Phantom withdrawals on the Internet

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Wed, 05 Jul 2000 12:35:45 +0100


List members might be interested in the following press release. It's
a new FIPR report, by Nick, Brian and Ian, on nonrepudiation. This is
about to become hot again as the DTI contemplates the regulations to
be issued under the EC Act, and as Americans start digesting the
implications of their own new E-sign Act.

I do hope that Nigel's old colleagues at the DTI don't use the current
furore over the RIP bill to sneak through something unpleasant!

Ross

****


	SHARP PRACTICE IN E-BANKING - FIPR REPORT

At present, the risk of a forged signature is carried by whoever
relies on it. If a shopkeeper accepts a forged cheque on your account,
that is his bad luck; and if the bank pays it, it's the bank's bad
luck. Governments and banks are now trying to change the rules so that
with electronic transactions it will be the customer's bad luck if a
payment from his account gets forged.

It's often claimed that new technologies, such as digital signatures
generated by smartcards, are secure enough to justify this change in
the rules. They are not. 

A new report from the Foundation for Information Policy Research not
only looks at what can go wrong technically, but also analyses the
practices of some leading UK online banks. Despite advertising claims
that consumers are not at risk, the terms and conditions imposed in the
small print pass almost all of the risk to the customer.

This extensive and detailed report shows that all is not as well with
e-commerce as some would have us believe.

The report is at:

	http://www.fipr.org/WhoCarriesRiskOfFraud.htm


QUOTES:

The report's authors are Nicholas Bohm, a member of the Law Society's
working group on electronic commerce; Brian Gladman, recently retired
as head of strategic electronics at NATO; and Ian Brown, of the
computer science department at University College, London.

Nicholas Bohm said:

``It will do grave damage to the public confidence in electronic
commerce that is vital to its success if its advent is used as an
excuse to transfer to consumers the risks that should be carried by
those who implement new electronic systems.''

Ian Brown said:

``Could a computer virus sign away your house? Or a hacker transfer
your savings to her account? Computer insecurity means digital
signatures aren't all they're cracked up to be''

Brian Gladman said:

``I hope that this paper alerts people to the dangers of assuming that
on-line banking services will protect their interests in the same way
that conventional banking services do.''

The chairman of the Foundation for Information Policy Research, Ross
Anderson of Cambridge University Computer Laboratory, said:

``The history of the `cash machines that could never go wrong' seems
set to repeat itself. Phantom withdrawals on the Internet seem
destined to be a part of our future''


NOTES FOR EDITORS:

* The Electronic Communications Act 2000 - the first bill to have
received the Royal Assent this millennium - gives ministers the power
to make regulations which would change the rules in just this way. The
regulations are expected to be published soon. An EU directive on
electronic signatures is pushing all the countries in Europe to move
in this direction. The US E-sign bill, which Bill Clinton signed into
law last week, enables all sorts of electronic acts - not just digital
signatures, but even clicking on a web link - to have the same legal
force as signatures.

These laws can't just be ignored by British businesses and consumers. 
Clicking by accident on a link on the world-wide web can give rise to
contractual obligations which can result in a judgment in a foreign
court and be enforced against you here in the UK under international
treaty. 

* It is vitally important that ministers take care when writing the
regulations. The Act can be found online at:

	http://www.hmso.gov.uk/acts/acts2000/20000007.htm

* The Foundation for Information Policy Research is an independent body
that studies the interaction between information technology and
society. Our goal is to identify technical developments with
significant social impact, commission research into public policy
alternatives, and promote public understanding and dialogue between
technologists and policy-makers in the UK and Europe.

Contact: Brian Gladman 01905 748990
         Ross Anderson 01223 334733