Examination of Witnesses (Questions 680
WEDNESDAY 28 FEBRUARY 2007
Q680 Lord Sutherland of Houndwood:
I would like to take a little bit further this issue of not reporting
to the police. If I recall correctly the recent case in Leicestershire
involving one of the big petrol station chains was picked up by
an alert local police station when motorists came in and said
they thought it was that particular cash machine. Is the issue
that the police are no longer required or allowed to take on such
reports? Do you know about the case I am referring to?
Professor Anderson: I do not know about the
Leicester case but I know of a significant number of other cases.
One of the most recent cases was at the BP garage at Girton in
Cambridge. I have a local neighbourhood watch wanting me to go
round and give a talk to them. The thing is also potentially high
profile in that there is some suspicion of terrorist involvement,
in particular that the Tamil Tigers are targeting Tamil speakers
who work in retail, getting them to put these skimmers on. There
is some evidence for this which has to do with money being taken
out in places like Thailand where operational supplies are bought
and shipped across to Sri Lanka. In this particular case the insecurity
of chip and pin terminals may be contributing materially to war.
Q681 Lord Sutherland of Houndwood:
The question really was, was there a police involvement that helped
detect this because if there was that is really quite important?
Professor Anderson: The police involvement that
alerted everyone to this going on was a police officer in the
Thai resort of Phuket who caught a chap using white plastic and
turned down a bribe of seven million baht, arrested the guy and
went to the hotel room and found this large suitcase of white
plastic. That is basically what caused everybody to realise that
there was significant organised crime going on. Until that happened,
as far as I am aware, the various policemen had been dealing with
local issues and just thought it was some bad man locally. In
one particular case where we assisted, the banks were unwilling
to admit that skimming of a chip and pin terminal was even technically
Q682 Lord Harris:
You have said several times that the police standard practice
is to refer people to their banks, but my understanding is that
practice varies very widely. Could I just clarify that you are
saying that it is standard practice always to refer people to
their banks or that there are plenty of instances where that happens.
Professor Anderson: I am informed by the police
officers that we have dealt with on this that since January the
rule has been that they are to refer people to the banks who will
be the first responders to allegations of card fraud.
Q683 Lord Harris:
The rule they describe, is that in a particular force or is that
a rule set for the country as a whole?
Professor Anderson: I understand that it is
a rule set for the country as a whole. I could not quote the exact
guidance on that.
Q684 Lord Harris:
If you are able to provide us with more information that would
be very interesting because my understanding was that that was
not what the police were saying nationally, but that does not
mean that another bit of the police are not saying that.
Professor Anderson: I will write to you on that.
Q685 Lord Howie of Troon:
The more evidence I hear, the more I get dismayed. I really do.
This brave world does not seem to be doing all that well. What
I want to ask you is that the FIPR evidence told us quite a bit
about misaligned incentives. Can you tell me where are the main
areas where incentives should be realigned in order to improve
security, which seems to be in need of improvement?
Professor Anderson: The main ways in which incentives
can be realigned I think are areas we have already covered such
as the matter of the kind of contracts that the bank has with
their customers where, until very recently, there was settled
law which said, for example, if you sign something with a manuscript
signature then there are certain protections and that a forged
signature could not be held against you and the bank was not allowed
to re-write its terms and conditions so it could debit your account
with a forged cheque. Of course this has changed over the last
few years in respect of bankers' contracts with their customers
in electronic matters. That is perhaps the single most important
thing as far as the bulk of harm that has been done to people
through credit card fraud and other types of financial fraud is
concerned. The second set of incentives that you have are those
incentives for software and service providers to provide, shall
we say, more secure software and less damaging services. Here
it becomes more complex. It would indeed be useful if we could
get software vendors to accept more liability for the consequences
of what they do but it becomes more complex because of externalities.
To take one example, browsers can be set to have a certain language
vulnerable in that, for example, you can go to a web page which
then tells your browser to change its DNS settings somewhere else
and you then go to a phishing site instead of to a bank's website.
that you cannot buy a ticket from EasyJet.
Q686 Lord Howie of Troon:
That seems a good idea!
