Alex Arias

Don't fall through a security loophole

Technology needs to become more secure and consumers more educated


The news is riddled with stories of phishing scams, premium-rate diallers and exploited security holes in Windows PCs. But to what extent is this a result of users' ignorance, lack of concentration, inherently insecure technology or simply bad luck when someone falls victim to one of these attacks?

Let's take the scenario of leaving a window open in your home. It's something that's easily spotted and rectified, but if you're burgled the insurance company is unlikely to pay out. It's not quite as simple to spot an open port on a firewall or notice that your system's infected with a key-logging Trojan. So to what extent should we expect everyone to understand such technical matters?

At the risk of stretching a metaphor, we're now at a point where many people have two homes: a physical one of bricks and mortar and an electronic one in the form of home PCs and networks. And the electronic 'home' conceivably holds information of more value than the contents of your physical home. Just as it's your responsibility to close the living room windows, should it also be your responsibility to maintain a secure home network?

Unfortunately it's not quite that black and white: users have to repel not only brute-force attacks but also a psychological onslaught in the form of tempting offers via email and rogue websites. Firewalls, antivirus, anti-spyware and anti-everything software all provide barriers against the first type of threat, but it's the cunning psychological tricks that can catch out even the most security-aware users.

Whether it's an exploitation of an operating system security hole via a legitimate-looking website, or emails requesting personal information at 3.30pm on a Friday afternoon when people's guards are down, all are tactics of the cyber-criminals.

Part of the answer is that everyone should understand the inherent vulnerabilities of the technology they're using; everyone knows that a padlock can be picked or a phone can be tapped. Although you should keep these things in perspective, credit card fraud (often a result of rogue retail employees or the careless disposal of receipts) has reportedly affected one in three of all British cardholders.

Companies should, in theory, be responsible for the consequences of security loopholes, although trying to sue Microsoft for a bug in IE which caused someone to empty your current account might not be practical at the moment. But there could be changes on the horizon, not necessarily in favour of users.

The financial industry body Apacs suggests that around 2,000 British online account holders were taken in by scams in the past year, losing approximately £4.5m between them, and the banks are starting to feel the pinch. And while they usually refund stolen money at the moment, they're making noises about shifting some of the liability to the consumer, as they can't get insurance against certain types of online fraud.

In particular, the banks may become stricter in defining 'grossly negligent' in their terms and conditions. For example, sending your account details in response to a request that appeared to come from your bank might, quite justifiably, be regarded as negligent.

Of course knowledge and education are key to resolving many of these problems and the financial sector has been shouting about the problem for a while, setting up information sites such as www.banksafeonline.org.uk. But what is clear is that financial institutions don't want to continue to shoulder the burden of what they view as consumer ignorance.

So what of the future? Perhaps there'll be a move to make people use 'authorised' software and hardware, reminiscent of the early days of online banking. Perhaps the cost of running a PC is set to soar with subscriptions to all sorts of companies promising to keep your system safe.

Could there be a whole new division of the insurance market, allowing you to insure against electronic intrusion or fraud, with discounts for those who can pass a security awareness test?

I believe that, as broadband becomes the most popular way of accessing the web, we'll reach a crossroads. Either site logins will get so complicated that people will no longer bother using them, or every PC will require a smartcard/biometric reader, something already being trialled by some American banks.

Security is a real problem for the industry as a whole, and many of the possibilities offered by new technologies and services will be stillborn. The 'digital home' concept, pleasing as it sounds, is fraught with danger.

Imagine your internet-connected home entertainment system going berserk after being infected by a virus it picked up from your Bluetooth phone. Suddenly one night it decides to order Sony's entire back catalogue of online video content. Today's diallers would seem trivial by comparison and unfortunately there's no real solution on the horizon.

Being a victim of online fraud makes life that little bit harder as your identity becomes 'questionable' for some time after the event. Just remember that no technology is infallible and, even if you're an expert, never forget to engage your brain before acting.

