Updated 29 August.
Internet banking is used by many New Zealanders every day. People like it because it’s quick and convenient and banks like it because it’s cheap to run. And on the rare occasions when it has gone wrong and people have had money stolen, the banks have always covered. That’s changing: a few weeks ago the New Zealand Bankers’ Association released a new code of practice which makes the banking customer – that’s you and me – at least partly responsible for the security of Internet banking. If you report a fraud, the banks are demanding the right to inspect your computer to see if you have secured it, and “may decline your claim if you refuse”. Hmm.
I talk here about whether we should trust Internet banking if the banks are no longer prepared to pick up the tab when people get their accounts drained by thieves. Links at the end.
Q: We’ve heard a lot about this issue this week, with the Bankers’ Association releasing a code of practice which appears to put the onus of Internet banking security onto the customer. Does that put those of us who use Internet banking at risk?
A: Yes – some banks’ customers anyway. Frankly, the whole of computer security is a mess. It’s hard even for professionals to be certain that we have secured our machines. The main threats here are phishing – emails looking as though they come from a bank and asking you to put your password into a web site which looks like it’s from the bank – and spyware, which you will also hear called Trojans or keyloggers. Either of those can be used – and are being used – to capture people’s banking passwords.
Q: OK, so what can we do about this?
A: Until recently we have always tended to treat computer security as a communications problem, let’s just educate the public on how to protect itself – use up to date security software and so forth. But that’s patently not been working. And it’s not hard to see why. Most security software works by looking for suspicious activity and alerting the consumer. So, for instance, your web browser will put up a message saying there’s an invalid certificate sometimes. Do you know what that message means?
Q: No idea.
A: Quite. And you need pretty deep knowledge to understand what a certificate is and why it’s important. As far as just about anyone is concerned, you just press OK and keep going. Look at it from the consumer’s point of view: you have gone to the site to do Internet banking, and your computer puts up a message saying blah blah blah – would you like to continue? Of course everyone just clicks OK. This is where I take issue with the woman from the Bankers’ Association you had on the other day – communications have to be timely, relevant etc. She said that this was timely and relevant – I say it’s completely lost in the noise – people have gone there to do their banking, not deal with messages that hinder them from banking – messages that don’t even make sense to most of us. I’m not bagging the Bankers’ Association here; the whole model that treats computer security as something the user can take responsibility for is completely broken.
Q: That’s a pretty sweeping statement – what do you mean?
A: The security model we use for computers is basically that we have security programs that look for known malicious code. That’s all they do. It’s as though you secured a building by checking everyone who comes through the door against a list of faces faxed to you every week by the police. It assumes that only people on the list will do anything bad, and it assumes that you can recognize the bad guys; they aren’t disguised or just wearing glasses today. Except that it’s not your house we are talking about – it’s the contents of your bank account. Frankly, this is crazy.
Until now this hasn’t bothered people too much because the banks have always covered any losses from online banking. To the banks this is just a cost. It’s far less than the cost of credit card fraud, for instance, and hugely less than the cost of providing enough tellers to serve everyone if they went into the branches instead of banking online. The banks really really want you to use online banking because it keeps their costs down, and most of us like it because it’s convenient.
Q: But that’s changing – the new code says the banks won’t always take responsibility if someone uses Internet banking to drain your accounts. And that’s the big question – should we be using Internet banking?
A: Actually, no. Not unless you have two-factor authentication – that’s a system where you need more than your userid and password. You wouldn’t let people you don’t know wander round your house and leave all your money in cash on the dining room table. That’s what you are doing if you set up Internet banking with just a userid and password. Lots of banks offer a stronger system. I’m going to use ASB as an example because I know about it. ASB will text you a password every time you try to pay money away using Internet banking; that’s reasonably safe because it means that someone would have to have your mobile phone as well as your password to drain your account. Or ASB will provide you with a little gizmo to keep on your keyring that spouts numbers at you all day – that does much the same thing. But these things are optional. They shouldn’t be. The bank charges you for them. They shouldn’t. Some of the other banks do similar things with little cards covered in numbers that you keep in your wallet. Some banks – for shame – don’t do any two-factor authentication.
