09 April 2008

Security? - Don't Bank on It

A useful article here dissecting what's wrong with the latest version of the UK Banking code, "the voluntary consumer-protection standard for UK banks", which was released last week:

Until the banks are made liable for fraud, they have no incentive to make a proper assessment as to the effectiveness of these protection measures. The new banking code allows the banks to further dump the cost of their omission onto customers.

When the person responsible for securing a system is not liable for breaches, the system is likely to fail. This situation of misaligned incentives is common, and here we see a further example. There might be a short-term benefit to banks of shifting liability, as they can resist introducing further security mechanisms for a while. However, in the longer term, it could be that moves like this will degrade trust in the banking system, causing everyone to suffer.

The House of Lords Science and Technology Committee recognised this problem in the banking industry and recommended a statutory change (8.17) under which banks would be held liable for electronic fraud. The new Banking Code, by allowing banks to dump yet more costs on customers, is a step in the wrong direction.

I also wonder what the banks' attitude to people using GNU/Linux systems might be, given the following requirement:

Online banking is safe and convenient as long as you take a number of simple precautions. Please make sure you follow the advice given below.

• Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.

Since GNU/Linux users tend not to run anti-virus programs, and rarely run a "personal firewall" product of the kind the Code has in mind: does that mean they are always liable?
