the credit card machines in use today, to include the RFID reader and the "BankSafe" transmitter - it is already linked to the bank for transactions anyway)

    Naturally communications are done using a secure form of encryption, bank sends messages encrypted with your public key and its private key (so you can verify its identity from its public key, and only you can decode it with your private key) and the same in reverse.

    The only potential problem I can think of with such a system is online banking from a house outside of the coverage area, but it could have a failure mode that is less convenient but where you can enter a code given by the banks website and it will then give you the relevant confirmation code to give to the banks website.

    The inconvenience of carrying the device around would not be a problem if it became universally adopted, as you would soon find mobile phones including "built in BankSafe support" so you can give your bank your phones certificate and you can then authenticate transactions using your phone which most carry with them anyway. and a standard fitting on the top of the checkout machines that you can rest the device in to power it would sort out flat battery problems (battery flat, just plug in to their machine for power, authenticate the transaction, then remove).

    Such a system would of course work with multiple bank accounts with a single device, assuming they all used the same standard compatible system and allowed you to register your own device, rather than each sending you a separate device and insisting you use that.

    Anyone see any problems with such a system?

  61. Andus McCoatover

    @banks???

    Curious. How the hell do you pay the Internet bill/electricity/etc.

    Plus, which mattress do you stuff your wages under? I've a mate from the pub who's interested for some reason...

  62. Anteaus
    Stop

    Missed the whole point...

    Antivirus only detects viruses. The majority of AV totally ignores rootkits or password-stealing Trojans, so won't help us here. Implying that it does creates a false sense of security.

    If you browse with Internet Explorer, you ARE at risk form keystroke-logging Trojans. No matter what firewall, antivirus or whatever you are using.

    If you use a secure browser such as Firefox or Seamonkey, you are very unlikely to get hit by malware. Though, it is no good JUST using the secure browser for online banking, if IE has been used in the past for other sites, the machine may ALREADY be Trojanised, and in that case the secure browser won't help you.

    The best security for online backing is to use a separate PC. This can be an older model running (a fresh copy of) a less-vulnerable OS such as Windows 95/98 or Linux and with IE removed (if present) and a secure browser installed. If it's only used for accounting-related purposes then antivirus etc is largely academic.

  63. Solomon Grundy

    @banks???

    Yep, cash is still king.

    Like you said, we don't need banks for anything (unless you like people rooting through your personal life). I just walk down the street and pay all my bills in cash - Internet, utilities, etc... And it's super convenient, the utility office is on the way to the pub.

  64. Ben Tasker
    Stop

    I've written to my bank

    To ask how it applies to me running Linux (I do have AV, and a hardware firewall, and Firefox's anti-phishing lists, and some common sense) but whilst I was writing to them I discovered something interesting on their site.

    HSBC Customers pay attention!!!!!!!

    Phorms system (AFAIK) will not disregard alpha-numeric strings, HSBC Internet Banking I.D.s take the form

    IB1234567

    and are entered on an unsecured page, so Phorm will be able to read it. Now by entering it, am I taking undue care (as far as the banking code goes) or are HSBC not taking enough care by not securing the stage of entering my user ID. If you can track user ID IB1234567 to me, it's only a case of entering my Date of Birth and having a stab at 3 numbers out of a combination of up to 8 for my security code.

    Well thought out HSBC's system!!!! I told them that if they did not feel the measure I take to ensure my security were sufficient, then they could go ahead and close my IB account, and I'd find another bank. Be interesting to see what they say about the Phorm issue as well (felt I better tell them about that ;-) )

  65. Andrew Wigglesworth

    @banks???

    You can pay just about any utility bill at the Post Office. You even get a receipt which is better than some banks...

    I have internet with Zen who seem to accept payment by almost any method, though I don't see any mention of Flainian Pobble Beads on their website.

    I do have a bank account (with the Co-op/Smile) but to I avoid Credit/Debit cards and Direct Debits. I don't go as far as AC above as I do pretty much trust the Co-op to look after my money.

  66. Anonymous Coward
    Anonymous Coward

    Surely it's about the monkeys?

    People are coming up with a whole lot of nonsense in this thread.

    Surely this is about the morons that will dish out their account numbers, pin numbers and logins to any chump that emails them?

    Why should the banks (and in the end every bank customer) have to pay for their moronity?

    My bank phoned me this week about my life insurance. They asked me for my date of birth and my postcode. After me arguing with them for a little while they told me half of the answers which persuaded me it was them, and they already had the information. If your bank phones you and asks for your account number or password, move banks.

  67. Martin Usher

    Banks could start to get sensible

    Most people have quite predictable patterns to their spending. If someone, after years of mundane mortgage and grocery payments, suddenly needs to transfer all the money in their bank account to somewhere in Nigeria the bank's software should stop and think a bit. But its easier to blame the customer (cheaper, too).

  68. Mike Hyslop
    Unhappy

    HSBC + Weak Logins

    The HSBC system employs IB numbers (which we are lead to believe are to identify internet banking users, and the IS number is linked to something else within the bank to identify you.

    What HSBC actually do is use the IB number as your reference for everything, if you go into a branch and have a look at the screens on their systems everything is run using the IB numbers to identify you.

