Peers call for cybercrime shakeup (again)
Say banks should pay for fraud
Peers are calling for a reversal of rules that stop UK victims reporting cybercrimes directly to the police. The House of Lords science committee is also encouraging the government to introduce a data breach notification law.
A follow-up report on personal internet security by the committee of peers also calls for legislation to ensure that banks are held responsible for losses caused as a result of electronic fraud. The three recommendations are the main findings from a second round of hearings on the issue of internet security carried out by the peers.
The government failed to take on board the recommendations that came out of the peers' first set of hearings last year, but the fallout from the HMRC data loss debacle has brought the importance of internet security into focus for government ministers, two of whom appeared before the committee during its second round of hearings.
Security experts criticised government officials for ignoring recommendations in the initial report, published last August. Since then, and after the November data loss by the HMRC, ministers took on board some of the proposals, including moving towards a code of conduct for ISPs and kite-marking websites.
These were some of the minor points in the initial report. Disagreements remain on cybercrime reporting and the liability of banks for online fraud.
Their Lordships' second report renews a call for the government to do more to protect the public from cybercrimes such as identity theft scams and auction fraud.
The government maintains that the Banking Code offers enough protection for customers. The latest House of Lords report argues that banks often refuse to refund customers in cases where a PIN or password is used in an online fraud.
The committee heard evidence that the Financial Services Ombudsman and the courts are unable to offer redress to customers in these circumstances, prompting the Lords to argue that laws need to be enacted that push the balance back in favour of the consumer. Holding banks statutorily responsible for phishing and skimming fraud would encourage them to improve e-commerce security, peers argue.
Richard Clayton, a computer security researcher at the University of Cambridge and expert advisor to the committee, backed this recommendation: "Banks choose the security mechanisms and how much effort they put into detecting patterns of fraud, so they should stand the losses if these systems fail. Holding individuals liable for succumbing to ever more sophisticated attacks is neither fair, nor economically efficient."
The Committee's second report, published on Tuesday, also repeated its call for an overhaul in e-commerce reporting procedures. It stated that requiring victims of fraud to report it to their banks rather than to the police is leading to under-reporting of e-crime.
"It is also vital that the victims of e-crime can report crime directly to the police. If you were robbed in the street you would expect the police to recognise it as a crime and try to catch the person responsible. If you are a victim of online fraud, you should be entitled to the same protection," said Lord Sutherland of Houndwood, chairman of the Lords Science and Technology Committee.
The Committee's Personal Internet Security: Follow-up report can be found here (pdf). ®
Over 10 years ago the Royal Bank of Scotland issued me with a debit and credit card with my photo and signature laser etched onto it. To do online banking you could only use the one PC and if you formatted you had to restart the procedure from the beginning as it was tied into that machine and copy of Windows....
With all the scam bank emails doing the rounds you'd think they'd be doing more to protect their customers - after all, the customer is saying to them, 'I trust you with my money.'
With the obscene profits they're making (apart from, obviously, Northern Rock), they really should be held legally accountable for letting money leave your account when it's not you taking it out, surely it's up to them to verify who's asking for the money.
The pirate - because obviously piracy has moved from anarchic individuals in ships to blood sucking corporations in high finance.
Phorm is a crime or isn't? Well there are laws that say interception is illegal...
...but no-one seems to want to do anything about it!
I wrote to our police chief constable to report the crime BT seemed to have admitted to on Channel 4 News (April 3rd 2008) - regarding intercepting communications of their customers without legal warrant and without customer knowledge.
Later the leaked BT document was released that spoke about the secret trial interceptions.
I got a letter back from a Detective Inspector which said that any RIPA issues had to be sent to The Interception Of Communications Commissioner (Sir Paul Kennedy, The Commissioner) in London.
He did issue a crime reporting number and said nothing about investigating my report of the incident.
So I wrote to Sir Paul's office...
Sir Paul's office points out that RIPA 2000 defines their role and it is not to investigate potential crimes under RIPA. No. That activity, they say, and I quote: "would be a matter for the prosecuting authority, namely the police and the Crown Prosecution Service." Which is almost exactly what Lord Spithead said in Hansard (i.e. the official parliamentary record).
==== Read my drafted reply to our Police service here:
==== Read what The Commissioner's office has to say about interception of communications when they wrote back to me:
We cannot have large corporates doing what they please in this area of technology. Not when there are rules to follow (nay, laws, in fact!).
It is simply not on.
And I don't want Phorm, or Webwise. In fact, although I have nothing to hide, I think I don't really want BT any more either.
A bank certainly does pass the blame onto the consumer if they get held up. They increase fees to pay for the added security instead of decreasing their profits. If there is anything to be done, you can be assured it will come at the expense of the consumer, never at the expense of their margins!
Your statements say "if you screw up, you should have to pay for it," but you only seem to see this applied to the individual rather than the corporation. You believe that we should exist in a perpetual state of paranoid fear, keeping a watchful eye on every possible item of personal information, because every loss of identity is the fault of the consumer? I say that a failure to properly secure one's premises, digitally or physically is the fault of the corporation, be they a bank or a company.
If you don't believe identity theft should be pushed off as irrelevant, and that both the consumer and the corporation have important roles to play preventing it. A couple of bills should not be enough to cause my mobile company to run up a few grand in charges, full stop. Banks should be working in tandem with consumers and other corporations to provide truly secure policies, procedures and technologies for verifying identity, and corporations should be legislated into compliance.
At the same time, no consumer should be giving out their PIN, password, or any personally identifiable information if they can possibly help it. It is almost impossible to prevent personal information from leaking out, and some of it people can find out simply by social engineering staff at companies into giving it out.
So the consumer has to work to minimize the loss of information, and so do corporations. The consumer and the corporations both have to work together to ensure that purchases using any form of electronic currency verify identity as absolutely as is reasonably possible.
Your assertion that the onus is entirely on the consumer leads to a society where only the very paranoid, the lucky, or the rich have any real rights or expectations of living a fraud-free life.
Do you work for a bank? Or are you just such a hard core capitalist that you earnestly believe the corporation can do no wrong, and everything is the fault of the victim?