Banks are rushing to offer more services online - as long as
customers bear the risk in an uncertain environment. Nicholas Bohm
investigates
In the offline, paper-driven world, customers knew that in most
cases they would be covered, because the bank would bear the loss.
That is because it is very difficult to forge someone's handwritten
signature so well that the customer, rather than the bank, ends up
bearing the resulting loss.
Banks do pay out on forged cheques from time to time, mainly
where they are for small sums and close examination is not
worthwhile.
But even where a forgery has at first succeeded - despite close
examination - it is very rare for a forgery to be good enough to
deceive fully equipped scientific document examination.
That means that the bank will bear the loss, since it has no
authority to debit the customer's account with a cheque the
customer did not sign.
The bank can manage its risk by deciding how much effort to put
into signature verification, in the knowledge that sufficient
effort will produce almost any required level of assurance. It
becomes a familiar exercise in cost/benefit analysis.
Digital signatures have completely different characteristics,
which are not yet widely understood, let alone used. There is a
single verification process, which either succeeds or fails. There
is no opportunity for a bank to put more or less effort into the
process, and secure more or less certainty of result.
If it were impossible for a forged digital signature to be
verified, this would present no problem. But preventing the forgery
of a digital signature requires users to keep a cryptographic
signing key or other information secret and under their sole
control, which is very difficult to do with the equipment available
at the moment.
The user can give the signing key away, let someone else use
it, or carelessly allow someone else access to it.
They may suffer an attack by malicious software that
surreptitiously steals a copy of the key and any access control to
it, despite all the care the user took and without the user knowing
about or having any evidence of the act. Recent virus attacks have
shown how vulnerable modern systems are to just such attacks.
Even where the user has a PC with a smartcard reader, and the
key is held in a smartcard which never leaves the user's
possession, malicious software in the PC might surreptitiously
cause several instructions to the bank to be signed where the user
is aware of only one of them.
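Added here as an illustration (not part of the article, and not any bank's or vendor's code), a Python sketch of the two technical points above: the bank's verification step is a single check that either succeeds or fails, and a key that signs whatever the PC hands it gives the bank no way to tell the holder's instruction from one the holder never saw. A device that shows each instruction on its own display and needs the holder's approval before signing is modelled beside it. The signature scheme (textbook RSA over a truncated hash, with tiny fixed primes), the sample instructions, and the two device classes are all constructed assumptions.

```python
"""Toy model of two points from the article: a digital signature either
verifies or it does not, and a key that signs whatever the PC hands it
cannot tell the holder's instruction from one the holder never saw.

Everything here is constructed for illustration and is not from the
article or any bank's system: textbook RSA (no padding) over a
truncated SHA-256 digest stands in for a real signature scheme, and the
key uses two small, fixed Mersenne primes so the arithmetic is exact.
"""
import hashlib
from typing import Callable, Optional

# Constructed key material (assumption): a real device generates its own
# key from random primes thousands of bits long and never exports it.
_P = (1 << 31) - 1                         # 2^31 - 1, a Mersenne prime
_Q = (1 << 61) - 1                         # 2^61 - 1, a Mersenne prime
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))      # private exponent (Python 3.8+)
PUBLIC_KEY = (_E, _N)
PRIVATE_KEY = (_D, _N)                     # exposed only so the toy can be driven


def _digest(instruction: bytes) -> int:
    # 88-bit truncation keeps the value below the tiny modulus.
    return int.from_bytes(hashlib.sha256(instruction).digest()[:11], "big")


def bank_verifies(public_key, instruction: bytes, signature: int) -> bool:
    """The bank's entire decision: one check that succeeds or fails.
    There is no 'closer examination' left to apply once it returns True."""
    e, n = public_key
    return pow(signature, e, n) == _digest(instruction)


class BlindSigner:
    """Key held in PC software, or in a card that signs whatever the PC
    sends it: every instruction handed over is signed."""

    def __init__(self, private_key):
        self._d, self._n = private_key

    def sign(self, instruction: bytes) -> int:
        return pow(_digest(instruction), self._d, self._n)


class ConfirmingSigner:
    """Models a tamper-resistant device with its own display and approve
    button (an assumption, not a specific product): it signs only an
    instruction the holder has seen on that display and approved there."""

    def __init__(self, private_key, approve: Callable[[str], bool]):
        self._d, self._n = private_key
        self._approve = approve            # stands in for the button press
        self.refused = []                  # instructions the holder rejected

    def sign(self, instruction: bytes) -> Optional[int]:
        if not self._approve(instruction.decode()):
            self.refused.append(instruction)
            return None
        return pow(_digest(instruction), self._d, self._n)


# Constructed sample instructions: the one the holder typed, and a second
# one submitted by software on the PC that the holder never saw.
INTENDED = b"pay 50.00 to electricity supplier"
UNSEEN = b"pay 4000.00 to a payee the holder did not choose"


def holder_approves(shown: str) -> bool:
    """The holder presses 'approve' only for the instruction they intended."""
    return shown == INTENDED.decode()


def run_scenario(signer) -> list:
    """Submit both instructions through the signer and return those the
    bank accepts, which is all the bank has to base its decision on."""
    accepted = []
    for instruction in (INTENDED, UNSEEN):
        signature = signer.sign(instruction)
        if signature is not None and bank_verifies(PUBLIC_KEY, instruction, signature):
            accepted.append(instruction)
    return accepted


def compare_setups() -> dict:
    return {
        "blind": run_scenario(BlindSigner(PRIVATE_KEY)),
        "confirming": run_scenario(ConfirmingSigner(PRIVATE_KEY, holder_approves)),
    }


if __name__ == "__main__":
    for setup, accepted in compare_setups().items():
        print(f"{setup:11s} bank accepted {len(accepted)} instruction(s): {accepted}")
```

Run as a script, the blind set-up yields two accepted instructions and the confirming device one. The point for the bank is that `bank_verifies` returns the same answer for both instructions signed by the blind set-up, so only the design of the signing device, not any later examination, can keep the unseen instruction from being signed.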
Allocating the risks
The difficulty is that all of these cases are indistinguishable
by the bank, which knows only that the resulting digital signature
verifies correctly. It is understandable that banks wish to treat
them identically, and at best offer the customer the chance to
prove he or she was not at fault.
But while a bank faced with a claim that a cheque has been
forged has the resources to employ scientific document examination
with every prospect of getting a decisive result one way or the
other, a bank customer does not. They are not necessarily well
placed to get a scientific security examination of the system that
may have been attacked, and in any case, cleverly written malicious
software might leave no trace of its own past existence or
operations.
And the fact that a customer could have been at fault, for
example by giving the key away, should not justify the bank in
expecting the customer to prove that this wasn't the case. A
customer could equally claim that a genuinely signed cheque was in
fact a forgery, but this possibility is not enough to shift the
burden of proof from the bank.
The liability process is in danger of becoming so complicated
that customers faced with it are more likely to shun online banking
altogether.
If the banks wish to offer their customers electronic online
banking, with the massive savings in bank overheads which can
result, then they ought not to expose them to new risks which
customers should not be expected to manage.
Yet some banks are using standard terms and conditions to do
just that. The following terms taken from those of the Egg online
banking service demonstrate how the customer can end up bearing all
the risk. Phrase (3.2) "you will be responsible for any instruction
in writing or by telephone or Internet which we receive and act on,
even if it was not given by you", and phrase (5.1) "even if the
order was given by someone else using your security information and
passwords" use language designed to transfer onto the customer the
whole risk of fraud by a third party.
Is it fair to make it the customer's problem?
According to Regulation 5 (1) of the Unfair Terms in Consumer
Contracts Regulations 1999, a contractual term which has not been
individually negotiated shall be regarded as unfair if, contrary to
the requirement of good faith, it causes a significant imbalance in
the parties' rights and obligations arising under the contract, to
the detriment of the consumer.
For the reasons above, expecting customers to meet the very
difficult technical burden of proving that a digital signature
forgery occurred without fault on their part can only cause just
the sort of "significant imbalance" contemplated by the regulation
above. And, for the banks to claim, as they do, that they will be
reasonable in enforcing their unfair powers, is not good enough.
The Regulations make unfair terms completely unenforceable, and so
the banks will be left to carry the risk.
What about the future?
If the banks are to carry the risk of third party fraud, they
will have the necessary incentive to devise some means of reducing
the risk (something the customer can hardly be expected to do).
If the only important relationship were that between the
customer and the bank, a significant part of the problem could be
solved by providing customers with tamper-evident hardware devices
for use in the verification of digital signatures. Some banks are
doing this now as a way of keeping important security secrets out
of the vulnerable part of the infrastructure, the customer's
PC.
But this works only between two parties, and does not solve the
wider problem of secure signatures in electronic commerce
generally.
This problem will become pressing when merchants, from whom
customers buy, are no longer willing to accept the risk of customers
repudiating (that is, denying) online transactions. This could happen
soon if the credit card system begins to increase the costs that
merchants bear in that event.
If credit cards become less acceptable, and electronic cash
schemes such as Mondex, WorldPay and Paypal continue to make no
headway, then a general purpose secure digital signature device will
become a necessary foundation for electronic commerce.
Such a device would need a secure operating system (which has
yet to be written), and would need to be held in a form which could
not be altered.
It would also need to be tamper-resistant and tamper-evident. It
would have to generate its own keys, but never export private keys.
It would benefit from secure access control through fingerprint or
iris scanning.
There is nothing too far-fetched in such a specification, even
if it is well beyond anything yet available on the market.
But it will never be built unless the risks of fraud fall on the
backs of those in a position to commission the research, finance
the development and subsidise the deployment of the device.
An important part of the future of electronic commerce depends
on getting the risk allocation right.
Nicholas Bohm is a member of the advisory council of the
Foundation for Information Policy Research and of the Law Society's
electronic commerce working party
This article is based on a paper by Nicholas Bohm, Ian Brown and
Brian Gladman available at fipr.org
3.1 We may establish security procedures with you either by
post, telephone or Internet (when available). You must keep your
security details and password secret. If you make written records
of any security details or password, you must disguise them so that
they cannot easily be understood by anyone else.
3.2 You must tell us as soon as possible if:
- you think that someone else knows your security details or
password;
- you have forgotten your security details or password;
- you think that someone else (other than a joint account holder
or authorised person) is trying to use your account.
Until you tell us, you will be responsible for any instruction
in writing or by telephone or Internet which we receive and act on,
even if it was not given by you. Normally we will pay back into
your account the amount of any payments we make after you have told
us. But, if we can show that you have acted fraudulently or have
been grossly negligent or have not kept your security details and
password secret you will be responsible for all payments we make
and all losses on your account. We will have no other liability to
you.
3.5 We will do all that we reasonably can to prevent
unauthorised access to our Internet banking service and make sure
that it is secure.
3.8 You will tell us as soon as you can if you find any failure,
delay or error in our Internet banking service, especially in the
sending or receiving of instructions. Our records of your Internet
instructions will be conclusive unless there is a clear
mistake.
Likewise, Condition 5, dealing with "taking money out of your
accounts", is also relevant:
5.1 We can make payments and account transfers on instructions
you give us:
- by using any card we have provided on your account;
- on documents you or an authorised person have signed (but not
copies or facsimiles);
- by telephone and Internet (when available), subject to our
withdrawal limits, as long as we have checked your identity from the
security information and passwords and even if the order was given
by someone else using your security information and passwords.
Online Banking - How the top Internet banks have fared
| Bank | Parent | Launched | Problems |
| Smile | Co-op | Oct 1999 | None |
| Egg | Prudential | Oct 1998 | Log-off glitch leaves client details exposed |
| Cahoot | Abbey National | Jun 2000 | Site crashes on first day |
| Barclays | Barclays | Nov 1999 | Suffers July security glitch, exposing a/c details |
| Intelligent Finance | Halifax | Due Sept | Launch put back from July over capacity fears |
The Risk Issue
Cheques
- Banks bear loss of forged cheques, because it is rare for
forgeries to be good enough to prevail over a customer's rejection
of a signature
- Banks can manage risk by deciding how much to spend on
signature verification
- Customers are generally covered by banks' stance
Online transactions
- Banks know that customers' PCs are insecure against security
threats such as virus attacks, but they still put the onus of proof
on the customers
- Contracts unfairly "weighted" towards banks, because customers
unlikely to be able to prove their case over technical issues with
digital signatures
Why banks want us online
Cost to a bank of carrying out a transaction:
Branch $1.07
Telephone $0.52
ATM $0.27
PC Banking $0.015
Internet $0.01
Source: Booz-Allen Hamilton survey of US financial
institutions with Web sites