Joe’s view: of cyber security
15 June 2016
I have in the past been less than charitable about ‘The One Show’. In fact, I have blamed it for frightening my 84-year old mother into rejecting the internet.
This, in turn, has rendered my attempts to use technology to keep an eye on her somewhat convoluted, involving kettles and SIM cards and, latterly, bespoke plugs.
Helpful banking
My mother’s mantra, after hearing horror stories on The One Show is that: “If I don’t have the internet, then I won’t get internet scammed.” Well, my mother has had the last laugh.
Last Friday, I finally got around to downloading the NatWest banking app, which allows me to check my balance and move money from my account into my children’s accounts in response to text messages explaining how their student loan is exhausted and they are living on what my eldest son has dubbed “The Soup of Champions” – an OXO cube with boiling water.
(I suspect other amber liquids of a much colder temperature may also have played a part in the development of “End of Term Starvation Syndrome”).
Naturally, having downloaded the app, I decided to check my balance. To my surprise, I had acquired a large overdraft. My natural instinct at this point is to blame my wife; so I opened a statement of recent transactions.
Immediately, I see all sorts of weird transactions. A training shoe shop in Gateshead is putting £400 into my account; and then taking it out again a day later.
I am buying T-shirts in Amsterdam and Texas on the same day. I am subscribing to lots of online pornography sites. My account is being drained in small steps and I am reminded of the diminishing pile of coins graphic which is at the heart of the appeal of the TV panel show ‘Pointless’.
I have to admire the work of these thieves. They have carefully made many small transactions instead of launching a vulgar land-grab for a sum big enough to bring them to the attention of the bank’s anti-fraud algorithms.
I have been embarrassed by having my card declined in some very fine places, notably the Ciragan Palace Hotel in Istanbul, thanks to the reassuringly strict algorithms deployed by NatWest when unusual bills come in.
A phone call from the fraud team resolves these problems quite regularly. However, on this occasion nothing has been declined and I have had no call from the fraud team.
When I added up the dodgy looking transactions, I was over £3,500 out of pocket over the course of ten days. Ouch.
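The pattern described above, many payments each below a per-transaction threshold, is exactly what a single-transaction rule misses and what an aggregate rule catches. The script below is an added illustration, not NatWest’s rules or anything from the column. The statement data is constructed, and the thresholds (a £1,000 single-transaction limit, a £2,000 trailing ten-day budget, 24 hours for the different-countries check) are assumed round numbers, not any bank’s real settings. It runs the threshold rule alongside three aggregate signals: trailing-window spend, debits in different countries within a day, and a merchant credit reversed by a matching debit shortly after.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Hypothetical rule parameters (assumed for illustration, not any bank's real settings).
PER_TX_LIMIT = 100_000        # decline a single debit above 1000.00 GBP (amounts in pence)
WINDOW = timedelta(days=10)   # trailing window for aggregate spend
WINDOW_BUDGET = 200_000       # flag when trailing-window debits exceed 2000.00 GBP

# Constructed sample statement (not a real account): ISO timestamp, merchant,
# merchant country, signed amount in pence (negative = debit, positive = credit).
STATEMENT = [
    ("2016-05-30T09:10", "Trainer Shop Gateshead",  "GB",  40_000),
    ("2016-05-31T09:12", "Trainer Shop Gateshead",  "GB", -40_000),
    ("2016-06-01T13:05", "T-Shirt Store Amsterdam", "NL",  -8_500),
    ("2016-06-01T19:40", "T-Shirt Store Austin",    "US",  -9_250),
    ("2016-06-02T14:15", "Subscription Site A",     "US",  -2_999),
    ("2016-06-03T02:20", "Subscription Site B",     "US",  -3_999),
    ("2016-06-04T11:00", "Subscription Site C",     "CY",  -4_999),
    ("2016-06-05T18:30", "Electronics Outlet",      "GB", -65_000),
    ("2016-06-06T18:31", "Electronics Outlet",      "GB", -69_000),
    ("2016-06-07T08:00", "Gift Card Reseller",      "GB", -72_000),
    ("2016-06-08T08:05", "Gift Card Reseller",      "GB", -74_000),
    ("2016-06-09T10:00", "Supermarket",             "GB",  -6_320),  # ordinary spend, for contrast
]


def parse(statement):
    """Turn the raw statement into (datetime, merchant, country, pence) tuples, oldest first."""
    rows = [(datetime.fromisoformat(ts), m, c, amt) for ts, m, c, amt in statement]
    return sorted(rows, key=lambda r: r[0])


def debits(txs):
    """Only the money-out rows."""
    return [t for t in txs if t[3] < 0]


def per_transaction_flags(txs, limit=PER_TX_LIMIT):
    """Single-transaction threshold rule: the rule a 'many small payments' pattern stays under."""
    return [t for t in debits(txs) if -t[3] > limit]


def trailing_spend(txs, end, window=WINDOW):
    """Total debits in the half-open window (end - window, end]."""
    return sum(-t[3] for t in debits(txs) if end - window < t[0] <= end)


def rolling_spend(txs, window=WINDOW):
    """Largest trailing-window debit total seen at any debit, and when it occurs."""
    best_total, best_end = 0, None
    for t in debits(txs):
        total = trailing_spend(txs, t[0], window)
        if total > best_total:
            best_total, best_end = total, t[0]
    return best_total, best_end


def first_budget_breach(txs, budget=WINDOW_BUDGET, window=WINDOW):
    """Timestamp of the first debit at which trailing-window spend exceeds the budget, or None."""
    for t in debits(txs):
        if trailing_spend(txs, t[0], window) > budget:
            return t[0]
    return None


def multi_country_flags(txs, within=timedelta(hours=24)):
    """Pairs of debits in different merchant countries that fall within `within` of each other."""
    return [(a[1], b[1]) for a, b in combinations(debits(txs), 2)
            if a[2] != b[2] and b[0] - a[0] <= within]


def credit_then_debit_flags(txs, within=timedelta(days=2)):
    """Merchants that credit the account and then take the same amount back shortly after."""
    flagged = []
    for ts, merchant, _, amt in txs:
        if amt <= 0:
            continue
        if any(m == merchant and a == -amt and ts < t <= ts + within for t, m, _, a in txs):
            flagged.append(merchant)
    return flagged


TXS = parse(STATEMENT)

if __name__ == "__main__":
    total, end = rolling_spend(TXS)
    print("single-transaction flags:", per_transaction_flags(TXS))
    print(f"peak 10-day spend: {total / 100:.2f} GBP ending {end}")
    print("first budget breach:", first_budget_breach(TXS))
    print("cross-country pairs within 24h:", multi_country_flags(TXS))
    print("credit-then-debit merchants:", credit_then_debit_flags(TXS))
```

On the constructed data the per-transaction rule never fires, because no single debit exceeds the limit, while the trailing-window rule trips on the sixth day of the run, several days before the total reaches the £3,500 level the column reports. The cross-country and credit-then-debit checks are independent signals: either one alone is weak (travel and refunds are normal), which is why such rules are usually scored together rather than treated as hard declines, the usability trade-off the column goes on to discuss.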
Hooked
When I rang NatWest, I spoke to a young man who spoke with airline-pilot calmness in the face of my financial disaster. He explained how one of my bank cards had likely been cloned and how it would now be blocked.
He instructed me to destroy the offending card. He went through my statement and together we identified the unauthorised transactions and he explained that all the money would be back in my account by the following morning. It was.
So how had this happened? The young man on the phone explained that it was possibly done by someone in a shop or a restaurant who had held onto my card long enough to copy it.
Or, more likely, I had been phished; in other words, I had given my card details to a criminal myself by logging in to what I thought was a legitimate website but what was, in fact, a fake.
My mother laughed like a drain.
The usability/security sweetspot
Now, I regard myself as reasonably IT savvy and I have definitely done all my IG training; and yet I appear to have been unable to manage my own bank account in the face of a clever attack.
The attitude of the bank was the most fascinating aspect of being hacked. This was clearly routine for the staff. They put the money back in my account, no questions asked, without blinking.
I had expected it to be more of a struggle and that I might be considered to blame. It crossed my mind that I could go on a binge of Texan T-shirts, training shoes and porn to the value of £3,500 and get away with it. Why was the bank so helpful?
My guess is that there is a sweet spot on the cyber security vs usability curve where the bank has settled. Online banking saves the bank so much money on staff and real estate that it can take the financial hit of occasional fraudster success.
I guess it is constantly trying to move that sweet spot to greater security without making its banking product unattractively difficult to use.
In healthcare, I think we have a similar struggle between security and usability, but are perhaps hamstrung by the fact that you can’t put health data back into an account in the way that a bank can replace money. And because of this we have tended to err on the side of security and paid the price in usability.
On top of this tendency, we have an atmosphere in which large fines are imposed on organisations that have had data breaches that were largely down to human error rather than a failure to find the usability/cyber security sweet spot.
Time to shift the curve?
Given that usability and security seem to be to some degree inversely proportional, maybe we have something to learn from banking’s approach.
All systems are vulnerable because humans have to interface with them, so maybe we could be a little less hysterical about breaches and ensure that any financial penalties are paid to the victims, rather than into government coffers.
Joe McDonald