back to article Peers call for cybercrime shakeup (again)

Peers are calling for a reversal of rules that stop UK victims reporting cybercrimes directly to the police. The House of Lords science committee is also encouraging the government to introduce a data breach notification law. A follow-up report on personal internet security by the committee of peers also calls for legislation …

COMMENTS

This topic is closed for new posts.
  1. Nic Brough
    Paris Hilton

    Grr

    We all know that the simple solution is to make the bangs automatically responsible for all security related losses, because unless we do that, they'll simply keep shifting the pain onto everyone else by coming up with half-crippled schemes like chip & (s)pin (which is worse for the consumer and less secure than a signature). If the banks are made to take the hit by default, and can only recover their loss by actively proving fraud, then they'll design a proper scheme that works.

    Where are the Bruce Scheier and Ross Anderson icons?

    In the meantime, Paris, because even she could work that out!

  2. Anonymous Coward
    Coat

    Erm

    Banks already often re-imburse people for losses due to phishing etc, should they really be responisble for that? The robbery in the street analogy for that one goes like this "Hi I'm joe from your bank, can I have your card and PIN number? Thanks"

    If I told the old bill I'd given someone my card and PIN number and all my money's gone, they're going to laugh at me.

    The customer isn't always right, often the customer is a right royal idiot! Sure the banks should be responsible if it's actually their fault, mostly it's the muppet on the street though.

    /Now lets see how this one goes...

    /I'll have the asbestos one pleae...

  3. amanfromMars Silver badge

    Grr too ....

    As all money, whether obtained by fair means or foul, always ends up in the Banking System eventually, [which is a very convenient arrangement, is it not?] , third party losses are always eventually recovered by the Banks and therefore customers should never be penalised for obviously inadequate security arrangements.

    And any and all monies that they would spend on securing the System and Systems will always end up back with them ... thus being yet another very convenient, no cost, value added option which would be easy to justify and most awkward to deny?

  4. Maurice Shakeshaft

    Getting the Banks to pay will .....

    Still make the customers pay.

    Until the bank senior staff have their liberty put at risk through failure of the systems employed to provide all reasonably practical security for their customers online transactions, then nothing will change. The prospect of gaol time might actually encourage CEO's to put pressure on the police and judiciary to shut the scammers and phishers down.

    Fines on the banks will be payed out of increased charges. I do like the idea of shifting the burden of proof to the banks though! But that is as likely to fly as the CEO having a porridge breakfast at HM's pleasure.

    The answer is for customers to do less on-line until it is safe to do so but that's a "Catch 22".

  5. Anonymous Coward
    Go

    Reporting to police

    "It is also vital that the victims of e-crime can report crime directly to the police."

    It is of course vital that the victims of ALL crime should be able to report that crime direct to the police. And high time it was made COMPULSORY for the police to accept all such reports.

    In the case of all non-urgent reports, that should be possible via a web interface that ensures people can and do report all crime, no matter how small or large.

  6. The Cube

    Re: Reporting to police

    Of course, the idea that only the banks should report crimes to the police so that they can cook the books, never report their own incompetence, pass the cost onto their customers instead etc etc is so obvious it should not need discussion.

    On the topic of "possible via a web interface" though, have you any idea what a gravy train that will be for some bunch of incompetent thieves (sorry tier 1 outsourcing providers) that will be, how late it will run and how much overbudget before being shut down?

    Also, this will come back to bite the public, there will be lots more reported crimes that the piggies have not solved and they will have to put up more speed cameras to fudge the numbers back, they will probably also go out and beat up Brian Haw a few times and shoot some Brazilian plumbers just to make themselves feel better.

  7. Martin Edwards
    Stop

    More blame on customers

    AC further up the page rightly suggests that we should be more willing to blame customers for their own losses if they are careless with malware or using weak passwords. The biggest cybercrime problem is the average user. Better systems to educate the public will be necessary, but once they're in place, I think it really will be fair that customers who are careless with security pay the price for such carelessness themselves.

  8. Graham Marsden
    Stop

    @More blame on customers

    What Martin Edwards and the AC from the "Erm" post don't seem to realise is that the banks use the Chip and Pin system to absolve themselves from any losses caused by card fraud.

    They go "Your card was abused? Well it was done with a PIN, so it must be your fault, so we're not going to give you a refund", despite the fact that this is an abuse of the Banking Code which requires that the banks *prove* gross negligence instead of just *claiming* it.

    This means that the customer (and often the business the goods came from) get screwed and the banks are laughing all the way to... well...

    Banks have only *now* started pushing the "protect your PIN" message, something which they should have done right from the start. The number of times I could have shoulder-surfed someone's PIN doesn't even bear thinking about, but if you point this out to people their attitude is "well you shouldn't have been looking" as if a criminal would care!

