Community
The online banking systems offered by the Lloyds Banking Group (including Bank of Scotland & Halifax) and the Royal Bank of Scotland Group (including Natwest, Royal Bank of Scotland & Ulster bank) are vulnerable to an attack which allows an adversary to commit financial fraud. More precisely, the login systems used by these banks to authenticate customers are coupled with credential recovery mechanisms which allow customers whom have forgotten their username/password to login; however, these secondary authentication mechanisms are insecure due to their complete reliance on publicly available information. It is therefore possible for organised criminals to steal funds from customer accounts. In addition, the attack compromises the financial privacy of customers (a similar vulnerability has previously been found with Barclays online banking). These failures are particularly interesting to the design of online banking systems and legal cases in which customers are found liable for fraud. In these cases banks may refuse refunds by asserting negligence or blaming the customer for fraud. Indeed, Which? magazine has reported that twenty percent of customers are not refunded after claiming to be fraud victims. In some of these cases the banks may attribute blame on the basis of audit trails which suggest a customer authenticated using online banking systems. These attacks demonstrate that audit trails associated with such authentication mechanisms are insufficient to attribute blame and may help explain cases in which customers have been charged for fraudulent transactions, even when customers are adamant that they did not authorise such payments. These attacks are being published to ensure fair judgement of fraud cases, push for public policy changes which hold banks accountable for the systems which they have designed and ultimately help bring an end to unfair banking practices. The full details are available: http://www.bensmyth.com/publications/10-forgotten-your-responsibilities/
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Tachat Igityan Founder and CFO at destream
03 December
Luigi Wewege President at Caye International Bank
02 December
Victor Irechukwu Head, Engineering at OnePipe Services Limited
29 November
Nkahiseng Ralepeli VP of Product: Digital Assets at Absa Bank, CIB.
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.