Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 680 - 699)

WEDNESDAY 28 FEBRUARY 2007

PROFESSOR ROSS ANDERSON AND PROFESSOR MARK HANDLEY

  Q680  Lord Sutherland of Houndwood: I would like to take a little bit further this issue of not reporting to the police. If I recall correctly the recent case in Leicestershire involving one of the big petrol station chains was picked up by an alert local police station when motorists came in and said they thought it was that particular cash machine. Is the issue that the police are no longer required or allowed to take on such reports? Do you know about the case I am referring to?

  Professor Anderson: I do not know about the Leicester case but I know of a significant number of other cases. One of the most recent cases was at the BP garage at Girton in Cambridge. I have a local neighbourhood watch wanting me to go round and give a talk to them. The thing is also potentially high profile in that there is some suspicion of terrorist involvement, in particular that the Tamil Tigers are targeting Tamil speakers who work in retail, getting them to put these skimmers on. There is some evidence for this which has to do with money being taken out in places like Thailand where operational supplies are bought and shipped across to Sri Lanka. In this particular case the insecurity of chip and pin terminals may be contributing materially to war.

  Q681  Lord Sutherland of Houndwood: The question really was, was there a police involvement that helped detect this because if there was that is really quite important?

  Professor Anderson: The police involvement that alerted everyone to this going on was a police officer in the Thai resort of Phuket who caught a chap using white plastic and turned down a bribe of seven million baht, arrested the guy and went to the hotel room and found this large suitcase of white plastic. That is basically what caused everybody to realise that there was significant organised crime going on. Until that happened, as far as I am aware, the various policemen had been dealing with local issues and just thought it was some bad man locally. In one particular case where we assisted, the banks were unwilling to admit that skimming of a chip and pin terminal was even technically possible.

  Q682  Lord Harris: You have said several times that the police standard practice is to refer people to their banks, but my understanding is that practice varies very widely. Could I just clarify that you are saying that it is standard practice always to refer people to their banks or that there are plenty of instances where that happens?

  Professor Anderson: I am informed by the police officers that we have dealt with on this that since January the rule has been that they are to refer people to the banks who will be the first responders to allegations of card fraud.

  Q683  Lord Harris: The rule they describe, is that in a particular force or is that a rule set for the country as a whole?

  Professor Anderson: I understand that it is a rule set for the country as a whole. I could not quote the exact guidance on that.

  Q684  Lord Harris: If you are able to provide us with more information that would be very interesting because my understanding was that that was not what the police were saying nationally, but that does not mean that another bit of the police are not saying that.

  Professor Anderson: I will write to you on that.

  Q685  Lord Howie of Troon: The more evidence I hear, the more I get dismayed. I really do. This brave world does not seem to be doing all that well. What I want to ask you is that the FIPR evidence told us quite a bit about misaligned incentives. Can you tell me where are the main areas where incentives should be realigned in order to improve security, which seems to be in need of improvement?

  Professor Anderson: The main ways in which incentives can be realigned I think are areas we have already covered such as the matter of the kind of contracts that the bank has with their customers where, until very recently, there was settled law which said, for example, if you sign something with a manuscript signature then there are certain protections and that a forged signature could not be held against you and the bank was not allowed to re-write its terms and conditions so it could debit your account with a forged cheque. Of course this has changed over the last few years in respect of bankers' contracts with their customers in electronic matters. That is perhaps the single most important thing as far as the bulk of harm that has been done to people through credit card fraud and other types of financial fraud is concerned. The second set of incentives that you have are those incentives for software and service providers to provide, shall we say, more secure software and less damaging services. Here it becomes more complex. It would indeed be useful if we could get software vendors to accept more liability for the consequences of what they do but it becomes more complex because of externalities. To take one example, browsers can be set to have a certain language called JavaScript on or off. If you have it on you become more vulnerable in that, for example, you can go to a web page which then tells your browser to change its DNS settings somewhere else and you then go to a phishing site instead of to a bank's website. If you do turn off JavaScript in your web browser then you find that you cannot buy a ticket from EasyJet.

  Q686  Lord Howie of Troon: That seems a good idea!

