UK's Get Safe Online? 'No one cares' - run the blockbuster ads instead

The UK's Get Safe Online campaign has failed to teach Brits how to secure their computers - so says the ex top cop who established the information security awareness effort in 2004. John Lyons, former crime reduction coordinator at the National Hi-Tech Crime Unit, said the Get Safe Online project had done "little to change …

COMMENTS

This topic is closed for new posts.
  1. Vimes

    Now if only the government could adopt a similar position in regards to the internet and porn instead of opting for bullying the ISPs to put filtering in place.

    Education there will always be the biggest component to solving that issue - not just the kids but the parents too.

  2. Pete 2 Silver badge

    Blaming the victim?

    > If you lose money from your bank account the banks give it back to you.

    But is that what really happens?

    The way I see it is that a bank has a duty to put in place sufficient security for it to keep our money safe. That's safe from (traditional) theft, safe from internet theft and safe from themselves being unable to give it back to us when we ask for it.

    So far, cash machine security measures haven't evolved much beyond the PIN-code systems that were around in the 1970's - though my PIN in those days was 6 digits, instead of the 4 we have today. Is that really progress?

    Although for home banking I now have a nice little card reader, courtesy of my bank, that "proves" I am in possession of my card when I log on to their computers, I still feel that the onus is on the banks to make sure their security is up to scratch to protect our money. There will always be some crime, the goal for security measures is to reduce it to a level that we customers are willing to pay: both in terms of losses from theft and the cost of the measures to prevent it.

    1. Tom_

      Re: Blaming the victim?

      The bank is legally required to give you the money back. It's then up to the bank whether or not to try and pursue the person who stole it.

      1. Ian McNee

        Re: Blaming the victim?

        This just is not how it actually works in the real world: a great deal of the "security" banks implement is designed to exonerate them of any responsibility and "prove" that the user was either irresponsible (divulged PIN, lent card to friend, etc.) or attempting to defraud the bank. Browsing the banking security posts at Cambridge Computer Lab's Light Blue Touchpaper blog demonstrates that.

        On the main topic it's no surprise the Get Safe Online campaign didn't take off: their advice is at best incomplete and full of platitudes and often just plain wrong, e.g. advising complicated hard to remember passwords.

        And if this report is correct Mr Lyons isn't getting any cleverer: "attacks on computer networks could soon threaten critical infrastructure" (the usual security terror scare stories), "wearable technologies...will be...hacked" (oooh...bears/woods/pooh??), "Techniques developed to beat biology-based authentication systems, such as fingerprint recognition, will also be a major headache" (wow...no-one saw that coming...oh wait, 2002 is calling, a gummi bear wants the Chaos Computer Club to check if you have any significant brain function).

        Until we have some real security people leading these initiatives rather than govt./business friendly PR wonks like Lyons we will get nowhere.

      2. VinceH

        Re: Blaming the victim?

        "The bank is legally required to give you the money back. It's then up to the bank whether or not to try and pursue the person who stole it."

        My reading of Pete 2's comment suggests that wasn't the point he was making - rather that what he quoted John Lyons as saying (which was, with my emphasis, "If you lose money from your bank account the banks give it back to you") rather strongly implies that any loss must be the customer's fault. Pete was pointing out that isn't necessarily the case - sometimes, maybe, but not always.

      3. Nuke

        @Tom_ Re: Blaming the victim?

        Wrote :- "The bank is legally required to give you the money back."

        Not if it was your fault. TFA is about the degree of security in people's behaviour. The bank must give you your money back if it is their fault, but that is not what the Get Safe Online campaign is about.

        FTFA, John Lyons said :-

        "If you lose money from your bank account the banks give it back to you. Nobody cares."

        What bollocks. Finding money disappearing from their bank account is people's worst nightmare. Even though they should get it back IF it is shown not to be their own fault, that is not people's first thought.

    2. dajames

      Re: Blaming the victim?

      > So far, cash machine security measures haven't evolved much beyond the PIN-code systems that were around in the 1970's - though my PIN in those days was 6 digits, instead of the 4 we have today. Is that really progress?

