Barclays cock-up the tip of an ugly, secret iceberg
UK financial sector should follow US lead
Analysis When Barclays' newly-upgraded on-line banking service went live with a ludicrously obvious bug enabling users to access other customers' accounts this past weekend, the only real surprise was how long it had taken for a major balls-up like it to emerge publicly and fascinate the mainstream press.
The event itself and its root causes were anything but unique and surprising; it all boils down to spending too little on security and rushing to market with new services - temptations which quarterly earnings reports and a perception that putting business on the Web is somehow indicative of space-age superiority make all but irresistible.
The pressures on management to establish a Web presence at breakneck speed are several, and chief among them is the bottom line. It simply costs less to offer banking services on line than it does to hire staff and insure and maintain them in a brick-and-mortar facility. And the staff they do hire need not be in any way presentable like the polite, manicured, articulate (in some language, anyway) tellers and managers we interact with daily; they can be unkempt, semi-homeless ex-convicts, (hopefully) recovering addicts, exchange students, illegal immigrants, disgraced schoolmasters and clergy, and the like. They may not be 'professional' by anyone's definition, but they work cheap, and customers can neither see, nor smell, any of them.
Then of course, the marketing and PR flacks stamp their feet and weep, crying that the company's 'brand' needs an on-line presence to look at least as good as the competition. They want management to give them the props with which they can enact 'the theatre of the scientifically advanced', which, as marketing surveys too numerous to mention indicate, the public greatly relishes. The problem here, of course, is that flacks, being innocent of the complex technical niceties involved in maintaining a relatively secure Web server, are perfectly satisfied if their props should at least look real from the orchestra seats. And as Barclays recently discovered, they often do little more than that.
Then there is the all-dreaded quarterly earnings report, bane of bread-heads everywhere, in which hefty, short-term investments, such as going on-line with an expensive 'upgrade', can look uncannily like significant losses to twitchy shareholders and cynical stock analysts. Anyone who thinks management doesn't shave as much as possible, and then some, off these investments needs a few quiet weeks in detox.
As soon as some bold, 21st Century venture, such as the Barclays software upgrade, blows up in the company's face, consumer confidence plunges to even new lows, as if the international banking debacles of the 1980's and 90's were somehow inadequate to convince us that the financial sector world-wide is run by greedy imbeciles.
Thus, regaining a fraudulent sense of trust, upon which every bank operates, soon becomes paramount to all other concerns. So immediately after the Barclays hole was reported, the bank rushed to assure customers that its new on-line system was not fully functional at the time, so no illegal transactions could have been made. Whether that was true or not, the statement overlooks a crucial component of customer confidence, namely privacy. The bank is insured; they can easily replace money lost in fraudulent transactions. What they can't give back is privacy.
In a world where everyone and his mother are going on line, and often disclosing sensitive personal data while making purchases and financial transactions, data protection, for which no insurance exists, becomes considerably more important than cash protection, for which quite adequate insurance has existed for decades. This alone should provide motivation enough for UK banks to proceed with extreme caution whenever tempting the fates on line, but, as the record shows, they simply are not getting the message.
Better products through hacking
Because the Internet was conceived to enable the sharing of information, rather than protect it, it should surprise no one that securing an on-line database is an exceptionally challenging trick to pull off. From the Net's basic architecture, to the server and client software which runs on it, everything is oriented towards moving data packets efficiently and conveniently between remote points via a flexible, indeed fluid, international network.
This inescapable, indeed fundamental, weakness, combined with the ever-present market pressures to release increasingly feature-filled server and client software as quickly as possible, amounts to a nightmare for any company hoping to offer both convenient access and secure data storage to its customers. Some would argue that this is fundamentally a zero-sum game -- that whatever one adds to make access more convenient will automatically subtract from security.
Whether because it did business with amateurs either in development or implementation, or because it demanded too much convenience and not enough security of its upgrade application, or because it was in a hurry to go live with a product it was foolish enough not to test thoroughly, Barclays went on line with a classic piece of crap software, and there is nothing even remotely odd about that. It happens every day.
Most often, when a hole like that is discovered, a hacker will have found it first. If the hacker has a conscience - and most do - he will notify the victim and give them a few weeks to bung the hole before publishing his findings on the Web and getting the credit he deserves. All too often, he is rewarded for his efforts with threats of prosecution.
On-line companies like to discourage hackers from pulling their trousers down for them in public; they desperately wish to conceal how piss-poor their network security really is. Legislation is rammed through parliaments and congresses the world over on a daily basis, with the ultimate aim of making it a crime for a hacker to so much as test the security of a network or a piece of software, though he may have not the slightest intention of doing harm.
Yet these White Hat hackers are the public's first line of defence against the shoddy coding which gets rammed through development houses and brought to market months before it's ready to go live. The public-interest issue with hacking is complicated and controversial, but we applaud those hackers who find holes, steal nothing, and publish their exploits after giving the victim a few weeks to cover its ass.
It's fair to say that about 80 per cent of security weaknesses in Web software have been found by non-malicious hacking, and that scant few of them would ever have seen the light of day otherwise. Commercial entities, we have learned from experience, are hardly in the habit of blowing the whistle on themselves.
On-line banking is a good deal more than mere e-commerce. If some relatively modest e-commerce site should suffer a major security stuff-up, the consequence to them might be as insignificant as a bad quarter, or it might be as severe as bankruptcy; but to the financial world at large, the result is a mere hiccup. But for national and international banks, and similar large financial institutions, the stakes are vastly greater. Losses of confidence in this sector have, on numerous past occasions, resulted in the destruction of entire national treasuries.
And it is here that the Yanks can be most instructive. The United States of America, in its infinite commercial wisdom, has come to view its financial sector as a crucial national asset. Consequently, the US national security apparatus routinely consults with senior management in banking on techniques and products which offer better than the going commercial standard in data protection. Often, proprietary software and hardware products designed for one find their way onto the networks of the other. It is a voluntary relationship, but one from which both sides benefit. Everyone sleeps better knowing that the banks have got, if not perfect network security, at least as good security as they can reasonably obtain.
The Barclays online debacle proves one of two things: either the spooks down at MI's Five and Six have got nothing in the way of cutting-edge technology to offer the private sector, which means they are utter frauds unworthy of the publicly-funded budgets they command; or they are unwilling to share their precious high-tech goodies with such unclean beasts as loan officers, insurance men and bankers.
If the latter is the case, then surely it's time for them to stop being quite so morally superior and irrationally jealous of their tricks, and start sharing a few of them with those private enterprises which the Government, that they are sworn to defend, could not survive two weeks without. ®
Sponsored: RAID: End of an era?