Professor Anderson: So you end up with, shall
we say, sub-optimal ways of working being very well embedded in
the world because of hundreds of thousands of little design decisions
taken by third parties. It is these externalities which cause
most of the stickiness which stops us improving things directly.
turned off by default there would be a huge outcry from people
who could not book flights or could not shop or whatever, and
would find a way to turn it on and more websites would have to
be re-written. It is this kind of inertia that we are up against.
Q687 Lord Harris:
Can I just ask, can you not book flights with EasyJet without
Professor Anderson: There is a chap who wrote
a front end for the British Rail timetable which enabled you to
one enthusiast could perhaps write a shell for one website which
makes the problem go away, but suppose Professor Handley were
to write a front end for EasyJet you would then be trusting him
with your credit card number every time you bought an airplane
ticket. It is complicated.
Q688 Earl of Erroll:
Is the answer that we should have some scripting languages which
have certain things not embedded into them. Could someone produce
a browser Java version which does not allow certain functions?
Professor Anderson: That is an interesting possibility;
I should probably kick that out to my students to think about.
It is unclear how you would generate a sub-set of a language that
was on the one hand useful in the sense of it being sufficiently
compatible with what is out there, and on the other hand not expose
you to the standard vulnerabilities.
Q689 Earl of Erroll:
If there were sufficient financial incentives, as you suggest,
perhaps someone would do it.
Professor Handley: Again one of the possibilities
here is the possibility of defence in depth. You can run these
things from a sandbox so that whatever Java does it has limited
ability to cause damage to your own system and at least to compromise
the rest of your machine. That is not a complete solution but
it restricts the damage that can be done.
Q690 Lord Sutherland of Houndwood:
That would mean that if the punter like myself were to have to
make choices of that kind (do I want this system or that?) we
would be making it fairly blind because I would not know what
I was excluding myself from by choosing this one rather than that
Professor Handley: Exactly, and that is where
the issue of liability comes in and whether the software vendor
is following what would be regarded as best practice in the industry
you sandboxed it.
Q691 Lord Broers:
transaction, as it were, and then disable it again.
Professor Anderson: That is one possibility.
off, for example pop-up blockers. It is a difficult problem because
of the assumptions of compatibility which are built into so many
websites. Ultimately, when trying to design such things, you are
not designing for geeks because geeks can look after themselves.
I always ask myself when such questions come up, "Well, what
about my mum?"
Q692 Lord Howie of Troon:
Is this an area where regulation might be appropriate?
Professor Anderson: The problem prima facie
with regulations is that Britain is five per cent of the world
in terms of what goes on on-line, as with GNP. There are some
things where we can have leverage (things like banking regulations) and
there are some things where it is difficult to have leverage such
as, for example, default designs of browsers. Certainly working
through the European Commission we could, over time, exert influence
over fundamental architectures, and questions such as the competition
policy aspects of Microsoft software end up being dealt with by
DGCom rather than by the DTI for that reason. I think one has
to try to figure out what the UK Parliament can usefully do and
what has to go to other fora for it to be effective.
Q693 Lord O'Neill of Clackmannan:
Do you think companies generally, and the banks in particular,
are doing enough to prevent phishing?
Professor Handley: No, I do not think they are.
I think if the banks really cared about phishing and they were
losing a lot of money from it, there are definitely things they
could do to combat it. I can come up with one trivial example
which would be that if my bank shipped me a web browser that was
their custom tailored version of the web browser and they said
to me, "You will only browse from this web browser; we will
not admit anything else" then a lot of the phishing problems
would go away, not quite everything because phishing is a social
engineering problem and you usually find some way to socially
engineer people but at least it would make things an awful lot
simpler for the normal user to tell the difference. That is not
to say that provides a solution to the problem, but I am just
trying to give you an example. There are things which the banks
could do which would be inconvenient for them and the customers
but would greatly solve the problem. I think they could definitely
do quite a bit more. Then there are some banks which just do not
seem to care. I do not have a particularly good British example
but I have a Bank of America account and they are constantly sending
e-mails trying to get me to try out their additional services
with links to their website. That is a perfect way to get the
customer to click through any Bank of America e-mail into their
website which sets up their customers' phishing attacks. If they
really cared about phishing they almost certainly would not be
trying to get me to click through that e-mail to get to their
website on a regular basis. I actually got one when I was standing
outside in the security line just now.
