When I log on to my internet bank I am first asked to enter two ID numbers. I didn't pick them, they don't change without reason and they're printed on a little card that my bank sent me for easy reference. I can also save these numbers to my computer to skip this step on future visits. Then I'm asked for three characters from my chosen password – today it was the 1st, 2nd and 6th characters. I cannot skip this step. Then my account info appears and, if I choose, I can make a money transfer to a stranger.
Soon, it will be unlawful for my bank to rely upon this security system – yet no legislation or court rulings are needed to change the law. It will just happen.
My bank is using single-factor authentication: in effect it is only using one means of checking who I am, by asking me to provide details of something that I know (my password). When I try to take money from a cash machine, my bank demands more: something that I know (my PIN) and something that I have (my card). This is two-factor authentication and it's the direction the industry is already taking. But in doing so, it changes how the law must be applied.
The reason is found in the Data Protection Act. It has a security principle that says: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
So when a bank holds account data, it has a duty to protect it against theft. The Act tells banks to do this "having regard to the state of technological development and the cost of implementing any measures".
There is no mention of phishing, pharming or Trojans in the legislation; but banks have to keep up with best practices in security, otherwise they fall foul of the Act. The penalty for non-compliance is not horrific. However, it would be open to the Information Commissioner to act on a complaint or to undertake a review of the whole sector. And if an account holder loses money in a phishing attack, that individual could take action.
The bank may offer to reimburse those losses in exchange for the customer's discretion; but the savvy customer might seek to humiliate the bank. He can sue for damages to recover his loss as well as compensation for any distress suffered (the Act provides for this); he can seek to recover his legal costs; and he can ask his favourite journalists to broadcast his battle. No bank wants that.
There is a general duty under the FSA's Senior Management Arrangements, Systems and Controls sourcebook (12-page / 164KB PDF) to take "reasonable care to establish and maintain appropriate systems and controls" to address, among other things, the risk of financial crime. Failing to keep up to date with what is "appropriate" could result in hefty fines from the FSA.
As for what is appropriate, there is recent evidence of change. Last Wednesday, US banks were sent a letter from the Federal Reserve, telling them that they have until year-end 2006 to conform to authentication guidance (14-page / 167KB PDF) published the previous day by the Federal Financial Institutions Examination Council (FFIEC), a consortium of US financial agencies.
The Council wrote: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties."
The FFIEC guidance examined various technologies. It looked at smart cards; password-generating tokens; biometrics; out-of-band authentication (any technique that verifies a customer's identity through a channel other than the one the customer is using to initiate the transaction – e.g. using text messaging to confirm a transfer instruction received from a computer); IP address location and geo-location services.
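To make the single-factor versus two-factor distinction concrete, here is an added illustration (not code from the bank, the FFIEC or the author) of the two checks in the article: the bank's "three characters from your password" login as the knowledge factor, and a password-generating token (RFC 4226 HOTP) as the possession factor, with the FFIEC policy that a high-risk action such as a transfer needs both while viewing the account needs only one. The password, token seed and action names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: a customer password and a token seed (the RFC 4226 test seed).
PASSWORD = "correcthorse"
TOKEN_SEED = b"12345678901234567890"
HIGH_RISK = {"transfer"}  # actions that, per the FFIEC guidance, need a second factor


def challenge_positions(length: int, k: int = 3) -> list[int]:
    """Server picks k distinct 1-based character positions, as the bank's login does."""
    return sorted(secrets.SystemRandom().sample(range(1, length + 1), k))


def check_partial_password(password: str, positions: list[int], answer: str) -> bool:
    """Knowledge factor: compare only the requested characters, in constant time."""
    expected = "".join(password[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a password-generating token shows for a given counter."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_token(seed: bytes, counter: int, code: str) -> bool:
    """Possession factor: the submitted code must match the token's current counter."""
    return hmac.compare_digest(hotp(seed, counter), code)


def authorise(action: str, knowledge_ok: bool, possession_ok: bool) -> bool:
    """Viewing the account needs the knowledge factor; moving funds needs both."""
    if not knowledge_ok:
        return False
    if action in HIGH_RISK:
        return possession_ok
    return True


if __name__ == "__main__":
    positions = challenge_positions(len(PASSWORD))          # e.g. [1, 2, 6]
    knowledge = check_partial_password(PASSWORD, positions,
                                       "".join(PASSWORD[p - 1] for p in positions))
    possession = check_token(TOKEN_SEED, 0, hotp(TOKEN_SEED, 0))
    print("view allowed with password only:", authorise("view", knowledge, False))
    print("transfer allowed with password only:", authorise("transfer", knowledge, False))
    print("transfer allowed with password + token:", authorise("transfer", knowledge, possession))
```

Note that a partial-password scheme forces the server to keep the password in a recoverable form rather than as a one-way hash, which is one more reason the knowledge factor alone is weak.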
In the UK, APACS issued similar guidance recently: "In view of the growing incidence of Trojans and phishing attacks directed at internet users, banks are recommended to move towards stronger authentication for their online banking customers."
Of course, customer lawsuits are very unlikely because banks generally will keep up to date with the best solutions available.
US banks are currently working together on a standardised fob for account access, according to Michael Jackson, associate director of technology supervision at the Federal Deposit Insurance Corp. UK banks are working together on a card reader for account access, according to APACS, with a standard likely to be agreed by the end of 2005. And last week, Lloyds TSB began trialling two-factor authentication among 30,000 customers, the largest trial of its kind in the UK.
There are many technologies on the market and the FFIEC is not picking its favourite. Likewise, APACS is not saying that card readers are the only way forward. The point is that if money transfers can be made online, security that transcends a username and password will be necessary. The law will evolve to recognise that, and the lawmaker is neither judge nor politician – it's the banks and their security suppliers.
By Struan Robertson, Editor of OUT-LAW. These are the personal views of the author and do not necessarily represent the views of Pinsent Masons.
Struan will be speaking at OUT-LAW's Phishing Conference in London on 27th October 2005.