[LINK] Consumer computer security
Glen Turner
glen.turner at aarnet.edu.au
Wed Jan 24 17:12:25 AEDT 2007
Roger Clarke wrote:
> At 6:50 +1100 14/1/07, Alan L Tyree wrote:
>> I'm looking for some help here. I'm writing a submission to ASIC on the
>> review of the EFT Code of Conduct. One of the things that Industry has
>> been pushing for is to make consumers liable for losses caused by
>> computers infected with malware.
>> The argument I wish to make is that consumers are hopelessly ill
>> equipped to secure their (Windows) computers. ...
>
>
> [Just as I'm nearing finalisation of a draft paper on the topic - I'll
> post an RFC shortly - up bobs this useful article. Comments interspersed]
Since this is a code, there's no reason it can't contain
specifics. I don't buy into the argument that the banks
will do the right thing if faced by the liability. The banks
face the total liability now, and yet aren't uniformly doing
simple things like:
- script-defeating login procedures
- multi-factor authentication of transactions
- making it more difficult to intercept secret data (such as PINs)
- allowing "read only" accounts for people merely interested in
their account balances whilst budgeting
- issuing user certificates rather than using low quality
certificate authorities
- black listing browser versions with known bugs
- questioning transactions which appear from differing
ISPs in a short period
I really think ASIC needs to create a minimum list. Even if
banks accept full liability this does not mean that the customer
faces no costs -- for a welfare recipient with a small balance or
for a traveller the speed of the bank's response is important.
So there is social good beyond the liability to be gained in
restricting internet banking fraud.
The computer industry has to take some responsibility here.
Look at all the trouble Microsoft has gone to in Windows Vista
to create a secure channel for viewing high definition video.
And yet they can't even offer a secure channel for getting
a PIN to a bank.
--
Glen Turner Tel: (08) 8303 3936 or +61 8 8303 3936
Australia's Academic & Research Network www.aarnet.edu.au
More information about the Link
mailing list