      No, it's not progress. It's just that there are bazillions of cash machines -- mostly in North America -- that are too old to be upgradable to use longer PINs, and too expensive to replace. It's cheaper to suffer a little fraud.

      > Although for home banking I now have a nice little card reader, courtesy of my bank, that "proves" I am in possession of my card when I log on to their computers...

      I have something similar. I have noticed, though, that since the bank implemented the scheme they've started to require the use of the little card reader on fewer and fewer occasions because the users find it too difficult, or can't be bothered to carry the cardreader around when they might need it.

      It's an old truism that you can't have ultimate security and ultimate convenience ... but can we have acceptable security and acceptable (in)convenience? I'm not sure.

      1. Anonymous Coward

        Re: Blaming the victim?

        "since the bank implemented the scheme they've started to require the use of the little card reader on fewer and fewer occasions"

        Assuming that you are referring to online banking activity, this is often simply because the risk scoring mechanism you have invoked by your actions has learned from your prior behaviour and has assessed the risk as low, too low for a need to challenge your identity.

        1. gazthejourno (Written by Reg staff)

          Re: Re: Blaming the victim?

          I infrequently order pizza online. Whenever I do this, I find myself having to reset various rarely-used banking passwords to order my pizza because those sites are the only time they ever trigger the extra protections.

          Learned, my arse, the pizza-denying gits.

          1. Kubla Cant

            Re: Blaming the victim?

            Don't you find the pizza from your bank is expensive and stodgy?

  3. adnim

    UK's Get Safe Online? 'No one cares'

    No one cares?

    Does anybody know?

    I have never heard of this, should I have done? Is it my fault?

    Or is it the responsibility of those that start such campaigns to ensure the target audience is made aware?

    1. Anonymous Coward

      Re: UK's Get Safe Online? 'No one cares'

      Absolutely true. I've certainly never heard of it. Is it an advert? If so, then I suppose that's the problem, I don't watch them. Still, would have noticed it in blipvert form when fast-forwarding you'd think.

      I mean absolutely everyone has heard of the porn filter thing, but does anyone even know what Anti-virus is? Noooooo. Why the HELL isn't it built in to all these devices? Oh what, anti-competitive bullshit? Fuck that, stick a basic free version in, people that don't have a clue about it aren't going to buy your con-artist software. It's got a browser by default hasn't it? Why the FUCK hasn't it got anti-virus by default.

      This is the fault of the manufacturers, with possibly the government. FFS, make it illegal to sell a device that can easily be screwed up by simply connecting to the net and clicking on a link. It should be easy, if it's not, people will ignore it.

      1. Sir Runcible Spoon

        Re: UK's Get Safe Online? 'No one cares'

        Great idea...instead of a series of rapidly disappearing flashing images when people FF the adverts on their SKY/Tivo boxes etc. if the advertisers just put a static screen up for 30 seconds I bet people would still notice what it was advertising etc. even though they are whizzing past it.

  4. Ketlan

    Hopeless...

    'John Lyons, former crime reduction coordinator at the National Hi-Tech Crime Unit, said the Get Safe Online project had done "little to change attitudes".'

    That's because their emails were only sent out occasionally and contained such gems as warning you not to give your passwords to passing strangers and not giving your bank details to any stray Nigerian princesses.

    1. Frankee Llonnygog

      Re: Hopeless...

      That's funny. When he was still head, it was all marvellous. It's only now he's left that he's joined the rest of us in thinking it a colossal waste of time and money. I went to one of their seminars once. They rivalled the Government Digital Service for their indulgence in mutual backslappery

  5. Khaptain Silver badge

    Word of advice

    Dear Mr John Lyons,

    It is my unfortunate task of having to inform you that it may be necessary for you to change tactics. You have taken the approach that the majority possess at least some intelligence. Whilst this indeed is correct, I believe that you have misjudged the quantity of intelligence. It is far below that which you have aimed your campaign.