Professor Anderson: Phishing is interesting
because electronic banking was a UK invention; the Bank of Scotland
in 1984 came out with the first retail system that used Prestel.
That was very conservatively designed. If I wanted to pay my gas
bill I would have to walk into a Bank of Scotland branch and sign
a piece of paper saying, "Please pay no more than £200
a month to Scottish Gas, account number such and such". That
was secure because there was no practical way for a bad guy to
get money out of it. If he guessed my Prestel password he could
have paid my gas bill twice and then I just would not have to
pay it next month and it would not be a big deal. However, a few
years ago in the dotcom rush, the banks removed these back end
controls, controls of what they could do on-line and how much
money you could transfer, how much you could transfer to what.
The banks assumed they could make the front end authentication
carry all the load. I do not think it can. The issue has not been
severe for them up until last year when phishing losses went up
into the £30 million to £40 million bracket. Given that
most of the losses are apparently being sustained by one bank,
that is into the range where it is worth the chief executive's
time to spend a couple of hours thinking about the problem. If
it continues growing at its current rate and goes into the hundreds
of millions this year then it will get attention. I believe that
what is going to have to happen is that you will restrict people
to what they can do on-line, so that if you are working from your
usual PC at home then you might be allowed to pay bills up to,
say, £1000 but to make large fund transfers you might have
to walk into a branch and sign a piece of paper. If you are browsing
from a random Internet café then perhaps all you will be
allowed to do is to move money between your current account and
your savings account. Let us face it, is there anybody who is
going to have a legitimate need to sit down in an Internet café
in Peshawar and re-mortgage his house and send all the money to
an account in the Philippines? If somebody wants to do that there
are four or five different government agencies who would like
to interview him anyway because of the amount he has transferred.
Q694 Lord O'Neill of Clackmannan:
At the end of the day can we, as individual bank clients, have
confidence that e-banking is safe or are we better off signing
the bits of paper and going to the bank?
Professor Anderson: I do not personally use
e-banking; I walk into the branch and sign a piece of paper. For
me personally the idea that I sign away my rights by accepting
an electronic banking password and accepting that if anything
goes wrong it is my fault, this is one bridge too far for me.
I have no doubt that as phishing becomes much more prevalent and
as people learn more about it, the banks will realise that there
is a significant opportunity cost involved in not making secure
banking available, because they have to pay people salaries to
wait on me in the branch when I come in waving my cheque book.
Ultimately I think we are going to go towards a more mature approach
to this. A nudge in the right direction from Parliament whether
by regulation or by exhortation certainly would not go amiss.
Professor Handley: I do use e-banking but I
have specifically told my parents not to because I believe that
I am above average in the ability to secure my machines. I do
not respond to any bank e-mail no matter whether it is legitimate
or not but I do not trust my parents' ability to make those same
kind of decisions because they simply do not have the information
to make those decisions rationally. I do not think at the moment
for many people e-banking is terribly safe. It is quite notable
that the different banks actually have quite different policies
in terms of what they will allow you to do and what they will
not allow you to do on-line. I just moved house recently and one
of my banks would let me move my address on-line, the other bank
would not. I considered it a good thing that I had to go into
the branch and show my passport to be able to move my address.
I was quite shocked that one of them would let me do it with no
problems at all. My American bank explicitly says that I have
zero liability for any fraud. They make a big deal about the fact
that you do not carry any liability if anything goes wrong through
Internet banking. British banks, they push it all onto me, I carry
Professor Anderson: It must also be realised
that this is not just banking. Phishing is an issue for a number
of on-line commerce sites. If you have an account at Amazon, for
example, somebody who gets your password could log in as you,
change your address and perhaps order quite expensive goods in
your name. If you own stocks and shares then somebody might somehow
or another phish your account with your share registrar and could
move significant amounts of your investment about. It is not just
retail banking; an awful lot of on-line services as well are likely
to end up in the same boat.