    IMO this is gross negligence by the banks, but nobody can be bothered to take them to task over it.

  9. Roger Heathcote
    Alert

    Pardon be but...

    Isn't it a banks PRIMARY FUNCTION to look after my money and make sure nobody steals it? I mean after that it's all gravy init?

    If people are being tricked out of their pins and passwords in significant numbers then that says to me that what security they do provide is inadequate or, more likely, people en mass aren't aware of what security there is and how to use it.

    All any UK bank have to do to fix 90% of online fraud is issue their customers with secure tokens and maybe offer them a free version of Kaspersky. Maybe a short video or two about what phishing is and why you need good passwords wouldn't hurt either but what do we have now? Lloyds have a paltry 2 sentence "be careful of phishing" easily ignored textual warning every now and then when you login to your online banking, just to cover their arses.

    Roger Heathcote.

  10. Anonymous Coward
    Stop

    Blame the victim?

    I am a systems administrator. My weakest password is an eight character, randomly generated alphanumeric password that I forced myself to memorize. My regular ones are 31 characters, a combination of text, and randomly generated alphanumeric sequences. I have a little bot that regularly updates my firewall with the malwaredomains.com list. I use firefox with a nice set of extras, and I have some custom cross-site-scripting detection programs that have served me well.

    My bank uses multi-tired authentication to access the online systems, and I have subscribed to all the lovely little "verified by visa" programs etc, and taken every conceivable security precaution online.

    You know how they got me? My garbage. I shred everything I can, or, if I don't have a shredder, I tear up anything that has personal information on it.

    Doesn't matter, at one point I let a phone bill and a visa bill get away unscathed. It was all that was needed. (Don't ask me how that was enough, I am still trying to figure it out.) I received a bill from my mobile provider saying I had added a phone to my contract, and taken out a data plan for $150 a month, on a 5 year contract. The phone was only partly covered by the contract, and still dinged me about $300.

    It took a few months, but I got the company to admit that there is no way they should have been able to ding me for that phone. Since the bastards ordered it over the intertubes, and had the unit shipped to them, the cops caught the individuals in question, whereupon they were found with my visa bill and phone bill, and of course, some shiny pile of phones they had ripped off the phone co.

    Oh, and BTW, they used the internet, but got the information for their scam from the garbage.

    So to those of you who say "it's all the consumer’s fault" you know what, EFF YOU. Seriously, just G the F O. I take every precaution I can, every single time I can. I am considered by most people paranoid about identity theft. (If only because, as a sysadmin, I know how easy it is.) If you are trying to tell me I should be (potentially) on the hook for a few thousand dollars because I missed shredding my bills once?

    What if the criminals in question had the time to piece together some of my shredded bills Is that my fault too? Where does it stop being something you can blame the consumer for, and start being something where the profit-mongering businesses have to take responsibility for verifying the identity of the consumer?

    If my precautions aren't in your mind enough, and you believe every consumer in the world should have to be even more paranoid, then I truly would abhor living in the type of society you idolize.

    I hope you get hit for a large and unpleasant sum of money, and then sir, I will blame YOU for your incompetence, and you can see how it feels.

  11. Christoph
    Black Helicopters

    Well of course

    "It stated that requiring victims of fraud to report it to their banks rather than to the police is leading to under-reporting of e-crime"

    Isn't that the whole point? If the reporting numbers are kept down, that's proof that the government is keeping the crime down.

    If they didn't do that, the government might have to pay attention to what's happening in the real world rather than to meaningless statistics!

  12. Mr Pedantic
    Alert

    Lords want to increase CPS powers, according to Reg article

    You say "Their Lordships' second report renews a call for the government to do more to protect the public cybercrimes such as identity theft scams and auction fraud."

    So in other words the Lords want to extend the Criminal Protection Service's remit to include protecting cybercriminals, alongside burglars and muggers against law-abiding citizens who legitimately protect their persons and property.

    If this goes ahead, report a cybercrime and you may find the CPS coming after you for slandering the cybercriminal.

  13. David
    Flame

    @Blame The Victim AC

    Your arguement seems a little flawed. You say you regularly shred your bills. Why? Is it because you know that cyberscum look through people's rubbish to get personal info? It's not like it hasn't been widely reported, and Im guessing you were shredding your docs because you didn't want to take the risk of it happeniong to you. Then on the one time you forget to shred your stuff, you get your ID ripped off. Unlucky for sure, but not unexpected.