    The internet for many people is a fun place; there is football, porn, fun little games and knitting patterns. There is also that tedious possibility of online banking which doesn't include any porn or fun things....

    Online banking and such requires difficult to understand concepts about security, html, Cross Site Scripting, Java One Day exploits, script kiddies and a lot of other things that don't include porn or football etc...

    The computer and the internet are like big mysterious black boxes that we can use to see more porn.... Everything else is difficult........

    Cordially Yours

    Apor Nuser.

    Seriously though, most people do not have the slightest clue about IT in general, and especially not about the capacity for the hackers to infiltrate a PC.

    The protection systems needs to be further increased in the OS, the applications and also the Banking Industry in general. People need to be protected from themselves.......

    Linux does offer a lot of advantages but does not offer everything.....it’s a good start though. The banking industry should be "obliged" to provide 3 step authentication, RSA keys or keypass calculators etc. I presume that the bankers have done their stats though and it is financially beneficial to give people back their money rather than employ tellers at a counter....go figure

    The internet needs a little shake up because people will inherently continue to be stupid..... The alternative is to forbid certain people from accessing the web, or at least the Banking part.

    1. dajames

      Re: Word of advice

      > Online banking and such requires difficult to understand concepts about security, html, Cross Site Scripting, Java One Day exploits, script kiddies and a lot of other things that don't include porn or football etc...

      Really? My bank seems unable to understand the concept that I might be happier with their banking systems if they refrained from telling me how they were 'proudly' supporting some farcical football tournament in which I have no interest whatsoever every time I logged in.

      I understand their desire to advertise their services, and I understand that sponsorship brings their name into public view ... but they don't have to sound so smug about spending their profits on something I detest.

      I suppose they're hardly going to sponsor porn, though ...

      1. Khaptain Silver badge

        Re: Word of advice

        "if they refrained from telling me how they were 'proudly' supporting some farcical football tournament"

        Now you know why your interest rates are so low.

        "I suppose they're hardly going to sponsor porn, though .."

        Could be interesting:

        The Royal Bank of Scotland proudly presents "Ana Lorgy", voted most promising Star for 2014. The jury was presided by Stephen Hester and Marc Dorcel.

  6. nematoad

    And...

    "We're raising awareness about tech possibilities and associated risk,"

    I do hope that they will mention the NSA, GCHQ and friends. If they were to start addressing the threat that these organisations pose to an individual's privacy then the campaign will be really worthwhile.

    I'm not hopeful that they will though.

  7. Nigel Brown

    Bring back the early 90's

    The problems all started when they made the internet easy to use by thick people....

    1. Anonymous Coward

      Re: Bring back the early 90's

      +1

      Only those with a computer science degree allowed anywhere near the Internet.

      Hands up those who have had to help friends/relatives/morons with systems infested with spyware etc ?

    2. Sir Runcible Spoon

      Re: Bring back the early 90's

      just not the 14k modems though yeah?

  8. codejunky Silver badge

    ???

    What is safe online? Considering the first point of manipulation is the user then that requires people all taught to understand in depth the changing face of internet threats. The same public containing gems like 'kid bought a real JCB on daddy's ebay account'. This isn't entirely the fault of the person, they have been sold the wonders of this magic box of wonder and glory with little else to go on.

    Obviously the next problem is the computer (or smart phone, or tablet). Is it secure? Do they know how to run updates on their os, anti virus, firewall and do they care? Of course it's secure because it has a firewall and anti virus that the *insert techie of the family* comes and updates it every few months. When the computer is misbehaving do these people know what to look for? Or even how to reinstall?

    We have yet to get to the network with the provided cheap router with default settings and insecure wifi or the many machines between that and the bank.

    How many people know that java is a security problem excluding techies? Everyone related to online sales has oversold their capability. Security is a dream which the govs of the world might be slightly aware after the NSA's exposure. Simply buying online isn't safe and managing money online isn't safe. Yet I have to explain this to the banks every time they offer it to me.

