But even if banking computer systems were perfect, the majority of the computers used by customers for on-line banking will be home PCs that are most unlikely to meet any serious security requirements.
The difficulties that users have in managing PINs and passwords have already been discussed, but a number of further problems arise from the use of PCs. People tend to be very trusting of others and can often be persuaded to reveal their PINs and passwords when they should not do so. Many people have difficulty installing software on their PCs and find an ‘expert’ neighbour or friend to help. It is not unusual to find that the helper will be given the codes needed to operate the service being installed, in order to check that it is working and to demonstrate its use to the real customer. Undoubtedly most helpers are honest but inevitably a few will use such knowledge for fraudulent personal gain.
A further concern is that typical PCs do not provide much real protection for PINs and passwords unless careful control is maintained over access to the PC as well as control over the software that is installed. PCs used for home banking will often be used by several family members for a wide range of different pursuits. It is not difficult for anyone who has ongoing access to install software that will capture sensitive account and password data entered by users for later collection. This could easily be achieved by another family member or by someone called in to maintain the machine.
Such attacks can be even easier to mount if the software used for online transactions is not very carefully designed. Most modern PC operating systems can appear to run several applications at once. They do this by temporarily moving applications and the data they are using from memory on to files on disc called swap files. Such files will often hold sensitive data such as passwords or security keys themselves, and they can be read with utilities that are widely available. A knowledgeable programmer could easily write software that searches the swap file to find the information. Recent research has shown that some security information has characteristics that are easy to detect unless it has been deliberately disguised, and this makes such attacks all the easier to design. A computer maintainer armed with software of this kind could easily recover such information as a matter of routine.
Although these forms of attack are probably rare at present, this is not the result of any inherent technical difficulty but because the gains are limited while online banking is not yet widespread.
In addition to attacks requiring physical access, PCs used on the Internet are vulnerable to attacks in which software is remotely installed to capture and transmit a user’s keyboard data to a remote location. Since users are routinely asked to install ‘add-ons’ such as applets and active controls, most users accept this as routine and will not understand how easy it is for a fraudulent site to install an applet that appears to offer one service but in reality captures and transmits security data back to the site in question. It would also be perfectly feasible to modify and redistribute an honest applet from a reputable company to do this. A number of cases have been reported recently in which commercial software has been found to provide its supplier with information about its user’s activities, without the user having been made aware of the fact.
An even more potent attack would be one based on a computer virus (software designed to transfer itself from one computer to another unknown to their users, either on diskettes or over the Internet, and capable of affecting the working of any computer it reaches). Current viruses exhibit a range of behaviours from benign (or even beneficial) effects through to those of a highly malicious character, designed to inflict substantial damage on a victim’s PC or the data it contains. But it is straightforward to write a virus that, once installed, looks for and captures PINs, passwords, account details and other sensitive data for transmission back to the virus writer when the victim next goes on line. By making such a virus covert – that is, as silent as possible, so that a PC user is unaware of its presence – it could easily do its job over months or even years without being detected.
Although we are not aware of such viruses having been written or released, the steady growth of online banking and electronic commerce will make the possibility a virtual certainty in the not too distant future. It is a threat against which many PCs have little defence. The BBC provided a vivid illustration of this type of attack on 22nd November 1999 in a programme in its Crime Squad series. A remote user was shown using the Internet to monitor a session in which a customer used an online banking service. The remote user was able to capture the security information necessary to carry out a successful subsequent transaction on the customer’s account. The basis of this attack was not explained in detail, but it could easily have been mounted by installing a special program (in this case probably not a spreading virus) using a macro contained in a document attached to an email message (like the Melissa virus but less visible in its effect). Such possibilities must be regarded as far from remote.
To counter attacks of these types, Microsoft has introduced a capability for software to be signed with a digital signature so that its origin can be checked. Such signatures allow the operating system to verify the signature on a piece of code before it is allowed to run. In an ideal world this would offer a meaningful improvement in security if customers were willing and able to use it; but even if all suppliers of software could be persuaded to offer signatures, the operating system has to be trusted to carry out reliable checking of the signatures involved, and this is not as easy as it might seem.
The inherent difficulties involved in computer security are discussed in The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, a paper by scientists from the US National Security Agency (Loscocco98). That agency is responsible for the security of US Government communications and for monitoring and deciphering foreign communications for intelligence purposes. Any paper by the NSA on computer system security carries very high weight indeed. The thrust of this paper’s argument is that it is unrealistic to expect that security mechanisms can be implemented in software without computer operating systems that offer effective security features of a kind that do not exist in current products.
Although purely software-based PC banking procedures seem acceptable now, for reasons such as those discussed it is hard to believe they will continue to be seen as a robust online banking solution for the longer term. Although the use of signature keys based on public key cryptography can greatly reduce the risks presented by the use of PINs, passwords and other shared secrets, even then the customer is dependent on keeping the private key secret despite the need to use it in a PC. In such an environment the customer is exposed to risks of the private key being compromised without having any means of detecting the compromise until fraudulent use comes to light. A sophisticated attack might leave no evidence of how it occurred, and the customer is therefore weakly placed to resist an assertion by the bank that the transaction must have been authorised.
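The sign-then-verify pattern behind both the signed-code mechanism described above and customer transaction signing, as an added example that is not part of the original report and not Microsoft's or any bank's own code: an Ed25519 signature (a modern scheme chosen for illustration; the envelope, names and payment string are this example's own constructions) is checked against a trusted public key before the payload is acted on, a single altered byte fails the check, and, as the text warns, a signature made with a copied private key is indistinguishable from a genuine one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Signed carries some bytes (a program image in the code-signing case, a
// payment instruction in the transaction case) with the originator's
// signature over them. The envelope format is this example's own.
type Signed struct {
	Payload   []byte
	Signature []byte
}

// GenerateKeyPair creates the originator's Ed25519 key pair. The verifier
// must hold the public key somewhere it cannot be swapped for another.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign signs the payload. Anyone holding a copy of priv can do the same,
// so a valid signature proves possession of the key, not the owner's intent.
func Sign(priv ed25519.PrivateKey, payload []byte) Signed {
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify returns the payload only when the signature checks out against the
// trusted public key. Code that runs or acts on the payload must take it
// from this return value; the check is only as trustworthy as the system doing it.
func Verify(trusted ed25519.PublicKey, s Signed) ([]byte, error) {
	if len(trusted) != ed25519.PublicKeySize {
		return nil, errors.New("trusted key has the wrong length")
	}
	if !ed25519.Verify(trusted, s.Payload, s.Signature) {
		return nil, errors.New("signature does not match payload")
	}
	return s.Payload, nil
}

// Tamper flips one payload byte (an altered program or a redirected payment) and keeps the old signature.
func Tamper(s Signed) Signed {
	p := append([]byte(nil), s.Payload...)
	if len(p) > 0 {
		p[len(p)-1] ^= 0x01
	}
	return Signed{Payload: p, Signature: s.Signature}
}
```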