    If the bank can be proved to be at fault then for sure, they should pay, and someone in management should see the inside of a prison cell, to hammer home the message to the arrogant bankers that this is our money they're dicking about with. If it's just a case of someone's put their details into a phishing website, or not taken care with their personal details then how is the bank to blame? It's not their fault you weren't careful with your data is it. I also think it's a little ludicrous that you think criminals will sellotape all your shredded documents together, but just to be on the safe side, I've never thrown away a single bill or bank statement I've ever recieved. You never know when you might need them

  14. b

    @@Blame The Victim AC

    And there we have it: Never throw anything away ever again.

    Still no belming icon?

  15. galbak

    any point in shredding/firewalls etc

    every goverment department, bank. shop etc seems to be happily loosing laptops. cds and bin bags, full of peoples personal information, then all the utiity companys quite happily send everyones information to which ever country they have outsourced the helpdesk to this month. Why bother protecting your own data, when the people paid to look after the data properly are just giving it away.

  16. Anonymous Coward
    Stop

    @ David

    Any corporation, bank or otherwise, that deals with MY MONEY, (and yes, the money belongs to the person, it is not an inherent "right" of the corporations to take it from you by hook or by crook,) had da*ned well better verify that I am who I say I am when I go to use electronic forms of payment.

    According to your argument, it's the consumer's fault he decided to have a bank account, or a credit card, or any form of electronic payment, because if he had just kept his money in gold coins locked in an underground vault protected by a loyal guard of militant Iranians why then this would never have happened would it?

    Reality check: that's not how the system works. In the real world, you need a bank account to get most jobs. Why? Because most of them will refuse to pay you any way but direct deposit. In my country, yes, they have the right to refuse to pay you if you don't accept payment through direct deposit. Corporations have more rights than people, as they do in your dream utopia.

    In the real world, without establishing credit, you can't do simple, yet vitally important things like obtaining a mortgage. This more or less requires a credit card. For that matter, there are now a number of places that only accept payment by credit card, or debit card, and will not deal in cash of any sort.

    All of this means that unless you are already rich enough to simply do what you wish in the world, rather than having to play by it's rules simply to survive, you must have some form of electronic currency. If you don't have absolute control over who can access that money and when, there are some pretty sever issues with the system.

    That money belongs to the me, (the CONSUMER,) not to the bank, and certainly not to a corporation. It is not the god-given right of a criminal or fraudster to rip me off for that money. Since I don't control the method of accessing that money, but simultaneously am required by multiple elements of society to keep money in that electronic account, then the gate keepers of that money (who make a fair amount of coin to BE the gatekeepers to that money, bear in mind,) should be legally bound to verify my identity before allowing anyone access to it.

    Chip and PIN, (or just PIN,) signatures, passwords, none of this is remotely enough. Until the banks are held liable for every single fraud and loss, they won't bother putting the effort into earning the fees they charge for the "privilege" of allowing all and sundry to rip you off.

    And any corporation, (such as a mobile service,) that retains financial information about you allowing them to access funds in your account should be held to the same high standards to verify your identity before making *any* change to the agreed upon and contracted amount.

    Furthermore, both banks and corporations need to be legislated into paying massive fines for every single scrap of personal information lost. How many corporations have the ability to pull funds from my bank account? By my count, 12. In at least 8 of those cases, they simply would not deal with me any other way, and they can cheerfully refuse to deal with anyone who doesn't play by their rules because of course, here, corporations have more rights than people.

    At the end of the day, it's MY money, and the banks are paid to safeguard it. If they aren't doing their job, they need to be punished. If corporations leak your data, giving criminals all the information they need to get past the weak safeguards of the banks, those corporations should also be punished.

    This isn't a matter of "it's the consumer's responsibility to never give anyone his data, and should never keep money in banks because they are potentially insecure, harrumph, doesn’t every keep their money in gold, protected by militant iranians? You there, pass me my martini!"

    I WORK for a living, and so I have to play by the same rules as any other joe. Which means the corporations have more rights than me to my own money.

    So go to hell.

    This sh*t has to change.

  17. David
    Flame

    @@David AC

    Err, you've completely misread what I said, but seeing as your an angry prat that doesn't surprise me. I never said DONT have a bank account, I just said be aware of the fact that there are ID fraudsters out there and take some responisbility for your personal data. The fact that you claim to shred your docs suggested to me that you understood that. As you say it's YOUR money so YOU should take responsibility for it where you can. How is it the banks responsibility if YOU don't shred your docs in keeping WITH YOUR OWN POLICY???? Banks don't blame you if they get help up at gunpoint, so why should you blame them if you can't keep your information secure?

