For a number of reasons, security information is difficult to protect. Given a requirement for the customer to provide specific characters from a password, it must in practice be written down. If the customer has several accounts with different providers of services, each protected by a password, this presents a further dilemma: if the same password is used in each case, it will be easier to write it down in a form that disguises what it is, while leaving it still usable; but this solution has the drawback that each service provider knows a password that gives access not only to its own services but also to many others. This is very undesirable in security terms, and may be prohibited by some service providers’ contractual terms; but the alternative is to choose a different password for each service. Each must be written down in disguised form (if writing is even permitted), but in a form which still leaves the user able to know which service each password relates to. There is a very real risk that the conflict between these opposing requirements will be impossible for many users to reconcile successfully.
The problems are multiplied by the need to provide secondary security information, preferably unique for the purposes of each service for which it is required, and preferably not publicly available or generally known to the user’s family and friends. It is obvious enough that mother’s maiden name, wedding anniversary or names of the user’s children are unsuitable for these purposes; but it is notorious that such information is commonly used for exactly this purpose. Some banks’ terms explicitly prohibit the use of vulnerable information of this kind, and require further precautions, such as regular changes of password (which can cause users to choose easy-to-remember but insecure passwords, or to write them down). Such requirements are no doubt well intentioned, but they place an impossible burden of management on the customer who uses a multiplicity of password-protected services; and if the consequence of a failure to observe them satisfactorily is the customer’s loss of the protection of the £50 limit, as provided in the terms of Lloyds Bank TSB and the Woolwich, the result of a mistake could be extremely harsh.
An interesting example of a term which could prove troublesome for customers is found in the card terms of First Direct, the telephone banking division of HSBC Bank. Clause 4.1 of the terms provides that the card may be used:
‘... to pay for goods and services through the Internet using the ‘secure session’ features, which are included in the current versions of Netscape’s and Microsoft browsers enabling you to send card details in encrypted form. The use of the Internet to place orders or make payments with your card is otherwise not permitted’.
Although it does not seem that the customer loses the protection of the £50 limit by disregarding this term, customers who take the trouble to read the small print may not find it easy to know whether they are compliant. Many will not know how to detect whether they are in fact using the secure session features of their browser, and unless only the latest versions of the browsers are regarded as ‘current’, it seems difficult to be sure which versions are current for this purpose.
Before we proceed to consider online banking, it may be helpful to highlight the contrast between the use of signatures on cheques or other conventional written documents for verifying the authenticity of banking instructions, and the use of some combination of card, PIN and password or other security information for the same purpose.
The procedure for verifying the authenticity of banking instructions by using a PIN, password or other security information falls into the class of procedures based on a shared secret. When the customer uses a PIN, the bank uses its knowledge of the PIN to check that it is genuine. (The PIN can be obscured from casual observation within banks by encrypting it immediately after input, and this is standard procedure. But the value of this and related techniques is severely constrained by the limited security available in the 10,000 combinations provided by 4-digit PINs.) Such procedures may be contrasted with signature verification, which relies instead on the physiological property that a person can easily make his own signature but cannot easily make another person’s signature well enough for a forgery to pass careful examination.
People cannot give away their physiological properties, but either of the parties to a shared secret can reveal it to facilitate fraudulent use. Where two parties share a secret whose misuse can cause loss, it might seem remarkable that they should agree that one of them should assume sole responsibility for the loss of the secret. But that is in effect what the banks have expected of their customers: both the bank and customer must know the PIN, the customer to use it and the bank to check it. Both could reveal it to a third party who could misuse it.
Banks are of course regulated bodies required to be managed by persons fit and proper for the purpose, and (with occasional spectacular exceptions) do not pursue financial crime as a corporate purpose. But technical security measures are very difficult to design and implement successfully. One of the more notorious weaknesses of commerce and industry in Britain has been its inability to obtain the full potential benefit of information technology through failure to integrate it with other parts of a business. The computer department, even when called the information technology department, is rarely on the career path to the boardroom. Computer specialists, even when employed by banks, are rarely either managers or integrated into the ethos of management. They can easily become impatient of mainstream managers’ failure to understand the potential of information technology. Although no less honest than other professional people, computer specialists in banks are particularly vulnerable to the stresses of cultural isolation, low esteem, and the temptation to prove they can outwit the system. These considerations militate against any claim that the culpable disclosure of security information must necessarily be more likely to originate with the customer than with the bank.
The use of biometric information to authenticate customer transactions through cash dispensers is seen as an answer to the problem of reliance on shared secrets. Iris recognition is now being tested by the Nationwide Building Society as an alternative to PINs (Hawkes98). A cash dispenser compares various properties of a card user’s iris with a stored record, making it extremely difficult for anyone but the card owner to withdraw money using it. Their system is said to make only one error in 131,000 cases if the probabilities of falsely accepting or rejecting an individual are set equal. Even this might be an unacceptably high error rate if very large numbers of false attempts were feasible, which is of course not the case where the user must be personally present and the system is operated in the presence of attendants.
The risks are different in unattended or remote operation, where a photograph or video of the user’s iris might be presented to the camera; and the risks are liable to increase significantly if use becomes widespread in a variety of applications and many businesses come to have databases of customer personal identification and linked iris codes. And it remains the case that anyone with sufficient access to a bank’s financial systems may still be able to create false transactions linked to a customer. No doubt banks have procedural mechanisms to limit such risks, but there is no independent evidence by which customers can judge for themselves the effectiveness of such procedures, despite the fact that customers may be expected to rely on them by carrying the risk of fraud.
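The point made above about attended versus unattended operation turns on how many impostor attempts are feasible. The following calculation is an added illustration, not part of the original article, using only the figures the text quotes (10,000 four-digit PIN combinations and the 1-in-131,000 equal-error-rate figure for the iris trial); the attempt budgets are assumed for the sake of comparison.

```python
import math

PIN_SPACE = 10_000          # 4-digit PIN, 0000-9999, as the text notes
IRIS_EER = 1 / 131_000      # equal-error-rate figure quoted for the iris trial


def pin_guess_success(attempts: int, space: int = PIN_SPACE) -> float:
    """Probability that an impostor trying distinct PINs at random hits the
    right one within `attempts` tries (sampling without replacement)."""
    return min(attempts, space) / space


def at_least_one_false_accept(attempts: int, far: float = IRIS_EER) -> float:
    """Probability that at least one of `attempts` independent impostor
    presentations is falsely accepted when each has false-accept rate `far`."""
    return 1.0 - (1.0 - far) ** attempts


def attempts_for_confidence(target: float, far: float = IRIS_EER) -> int:
    """Smallest number of independent impostor presentations at which the
    chance of at least one false acceptance reaches `target` (0 < target < 1)."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - far))


if __name__ == "__main__":
    # Assumed budgets: an attended dispenser lets an impostor try a few times
    # before the card is retained; an unattended or remote channel may not.
    for label, budget in (("attended (3 tries)", 3), ("unattended (1,000,000 tries)", 1_000_000)):
        print(f"{label}: PIN guess {pin_guess_success(budget):.4%}, "
              f"iris false accept {at_least_one_false_accept(budget):.4%}")
    print("presentations for a 50% chance of one false accept:",
          attempts_for_confidence(0.5))
```

With a three-attempt budget both mechanisms hold an impostor well below 1%; with a large unattended budget the iris false-accept probability approaches certainty, which is the article's reason for distinguishing the two settings.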
Where the risk to the customer is effectively limited to £50, and where that limited risk can reliably be terminated by notification of the loss of a card, with the bank carrying the balance of the risk of fraudulent transactions, the outcome of the liability régime may seem reasonable enough. But where there is no financial limit, or where fraud can occur without the loss of the card to alert the customer, the outcome seems to us to be decidedly unreasonable.