    The light at the end of the tunnel is credit cards and the protection they offer. In fact I bought one on the understanding that I am protected. Not because such a card keeps me safe but because the bank's fraud algorithms look out for odd activity and if I see anything the bank cancels that transaction at no loss to me. This has been tested once so far.

    1. Flocke Kroes Silver badge

      Unusual transactions

      I tried to buy a big TV - not something I do every decade. Someone claiming to represent the vendor asks me for the publicly available information my bank asks for when 'verifying' my identity. I explained that I did not give that information to unknown callers for security reasons, but I would be happy to call the vendor or the bank to answer the questions. This basic security measure was beyond the understanding of the caller and her computer was not programmed to offer any sensible solution, so the purchase is cancelled.

      I repeated the above with a different vendor. After the deal got cancelled, I got a call from someone claiming to represent the bank who said that someone might be trying to use my card. Again I refused to answer the questions. I called the bank, answered the questions and explained what was going on. They removed the block on my card, but could not do anything about processing the payment. [The solution was to go to the first vendor's shop, and pay there - I paid the internet price rather than the shop price because of the failed online transaction.]

      If a few computer illiterates take a passing interest in online security then the first time they try to apply their new knowledge they will be stonewalled by the vendors' and the banks' brain dead payment processing systems. The place to start online security education is with the banker responsible for making the bank's web site look stylish. Also the programmer responsible for hiding the 'http://' in Firefox should receive some proper security training with a clue bat.

      1. Anonymous Coward

        Re: Unusual transactions

        Interesting, I have had emails/calls when a transaction has failed, but they have told me to contact the bank, then after talking to the bank to confirm it was me the retailer reprocessed the transaction...

        Never have I had the company call me, usually that would indicate they were doing it wrong...

        And I have spent over 7k in one go on a Credit Card online before with no queries...

  9. Anonymous Coward

    ""people tend to adopt technologies and think about security issues later, if at all. Facebook is a prime example. We are aiming to change behaviours"."

    Let the weak fall!

    Fakebook users deserve it especially.

  10. CaptainHook

    Here's A Crazy Idea

    "The study warns that attacks on computer networks could soon threaten critical infrastructure"

    ****

    Don't put critical infrastructure on networks accessible from internet. Even if you think you have a firewall filtering that traffic... don't do it.

    Put an air gap in front of everything critical, it really is that simple.

    1. MrXavia

      Re: Here's A Crazy Idea

      I agree that the critical things should be separate,

      but there are plenty of valid reasons for allowing remote access, such as monitoring, but the only exposed access should be via a VPN..

      1. Jonathan Richards 1

        Re: Here's A Crazy Idea @MrXavia

        > there are plenty of valid reasons...

        Nope, I disagree. For *critical infrastructure*, if it needs monitoring, then put an authorised and trained human adjacent to it in order to monitor it. Or an untrained man and a dog. The man watches the monitors, and the dog bites the man if he tries to touch anything ...

        1. Will Godfrey Silver badge

          Re: Here's A Crazy Idea @MrXavia

          But... But...

          Won't somebody think of the shareholders?

  11. LazyLazyman

    The user is not the only fault

    One of the biggest problems, to me, seems to be the tech industry (Us lot). There is definitely an attitude (as shown by the comments here) that these things are not complex, but that everyone is stupid. It's the same thing I see on car forums. "ABS is a waste of time. Learn to drive properly" and "The only point in the MoT is people are too lazy".

    Unfortunately most people don't give a shit how their PC works, how the Internet functions or how to safely navigate black ice. They understand their part of the world and don't care about the rest. They just want it to work with minimal input. Until the IT industry at large accepts that this is the case and this does not make them stupid we will continue to have these problems. We will continue to have routers sent out with default passwords and firewalls that throw a wobbly from time to time forcing people to either learn how they work or switch them off. Unsurprisingly people switch them off because it is something complex getting in the way of what they want to do right now.

    Apple seem to have got this to some extent. So do phone manufacturers. Car makers understand that most people don't want to get greasy and fix their car, just go to a garage and say "It's broken. Fix it". Anyone saying "Use linux" has missed this by so far they require a long-haul flight to get back to the point. I use linux myself, but it is not currently a practical choice for the general public.

    The IT industry needs to understand the public rather than looking down on them.

    1. Anonymous Coward

      Re: The user is not the only fault

      'Unfortunately most people don't give a shit how their PC works, how the Internet functions or how to safely navigate black ice. They understand their part of the world and don't care about the rest. They just want it to work with minimal input'.

      True, but it's not necessarily a justifiable position, is it? I'm hopelessly dependent on my car dealership to deal with problems and service my car. However, I still have a rudimentary duty of care - checking oil, checking tyre pressures etc.

      Unfortunately now what the 'great unwashed' are looking for in IT is the same as in any other area of their lives - absolution of responsibility. That's a problem, and not just in IT. I know people not just with cavalier attitudes toward IT security but with wilfully dismissive attitudes (as in they think it's funny), and the same perspective applies to all areas of their lives.

      Another issue is that IT security is not, and will never be marketably 'sexy'. Especially now in the trout-pouting 'celeb' glitz era in which we live, there's little time in these people's domes for anything that's not fish-lips pictures on Facebook.

      1. Sir Runcible Spoon

        Re: The user is not the only fault

        "However, I still have a rudimentary duty of care - checking oil, checking tyre pressures etc.

        Unfortunately now what the 'great unwashed' are looking for in IT is the same as in any other area of their lives - absolution of responsibility."

        Totally agree. After all, who crashes into the tree if the brakes fail?

        Absolution of responsibility is not actually possible when it comes to your own safety - all you are doing is saying to the world "look at me, I am not in control of myself - please do it for me" (just with a more arrogant tone)

        1. LazyLazyman

          Re: The user is not the only fault

          Yes, that is true, but rather than saying "hold on a minute, perhaps we should have an easy way to check the engine oil and tyre pressure" much of the IT industry is saying the equivalent of "Why do you need a dip stick? Anyone who can't just remove the sump bolt, measure the oil volume, then pour it back in shouldn't be driving!".

  12. Anonymous Coward

    lose money from your bank account, nobody cares

    Well, I have an idea then - make the loser pay the bank double they got stolen from, that'll teach them, and they will care. Banks are happy, thieves are happy, everybody cares. What's not to like? :(

  13. Anonymous Coward

    Can we have a grown-ups internet?

    One for the kiddies

    One for the Facebook/cat video/Farmville/Twerking crowds

    One for the grown-ups.

    Thankyou

  14. Anonymous Coward

    Get Safe Online yearly shindig

    Every year they have a conference, your tax money pays for "international crime agency people" to have a jolly in London for a week.

    Every year the blaze of publicity within SOCA to this little gem is astounding....yet no one outside uk.gov hears much about it apart from a few quotes whenever someone famous gets their hacked bank account story in the news.

    Get Safe Online is just a quango, and most of its staff are former hi-tec crime unit bods

  15. jacksongreen

    The various companies we interact with online need to up their game as well as they constantly send mixed messages which then leads to complacency and/or confusion within the average consumer base.

    A prime example are the various banks. If I access my bank accounts online I require multi-factor authentication with smartcard readers or pin code type tokens from one of the various vendors. If I phone them up on one of their published numbers they require me to answer security questions to authenticate myself.

    All well and good so far.

    The banks also make a point of printing on my statements that they will never ask me for account details etc in email or over the phone - and then completely break that rule every single time they phone me! The conversation goes something like

    them: "Hi this is XXX calling from YYY. Could I just take you through security to verify your identity ?"

    me: "No because you called me so I have no idea if you are who you say you are"

    They usually get quite irate at that point for reasons that are beyond me. However the point is if our banks insist on phoning us up and asking us to give them security check information is it any wonder your average consumer then falls prey to various phishing scams since they have been conditioned that whilst their bank says they do not do it they do it every time they call them!

    1. Sir Runcible Spoon

      I had to complain to HSBC credit card support about this* a few years back.

      When it happened again I escalated it to their manager who told me that they had been trained now and should be adopting new processes.

