A new code reserving the right of banks to check the security of customer PCs in fraud cases has raised questions and quite a few hackles among users and commentators.
Talk about Computerworld’s June 25 scoop, which was republished in the US and followed up locally by The Dominion Post, as well as racking up 267 comments on technology uber-site Slashdot, has turned the spotlight on the banks’ own security measures, or lack of them, for improving confidence in internet banking.
One comment was typical: “Don’t banks themselves have a responsibility to use something just a little more secure than simple ID/password authentication before they start trying to deny liability?” asked Bruce Simpson on his blog www.aardvark.co.nz.
Spokespeople for the BNZ, National and ASB banks were quick to point out that they do offer two-factor authentication, whereby a confidential one-time code is sent to the customer’s cellphone or other special-purpose device; the customer then has to enter that code before being allowed access to their account. Registration for the scheme is free at the BNZ and 130,000 customers have adopted the feature to date, says spokeswoman Brenda Newth.
The ASB claims “more than 100,000” customers are using its two-factor authentication through either a special-purpose token or cellphone. The bank also points out that customers can set their own limits on how much can be transferred in one transaction. However, “there is a trade-off between security, convenience and cost,” says the ASB’s representative.
To judge from other commentators threatening to think twice about continuing with internet banking, the banks could be walking a fine line between deterring customers with unduly complex security precautions and putting off customers who don’t like the idea of having to prove their own security measures to their bank.
But the banks do get some support. “Fair enough too,” says a contributor with the pseudonym “allblack” on our sister publication PC World’s PressF1 forum. “Heaven forbid, personal responsibility! What is the world coming to,” he/she adds sarcastically. “After working for [a bank] for 24 years I have little sympathy for those who blame everyone else for their slack approach to risk and loss.”
“MacH8er” agrees: “Honestly, it’s not that hard to install antivirus, anti-spyware software and maybe a firewall and set the scanners to do a weekly scan at a time you’re not using the computer — in most cases they update themselves so there really is no excuse. People should be taking these sorts of precautions anyway if they are even thinking about moving any amount of money online.”
However, MacH8er says, “if the banks start [saying] ‘you must install X [antivirus] and X anti-spyware to use our service go here to pay $XXX’, then I will get irritated ever so slightly.”
Overseas comments echoed Simpson’s at Aardvark: “If the NZ banks are so hung up on security, then perhaps they should offer a comprehensive security package as part of their banking services,” wrote one US commenter. Such a package should be “client-server based and have updates applied each time the user logs in, at the bank’s expense,” he says. “And the bank will upgrade their own security procedures to a computer-security industry level to provide peace of mind for the customer.”
The commenter sees US banks as lacking in security. “I deal with six online banks and only one displays any measure of access competency,” he says. “One (Chase) requires a time-consuming renewal each time you try to access an account. And their customer service response was incompetent and rude. Most of the others require simple ID/password combinations that could be easily hacked.
“Only one (a credit union) requires multiple correct answers to questions not easily discerned by a hacker and of the type that do not need to be saved on a computer. It obviously took some intelligence and work to implement this.”
National Bank’s managing director of retail banking, Craig Sims, says he doesn’t expect the clause under which banks can request inspection of a customer’s PC to be invoked very often.
“We don’t anticipate invoking this clause except in very rare circumstances,” Sims says. This would be “with the specific purpose of seeking as much information as possible on how the loss may have occurred, and protecting against future losses.
“As the [banking] code indicates, this would only be with the consent of the customer concerned,” he says. “Given the very recent introduction of this provision, we are yet to finalise our policy in this regard.”
In April, National introduced two-factor authentication, called Online Code, for customers making online banking transactions, Sims says. This sends an eight-digit one-time code to the customer’s mobile phone when any relevant online banking function is used.
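The one-time-code schemes the BNZ, ASB and National describe above share the same server-side shape: generate a random code, deliver it out of band, and accept it once within a short window. The following Python is an added illustration of that shape and is not code from any of the banks or from the article. The eight-digit length comes from the text; the five-minute validity window, the three-attempt limit, the customer and account identifiers and the SMS wording are all assumptions made for the example. One deliberate design choice that the article does not spell out: each code is bound to a specific action (the payment details) and those details are repeated in the SMS, so malware on the customer’s PC that silently rewrites a payment cannot reuse a code issued for a different one, and the customer can spot the substitution on the phone.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 8          # eight-digit code, as described for National's Online Code
CODE_TTL_SECONDS = 300   # assumed validity window; the article gives no figure
MAX_ATTEMPTS = 3         # assumed guess limit; the article gives no figure


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OneTimeCodeService:
    """Issues and verifies single-use codes bound to one customer and one action."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, message); injected so the example runs offline
        self._clock = clock         # injected so expiry can be tested without waiting
        self._pending: dict[tuple[str, str], PendingCode] = {}

    def issue(self, customer_id: str, phone: str, action: str) -> None:
        # CSPRNG-backed code, zero-padded to a fixed width so short values leak nothing
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Re-issuing for the same action replaces any earlier code outright
        self._pending[(customer_id, action)] = PendingCode(code, self._clock())
        # The action text travels with the code so the customer can check what they are approving
        self._send_sms(phone, f"Your code for '{action}' is {code}. "
                              f"It expires in {CODE_TTL_SECONDS // 60} minutes.")

    def verify(self, customer_id: str, action: str, submitted: str) -> bool:
        key = (customer_id, action)
        pending = self._pending.get(key)
        if pending is None:
            return False                      # nothing issued, or already consumed / burned
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return False                      # expired: customer must request a fresh code
        pending.attempts += 1
        # Constant-time compare so response timing does not reveal matching prefixes
        ok = hmac.compare_digest(pending.code.encode(), submitted.encode())
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[key]            # single use on success; burned after too many guesses
        return ok


def _wrong(code: str) -> str:
    """A submission guaranteed not to equal the issued code."""
    return "1" * CODE_DIGITS if code == "0" * CODE_DIGITS else "0" * CODE_DIGITS


def demo() -> dict:
    """Walks the code lifecycle offline with a controllable clock and a captured SMS (constructed data)."""
    now = [1_000_000.0]
    sent = []
    svc = OneTimeCodeService(send_sms=lambda phone, msg: sent.append((phone, msg)),
                             clock=lambda: now[0])
    pay = "pay 500.00 to 12-3456-7890123-00"      # constructed, hypothetical payment
    other = "pay 9999.00 to 99-9999-9999999-00"   # a different action the malware might prefer

    def last_code() -> str:
        return sent[-1][1].split(" is ")[1].split(".")[0]

    results = {}
    svc.issue("cust-42", "+64 21 000 0000", pay)
    code = last_code()
    results["wrong_code"] = svc.verify("cust-42", pay, _wrong(code))
    results["wrong_action"] = svc.verify("cust-42", other, code)   # code is bound to `pay`
    results["right_code"] = svc.verify("cust-42", pay, code)
    results["replay"] = svc.verify("cust-42", pay, code)           # already consumed

    svc.issue("cust-42", "+64 21 000 0000", pay)
    code = last_code()
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.verify("cust-42", pay, code)

    svc.issue("cust-42", "+64 21 000 0000", pay)
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        svc.verify("cust-42", pay, _wrong(code))
    results["after_lockout"] = svc.verify("cust-42", pay, code)   # burned by repeated guessing
    return results


if __name__ == "__main__":
    print(demo())
```

The attempt cap matters more than it looks: an eight-digit code has only 10^8 values, so a server that accepts unlimited guesses within the validity window turns the second factor into a brute-force target. A real deployment would keep the pending table in a store shared across web servers rather than in process memory, and would rate-limit code issuance per customer as well as verification.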
Forensic expert raises concern about privacy
Another theme in comments about the new Banking Code of Practice is, unsurprisingly, customer privacy.
Christchurch-based computer forensic specialist Mike Chappell says people have a lot of very personal information and sometimes a lot of personal pictures, movies and so forth stored on their drives.
“They certainly wouldn’t want the bank examiners looking at that. This whole thing opens up a minefield,” he says.
Chappell also questions whether a bank inspector, finding evidence of other suspicious activity by the user — or by a cracker invading the user’s machine — would have the knowledge to deal with the evidence correctly.
“Will [bank investigators] fully examine the computer to see exactly what happened or just see if the security software is installed and up to date,” he asks.
It could be that the customer does not have adequate firewall and antivirus software but the compromise was achieved in an unrelated way — even one traceable to a failure of bank security.
The user’s coincidental shortcomings could nevertheless absolve the bank from liability, he says.
“Are the banks going to use qualified analysts, trained in computer forensics, who have obtained suitable qualifications? They can’t just use any old IT professional as I have seen more damage done [to the trail of evidence] by those guys than anyone else.”