Wednesday, 22 October 2008

Who should be liable for online fraud?

Posted by Anita Hawser

Who should be liable/responsible for personal internet security? It is a subject that has stimulated much debate in the UK Houses of Parliament with the House of Lords Science and Technology Committee publishing its damning Personal Internet Security report last year.

Highlighting the increasing incidence of online fraud, ID theft and phishing, the report recommended establishing a framework for collecting and classifying data on e-crime, and “more rigorous and co-ordinated analysis” of the incidence and costs of such crime. The latest APACS figures show that online banking fraud losses increased 185% to £21.4 million in the six months to June.

It also talked about deployment of security software at ISP level, the need for a dedicated regulator for the online world, and for Government to increase banks' fraud liability. In essence the report said that instead of the weight of responsibility for online security falling on individuals, responsibility should be "distributed".

More than a year since the committee published its report, there is talk of
a specialised e-crime police unit being established. Other recommendations such as the passing of legislation to ensure banks take responsibility for losses incurred by electronic fraud and rules forcing software companies to accept culpability for damage caused by security flaws, which would allow individuals to report online fraud to the police rather than to their bank, have not been implemented.

With banks already having to receive a lifeline from the government just to finance their normal operations, it seems unlikely that the government (who is now a shareholder in UK banks) will pressure them into incurring liability for losses resulting from online fraud.

It comes back to that all important question I asked at the beginning - who should be culpable? And as responsibility for online fraud is distributed - amongst banks, ISP providers and hardware and software vendors - who is the most liable or culpable at any given point in time?

Phil Hickman, chairman of ValidSoft – internet security and transaction verification experts – argues that service providers should take responsibility for the security of users:

“Traditional security provisions employed online have been shown time and time again to be ineffective at protecting users from the threats presented by advanced fraudulent techniques. Authentication techniques used by financial institutions, for example, have so far proved unsuccessful at preventing identity theft and electronic fraud. Defence techniques currently used are simply not sophisticated enough to counter Man-in-the-Middle/Man-in-the-Browser attacks or information stealing techniques like phishing.”
The Parliamentary Committee has debated the idea of a "code of conduct" or "kite mark" for ISPs, this may be difficult to enforce and could increase costs for internet access. And given the "layered" nature of the internet, attribution of liability is problematic.

With the banks already focused on anti-money laundering and issuing customers with one time only password generators for online banking,it seems that UK politicians favour raising "the bar of expectation" on software vendors, either voluntarily or at the EU level.

Surely more needs to be done around giving the Data Protection Act more teeth, and in the case of government leakages or breaches of personal customer data imposing hefty fines equivalent to those imposed on private companies?

This is likely to become more of an issue given that the UK government wants to compile a huge centralised database containing personal details of people's communications in order to supposedly combat terrorism.

No comments: