Banks slip through virus loophole
Is my money safe? A quiet rule change allows British banks to refuse to compensate the victims of online fraud if they do not have "up-to-date" anti-virus protection.
A small addition to the Banking Code seems like such a minor thing. But the change, which came into effect at the end of March, has analysts and academics alike alarmed at what it could mean for online banking customers. Since the 2005 edition of the code (which dictates how UK banks do business with customers), section 12.9 has advised customers to keep their PCs secure. "Use up-to-date antivirus and spyware software and a personal firewall," it says.
The contentious addition to the new version is section 12.13. "Unless you have acted fraudulently or without reasonable care (for example, by not following the advice in section 12.9), you will not be liable for losses caused by someone else which take place through your online banking service," it says.
Thieves in the site
To banking security expert Steven Murdoch, that signals an official shift in liability for online banking fraud to the end user. "The most likely way the new rules will be applied is that the bank will decide they don't want to refund a customer, and may choose to quote this rule in their reasoning," says the researcher in the security group at the University of Cambridge's computer laboratory.
It's easy to see why banks might be worried about online security. Although losses from online banking fraud dropped a third last year compared to 2006, banks still lost £22.6m to online banking thieves. And Graham Cluley, senior technology consultant at antivirus firm Sophos, warns that banking trojans - malware that watches your PC in an attempt to steal your banking details - is becoming more sophisticated.
"The traditional way they do it is to log your keystrokes, but more sophisticated ones examine your mouse clicks or even take a little movie," says Cluley, adding that the trojans often target UK banks.
The code seems to allow it, but would banks ever really dictate that customers must use antivirus software if they're going to be compensated for internet fraud? "I wouldn't say never, but it's not on the agenda currently," says Sean Gilchrist, director of electronic banking at Barclays, which already distributes a pinpad which provides two-factor authentication for customers accessing its online banking service.
"I think that there may be particular circumstances where there has been a piece of fraud and we might challenge a customer harder," says Gilchrist, "but we're saying that we have an online fraud guarantee, and there's nothing in our plans to review that stance."
While at least some UK banks leave their options open, experts worry about other banking industries that have set a precedent by imposing draconian online security measures.
Breaking the bank
The New Zealand Bankers' Association (NZBA) revised its own banking code with a clause giving banks the explicit right to access customers' computers in the event of a fraudulent transaction. They could check whether the computer had anti-virus and anti-spyware protection, and if customers refused to hand over their equipment, their fraud claims could be dismissed.
Upset by customer protests, some New Zealand banks subsequently distanced themselves from the NZBA's code, essentially creating an unofficial, more lenient interpretation. "If they had gotten away with it, it would certainly have deterred a lot of defrauded customers from claiming," says Murdoch's colleague Ross Anderson.
"And what would happen when you bank using your PC at the Guardian, you get defrauded, [the bank] demands the PC, and the Guardian says no?" asks Anderson. "What if your wife or your daughter says no, as they have personal and sensitive data on the PC?"
Eric Domage, research manager for security products and services at analyst firm IDC, worries about social exclusion. If banks decide to interpret the UK Code in a way that forces computer users to guarantee the security of their PCs, a subset of UK society could be affected, he warns.
"Those who can't afford to have a PC but use a web cafe PC - including many immigrant workers in the UK - how would they have access?" he asks. After all, verifying the security level of a publicly used PC is as difficult as verifying the security of a private PC, weeks or months after a security breach.
Such arguments are premature, according to banking industry spokespeople eager to ease customer concerns. "This is not an offloading of responsibility," says one spokesperson at the British Bankers' Association, which administers the code. "We don't envision banks saying 'you lost money online so we're not paying you'."
Mark Bowerman, spokesperson for APACS, argues that the new provisions are there to protect customers by making responsibilities for online banking security clearer. But where one ambiguity is resolved, others may arise. "The Banking Code is a recommendation and always vague and high level," says Domage, who worries that banks may interpret the code as they see fit in the future. Are APACS and the BBA really in a position to guarantee that won't happen?
