Tuesday, March 08, 2005

Banks and fraud

(no, not that one)

Westpac are claiming that their Internet banking system is "secure and had never been infiltrated by hackers".

While this is probably the case, in that it is unlikely that anyone has found a back door into the system without a password, it is not the whole story. It is, as has been pointed out in the media recently, very easy to install monitoring software on a PC that will store any logins and passwords used on that machine.

It has been suggested (by Russell Brown and the IT Minister, David Cunliffe) that the onus is on Internet cafes to improve security. Personally, I can't ever see an Internet cafe being a secure environment. Even if they run fully locked-down consoles (and the trouble with these is they tend to restrict games, which seem to be the main source of revenue for most Internet cafes), there is still every opportunity for a dodgy employee to install keyloggers using their admin rights.

Personally, I think expecting end users to take responsibility for securing their Internet connection is ridiculous. The banks need to agree (or be forced by legislation) to limit user liability to cases of recklessness (like telling someone a password or writing it on a card). Doing that puts the onus on banks to either accept losses from fraud or do something about it - just as with VISA cards - if someone steals your card and fakes your signature, then it's the bank's (or possibly the merchant's) problem.
