* Ian G.:

> Banks are the larger and more informed party.
But not as far as client-side fraudulent activity is concerned. After all, the attacked systems are not under their administrative control.

> They need to provide systems that are reasonable given the situation
> (anglo courts generally take this line, when pushed, I'm unsure what
> continental courts would do with that logic).

We have courts that are traditionally bank-friendly, and courts that aren't. While we do not heavily rely on case law, it's a bit of luck which one sets the precedent (which will eventually help to shape legislation). And what's worse, the situation is so unstable that a case that gets decided in favor of one party might actually end up shifting the risks to the other party in the long run, because the environment keeps changing rapidly.

> Customers aren't in any position to dictate security requirements to
> banks.

And vice versa. It might even happen that we see competition from foreign, EU-based banks that offer transactions without the safeguards German banks have agreed to among each other. We'll see if this increase in convenience turns out to be a major selling point.

> Unfortunately for the banks, there is a vast body of evidence that
> we knew and they knew or should have known that the PC was insecure
> [1].

I think the extent to which end users, hardware and software manufacturers, and ISPs don't care about compromised machines was a real surprise. If there's malware on the PC, it's not just banking that is affected. You'd expect people to do something about it, but no one does without significant external pressure. And if you look closely at which attacks security experts predict (and not just self-proclaimed ones!), and which actually materialize, there are significant differences. These differences are usually mulled over by ambiguous terminology, but the gap is there.

> So, by fielding a system -- online commerce -- with a known
> weakness, they took responsibility for the fraud (from all places).
They didn't build the Internet, they didn't provide the PC and its software, they don't even run the most-frequented online commerce applications. But in a moment of weakness, they started to take responsibility. And the real difficulties began.

For a rare security success story, look at how ISPs manage to sell a completely insecure product which puts their customers at significant risk, and take virtually no blame for it. And technologically, banks are not that different from mail providers. They just pass around messages. Why should they be responsible for their content, if ISPs aren't?

> Now they are in the dilemma. The customer can't provide evidence of
> the fraud, because the system fielded doesn't support it (it's login
> authentication not transaction authorisation).

Non-digital crime faces the same problem. You haven't got a cryptographically secured audit trail, either. But clues can still be found.

> [1] To my knowledge, continental banks knew of the risks and acted in
> the 90s, then scaled it down because the risks proved overstated.
> Brit banks knew of the risks and didn't care. American banks didn't
> care.

The American banking system is mainly protected by its obsolescence. It's not an end-to-end transaction system, unlike the European ones.

> [2] Again, continental banks are shifting to SMS authorisation
> (dual-channel) ... Brit banks are unsure what to do ...

The new APACS standard should be a huge leap forward for the UK. AFAIK, it includes the limited form of transaction signing that is possible within the constraints. Of course, it's still not foolproof, but the non-fools can actually detect a compromised terminal.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]