The code leaves other ambiguities, too. "For example, what is a good antivirus software?" Domage asks. Barclays is currently reviewing the F-Secure antivirus software that it provides for free to members of its online banking service and may switch packages. Would banks be happy for customers to use antivirus software that they didn't authorise? Several respected security researchers have a dim view of antivirus software overall. "It's not completely worthless, but mostly worthless," says Joe Stewart, senior security researcher at SecureWorks, who writes his own malware analysis tools from scratch.
Part of the problem is that malware writers increasingly test their work against antivirus engines before trying to infect computers with them, he says, which gives them a head start over the companies writing the antivirus software.
You can't stop them all
Most security vendors agree that there's no silver bullet for malware, and that a complete security guarantee is unlikely. But you're better off with antivirus software than without it, they add. "You won't be able to stop 100% of the viruses and infections," says Cody Pierce, a researcher at security research and intrusion prevention firm TippingPoint, "but you'll stop some of them."
But if you can't guarantee that you'll block banking trojans or other malware with antivirus software, how useful is it to mandate it in the Banking Code (or, as New Zealand's code did, to explicitly suggest that your fraud claim would be dismissed without it?)
Bowerman emphasises that banks would only begin to question customers' online security in cases of obvious negligence. "If you are the victim of a phishing attack, the vast majority of people get their money back," he says. "But if it happens seven times in seven weeks, then the bank is probably within its rights not to give you your money back."
That would be a clearcut case, but not all incidents are as black and white. Exactly what constitutes negligence when it comes to online security? "Every bank has their own fraud investigation team and will look at each instance on a case-by-case basis," says Bowerman. This makes it difficult for customers to know where the line is drawn.
Even though security experts may have difficulty agreeing on how effective online security measures really are, the Banking Code's new clause seems pretty clear on what insecurity means. Using such resolute language to address a problem as complex and volatile as online security apparently leaves the banks as the only party with room to manoeuvre.
Danny Bradbury
The Guardian, Thursday June 12 2008
© Guardian News and Media Limited 2008
Is my money safe? A quiet rule change allows British banks to refuse to compensate the victims of online fraud if they do not have "up-to-date" anti-virus protection.
A small addition to the Banking Code seems like such a minor thing. But the change, which came into effect at the end of March, has analysts and academics alike alarmed at what it could mean for online banking customers. Since the 2005 edition of the code (which dictates how UK banks do business with customers), section 12.9 has advised customers to keep their PCs secure. "Use up-to-date antivirus and spyware software and a personal firewall," it says.
The contentious addition to the new version is section 12.13. "Unless you have acted fraudulently or without reasonable care (for example, by not following the advice in section 12.9), you will not be liable for losses caused by someone else which take place through your online banking service," it says.
Thieves in the site
To banking security expert Steven Murdoch, that signals an official shift in liability for online banking fraud to the end user. "The most likely way the new rules will be applied is that the bank will decide they don't want to refund a customer, and may choose to quote this rule in their reasoning," says the researcher in the security group at the University of Cambridge's computer laboratory.
It's easy to see why banks might be worried about online security. Although losses from online banking fraud dropped a third last year compared to 2006, banks still lost £22.6m to online banking thieves. And Graham Cluley, senior technology consultant at antivirus firm Sophos, warns that banking trojans - malware that watches your PC in an attempt to steal your banking details - is becoming more sophisticated.
"The traditional way they do it is to log your keystrokes, but more sophisticated ones examine your mouse clicks or even take a little movie," says Cluley, adding that the trojans often target UK banks.
The code seems to allow it, but would banks ever really dictate that customers must use antivirus software if they're going to be compensated for internet fraud? "I wouldn't say never, but it's not on the agenda currently," says Sean Gilchrist, director of electronic banking at Barclays, which already distributes a pinpad which provides two-factor authentication for customers accessing its online banking service.
"I think that there may be particular circumstances where there has been a piece of fraud and we might challenge a customer harder," says Gilchrist, "but we're saying that we have an online fraud guarantee, and there's nothing in our plans to review that stance."