Q695 Lord O'Neill of Clackmannan:
I had the experience last week of having a telephone conversation
with my bank and being asked a number of security questions, to
which all the answers could have been provided had the person
even considered that I might be in Who's Who. When I pointed
that out to them they said, "You do not have to worry because
there are a lot of other things that we do that you and I would
not understand". That is probably correct but it was little
Professor Anderson: It is little consolation
if you end up in court against your bank and you try to rely on
the things that you do not understand. I think the judge would
give you rather short shrift.
Q696 Lord O'Neill of Clackmannan:
Professor Anderson, your institution suggested that the UK should
adopt the US Regulation E to force banks to take responsibility
for electronic transactions. If the problems are caused by insecure
end-user systems, is this fair on the bank?
Professor Anderson: The bank must simply take
a view on what sort of end systems are out there and how users
can be reasonably expected to behave, especially after they have
been trained by a lot of e-mails from their bank to click on attachments,
especially when banks send out e-mails that even experts cannot
distinguish from spam. There was one famous case where even the
bank itself thought it was a phish rather than a spam. The banks
must take a view on the risks and they must decide whether home
banking customers will be allowed to transfer all their money
or 500 dollars a day or just move it between their own accounts
or do nothing at all. That then becomes a risk management decision
that the bank can take and it is in a position to take it because
it has an awful lot of knowledge from the industry, about what
the fraud history is, it has access to an awful lot of consultancies
and other people with greater expertise, and it is in a position
to design systems. It can decide, if it wishes, to send all their
customers a hand-held password generator in the way, for example,
that Coutts do. If this is fine for the wealthy then how come
the rest of us do not also get it? Questions like this need to
Professor Handley: The bank also sees the big
picture. They see what is happening across many thousands of accounts.
As an end user you only see one so you have no clue what the big
picture is. The bank can obviously change its policy if it sees
that the trend is suddenly getting very bad. The end user is just
going to get steam-rollered by that trend without knowing.
Q697 Lord O'Neill of Clackmannan:
I am not really interested in the big picture; the wee picture
is big enough for me.
Professor Handley: It is only the bank that
has the big picture.
Q698 Lord O'Neill of Clackmannan:
Your institution talked about a trust-gap with the US so that
we are using US websites without US style protection. Is there
a case for looking for harmonisation? We know that in accounting
standards the reverse might be the argument and maybe we have
embraced too much. How do you feel about this issue? We give a
great deal of attention understandably to Europe but in fact so
much of our financial activities are related to the US. How do
you feel about that?
Professor Anderson: Indeed there are not just
financial activities, there is a much broader range of issues
related to competition such as the cost of goods, such as the
benefits you get. Why is it that as a UK customer of an airline
you only get Air Miles if you fly business class whereas as an
American you get them if you fly economy? There are a hundred
and one issues like this. Why is it that Britain is Treasure Island
to the world's retailers? We end up paying the highest prices
just about in the developed world and get the worst terms of service.
That is a big, big question with a lot of facets to it. Part of
the solution to it was supposed to be joining the European Union
to create a bigger market in which there would be more competition,
but it certainly has not been the whole of the solution. I think
that a political party which decided to take a strongly consumerist
view might actually find itself rather attractive at the next
election. A parliament that took the view that wherever British
people were paying significantly more than American people then
something was wrong and something would be done about it would
no doubt be very popular. That of course is a question for the
Q699 Lord O'Neill of Clackmannan:
CDs were one of the classic examples although there has now been
quite a significant change in pricing because of the focus of
attention. There are now additional currency exchange issues but
are you saying that at the moment if we do not focus attention
on the disparities between protection in one country and another
then we do not get any action and this is where it might be up
to people like us and a committee like this to focus more attention
on it and require the Government to answer the anomalies?
Professor Anderson: I do not think there is
a magic solution for the competitiveness gap between Britain and
America; we have to look at one thing at a time. If you could
hit the terms of service that card holders and bank account holders
generally get in the UK that is great. If you can also look, for
example, at the price of software (why is it that Vista costs
the same in pounds here as it costs in dollars in America?) these
things all pile up. Why do we get such a bad deal on so many fronts?
Lord Broers: It is worse than that in
my experience. In hardware you pay less in dollars than you pay