  Professor Anderson: So you end up with, shall we say, sub-optimal ways of working being very well embedded in the world because of hundreds of thousands of little design decisions taken by third parties. It is these externalities which cause most of the stickiness which stops us improving things directly. If Bill Gates were to ship Windows from next week with JavaScript turned off by default there would be a huge outcry from people who could not book flights or could not shop or whatever, and would find a way to turn it on and more websites would have to be re-written. It is this kind of inertia that we are up against.

  Q687  Lord Harris: Can I just ask, can you not book flights with EasyJet without having JavaScript turned on? Is that such an impossibility?

  Professor Anderson: There is a chap who wrote a front end for the British Rail timetable which enabled you to enquire about train timetables without using JavaScript. So yes, one enthusiast could perhaps write a shell for one website which makes the problem go away, but suppose Professor Handley were to write a front end for EasyJet you would then be trusting him with your credit card number every time you bought an airplane ticket. It is complicated.

  Q688  Earl of Erroll: Is the answer that we should have some scripting languages which have certain things not embedded into them? Could someone produce a browser Java version which does not allow certain functions?

  Professor Anderson: That is an interesting possibility; I should probably kick that out to my students to think about. It is unclear how you would generate a sub-set of a language that was on the one hand useful in the sense of it being sufficiently compatible with what is out there, and on the other hand not expose you to the standard vulnerabilities.

  Q689  Earl of Erroll: If there were sufficient financial incentives, as you suggest, perhaps someone would do it.

  Professor Handley: Again one of the possibilities here is the possibility of defence in depth. You can run these things from a sandbox so that whatever Java does it has limited ability to cause damage to your own system and at least to compromise the rest of your machine. That is not a complete solution but it restricts the damage that can be done.

  Q690  Lord Sutherland of Houndwood: That would mean that if the punter like myself were to have to make choices of that kind—do I want this system or that?—we would be making it fairly blind because I would not know what I was excluding myself from by choosing this one rather than that one.

  Professor Handley: Exactly, and that is where the issue of liability comes in and whether the software vendor is following what would be regarded as best practice in the industry and in the case of JavaScript the answer is probably not unless you sandboxed it.

  Q691  Lord Broers: It might also be possible just to enable JavaScript for a single transaction, as it were, and then disable it again.

  Professor Anderson: That is one possibility. There are some features of JavaScript that some filters do turn off, for example pop-up blockers. It is a difficult problem because of the assumptions of compatibility which are built into so many websites. Ultimately, when trying to design such things, you are not designing for geeks because geeks can look after themselves. I always ask myself when such questions come up, "Well, what about my mum?"

  Q692  Lord Howie of Troon: Is this an area where regulation might be appropriate?

  Professor Anderson: The problem prima facie with regulations is that Britain is five per cent of the world in terms of what goes on on-line, as with GNP. There are some things where we can have leverage—things like banking regulations—and there are some things where it is difficult to have leverage such as, for example, default designs of browsers. Certainly working through the European Commission we could, over time, exert influence over fundamental architectures, and questions such as the competition policy aspects of Microsoft software end up being dealt with by DGCom rather than by the DTI for that reason. I think one has to try to figure out what the UK Parliament can usefully do and what has to go to other fora for it to be effective.

  Q693  Lord O'Neill of Clackmannan: Do you think companies generally, and the banks in particular, are doing enough to prevent phishing?

  Professor Handley: No, I do not think they are. I think if the banks really cared about phishing and they were losing a lot of money from it, there are definitely things they could do to combat it. I can come up with one trivial example which would be that if my bank shipped me a web browser that was their custom tailored version of the web browser and they said to me, "You will only browse from this web browser; we will not admit anything else" then a lot of the phishing problems would go away, not quite everything because phishing is a social engineering problem and you usually find some way to socially engineer people but at least it would make things an awful lot simpler for the normal user to tell the difference. That is not to say that provides a solution to the problem, but I am just trying to give you an example. There are things which the banks could do which would be inconvenient for them and the customers but would greatly solve the problem. I think they could definitely do quite a bit more. Then there are some banks which just do not seem to care. I do not have a particularly good British example but I have a Bank of America account and they are constantly sending e-mails trying to get me to try out their additional services with links to their website. That is a perfect way to get the customer to click through any Bank of America e-mail into their website, which sets their customers up for phishing attacks. If they really cared about phishing they almost certainly would not be trying to get me to click through that e-mail to get to their website on a regular basis. I actually got one when I was standing outside in the security line just now.