While at least some UK banks leave their options open, experts worry about other banking industries that have set a precedent by imposing draconian online security measures.
Breaking the bank
The New Zealand Bankers' Association (NZBA) revised its own banking code with a clause giving banks the explicit right to access customers' computers in the event of a fraudulent transaction. They could check whether the computer had anti-virus and anti-spyware protection, and if customers refused to hand over their equipment, their fraud claims could be dismissed.
Upset by customer protests, some New Zealand banks subsequently distanced themselves from the NZBA's code, essentially creating an unofficial, more lenient interpretation. "If they had gotten away with it, it would certainly have deterred a lot of defrauded customers from claiming," says Murdoch's colleague Ross Anderson.
"And what would happen when you bank using your PC at the Guardian, you get defrauded, [the bank] demands the PC, and the Guardian says no?" asks Anderson. "What if your wife or your daughter says no, as they have personal and sensitive data on the PC?"
Eric Domage, research manager for security products and services at analyst firm IDC, worries about social exclusion. If banks decide to interpret the UK Code in a way that forces computer users to guarantee the security of their PCs, a subset of UK society could be affected, he warns.
"Those who can't afford to have a PC but use a web cafe PC - including many immigrant workers in the UK - how would they have access?" he asks. After all, verifying the security level of a publicly used PC is as difficult as verifying the security of a private PC, weeks or months after a security breach.
Such arguments are premature, according to banking industry spokespeople eager to ease customer concerns. "This is not an offloading of responsibility," says one spokesperson at the British Bankers' Association, which administers the code. "We don't envision banks saying 'you lost money online so we're not paying you'."
Mark Bowerman, spokesperson for APACS, argues that the new provisions are there to protect customers by making responsibilities for online banking security clearer. But where one ambiguity is resolved, others may arise. "The Banking Code is a recommendation and always vague and high level," says Domage, who worries that banks may interpret the code as they see fit in the future. Are APACS and the BBA really in a position to guarantee that won't happen?
The code leaves other ambiguities, too. "For example, what is a good antivirus software?" Domage asks. Barclays is currently reviewing the F-Secure antivirus software that it provides for free to members of its online banking service and may switch packages. Would banks be happy for customers to use antivirus software that they didn't authorise? Several respected security researchers have a dim view of antivirus software overall. "It's not completely worthless, but mostly worthless," says Joe Stewart, senior security researcher at SecureWorks, who writes his own malware analysis tools from scratch.
Part of the problem is that malware writers increasingly test their work against antivirus engines before trying to infect computers with them, he says, which gives them a head start over the companies writing the antivirus software.
You can't stop them all
Most security vendors agree that there's no silver bullet for malware, and that a complete security guarantee is unlikely. But you're better off with antivirus software than without it, they add. "You won't be able to stop 100% of the viruses and infections," says Cody Pierce, a researcher at security research and intrusion prevention firm TippingPoint, "but you'll stop some of them."
But if you can't guarantee that you'll block banking trojans or other malware with antivirus software, how useful is it to mandate it in the Banking Code (or, as New Zealand's code did, to explicitly suggest that your fraud claim would be dismissed without it?)
Bowerman emphasises that banks would only begin to question customers' online security in cases of obvious negligence. "If you are the victim of a phishing attack, the vast majority of people get their money back," he says. "But if it happens seven times in seven weeks, then the bank is probably within its rights not to give you your money back."
That would be a clearcut case, but not all incidents are as black and white. Exactly what constitutes negligence when it comes to online security? "Every bank has their own fraud investigation team and will look at each instance on a case-by-case basis," says Bowerman. This makes it difficult for customers to know where the line is drawn.
Even though security experts may have difficulty agreeing on how effective online security measures really are, the Banking Code's new clause seems pretty clear on what insecurity means. Using such resolute language to address a problem as complex and volatile as online security apparently leaves the banks as the only party with room to manoeuvre.
Danny Bradbury
The Guardian, Thursday June 12 2008
© Guardian News and Media Limited 2008
