The Banking Code of Conduct and liability for internet banking security
It seems that in March 2008 the voluntary banking code that banks in the UK comply with was changed.
Part of this change includes this paragraph:
Online banking
12.9 Online banking is safe and convenient as long as you take a number of simple precautions. Please make sure you follow the advice given below.
* Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
And a little further down is this:
Liability for losses
12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)
And there it is in black and white: if you do not follow the advice from the banks then you have not taken ‘reasonable care’, and any losses that you suffer will not be covered by the bank.
Why is this a big deal?
- If you use Linux or Mac, are you using Anti-Virus?
- If you use a mobile device (an iPhone or Blackberry for example), is a firewall installed?
There are many real world scenarios in which the advice given by the banks cannot be applied. But if you do not apply the advice, that is, install anti-virus software (kept bang up to date) and a firewall, you are liable for any losses suffered as a result of your account being compromised. Don’t even get me started on “spyware software”, anti-spyware surely?
And still the majority of banks in the UK continue not to conform to good security practices.
You are only secure if your online banking is protected by two of the following:
- Something you have
- Something you know
- Something you are
So if your online bank gives you an RSA code key and asks for your login credentials… then you have both 1 & 2 fulfilled. If you are lucky enough to have a biometrics system and also use a password, then you have 2 & 3.
But… if you are only asked for your account details, PIN, secret information… it only conforms to #2 above, “Something you know”. Even asking for 100 pieces of information you know is not secure… you are only secure if the login process asks you to provide 2 of the above types of data, not many items of 1 type of data.
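To make the "two distinct types, not many of one type" rule concrete, here is an added example (my own illustration, not code from the post or from any bank). It models a server-side login that checks every presented credential, records which factor each one proves, and only succeeds when two different factors are proven. The "something you have" factor is an RFC 4226 HOTP code of the kind an RSA-style code key generates; the password, memorable word and token seed are constructed demo values (the seed is the RFC 4226 test-vector secret), and the credential names are my own.

```python
"""Added example: two distinct authentication factors versus many of one kind."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), as a hardware code key generates."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    memorable_word_hash: bytes
    token_secret: bytes          # seed shared with the customer's token (hypothetical field)
    token_counter: int = 0       # next HOTP counter the server will accept


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def make_account(password: str, memorable_word: str, token_secret: bytes) -> Account:
    salt = os.urandom(16)
    return Account(salt, _kdf(password, salt), _kdf(memorable_word, salt), token_secret)


# Which factor each credential type proves. Passwords, PINs and memorable words
# are all "something you know"; the HOTP code proves possession of the token seed.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "memorable_word": Factor.KNOW,
    "hotp": Factor.HAVE,
}


def _verify_one(account: Account, kind: str, value: str, window: int = 5) -> bool:
    if kind == "password":
        return hmac.compare_digest(_kdf(value, account.salt), account.password_hash)
    if kind == "memorable_word":
        return hmac.compare_digest(_kdf(value, account.salt), account.memorable_word_hash)
    if kind == "hotp":
        # Allow a small look-ahead window for counter drift, then advance past the
        # used counter so the same code cannot be replayed.
        for c in range(account.token_counter, account.token_counter + window):
            if hmac.compare_digest(hotp(account.token_secret, c).encode(), value.encode()):
                account.token_counter = c + 1
                return True
        return False
    raise ValueError(f"unknown credential type: {kind}")


@dataclass
class LoginResult:
    success: bool
    factors: frozenset


def login(account: Account, credentials: list) -> LoginResult:
    """Check every presented (kind, value) pair; succeed only on two distinct factors."""
    proven = set()
    for kind, value in credentials:
        if _verify_one(account, kind, value):
            proven.add(CREDENTIAL_FACTOR[kind])
    return LoginResult(len(proven) >= 2, frozenset(proven))


# Constructed demo values; the token seed is the RFC 4226 test-vector secret.
DEMO_SECRET = b"12345678901234567890"


def make_demo_account() -> Account:
    return make_account("correct horse", "mothers maiden name", DEMO_SECRET)


if __name__ == "__main__":
    acct = make_demo_account()
    # Two pieces of knowledge: still only one factor, so the login is refused.
    print(login(acct, [("password", "correct horse"), ("memorable_word", "mothers maiden name")]))
    # Knowledge plus a code from the token: two distinct factors, accepted.
    print(login(acct, [("password", "correct horse"), ("hotp", hotp(DEMO_SECRET, 0))]))
```

The password-plus-memorable-word login is refused even though both values are correct, because both map to the same factor; password plus a valid token code is accepted, and presenting the same code a second time fails because the server has already moved its counter past it.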
It really angers me that banks are attempting to shift liability in an age of increasing risk as a result of electronic identity theft, when those same banks are failing to provide security and authentication procedures that are actually secure in the first place.