Old lags and new tricks
I imagine you are all familiar with the story of the Hatton Garden robbery in London.
A group of elderly criminals with long police records (“old lags” in the English vernacular) staged the biggest burglary in British history by tunnelling through concrete into the vaults of a safe deposit company in London’s Hatton Garden district. They got caught and sent to jail. I don’t doubt the film rights have already been snapped up, because at the trial it was revealed that the pensioner perps included a lookout who fell asleep, a deaf point-man and a gang that travelled using OAP Oyster cards. These guys must feel so out of place in the modern world, all Snapchat and no Sweeney, that given the demographic trends around cinema viewing, a comedy heist vehicle featuring Helen Mirren, Bill Nighy and Robert de Niro is frankly inevitable, and I’m surprised that the idea hasn’t already cropped up in an episode of “New Tricks” (or, as my children call it, CSI:OAP) yet.
Meanwhile, if you want to see how proper bank robbers (i.e., the ones who don’t work for banks) are adjusting to the times, you need to check out what’s been going on in Bangladesh, where the governor of the central bank has just resigned in disgrace following the theft of an enormous sum of money from their reserves.
“Bangladesh’s central bank chief resigned on Tuesday, the finance minister said, after hackers stole $81 million from the nation’s foreign reserves in an audacious cyber-heist that has hugely embarrassed the government.”
Basically, crooks got into the central bank system (which according to Reuters had no firewall and was using $10 routers) and had access to the SWIFT gateway, so they sent messages instructing the Federal Reserve Bank of New York to transfer funds from the Bank of Bangladesh account to some accounts in the Philippines.
“The problem is that the counterparty on the other side of the SWIFT order was not who the Fed thought, and what should have set off red lights is that the recipients were not the government of the Philippines but three casinos!”
As it turned out, the cybercriminals would have got away with a billion dollars had they not mis-spelled the name of one of the payees, a mistake that caused one of the banks in the chain to send a query. Otherwise, with the Bank of Bangladesh shut until the following Monday, they would have been home scot-free. The money that was wired to the Philippines was then converted into bitcoins and spirited away NOT. Of course it wasn’t. Crooks don’t want bitcoin, crooks want flippin’ great wodges of cash. Some $30m was withdrawn in cash by an unidentified person and the rest, as I understand it, was turned into casino chips!
Now on to the point (I promise you there is one). Is it really a bank’s job to police where you send your money? The reason I was thinking about the Bangladesh heist (I think Hatton Garden will make for a better movie, to be honest) is because of a discussion that broke out during the Biometrics Institute Financial Services Seminar in London. Nick Middleton from Nationwide put forward an interesting concept: he said we shouldn’t be working toward friction-free payments but “friction-right” payments.
Friction-free payments have risks. Contactless is fine for a cup of coffee, but for a fancy meal you would ask for a PIN. Matching the friction to the payment makes complete sense. If I tell Barclays to send $10 somewhere then they should just do it. If I tell Barclays to send $10 million somewhere, then should they still just do it? Does it make any difference whether it’s a retail bank or the central bank? After all, the Fed had received a perfectly legitimate request from the Bank of Bangladesh, and I shouldn’t think the Fed see it as part of their job to tell the Bank of Bangladesh where they may or may not send their money.
“The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate.”
So: the bank received a perfectly legitimate request on a secure channel. The problem lies with the security of the originator, not the receiver.
“If no second factor of authentication was required for the Central Bank of Bangladesh’s transactions, then the hackers could meet Swift’s requirements by using the information they stole from the Bangladesh bank.”
This seems cut-and-dried to me. If a bank gets an instruction to transfer, and that instruction has the appropriate digital signature, then the bank should execute the instruction. Clear. End of story. Me telling my bank to send money somewhere, even if that somewhere is the Dunkin’ Donuts at the main railway station in Minsk, is the same as me sending my bitcoins from my wallet. The bank should just do it, and if I’m sending it to crooks, that’s my problem. Right? Well, there was some controversy about this recently when a senior British policeman said that we may need to reconsider the distribution of responsibilities and liabilities around online financial services to help society tackle the tidal wave of fraud.
“Metropolitan Police chief Sir Bernard Hogan-Howe said that the system “rewards” the public for being lax about internet security.”
Alan Woodward from the Department of Computer Science at our neighbours the University of Surrey responded to this on his blog.
I might have put the point slightly differently (something more like “One is not necessarily incentivised to protect oneself at present”) but essentially I think he had a point.
I said something similar on the BBC’s “World Tonight” [here at 18:50], pointing out that Sir Bernard was commenting on the well-known economic principle of “moral hazard”. If I write my PIN number on the back of my debit card and then lose the card, I have surely contributed to the subsequent looting of my account. It doesn’t seem right that people who carefully guard their PIN numbers should have to contribute to my restitution.
So does that get the banks off the hook? Does it mean they don’t need to spend money on cyber security? No, it doesn’t. The essence of the argument is that customers should be refunded unless they are negligent. But what constitutes “negligent”? Sir Bernard said that people who don’t choose a good password are negligent, but I think he’s wrong about this. What’s negligent is pretending that passwords are any form of security. Whether you choose a long password or not makes essentially no difference. The pie chart of typical bank fraud losses would, I’m sure, show that social engineering and malware are the dominant sources of loss, and choosing a longer password, a password with a number in it, or a password with a chemical symbol at the beginning and a sign of the Zodiac at the end won’t help one way or the other.
Under the principle of Strong Customer Authentication (SCA), banks are supposed to implement two-factor authentication (2FA), so if a bank allows you to access your bank account using only a password then it’s the bank that is being negligent, not you. As I said in that interview, if we want to make progress on this we have to move away from passwords. If a fraudster tricks me into sending them money and I do all the proper authentication with the bank, then they will send the money to the fraudster because I told them to. In this case, the bank isn’t being negligent – it’s my fault. Tough luck. Hard cheese.
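To make the “friction-right” idea from the seminar and the SCA point above concrete, here is an added illustration (my own sketch, not anything from Nationwide, SWIFT or any bank) of a step-up policy that scales the authentication challenge with the payment: a coffee gets no challenge, a meal gets a PIN, a large transfer gets two factors, and a payee-name mismatch or an out-of-pattern amount holds the instruction for a human query, which is the check that happened to catch the Bangladesh transfers. All thresholds, account records and names are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Friction(IntEnum):
    NONE = 0         # contactless-style, no challenge
    PIN = 1          # one knowledge factor
    TWO_FACTOR = 2   # SCA: two independent factors
    OUT_OF_BAND = 3  # two factors plus a hold and a human query


@dataclass
class Payment:
    amount: float
    payee_account: str
    payee_name: str     # name the instruction carries
    known_payee: bool   # has this account been paid before?


@dataclass
class Account:
    typical_daily_outflow: float   # constructed baseline for the customer
    directory: dict                # payee account -> registered holder name


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive name comparison."""
    return " ".join(name.lower().split())


def required_friction(pay: Payment, acct: Account):
    """Return (Friction level, reasons) for a payment instruction."""
    reasons = []
    # Constructed amount tiers: coffee, meal, anything bigger.
    level = Friction.NONE if pay.amount < 30 else (
        Friction.PIN if pay.amount < 1000 else Friction.TWO_FACTOR)
    reasons.append(f"amount tier -> {level.name}")
    # A first-time payee always gets at least a PIN, whatever the amount.
    if not pay.known_payee and level < Friction.PIN:
        level, _ = Friction.PIN, reasons.append("new payee")
    # Payee name does not match the registered holder: hold for a query.
    holder = acct.directory.get(pay.payee_account)
    if holder is not None and normalise(holder) != normalise(pay.payee_name):
        level, _ = Friction.OUT_OF_BAND, reasons.append("payee name mismatch")
    # Far outside the customer's normal pattern: hold for a query too.
    if pay.amount > 10 * acct.typical_daily_outflow:
        level, _ = Friction.OUT_OF_BAND, reasons.append("out-of-pattern amount")
    return level, reasons
```

A fully authenticated instruction at the TWO_FACTOR level is executed as instructed; only the OUT_OF_BAND level stops the bank from simply doing what it was told.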
Is that what we really want? Doesn’t that make it too easy for the fraudsters? Do we want Grandma to be able to lose the house by pressing the wrong button after a dodgy e-mail? Nick is right: when you think about it, the public don’t really want “frictionless payments” at all, do they? So what is the appropriate level of friction? I’m genuinely curious to hear what you think about this.