Friday 25 March 2016

Blame the victim?

Bernard Hogan-Howe, the Met police commissioner, suggested that banks should stop refunding victims of fraud.

Well, it depends.

If someone comes to your front door and offers to bless you in exchange for £1000 and that this blessing will reward you tenfold, and if you go for it and subsequently decide that this was fraudulent because the hoped-for £10,000 didn't materialise, should your bank refund you?

Of course not.

On the other hand, if you suddenly find that £1000 has been removed from your bank account without your knowledge or consent because someone turned up at the bank pretending to be you, and the bank believed them because they were able to recite your mother's maiden name, then should your bank refund you?

Of course they should.

It depends on whose fault it is. Sometimes it will be the victim, sometimes the bank.

My experience with banks has made me feel that they really aren't serious about security. How often have I been phoned up by my bank, and then they start asking me my security questions! And they're surprised when I refuse to answer, on the grounds that "how do I know that you're really my bank?"

And, by the way, when I'm asked to set up security questions like this, I don't give my mother's real maiden name, which could probably be discovered by someone interested enough. I make up a name and give that instead; I then record that answer against the organisation that I gave it to. Yes, I write it down! Because that's more secure than using the easily-discoverable real name.

And likewise for any other security questions, "name of first pet, brand of first car, name of first school".

So anyway.

Recently, I tried to pay for fuel at my local garage using my credit card, and I got the PIN wrong, because I was exhausted after a great day's caching. And then I got it wrong again. And then I checked where I have it written down. Yes, I write down my PIN number, but not as it is: I add (or subtract) a magic number to it and write that down. So all the written-down PINs aren't the real PIN, and I don't write down my magic number.
Anyway - because of exhaustion, I got it wrong a third time, and that locked the card out. So far, so good. Mildly annoying, but obviously my own fault, and I dealt with it by paying cash.

A little while later, I looked into the question of how to reactivate the card. I thought it would need an in-person visit with some proof of identity required. But no. All I had to do was put the card into an ATM, choose "PIN services" and it unlocked the card.

Wow. That was easy! Too easy.

But back to Hogan-Howe.

The problem is, computer security is *difficult*. Computers are difficult for many people; computer security is *difficult*. I don't believe that "educating the user" works; it certainly hasn't in the past, so why should it in future? Maybe people should install security software, but the problem there is that, as far as I can tell, there isn't any that's actually useful against the threats of today. Sure, there's plenty of software that deals with the threats of ten years ago. How useful is that?

What there is, is a torrent of emails bearing malware, and if you click on any of them, you're stuffed. What there is, is malvertising, so if you visit even a reputable web site, you can be stuffed. What there is, is JavaScript that, if you run it, will download something nasty (probably ransomware) to your computer, at which point you're stuffed.

And with the currently available antivirus software, you're lucky if one out of every ten of these is flagged. You can test this for yourself: take one of the emails that arrived recently, carefully detach the attachment, and show it to VirusTotal. Note carefully the very small number of products that flag it. Antivirus products aren't dealing with today's threat.

So should the bank fork out when you accidentally, through no fault of your own, install something on your computer that watches what you do and sends away any credit card info, or online banking info (by the way, I do not use online banking, because the banks are so careless about security)? The problem with the bank paying is that it isn't the bank that pays. It's me. It's everyone who uses the bank system, because the costs of those payouts will be built into the price of banking.

So is it fair that I pay for the gullibility and/or carelessness of another citizen?

I don't think it's fair. I think that the cost of gullibility, carelessness, ignorance and faith should be borne by the gullible, careless, ignorant and faithful.
  1. Perhaps you should try some online banking. Just with a few pennies - it would give you a better idea what the rest of us endure.
    The woman on the radio last night raised an interesting point: the bank had said that if she supplied card info to a retailer for use in a Digital Wallet for future One-Click-Ordering, then any fraud redress should then be borne by that retailer, not the bank.

  2. No thanks. I'm not going to put my hand in the fire either, just to see what it feels like.

    And I doubt if I'll use "Digital Wallet". That should be fun, being bounced between the retailer and the bank.