Today Which? released their survey of online banking security. The results are summarized in their press release and the full article is in the September edition of “Which? Computing”.
The article found that there was substantial variation in what authentication measures UK banks used. Some used normal password fields, some used drop-down boxes, and some used a CAP smart card reader. All of these are vulnerable to attack by a sophisticated criminal (see for example our paper on CAP), but the article argued that it is better to force attackers to work harder to break into a customer’s account. Whether this approach would actually decrease fraud is an interesting question. Intuitively it makes sense, but it might just succeed in putting the manufacturers of unsophisticated malware out of business, and the criminals actually performing the fraud would just buy a smarter kit.
However, what I found most interesting were the responses from the banks whose sites were surveyed.
Barclays (which came top due to their use of CAP) were pleased:
“We believe our customers have the best security packages of all online banks to protect them and their money.”
In contrast, Halifax (who came bottom) didn’t like the survey saying:
“Any meaningful assessment of a bank’s fraud prevention tools needs to fully examine all systems whether they can be seen directly by customers or not and we would never release details of these systems to any third party.”
I suppose it is unsurprising that the banks which came top were happier with the results than those which came bottom, but to a certain extent I sympathize with Halifax. They are correct in saying that back-end controls (e.g. spotting suspicious transactions and reversing fraudulent ones) are very important tools at preventing fraud. I think the article is clear on this point, always saying that they are comparing “customer-facing” or “visible” security measures and including a section describing the limitations of the study.
However, I think this complaint indicates a deeper problem with consumer banking: customers have no way to tell which bank will better protect their money. About the only figure the banks offered was HSBC saying they were better than average. Fraud figures for individual banks do exist (APACS collects them), and they are shared between the banks, but they are withheld from customers and shareholders. So I don’t think it is surprising that consumer groups are comparing the only thing they can.
I can understand the reluctance in publishing fraud figures — it makes customers think their money is not safe, and no bank wants to be at the bottom. However, I do think it would be in the long-term best interests of everyone if there could be meaningful comparison of banks in terms of security. Customers can compare their safety while driving and while in hospital, but why not when they bank online?
So while I admit there are problems with the Which? report, I do think it is a step in the right direction. They are joining a growing group of security professionals who are calling for better data on security breaches. Which? were also behind the survey which found that 20% of fraud victims don’t get their money back, and a campaign to get better statistics on complaints against banks. I wish them luck in their efforts.
3 thoughts on “Which? survey of online banking security”
I regard Barclays as the best of a very bad bunch, and very far from Which?’s given rating of excellent.
Few if any banks actually authenticate the transaction in any meaningful way, and none that I’m aware of come even close to doing it properly.
My advise to people is,
If your bank or building society offer you Internet Banking read the small print on who’s liable, then tell them no thank you. If they add it to your account as a default or as a courtesy, change bank as fast as you possibly can.
It has been known for something like ten years what is needed in principle if not practice but the banks appear not to get it (or don’t want to).
The fraud figures for individual banks are, indeed, collected by APACS but are only shared with the banks in aggregate – unless you stumble across information in the pub or in relation to a specific incident, you may know who is doing particularly well or spectacularly badly but you won’t have hard data on anybody other than yourselves.
I was an ineffective proponent of requiring CAP at log-in (or, at least, allowing the customer to choose) or limiting the transactions available on a 4P login. Unfortunately, this was not popular with the customer groups (in fact, the whole card reader thing was massively unpopular) and was not implemented in my time (and is still not there).
The bandwidth available with CAP is very poor so the effort has gone in to attacking the most vulnerable stages of the fraud – the transfer of the money from the initial victim’s bank (not necessarily their bank account) and the subsequent transfer out of the UK banking system. Unfortunately, successes in these areas don’t lend themselves well to headline nor to uninformed external analysis.
A change in the law to the American model, where liability is clearly with the banks, is something Ross has been campaigning for for years and is long overdue. On the other hand, we should not conflate the necessity for “security breach reporting” with a desire for more information on fraud – the two are very different.
could you elaborate on what a ‘4P login’ refers to?
this is an interesting article. i’m currently writing a short paper on user behaviour in relation to security for online banking. the perspective you suggest – that the complexity and overhead this entails for the user can be avoided (or is worthless) if sufficient smarts are applied to monitoring and automatically blocking transactions which appear abnormal – is certainly interesting in the context of my research. i suppose we end up back at Security Theatre.