[LINK] Consumer computer security
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Jan 23 09:35:38 AEDT 2007
[Karen Dearne's piece in Oz IT this morning includes this quote:]

"It is generally that insecurity of end-user equipment is a major
source of vulnerability to malicious software, and a properly secured
PC is one of the best defences available," [ASIC's discussion paper]
says.

[Can anyone envision this chimera 'a properly secured PC'?]

[Ah yes, silly me - a diskless device with no wired connection to any
network, locked in a Faraday cage to preclude any form of unwired
connection. I suspect there may be a sci-fi story somewhere that
involves a device of that nature slowly going mad from the loneliness
of it all]

Users won't foot fraud bill: ASIC
Karen Dearne
The Australian IT Section
JANUARY 23, 2007
http://australianit.news.com.au/articles/0,7204,21100671%5E15306%5E%5Enbv%5E,00.html

MEDIA reports that banks have lobbied the Australian Securities and
Investments Commission to pass on online fraud costs to consumers are
incorrect, ASIC and the Australian Bankers' Association say.

The idea that online account holders should bear some responsibility
for losses caused by security breaches to their home PCs is raised in
a discussion paper ahead of a review of the Electronic Funds Transfer
industry code of conduct.

There is no suggestion that banks are seeking to offload liability
for internet banking fraud, estimated to cost about $25 million a
year, nor has there been any lobbying on the matter, ABA chief
executive David Bell said.

ASIC runs the voluntary code of practice, which provides consumer
protection in autoteller and eftpos payments as well as phone and
online transactions.

The code was last reviewed in 2001 and there have been substantial
changes in the payments market - particularly online, ASIC consumer
protection executive director Greg Tanzer said.

"We've been in discussions with industry organisations over the
review, and the discussion paper sets out what we see as the key
issues," Mr Tanzer said.

"There have been suggestions that we might have been subject to
fairly active lobbying in a particular direction, but that's not the
case."

Internet banking has sparked a range of new concerns, including
liability if a customer has keyed in a wrong account number,
resulting in an incorrect payment or if a customer has accidentally
left their card in an autoteller, and it is then used by someone to
withdraw money.

At the moment, the code protects consumers in these circumstances,
and the debate is about "whether there is a point at which the
consumer should bear more responsibility" than at present, he said.

The paper notes that a fraudulent transaction profits the criminal,
leaving the loss to be borne by innocent parties - the financial
institution, the customer and payment third parties.

"It is generally that insecurity of end-user equipment is a major
source of vulnerability to malicious software, and a properly secured
PC is one of the best defences available," it says.

"Nonetheless, research suggests that many online users do not
adequately protect their equipment. Given this, some propose that
users could be made liable for losses from malicious code
compromises."

But the paper notes that a shifting of liability "may reduce the
incentives" for financial providers to invest in online security.

In any case, it says, most consumers could not adequately secure
their PCs against complex phishing and Trojan attacks on account
information.

--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW