Malware protection out of date? Then don't blame us if your online bank account gets hacked. That was the message sent out by the UK banking industry when the British Bankers' Association (BBA) updated its Banking Code and Business Banking Code last Monday, according to a Friday article on The Register.
The Codes--essentially user agreements that all participating BBA banks use (both are published by the BBA)--warn online banking customers that they might be responsible for their own losses if they "act without reasonable care," citing two sections as examples. One of those sections reads: "Keep your PC secure. Use up-to-date antivirus and spyware software and a personal firewall." It should be noted that the clause existed in previous editions of the Code; The Register was merely pointing out that, even after the Codes' revisions, it is still there.
Of course, it's wishful thinking that anyone actually reads their banking agreements that far without going into legalese-induced shock. (When my bank recently made changes to its privacy policy, I called to opt out of their data collection "service." The person who helped me seemed genuinely surprised that I had actually read through all of the fine print.) And anyone who has had any dealings with insurance or banking companies will likely suspect that this clause exists through the efforts of an in-house lawyer who found another way to avoid paying out damages.
Let's stop and consider this for a moment. Is this a case of preemptively blaming the victim, or a stern reminder to ordinary folks that security is important? The Banking Codes are, pleasantly surprisingly, written in plain English, which implies that the BBA actually expects its customers to read them. Section 12, which contains the part about keeping your PC secure, consists entirely of advice for keeping your bank account information safe, including such mundane things as shredding old statements and writing checks carefully.
The BBA says it is unaware of the clause ever being invoked, but that's a little like getting ready to run across a busy highway because it worked out fine the last three times. The fact that the clause exists is enough. The question is, how responsible can we expect consumers to be? On the one hand, people will have very little sympathy for someone who gets robbed if they make a habit of leaving their doors unlocked. But even a young child knows how to lock a door, and why you need to lock it; many computer users don't know how to properly maintain their anti-malware defenses, or even why they should.
Years ago, I told an older friend of mine that she needed to get a firewall for her recently upgraded system. Her response was, "I don't have anything anyone would want to steal." Tech-savvy users might roll their eyes, but think about that for a moment: she didn't know anything about botnets, zombie computers, e-mail viruses or Trojan horses. And why should she? From the average computer user's perspective, that's a little like asking people to explain the mechanics of an automatic transmission just because they can drive.
However, car owners are expected to at least perform basic maintenance, and--in a perfect world--banks should no more be liable for users' security lapses than car makers should be for people who haven't changed their oil in three years. The challenge is for software makers to make better, more secure software; for anti-malware vendors to make their products less confusing to the average user; and for all of us technical folks to explain in clear terms to the less nerdy why and how they should be careful. (And don't be too smug: even smartypants get burned online.) With luck, the BBA will never have to invoke that clause.
(Thanks to Slashdot for the pointer.)
British Bankers' Association here! Good article. Let's get this straight though: it is still the case that customers are not responsible for losses on any of their bank accounts unless they have acted fraudulently or without reasonable care.
Yes, we do advise customers to keep their computers secure by using up-to-date security software. And we also warn against responding to suspicious emails (as do banks).
But the key point is that failure to follow this advice will not necessarily result in a customer being asked to foot the bill for losses. Each bank will have its own approach and will assess each case on its merits. And the burden of proof will always lie with the bank to prove the customer has behaved unreasonably or fraudulently.
And yes please do read the Code for yourself: we worked hard to make it an easy read!
Why take the risk? All operating systems (OS) firmly installed on re-writable media such as a hard disk are prone to attacks. As a customer, just use an operating system which boots your PC from NON-REWRITABLE media such as a normal CD, explicitly for the banking session. Enough of them are available (Knoppix, Kanotix, PuppyLinux etc.). The CD contains all the utilities you need for online banking. For the duration of your session, it is a hard nut to crack. A back door left in a session would disappear when you boot your PC again. Give it a try. And to those in the banking establishment: do you think you have a chance if a customer proves he/she used this method? The PC may show a lot of traces of trojans etc., but these don't have a heck of a chance if the customer boots the PC using the CD. The logs on the banking server must show what OS and browser were used by the customer!