Full disclosure and the banking industry: Burden of proof must be on bank

Posted Feb 27, 2003 14:30 UTC (Thu) by dwheeler (guest, #1216)
Parent article: Full disclosure and the banking industry

This is a case where the basic laws have critical consequences. In particular, in this case the U.S. system is sensible, and the U.K. system is completely broken.

The fundamental problem is that in the U.K. the burden of proof is in the wrong place. In the U.S., if there is a "phantom withdrawal", the bank has the burden of proving that it was the customer. This is reasonable, because the bank controls its facilities and can arrange its processes to acquire that evidence. Thus, for example, bank automated telemarketers (ATMs) have video cameras installed in them, so that the bank can show who was at a given ATM at any time. Banks can also arrange for all sorts of internal checks and balances, reviews, and evidence collection so that they can provide evidence to law enforcement.

In the U.K., the burden of proof is on the customer. But the customer has no way to provide useful evidence; they cannot spend their lives honing evidence collection techniques! Since the banks have little financial risk from fraud, they have no incentive to actually make their systems secure.

Thus, if you want banks to be secure, you need to make them financially at risk to be secure. U.S. banks aren't perfect, but I think the U.S. banks are far more secure than the U.K. banks... because the burden of proof is in the right place.


Full disclosure and the banking industry: Burden of proof must be on bank

Posted Feb 27, 2003 16:59 UTC (Thu) by Baylink (guest, #755)

A very well taken observation. I had a related problem many years ago with a videotape rental house and a collection agency: when I pointed out to the credit people that the rental house had no procedure for checking tapes *in* reliably... they stood down on their own.

Note: the common derivation of ATM (at least amongst us USAdians) is "Automat{ed,ic} Teller Machine".

Full disclosure and the banking industry: Burden of proof must be on bank

Posted Feb 28, 2003 10:26 UTC (Fri) by beejaybee (guest, #1581)

Sorry but the problem is that the PIN system is _technically_ broken. It simply doesn't matter what administrative safeguards are in place (though I accept that it is probably easier to get a bank to own up to a mistake, either honest or fraudulent, in the US than it is in the UK).

In fact the situation is even worse than the decimalization table exploit that was the result of the Citibank gagging order. Jolyon Clulow, a graduate student at the University of Natal in South Africa, has published his thesis containing _no less than six_ discrete attacks which could obtain authorization information which could then be used to fraudulently obtain cash. The decimalization table exploit is but one of these. The paper has been replicated to help prevent overload or closure of the student's web site. There are probably enough other copies around already to make it quite certain that stuffing the cat back into the bag isn't going to be possible.

Whole paper: http://home.icon.co.za/~clulow/dissertation.pdf
http://www.cl.cam.ac.uk/~mkb23/research/Clulow-Dissertation.pdf

Chapter 3 only (this is the strictly relevant stuff)
http://www.cl.cam.ac.uk/~mkb23/research/Clulow-Chap3.pdf

With acknowledgements to the ukcrypto list, from where I obtained this information.

Failure of bank's proof

Posted Feb 28, 2003 17:18 UTC (Fri) by Max.Hyre (subscriber, #1054)

Even when the bank has the burden of proof, things are not so rosy for the victim^U customer.

Some years ago (a decade and a half, more or less?) a bank had a thief dead to rights---including the photo from the surveillance camera. Problem? The guy in the photo was innocent. It seems whoever set the timestamp on the camera blew it, and even though the fraud occurred at (say) 9:27, the frame stamped `9:27' had been taken at an entirely different time. I'll leave it to the reader to envision what the poor guy went through to disprove the `proof'.

I almost certainly saw this in the Forum On Risks To The Public In Computers And Related Systems mailing list (a sobering read if ever there was one), but I just as certainly can't find the combination of search words which will extract it from their archives.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds