security, customer protection and bank regulation

Post on 23-Mar-2016


Security, Customer Protection and Bank Regulation

Ross Anderson, Saar Drimer, Steven Murdoch, Cambridge University Computer Laboratory

ATM Fraud in the 90s

• Andrew Stone started cloning mag strip cards using shoulder surfing; others followed

• Customer complaints met with ‘Our systems are secure – you must be mistaken or lying’

• 1992: McConville and others v Barclays and others. 2000 plaintiffs, 13 defendants, £2m

• See ‘Why Cryptosystems Fail’ for lessons learned

• Banks won using legal tactics

• Later: Stone sent to jail

ATM Fraud in the 90s (2)

• It wasn’t just Stone and his accomplices!
  – Thefts from the mail
  – Design and software errors
  – Frauds by insiders
  – …

• The Munden case (see ‘Liability and Computer Security: Nine principles’)

• And the Banking Code!

ATM Fraud in the 90s (3)

• In the USA, the first case (Judd v Citibank) went the right way, leading to Regulation E

• In the UK, the banks’ ability to disclaim liability did not save them money!

• They spent more on security than US banks, and suffered pro rata more fraud

• This got us interested in the economics of security – this case is an example of moral hazard

It’s Not Just ATMs!

• In the late 1990s, online banking took off

• Most banks rewrote their terms and conditions so that if you accepted a password for online (or phone) banking, all fraud became your fault

• Online (and phone-based) bank fraud is now rising nicely – phishing was £35m in 2006 (and that’s only what the banks paid)

Back-end Systems

• Many systems – ATM, point-of-sale, online banking – rely on hardware security modules

• These are supposed to stop bank programmers stealing crypto keys, PINs

• We looked at them and found they didn’t work (‘Cryptographic Processors – a Survey’)

• Even when fixed, they keep on being broken by new ‘features’ from VISA (see ‘A Note on EMV Secure Messaging’)

• Basic problem – systems now too complex

Chip and PIN

• The EMV (‘chip and PIN’) initiative started in the 1990s

• Described in APACS’ own documents as a ‘liability shift’

• If a PIN is used, a disputed transaction is the customer’s fault. If a signature is used, it’s the merchant’s fault.

• Guess what’s now happening to fraud?!?

What Goes Wrong

• PEDs ‘evaluated under the Common Criteria’ were trivial to tap

• GCHQ wouldn’t defend the brand

• APACS said (Feb 08) it wasn’t a problem

• Not so…

What Goes Wrong (2)

• Many design errors here too!

• A good design takes PIN and challenge, encrypts to get response

• But the UK one first tells you if the PIN is correct

• This puts your safety at risk if your bank card is CAP enabled
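The two reader designs contrasted above, as an added toy model in Python (not code from the talk, and not the real EMV-CAP protocol); the card key, PIN, challenge and the 8-digit code derivation are all assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the two CAP reader designs the slide contrasts.
# It is not the real EMV-CAP protocol: key, PIN and challenge formats are assumptions.

def card_cryptogram(card_key: bytes, challenge: str, pin: str) -> str:
    """8-digit response derived from the card key, the challenge and the PIN entered."""
    mac = hmac.new(card_key, f"{challenge}|{pin}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def good_reader(card_key: bytes, true_pin: str, challenge: str, entered_pin: str) -> dict:
    """'PIN and challenge in, response out': the reader never says whether the PIN
    was right. A wrong PIN simply yields a code that the bank will reject."""
    return {"pin_ok": None, "code": card_cryptogram(card_key, challenge, entered_pin)}

def uk_reader(card_key: bytes, true_pin: str, challenge: str, entered_pin: str) -> dict:
    """The design the slide criticises: the card checks the PIN locally and the
    reader reports the result before producing a code."""
    if not hmac.compare_digest(entered_pin, true_pin):
        return {"pin_ok": False, "code": None}
    return {"pin_ok": True, "code": card_cryptogram(card_key, challenge, entered_pin)}

def bank_verify(card_key: bytes, true_pin: str, challenge: str, code: str) -> bool:
    """Only the issuer, holding the key and the true PIN, can judge a response."""
    return hmac.compare_digest(code, card_cryptogram(card_key, challenge, true_pin))

def reader_is_pin_oracle(reader) -> bool:
    """Design check: can someone holding the card and reader, with no bank
    involvement, tell a right PIN from a wrong one? True means the device leaks
    PIN correctness offline, which is the risk the slide points at."""
    card_key = secrets.token_bytes(16)
    true_pin, challenge = "4921", "12345678"   # constructed sample values
    right = reader(card_key, true_pin, challenge, true_pin)
    wrong = reader(card_key, true_pin, challenge, "0000")
    return right["pin_ok"] != wrong["pin_ok"]

if __name__ == "__main__":
    for name, reader in (("good design", good_reader), ("UK design", uk_reader)):
        print(f"{name}: leaks PIN correctness offline = {reader_is_pin_oracle(reader)}")
```

The check is a property test on the reader's observable output: a design whose output differs between right and wrong PIN turns the reader into an offline PIN-verification oracle, which is what makes a CAP-enabled card riskier to hold.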

What Goes Wrong (3)

Redress and Regulation

• The Lords’ Science and Technology Committee inquiry into Personal Internet Security (2007): mandatory breach reporting; an end to dumping responsibility on end users; report fraud to police not banks; fix incentives (especially for banks);…

• Government response: ‘Imposing legislation on banks to be held liable for losses incurred as a result of electronic fraud does not seem to be the appropriate approach to ensuring that banks maintain their customer information securely’

Redress and Regulation (2)

• EU Payment Services Directive 2007/64/EC

• Article 83: Member States shall ensure that adequate and effective out-of-court complaint and redress procedures for the settlement of disputes between payment service users and their payment service providers are put in place for disputes concerning rights and obligations arising under this Directive, using existing bodies where appropriate.

• ECB: but for UK lobbying, would have been tougher!

• Treasury: ‘Government favours maintaining existing standards of consumer protection…’

Redress and Regulation (3)

• The Treasury would like to think the Financial Ombudsman Service (FOS) will be enough

• But FOS accepts secret evidence from banks, puts burden of proof on customers, and backs the bank against the customer. (Barclays sends in the bailiffs before the ombudsman decision is final!)

• See FIPR submission to the Hunt Review of FOS for examples of judgments that are ‘an affront to reason and to justice’

Redress and Regulation (4)

• Lord Hunt’s finding: ‘In response, FOS senior management said they looked at each individual case on its unique facts … in many cases, the overall balance of the evidence made a mistake on the part of the complainant a much more likely explanation. I saw no evidence that would lead me to dispute those claims’

Redress and Regulation (5)

• Systemic problem – destruction of evidence (cards, logs, CCTV, …)

• Systemic problem – difficulty in going to court

• Systemic problem – the complaints that come to us as last resort are almost all ethnic minority, or women, or elderly working-class pensioners

• Systemic problem – lack of proper record keeping (of what happened to complaints)

Redress and Regulation (6)

• Letter to FSA Aug 2007 after Hector Sants’ appointment

• Response: chip and pin cutting fraud; can’t comment on FOS; banking code makes liability clear; …

• Recent contact about specific problem with RBS/NatWest credit cards

• Response: FSA deals with debit cards but not with credit cards

Redress and Regulation (7)

• We were hired by the European Network and Information Security Agency (ENISA) to report on ‘Security Economics and the Single Market’ (Jan 2008)

• Our report recommended, inter alia, an EU-wide security breach reporting law; EU-wide fraud statistics; harmonised financial dispute resolution procedures

FSA Public Position

• Lord Turner: ‘There has to be a bit of humility … some of the things we said in the past must have been wrong, because otherwise it wouldn’t have gone wrong’

• According to the FT, he wants to hire more people and pay them higher salaries than in the past

• How should this be earned?

The Critical Lesson

• It’s now clear that bank regulators accepted bank financial-economics models too readily in the past

• I hope it’s also now clear that bank regulators were also complacent about bank security models

• This has led to rising fraud and persistent serious injustice

A Way Forward?

• Key proposal: the primary goal of bank regulation should not be protecting the banks but protecting the customers

• That means preventing systemic collapse – but many other things too

• Protecting customers, and maintaining customer confidence, also means stopping banks defrauding their customers

Conclusion

• For years, UK banks (unlike US banks) have got away with blaming customers for fraud

• This has twice led to waves of card fraud

• It’s spreading to online banking too

• It’s not sustainable for A to guard a system while B carries the cost of fraud!

• If the FSA can’t deal with this, then someone else will have to assume that regulatory burden