  Professor Anderson: Phishing is interesting because electronic banking was a UK invention; the Bank of Scotland in 1984 came out with the first retail system that used Prestel. That was very conservatively designed. If I wanted to pay my gas bill I would have to walk into a Bank of Scotland branch and sign a piece of paper saying, "Please pay no more than £200 a month to Scottish Gas, account number such and such". That was secure because there was no practical way for a bad guy to get money out of it. If he guessed my Prestel password he could have paid my gas bill twice and then I just would not have to pay it next month and it would not be a big deal. However, a few years ago in the dotcom rush, the banks removed these back end controls, controls of what they could do on-line and how much money you could transfer, how much you could transfer to what. The banks assumed they could make the front end authentication carry all the load. I do not think it can. The issue has not been severe for them up until last year when phishing losses went up into the £30 million to £40 million bracket. Given that most of the losses are apparently being sustained by one bank, that is into the range where it is worth the chief executive's time to spend a couple of hours thinking about the problem. If it continues growing at its current rate and goes into the hundreds of millions this year then it will get attention. I believe that what is going to have to happen is that you will restrict people to what they can do on-line, so that if you are working from your usual PC at home then you might be allowed to pay bills up to, say, £1000 but to make large fund transfers you might have to walk into a branch and sign a piece of paper. If you are browsing from a random Internet café then perhaps all you will be allowed to do is to move money between your current account and your savings account. 
Let us face it, is there anybody who is going to have a legitimate need to sit down in an Internet café in Peshawar and re-mortgage his house and send all the money to an account in the Philippines? If somebody wants to do that there are four or five different government agencies who would like to interview him anyway because of the amount he has transferred.

  Q694  Lord O'Neill of Clackmannan: At the end of the day can we, as individual bank clients, have confidence that e-banking is safe or are we better off signing the bits of paper and going to the bank?

  Professor Anderson: I do not personally use e-banking; I walk into the branch and sign a piece of paper. For me personally the idea that I sign away my rights by accepting an electronic banking password and accepting that if anything goes wrong it is my fault, this is one bridge too far for me. I have no doubt that as phishing becomes much more prevalent and as people learn more about it, the banks will realise that there is a significant opportunity cost involved in not making secure banking available, because they have to pay people salaries to wait on me in the branch when I come in waving my cheque book. Ultimately I think we are going to go towards a more mature approach to this. A nudge in the right direction from Parliament whether by regulation or by exhortation certainly would not go amiss.

  Professor Handley: I do use e-banking but I have specifically told my parents not to because I believe that I am above average in the ability to secure my machines. I do not respond to any bank e-mail no matter whether it is legitimate or not but I do not trust my parents' ability to make those same kind of decisions because they simply do not have the information to make those decisions rationally. I do not think at the moment for many people e-banking is terribly safe. It is quite notable that the different banks actually have quite different policies in terms of what they will allow you to do and what they will not allow you to do on-line. I just moved house recently and one of my banks would let me move my address on-line, the other bank would not. I considered it a good thing that I had to go into the branch and show my passport to be able to move my address. I was quite shocked that one of them would let me do it with no problems at all. My American bank explicitly says that I have zero liability for any fraud. They make a big deal about the fact that you do not carry any liability if anything goes wrong through Internet banking. British banks, they push it all onto me, I carry the risk.

  Professor Anderson: It must also be realised that this is not just banking. Phishing is an issue for a number of on-line commerce sites. If you have an account at Amazon, for example, somebody who gets your password could log in as you, change your address and perhaps order quite expensive goods in your name. If you own stocks and shares then somebody might somehow or another phish your account with your share registrar and could move significant amounts of your investment about. It is not just retail banking; an awful lot of on-line services as well are likely to end up in the same boat.