      Next time it happened they called and gave me a number to call that I knew was their number so we could discuss things - but they still wanted me to verify stuff on my CC that was hard to keep track of even with my statement in front of me! So I suggested that next time they call we exchange bits of info that only each other would know.

      Now that's what they do each time they need to call. They give me one part of my info, I give them the rest.

      So sometimes they learn.

      Mind you, I don't know who programs their systems because once I had to go back into a shop to buy the loaf of bread that I forgot and it got flagged, yet when I bought a £7k motorbike it went through without a blip - go figure.

      *this = the 'bank' calling me to ask me personal questions

  16. Anonymous Coward

    Penalties are not severe enough & Banks need to know their customers better

    Let's try a different tack here...How about making the penalty for deliberate banking, credit or identity fraud, life in prison (I'd rather give them the death penalty but then you Europeans would consider that "harsh".) then have absolutely no mercy on the convicted and make public examples of them wherever possible. On top of the life in prison, confiscate absolutely EVERYTHING the thief owned.

    Personally, flogging with a Cat O' Nine Tails, dipping in salty lemon juice, dousing with napalm and being dropped into the very pits of Hell are not good enough punishment for these thieves.

    How about the banking people actually "looking" at the customer's buying history before screwing up valid transactions? For example I am on BofA and they regularly mess with my NewEgg transactions to the point where I have to call the frigging fraud department BEFORE I make a transaction or even go out of town on vacation so the dumbasses in the call center don't arbitrarily kill my purchase/deny my card/screwup my hotel reservation etc.

    I could understand if the transaction was to be shipped to Timbuktu or happened off continent, but my home and place of business are quite clearly stated in my banking records. Funny though, they did not hassle my more expensive purchase at CampMor so there is no logic or reason in their system. I buy at both companies online stores but purchase way more frequently from NewEgg.

    Even then, they will call my home phone # instead of the cell # I have told them to call so I won't find that they called until the transaction has been irreparably voided, making me have to do it all over again and possibly losing a deal in the process.

    There just HAS to be a better way to do this.

  17. Camilla Smythe

    Good to see...

    That the advertising industry is well ahead of the curve in respect of 'Consumer Choice' and education thereof. Why.. only yesterday I visited their 'opt-out' site and all of the 'participants' failed to install cookies on my computer. I must be doing something wrong.

  18. Henry Wertz 1 Gold badge

    Optional

    "The way I see it is that a bank has a duty to put in place sufficient security for it to keep our money safe. That's safe from (traditional) theft, safe from internet theft and safe from themselves being unable to give it back to us when we ask for it."

    They do, and in the US it is by law (for credit cards and bank accounts US law requires protection -- but NOT debit cards! However most banks cover debit as well.) BUT, I do feel for banks that are expected to cover transactions where you never update your decrepit copy of Windows, take no precautions, but for some reason keep your credit card info there anyway, and it gets taken. That is really on you, and not at all on the bank, although banks generally will reverse charges and give you the money back anyway.

    Re: "Unusual Transactions". My mom's had the same problems... both the bank, the cell phone company, and DirecTV, they of course say to NEVER give account info to anyone unless you can verify their identity, for instance on incoming calls. She's gotten incoming calls from them all: "To verify your identity please blah-de-blah", and they are just SHOCKED when she says "your own security rules disallow me to do that, I will call in, thanks". She calls in and Yeah, it was the bank or cell co, requesting she violate their own security rules -- and it was not a security test (i.e. chew her out for breaking the rules if she gives up the info), it would just be for whatever.

    Re:"I mean absolutely everyone has heard of the porn filter thing, but does anyone even know what Anti-virus is? Noooooo. Why the HELL isn't it built in to all these devices?" etc....

    Get away from Windows and you will find you don't run into these rampant virus problems. And you will not get infected by just clicking a link. For that matter, Windows XP, Vista, and 7 all have Security Essentials FOR FREE, just like you want. (XP didn't ship with it, but it installs via windows update... as far as I know Vista and 7 include it.)