Q: Which banks are they?
A: I don’t have a list. But the person from the Bankers’ Association the other day said that some of their member banks don’t do two-factor authentication – we really need a better name for that, by the way – and that’s just unacceptable, triply so if they are trying to push some of the liability back onto customers.
Q: How can I tell if my Internet banking has this two-factor authentication?
A: Think about what happens when you use your online banking to pay someone else. The system will ask you for your id and password – does it ask you for something else, something that is different every time, like a number you read from a text message or off a separate machine? If so, you are much much safer than with just a password. The point is that a password alone is not good enough – worse than not good enough, it places your entire bank account at risk.
Q: So what should I do if my Internet banking doesn’t have the 2 factor authentication?
A: Call your bank and ask if it does have two-factor authentication for its Internet banking, and sign up for it. Be grumpy about having to pay for it if they insist that you pay. And if your bank doesn’t have two-factor, cancel your online banking password. Just stopping using it isn’t enough.
Q: You’re serious? You’d stop using Internet banking for that?
A: I’d stop using that bank. Seriously. Remember, you are letting people get the keys to your bank account and that bank is potentially going to welsh if someone takes money out of your account.
Q: So this is all because of the change in the bankers’ code of practice.
A: Yes, that’s what has shifted the liability away from the banks, with all the millions they can spend on security, towards the ordinary customer. After all, we wouldn’t expect the bank to make us liable if its vault got broken into!
Q: But that’s not what they are getting at – the Bankers’ Association is concerned about what happens on customers’ computers, whether they secure them properly. Isn’t it reasonable that someone who doesn’t do that should wear the risk of Internet banking fraud?
A: No, it’s not – because adequately securing a computer is not possible, certainly not for the average consumer. I don’t mean we should not take precautions. Everyone who uses Windows needs up to date security software. Unfortunately that’s the price of admission on the Internet these days. But that’s not enough. Security software won’t keep out every nasty, and people often ignore its recommendations anyway. The new code of practice leaves a big grey area in the middle – what is an adequate attempt to secure a computer? You’ll notice that the person from the Bankers’ Association the other day wouldn’t be drawn on exactly what constituted adequate security – that’s totally unacceptable. It leaves so much scope for a bank to wriggle through.
What if your anti-virus subscription is one month out of date? What if you are on dial-up and it hasn’t updated itself for a while? What if you use a Mac computer or a Linux computer that aren’t generally subject to these nasties – do you risk your accounts being drained without compensation if you don’t run extra security software that won’t actually make any difference on your computer? And, as a condition of covering a fraud, the banks demand the right to inspect your computer – how many people are going to want that? What if it was your employer’s computer because you had done some Internet banking from work?
The only way to be safe here is to use a system that requires two-factor authentication. If you have an Internet banking password that doesn’t use two-factor authentication, change it so it does use two-factor authentication, or cancel the password. Don’t keep an unprotected Internet banking password around – it’s not worth the risk.
Q: So what do you think about the revised code of practice?
A: It’s an incredibly short-sighted move by the Bankers’ Association. They are risking the whole notion of Internet banking – the whole “channel”, as the person from the Bankers’ Association kept calling it the other day. The banks lose very small amounts through covering this – why put that burden on their customers? Not only is that greedy, it’s likely to put people off using Internet banking altogether.
Incidentally, I should note that there are some banks which are not members of the NZBA and don’t subscribe to this view – I see you had Rabobank in the other day arguing the other side – perhaps they actually have a clue here. They make a big deal of the fact they have always done two-factor authentication and made it free to the customer. Good on them.
Update – today, 28th August, Westpac announced its Online Guarantee. It says that, unless you have used a machine knowing it to be infected by spyware, they will cover any losses due to fraud in online banking. That’s a good thing, and it’s the right thing for Westpac to do by its customers. I would have far less concern about using Westpac’s online banking system as a result.
Let’s hope the other banks are prepared to come out and offer their customers the same level of protection.
The Bankers’ Association code of practice – check page 36.
Netsafe’s page on securing your own computer.
A link to New Zealand security expert Peter Gutmann’s paper on phishing; i.e. tricking people into revealing banking passwords.