We recently reported that the Commissioner of the Met, Sir Bernard Hogan-Howe, said that banks should not refund fraud victims as this would just make people careless with their passwords and antivirus. The banks’ desire to blame fraud victims if they can, to avoid refunding them, is rational enough, but for a police chief to support them was disgraceful. Thirty years ago, a chief constable might have said that rape victims had themselves to blame for wearing nice clothes; if he were to say that nowadays, he’d be sacked. Hogan-Howe’s view of bank fraud is just as uninformed, and just as offensive to victims.
Our spooky friends at Cheltenham have joined the party. The Register reports a story in the Financial Times (behind a paywall) which says GCHQ believes that “companies must do more to try and encourage their customers to improve their cyber security standards. Customers using outdated software – sometimes riddled with vulnerabilities that hackers can exploit – are a weak link in the UK’s cyber defences.” There is no mention of the banks’ own outdated technology, or of GCHQ’s role in keeping consumer software vulnerable.
The elegant scribblers at the Financial Times are under the impression that “At present, banks routinely cover the cost of fraud, regardless of blame.” So they clearly are not regular readers of Light Blue Touchpaper.
The spooks are slightly more cautious; according to the FT, GCHQ “has told the private sector it will not take responsibility for regulatory failings”. I’m sure the banks will heave a big sigh of relief that their cosy relationship with the police, the ombudsman and the FCA will not be disturbed.
We will have to change our security-economics teaching material so we don’t just talk about the case where “Alice guards a system and Bob pays the costs of failure”, but also this new case where “Alice guards a system, and bribes the government to compel Bob to pay the costs of failure.” Now we know how Hogan-Howe is paid off; the banks pay for his Dedicated Card and Payment Crime Unit. But how are they paying off GCHQ, and what else are they getting as part of the deal?
So there are still insufficient (are there any?) chief officers who understand either security economics or computing. I’d have hoped that things would have moved on by now. I retired as a Chief Constable nearly 15 years ago, and I knew more then about computer fraud than Hogan-Howe does now. Let’s hope that someone on his staff who is suitably qualified reads this and puts him right. A good leader is always ready to listen.
Something GCHQ might get out of the deal is access to bank records without … cumbersome procedures. Knowing how and where people spend money is invaluable in investigating them.
The link with the text “technology” (http://www.cl.cam.ac.uk/~rja14/papers/SEv2-c18.pdf) is, er, outdated and gives a 404.
I have it from an inside source that in general briefings to all staff GCHQ states that staff should avoid using online banking,
Sorry, the link’s now fixed.
Well, I also avoid using online banking. I wonder how many other things we agree on with the spooks?
Earlier today, I was phoned by my old card issuer’s Fraud department to confirm a suspicious transaction was indeed fraudulent. This is apparently the result of a “mass compromise” – and considering I haven’t used that particular card since it was issued, apart from one charge from the company it was issued through, there’s a pretty short list of places it could have leaked from.
Almost a shame they were so proactive – it could have been entertaining in a way to see them try to dodge the blame for a compromise which was almost certainly within their own systems…