  18. Anonymous Coward
    Anonymous Coward

    Phorm is a crime or is not,There are rules that would suggest that it is...

    i liked the part of the report that highlights this...

    as Robert points out here

    http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-762.html#post34595475

    "Good night, and good morning. Another nice quote here from the same report:

    http://www.publications.parliament.u...ch/131/131.pdf

    Q31 Earl of Erroll: A quick rider before I start. The

    first thing I was going to say was that I did not feel

    there was disrespect in the response from the

    Government at all. I rather felt that there were

    probably problems of budget and a feeling of how

    were you going to get it out of the Treasury, therefore

    the usual thing was to say “Well, let’s talk about it a

    bitmore and then hope that something appears in the

    next budget round” or something like that, which

    was disappointing.

    [b[I think what the Earl of Northesk

    was asking was slightly different from what I am

    about to ask which was that he was thinking about

    how this was classified and whether Phorm is a crime

    or is not. [/b]

    [b]There are rules that would suggest that it is

    but no government department wants to pick it up

    and say that it is. [/b]

    Everyone wants to shift the buck"

  19. Anonymous Coward
    Stop

    @@David AC

    A bank certainly does pass the blame onto the consumer if they get held up. They increase fees to pay for the added security instead of decreasing their profits. If there is anything to be done, you can be assured it will come at the expense of the consumer, never at the expense of their margins!

    Your statements say "if you screw up, you should have to pay for it," but you only seem to see this applied to the individual rather than the corporation. You believe that we should exist in a perpetual state of paranoid fear, keeping a watchful eye on every possible item of personal information, because every loss of identity is the fault of the consumer? I say that a failure to properly secure one's premises, digitally or physically is the fault of the corporation, be they a bank or a company.

    If you don't believe identity theft should be pushed off as irrelevant, and that both the consumer and the corporation have important roles to play preventing it. A couple of bills should not be enough to cause my mobile company to run of a few grand in charges, full stop. Banks should be working in tandem with consumers and other corporations to provide truly secure policies, procedures and technologies for verifying identity, and corporations should be legislated into compliance.

    At the same time, no consumer should be giving out their PIN, password, or any personally identifiable information if they can possibly help it. It is almost impossible to prevent personal information from leaking out, and some of it people can find out simply by social engineering staff at companies into giving it out.

    So the consumer has to work to minimize the loss of information, and so do corporations. The consumer and the corporations both have to work together to ensure that purchases using any form of electronic currency verify identity as absolutely as is reasonably possible.

    Your assertion that the onus is entirely on the consumer leads to a society where only the very paranoid, the lucky, or the rich have any real rights or expectations of living a fraud-free life.

    Do you work for a bank? Or are you just such a hard core capitalist that you earnestly believe the corporation can do no wrong, and everything is the fault of the victim?

  20. Hank
    Alert

    Phorm is a crime or isn't? Well there are laws that say interception is illegal...

    ...but no-one seems to want to do anything about it!

    I wrote to our police chief constable to report the crime BT seemed to have admitted to on Channel 4 News (April 3rd 2008) - regarding intercepting communications of their customers without legal warrant and without customer knowledge.

    Later the leaked BT document was released that spoke about the secret trial interceptions.

    I got a letter back from a Detective Inspector which said that any RIPA issues had to be sent to The Interception Of Communications Commissioner (Sir Paul Kennedy, The Commissioner) in London.

    He did issue a crime reporting number and said nothing about investigating my report of the incident.

    So I wrote to Sir Paul's office...

    Sir Paul's office points out that RIPA 2000 defines their role and it is not to investigate potential crimes under RIPA. No. That activity, they say, and I quote: "would be a matter for the prosecuting authority, namely the police and the Crown Prosecution Service." Which is almost exactly what Lord Spithead said in Hansard (i.e. the official parliamentary record)

    ==== Read my drafted reply to our Police service here:

    http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-763.html#post34595686

    ==== Read what The Commissioner's office has to say about interception of communications when they wrote back to me:

    http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-763.html#post34595713

    We cannot have large corporates doing what they please in this area of technology. Not when there are rules to follow (nay, laws, in fact!).

    It is simply not on.

    And I don't want Phorm, or Webwise. In fact, although I have nothing to hide, I think I don't really want BT any more either.

    Hank

  21. Tony Paulazzo
    Pirate

    Bank Security

    Over 10 years ago the Royal bank of Scotland issued me with a debit and credit card with my photo and signature laser etched onto it. To do online banking you could only use the one PC and if you formatted you had to restart the procedure from the beginning as it was tied into that machine and copy of windows....

    With all the scam bank emails doing the rounds you'd think they'd be doing more to protect their customers - after all, the customer is saying to them, ' I trust you with my money.'

    With the obscene profits they're making (apart from, obviously, Northern Rock), they really should be held legally accountable for letting money leave your account when it's not you taking it out, surely it's up to them to verify who's asking for the money.

    The pirate - because obviously piracy has moved from anarchic individuals in ships to blood sucking corporations in high finance.

This topic is closed for new posts.

Other stories you might like