
Security, Customer Protection and Bank Regulation



Presentation Transcript


  1. Security, Customer Protection and Bank Regulation
  Ross Anderson, Saar Drimer, Steven Murdoch, Cambridge University Computer Laboratory

  2. ATM Fraud in the 90s
  • Andrew Stone started cloning mag strip cards using shoulder surfing; others followed
  • Customer complaints met with ‘Our systems are secure – you must be mistaken or lying’
  • 1992: McConville and others v Barclays and others. 2000 plaintiffs, 13 defendants, £2m
  • See ‘Why Cryptosystems Fail’ for lessons learned
  • Banks won using legal tactics
  • Later: Stone sent to jail

  3. ATM Fraud in the 90s (2)
  • It wasn’t just Stone and his accomplices!
  • Thefts from the mail
  • Design and software errors
  • Frauds by insiders
  • …
  • The Munden case (see ‘Liability and Computer Security: Nine Principles’)
  • And the Banking Code!

  4. ATM Fraud in the 90s (3)
  • In the USA, the first case (Judd v Citibank) went the right way, leading to Regulation E
  • In the UK, the banks’ ability to disclaim liability did not save them money!
  • They spent more on security than US banks, and suffered pro rata more fraud
  • This got us interested in the economics of security – this case is an example of moral hazard

  5. It’s Not Just ATMs!
  • In the late 1990s, online banking took off
  • Most banks rewrote their terms and conditions so that if you accepted a password for online (or phone) banking, all fraud became your fault
  • Online (and phone-based) bank fraud is now rising nicely – phishing was £35m in 2006 (and that’s only what the banks paid)

  6. Back-end Systems
  • Many systems – ATM, point-of-sale, online banking – rely on hardware security modules
  • These are supposed to stop bank programmers stealing crypto keys, PINs
  • We looked at them and found they didn’t work (‘Cryptographic Processors – a Survey’)
  • Even when fixed, they keep on being broken by new ‘features’ from VISA (see ‘A Note on EMV Secure Messaging’)
  • Basic problem – systems now too complex

  7. Chip and PIN
  • The EMV (‘chip and PIN’) initiative started in the 1990s
  • Described in APACS’ own documents as a ‘liability shift’
  • If a PIN is used, a disputed transaction is the customer’s fault. If a signature is used, it’s the merchant’s fault.
  • Guess what’s now happening to fraud?!?

  8. What Goes Wrong
  • PEDs ‘evaluated under the Common Criteria’ were trivial to tap
  • GCHQ wouldn’t defend the brand
  • APACS said (Feb 08) it wasn’t a problem
  • Not so…

  9. What Goes Wrong (2)
  • Many design errors here too!
  • A good design takes PIN and challenge, encrypts to get response
  • But the UK one first tells you if the PIN is correct
  • This puts your safety at risk if your bank card is CAP-enabled
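The design point on this slide, modelled as an added Python example (not code from the talk or from any EMV/CAP specification). Design A folds the typed PIN and the challenge into the response, so the card emits the same kind of output whether the PIN was right or wrong and only the issuer can tell; Design B checks the PIN on the card first and reports the result before anything reaches the bank. The card key, the PIN on file, the use of HMAC-SHA256 in place of the card's cryptogram, and the function names are all assumptions made for the model.

```python
from __future__ import annotations

import hmac
import hashlib
import secrets

# Constructed values for this model (not real EMV/CAP parameters): a per-card
# key shared with the issuer, and the PIN the issuer holds on file.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PIN_ON_FILE = "4821"


def _mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 stands in for the card's MAC (CAP uses an EMV cryptogram)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# Design A, the one the slide calls good: the card never compares the PIN.
# It mixes the typed PIN into the response, so a wrong PIN gives a response of
# exactly the same shape as a right one. Only the issuer can tell them apart,
# and the issuer therefore sees (and can count) every failed attempt.
def good_card(entered_pin: str, challenge: bytes) -> tuple[str, str]:
    return ("RESPONSE", _mac(CARD_KEY, entered_pin.encode() + challenge))


def issuer_verify_good(challenge: bytes, response: str) -> bool:
    expected = _mac(CARD_KEY, PIN_ON_FILE.encode() + challenge)
    return hmac.compare_digest(expected, response)


# Design B, the one the slide criticises: the card checks the PIN first and
# reports the result before anything reaches the bank. Whoever holds card and
# reader learns offline whether a PIN was right, with the issuer none the wiser.
def bad_card(entered_pin: str, challenge: bytes) -> tuple[str, str | None]:
    if entered_pin != PIN_ON_FILE:
        return ("PIN INCORRECT", None)
    return ("OK", _mac(CARD_KEY, challenge))


def issuer_verify_bad(challenge: bytes, response: str | None) -> bool:
    if response is None:
        return False
    return hmac.compare_digest(_mac(CARD_KEY, challenge), response)


def holder_can_tell(card, challenge: bytes) -> bool:
    """Does the card's own output reveal whether the PIN was right?

    Compares the status the card returns for the real PIN and for a wrong one.
    If the statuses differ, the card by itself is a local PIN-correctness
    oracle, which is the property the slide objects to.
    """
    wrong_pin = "0000" if PIN_ON_FILE != "0000" else "1111"
    status_right, _ = card(PIN_ON_FILE, challenge)
    status_wrong, _ = card(wrong_pin, challenge)
    return status_right != status_wrong


if __name__ == "__main__":
    chal = secrets.token_bytes(8)
    for name, card in (("good", good_card), ("bad", bad_card)):
        print(f"{name} design: card output reveals PIN correctness? "
              f"{holder_can_tell(card, chal)}")
```

In Design A the issuer's check (`issuer_verify_good`) is the only place a wrong PIN is detected, so failed attempts are visible and countable on the bank side; in Design B the card announces the result locally, so PIN-correctness feedback is available to whoever holds the card and reader, and the issuer never sees the attempt.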

  10. What Goes Wrong (3)

  11. Redress and Regulation
  • The Lords’ Science and Technology Committee inquiry into Personal Internet Security (2007): mandatory breach reporting; an end to dumping responsibility on end users; report fraud to police not banks; fix incentives (especially for banks); …
  • Government response: ‘Imposing legislation on banks to be held liable for losses incurred as a result of electronic fraud does not seem to be the appropriate approach to ensuring that banks maintain their customer information securely’

  12. Redress and Regulation (2)
  • EU Payment Services Directive 2007/64/EC
  • Article 83: Member States shall ensure that adequate and effective out-of-court complaint and redress procedures for the settlement of disputes between payment service users and their payment service providers are put in place for disputes concerning rights and obligations arising under this Directive, using existing bodies where appropriate.
  • ECB: but for UK lobbying, would have been tougher!
  • Treasury: ‘Government favours maintaining existing standards of consumer protection…’

  13. Redress and Regulation (3)
  • The Treasury would like to think the Financial Ombudsman Service (FOS) will be enough
  • But FOS accepts secret evidence from banks, puts burden of proof on customers, and backs the bank against the customer. (Barclays sends in the bailiffs before the ombudsman decision is final!)
  • See FIPR submission to the Hunt Review of FOS for examples of judgments that are ‘an affront to reason and to justice’

  14. Redress and Regulation (4)
  • Lord Hunt’s finding: ‘In response, FOS senior management said they looked at each individual case on its unique facts … in many cases, the overall balance of the evidence made a mistake on the part of the complainant a much more likely explanation. I saw no evidence that would lead me to dispute those claims’

  15. Redress and Regulation (5)
  • Systemic problem – destruction of evidence (cards, logs, CCTV, …)
  • Systemic problem – difficulty in going to court
  • Systemic problem – the complaints that come to us as last resort are almost all ethnic minority, or women, or elderly working-class pensioners
  • Systemic problem – lack of proper record keeping (of what happened to complaints)

  16. Redress and Regulation (6)
  • Letter to FSA Aug 2007 after Hector Sants’ appointment
  • Response: chip and PIN cutting fraud; can’t comment on FOS; banking code makes liability clear; …
  • Recent contact about specific problem with RBS/NatWest credit cards
  • Response: FSA deals with debit cards but not with credit cards

  17. Redress and Regulation (7)
  • We were hired by the European Network and Information Security Agency (ENISA) to report on ‘Security Economics and the Single Market’ (Jan 2008)
  • Our report recommended, inter alia, an EU-wide security breach reporting law; EU-wide fraud statistics; harmonised financial dispute resolution procedures

  18. FSA Public Position
  • Lord Turner: ‘There has to be a bit of humility … some of the things we said in the past must have been wrong, because otherwise it wouldn’t have gone wrong’
  • According to the FT, he wants to hire more people and pay them higher salaries than in the past
  • How should this be earned?

  19. The Critical Lesson
  • It’s now clear that bank regulators accepted bank financial-economics models too readily in the past
  • I hope it’s also now clear that bank regulators were also complacent about bank security models
  • This has led to rising fraud and persistent serious injustice

  20. A Way Forward?
  • Key proposal: the primary goal of bank regulation should not be protecting the banks but protecting the customers
  • That means preventing systemic collapse – but many other things too
  • Protecting customers, and maintaining customer confidence, also means stopping banks defrauding their customers

  21. Conclusion
  • For years, UK banks (unlike US banks) have got away with blaming customers for fraud
  • This has twice led to waves of card fraud
  • It’s spreading to online banking too
  • It’s not sustainable for A to guard a system while B carries the cost of fraud!
  • If the FSA can’t deal with this, then someone else will have to assume that regulatory burden