    Now the login page with no SSL actually has SSL, you just have to change the URL to get it to kick in, I've pointed this out to them numerous times and it is still passed in plain html.

    the business banking side is hardly any better, they use cheap fobs for their "rsa-esque" login system, the fobs are ridiculously easy to kill, no more about the fobs, certain business accounts have fobs and some don't, the ones that do bring up a 2 line box, the ones that don;t bring up a 1 line box, and no lines means you have entered an account that isn't recognised.

    which makes it easier to phish users details as you can tell if they have a fob or a password / cert to get in.

  69. Anonymous Coward
    Thumb Down

    Banks - don't like phishing

    I have always reported any phishing emails that hit my mailserver to both netcraft.com and banksafeonline.org.uk

    The sytem would work well if the last 2 phishing emails which I sent through had not been bounced by banksafeonline as undelivered after 5 days. Netcraft recognised them as new phishing URLs.

    When I set up a new business bank account, choice of bank was how easy it was for me to find information on the site without using javascript. However, I would not recommend anyone use their internet banking as the first page of the sign-up process is not https and asks for your username. And all checking is done using javascript.

    Stupid banking system.

    This same bank also phoned a few times to discuss my account. I did the usual: write to me spiel. A few days later I got another phone call, from a different name. At least he apologised that I had not received the letter I had asked for. About a week later I did get a letter to confirm that the bank was trying to ring me and would ring again - nothing to say how the caller would identify themselves as working for the bank and being authorised to phone me. I am still waiting for the call.

  70. Anonymous Coward
    Anonymous Coward

    I just happen to work on ebank security

    First, the bad news.

    Practically ALL current solutions are open to MITM (man in the middle) attacks, which can be installed via various means (malware redirecting or messing with DNS settings, dodgy WiFi twins or trusting a cyber cafe). The problem is that it's for Joe End User pretty hard to discover that his instructions are "translated" somewhere, so the current bank counter measure is usually scanning for questionable transactions and delaying them. In the UK there is less incentive to do this as the banks have successfully transferred liability to the end user (did you really think Chip&PIN was for YOUR safety? Better read "security economics" by Ross Anderson for a primer).

    The problem, however, remains: how to get feedback securely to the end user?

    Two ways: "in band" by using another approach that thus needs to rely on different protection than "regular" SSL (you wouldn't need that if people actually checked the Cert). The second way is "out of band" by using a different transport mechanism such as SMS. The latter is low cost, but becomes unsafe (and uncontained) the moment the SMS has to travel abroad past "inter telco" gateways. This is, however, a solution about to go live in a number of places simply because it's easy to get going. You'll find it for randomising logins (to defeat key logging) as well as transcation confirmation (true value of transaction and target, and a confirmation code).

    And so we hit another issue that will keep showing up. We have static components in the logon, which can be used for denial of service attacks. 3x a logon means a blocked account and an angry customer.

    I have seen a number of approaches, and the nicest one is one that does away altogether with a user name. Think of a session key acts as a salt to a known sequence - the result can be worked back to one specific user, but the algorithm + changing session key will make it much harder to hack together a combination that works as a valid account.

    The issue is not an easy thing to work on because you have to balance usability and hassle against safety and available budget, but I have seen decent solutions emerge - you'll start seeing them go live in a number of places over the next few months, including new ways to manage your electronic identity in a way that YOU are back in control.

    IMHO it's about time.

  71. Mark
    Thumb Up

    One time key fob

    Is used by HSBC in Australia. It's no bigger than one of the RSA number generators most people using remote company logins will be familiar with and is required not only for login but also for each and every financial transaction. I think they may required it's use for address changes also, which would make sense. Seems to me they can get it right if they can be arsed. Maybe Oz is the trialling ground for HSBC Worldwide and the UK will get the system shortly?

  72. Tim Strutt Silver badge
    Gates Horns

    @Mark - Oz Banking

    Thanks for info. My Oz bank charges me $7 a month for the privilege of using my accounts, and a further $85 a year for a credit card. Almost every time I log in (using Debian or OS X) the bank's site 'reminds' me to check I have an up to date anti-virus programme installed. Perhaps I should change to HSBC?

    One good thing that they do, is that they send me an SMS text message with a one-time confirmation code if I add a new debtor or send money abroad - Probably costs them (me) a bit though...

    Alternatively I could suggest that my bank should offer a discount on these account charges if the user has a hardware based firewall/router/modem. A further discount if IE is not used, and perhaps they should pay me not to use Windows?

  73. Mo
    Stop

    Here's an idea

    Maybe the banks (mentioning no HSBCs and MBNAs, amongst others) could stop hosting their 3-D Secure Verification service on a server which looks like it's a phishing site, or failing to renew their SSL certificates. Maybe then consumers would stop ignoring telltale signs of phishing expeditions.

    That's right, they don't use subdomains of their own domain. They use https://www.securesuite.co.uk/<bankname>/.

  74. Matt Lee
    Thumb Up

    Switch to GNU/Linux

    If banks want users to switch to a secure operating system, they should encourage users to switch to GNU/Linux.

  75. Anonymous Coward
    Anonymous Coward

    They Tried That...

    here in New Zealand. The new Banking Code put the onus on customers to cover all losses unless the customer could prove it was the bank's fault. However one or two banks kept the old approach of covering the customers regardless. Then they all bailed and the code was changed back the way it used to be.

  76. This post has been deleted by its author

This topic is closed for new posts.