  Q695  Lord O'Neill of Clackmannan: I had the experience last week of having a telephone conversation with my bank and being asked a number of security questions, to which all the answers could have been provided had the person even considered that I might be in Who's Who. When I pointed that out to them they said, "You do not have to worry because there are a lot of other things that we do that you and I would not understand". That is probably correct but it was little consolation.

  Professor Anderson: It is little consolation if you end up in court against your bank and you try to rely on the things that you do not understand. I think the judge would give you rather short shrift.

  Q696  Lord O'Neill of Clackmannan: Professor Anderson, your institution suggested that the UK should adopt the US Regulation E to force banks to take responsibility for electronic transactions. If the problems are caused by insecure end-user systems, is this fair on the bank?

  Professor Anderson: The bank must simply take a view on what sort of end systems are out there and how users can be reasonably expected to behave, especially after they have been trained by a lot of e-mails from their bank to click on attachments, especially when banks send out e-mails that even experts cannot distinguish from spam. There was one famous case where even the bank itself thought it was a phish rather than a spam. The banks must take a view on the risks and they must decide whether home banking customers will be allowed to transfer all their money or 500 dollars a day or just move it between their own accounts or do nothing at all. That then becomes a risk management decision that the bank can take and it is in a position to take it because it has an awful lot of knowledge from the industry, about what the fraud history is, it has access to an awful lot of consultancies and other people with greater expertise, and it is in a position to design systems. It can decide, if it wishes, to send all their customers a hand-held password generator in the way, for example, that Coutts do. If this is fine for the wealthy then how come the rest of us do not also get it? Questions like this need to be asked.

  Professor Handley: The bank also sees the big picture. They see what is happening across many thousands of accounts. As an end user you only see one so you have no clue what the big picture is. The bank can obviously change its policy if it sees that the trend is suddenly getting very bad. The end user is just going to get steam-rollered by that trend without knowing.

  Q697  Lord O'Neill of Clackmannan: I am not really interested in the big picture; the wee picture is big enough for me.

  Professor Handley: It is only the bank that has the big picture.

  Q698  Lord O'Neill of Clackmannan: Your institution talked about a trust-gap with the US so that we are using US websites without US style protection. Is there a case for looking for harmonisation? We know that in accounting standards the reverse might be the argument and maybe we have embraced too much. How do you feel about this issue? We give a great deal of attention understandably to Europe but in fact so much of our financial activities are related to the US. How do you feel about that?

  Professor Anderson: Indeed there are not just financial activities, there is a much broader range of issues related to competition such as the cost of goods, such as the benefits you get. Why is it that as a UK customer of an airline you only get Air Miles if you fly business class whereas as an American you get them if you fly economy? There are a hundred and one issues like this. Why is it that Britain is Treasure Island to the world's retailers? We end up paying the highest prices just about in the developed world and get the worst terms of service. That is a big, big question with a lot of facets to it. Part of the solution to it was supposed to be joining the European Union to create a bigger market in which there would be more competition, but it certainly has not been the whole of the solution. I think that a political party which decided to take a strongly consumerist view might actually find itself rather attractive at the next election. A parliament that took the view that wherever British people were paying significantly more than American people then something was wrong and something would be done about it would no doubt be very popular. That of course is a question for the other place.

  Q699  Lord O'Neill of Clackmannan: CDs were one of the classic examples although there has now been quite a significant change in pricing because of the focus of attention. There are now additional currency exchange issues but are you saying that at the moment if we do not focus attention on the disparities between protection in one country and another then we do not get any action and this is where it might be up to people like us and a committee like this to focus more attention on it and require the Government to answer the anomalies?

  Professor Anderson: I do not think there is a magic solution for the competitiveness gap between Britain and America; we have to look at one thing at a time. If you could hit the terms of service that card holders and bank account holders generally get in the UK that is great. If you can also look, for example, at the price of software—why is it that Vista costs the same in pounds here as it costs in dollars in America?—these things all pile up. Why do we get such a bad deal on so many fronts?

  Lord Broers: It is worse than that in my experience. In hardware you pay less in dollars than you pay in pounds.


 

© Parliamentary copyright 2007