Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)
Q28 – Should account holders be exposed to any additional liability under cl 5 for unauthorised transaction losses resulting from malicious software attacks on their electronic equipment if their equipment does not meet minimum security requirements? Do the benefits and costs of extending account holder liability justify such an extension of cl 5? What implementation issues would have to be addressed?
This is a vital issue to be addressed in the Review. Consumers will be seriously disadvantaged if they are required to accept any additional liability resulting from malicious software attacks and/or failure to adequately secure their computer.
Some financial institutions appear to support (either through submissions to the Review or in terms and conditions) an increase in consumer liability where there is malicious software on their computer. In the absence of clear direction from the EFT Code, terms and conditions are likely to be extremely harsh for consumers. For example, one bank (Westpac) has already included a Spyware Clause in their terms and conditions:
If you knowingly use a computer that contains software, such as Spyware, that has the ability to compromise access codes and/or customer information, you will be infringing our rules for access code security referred to above and we will not be liable for any losses that you may suffer as a result [emphasis added].
Enforcing such a clause would be difficult, but its presence may deter a consumer with a legitimate EFT complaint if, for example, they believe their complaint may result in an intrusive investigation into the contents of their personal computer.
It is also difficult to envisage circumstances in which account holders have displayed such a degree of carelessness in ensuring their computer meets minimum security requirements that liability should be imposed upon them for any resultant financial loss from a malicious software attack.
In addition, the task of defining acceptable ‘minimum security requirements’ is problematic due to a number of practical issues:
- Internet malware is a moving target. Security risks and technical attack vectors change. It is unreasonable to expect that end-users are aware of these risks and attacks, or that they are capable of monitoring and responding to changes. Financial institutions on the other hand have specialised security resources and processes that are dedicated to addressing these risks.
- Consumers access online financial services from a wide variety of computing platforms. These range from mobile devices and the latest desktop operating systems through to legacy systems such as Windows 98. Legacy platforms typically do not support many of the security software tools that provide some protection against the current generation of malware. It may be unreasonable to exclude customers with legacy platforms from access to online financial services. The cost of software and hardware upgrades to an acceptable platform will be prohibitive to some end-users.
- The number and variety of end-user security tools is constantly changing. These tools include browser chrome security enhancements, email filtering software, software-based firewalls, virus scanners and spyware detectors. Software vendors are required to release new versions to address new security threats and to meet their business objectives. It is unrealistic to expect that all end-users will be able to identify the correct combination of tools and versions that must be installed. Moreover, software tools that attempt to combat malware are usually unable to detect the very latest forms since the updates to such software typically lag behind the development of new forms of malware.
- The cost of installing, configuring and maintaining an effective security defence will be prohibitive for some consumers.
- The effectiveness and reliability of end-user security tools is highly variable. Many of these end-user technologies rely on heuristic methods to (either directly or indirectly) detect or avoid malicious software and phishing attacks rather than more dependable techniques.[25] The effectiveness of particular software against malicious software attacks may also be affected by other variables including the operating system used and the specifications of the user’s machine. It is unreasonable to expect that, in these circumstances, end-users will be able to evaluate the effectiveness of these tools. These consumer-grade tools are generally inferior to the levels of protection offered by technologies installed at the financial institution end to prevent these attacks affecting an account-holder in the first place. For example, the State of Spyware (Q2 2006) Report stated:[26]
Overall spyware infection rates continue to rise for the third straight quarter. The second quarter of 2006 saw an increase in the share of consumer PCs infected with spyware: from 87 percent in Q1 2006 to 89 percent. This increase in spyware infections suggests that although home computer users are adopting anti-spyware programs, they are choosing inadequate programs to protect their computers or not keeping their programs up-to-date. Before installing an anti-spyware program, home computer users should evaluate the program’s ability to detect and remove all types of spyware, especially malicious programs.
- Account holders, even if they have some computer experience, will often have difficulty interpreting messages that the software may display to them regarding the probability they are being subjected to a malicious software attack.
- Microsoft Windows is the predominant end-user platform. Windows is the target of the overwhelming majority of malware released in the wild. This malware continues to exploit critical security flaws. In some cases security fixes are released weeks or months after the vulnerability is found. End-users may conscientiously patch their operating system, but they are dependent on Microsoft to release timely patches.
- The effectiveness of software that needs to be installed by account holders on their own machines is dependent on their computing knowledge and motivation to ensure that the software is successfully installed and continually updated. Clearly computing knowledge and motivation would vary amongst account holders. For example, users who only access online banking services on a monthly basis may be less inclined to ensure relevant software is updated regularly than users who access their accounts online on a daily basis.
- Installing software at the user-end would prove particularly impractical in situations where users need to access Internet banking services from public machines or networks (for example, in Internet cafes). It is naive to expect that these machines and networks are protected against malicious software attacks. Financial institutions have promoted the flexibility of Internet banking and the entire system relies on consumers being able to access their accounts from public Internet facilities such as libraries and Internet cafes.
- It is unreasonable to expect that security tools will be installed correctly and optimised to meet the specific threats that affect the financial services industry.
- It may be prohibitively expensive for the financial services industry to maintain an agreed list of technologies, configurations and threats that comprise the ‘minimum security requirement’. It will also be very difficult to effectively communicate that list to consumers, especially if it changes regularly.
Given these considerations, the task of defining what constitutes ‘minimum security requirements’ for the purpose of determining when account holders are liable for financial loss flowing from malicious software attacks is particularly difficult.
It would appear more practical and economically efficient for measures to be implemented at the financial institution end since the protection afforded would then diffuse from a central point to the entire base of consumers utilising Internet banking services. Moreover, many of the developments in security in recent years would not have occurred if the security effort was more diffuse – i.e. in the hands of consumers rather than financial institutions.
[25] This is discussed further in the response to Question 30, General weaknesses of client-end website authentication solutions at page 32.
[26] Webroot Software, Inc, State of Spyware Q2 2006, A Review and Analysis of the Impact of Spyware on Consumers and Corporations, 2006.