Monday, October 20, 2008

E-banking, online security and ID databases: getting the picture right

It has been widely reported that fraudsters hacked the online account of French President Nicolas Sarkozy, and there have also been mentions of the hacking of Sarah Palin's personal email account, all of which has been linked to the rise in online banking fraud. But were they really hacked? There are probably too many meanings of hacking, and they all refer back to the hacker as one who "uses his skill with computers to try to gain unauthorized access to computer files or networks" (Oxford English Dictionary). So the question is whether we are confronting an army of skilled computer geeks trying to make millions (which deserves a particular policy and legal response) or whether we are actually dealing with a large (very large) group of inept users being conned by common thieves using common techniques (which would imply a completely different policy and legal answer).
The press and some public officials have jumped on the bandwagon of tougher measures and more control over what people do online, but it seems that we need more information to engage seriously with the topic and devise a proper policy and legal answer. The information provided in Sarkozy's case is more than insufficient, but it does not seem to point to what people commonly understand as hacking: it seems that the criminals got their hands on the President's password in the same way that they were able to guess Governor Palin's secret question, which does not suggest any use of particular computing skill or the breach of any network's security measures (if you lose the key to your house and somebody uses it to enter and steal things, you can claim that the person entered unlawfully, but not that he or she picked your lock). Of course somebody may point out that the news reports don't specifically say that the electronic security systems were hacked, but the reports are normally closely related (and linked) to the rise in online banking fraud and to the need for tighter online and offline ID schemes. They may actually prove the opposite…
A proper report on how the crime is committed can be found in an Argentine newspaper, and there you see that this type of crime has nothing to do with the use of online banking but with plain old crooks and too much data in the wrong hands. The link takes you to an audio report which, loosely translated, describes the crime being committed by intercepting people's correspondence (bank statements); having an insider in the section of the Police dealing with IDs who makes copies of passports; bugging the account holder's telephone line to listen to the conversations with the bank; disconnecting the customer's phone line and replacing it with one of the criminals' phones; requesting by phone the transfer of the balance to the criminals' bank account; sending proof of ID by fax; and, once the money is in the criminals' accounts, reconnecting the original customer's phone line. So it seems that it is a little more complicated than "hacking" a bank account, and that the proposed policy and legal responses are not quite the ones needed. For example, it can be argued that if the whole transaction had been conducted online, and no bank statements had been sent, no telephone conversations carried out and no central ID database existed, the whole scam wouldn't work. However, these are the types of news stories used to justify national IDs and security services' rights to monitor and interfere with electronic communications.
One may argue that, taking into account the perceived unreliability of Argentine security forces and their past behaviour, they are not a good example to use to judge developed countries' policies, but that argument would be fatally flawed, both out of ignorance (the security forces are rather more efficient than many in developed countries, taking into account the resources they have) and because one or two criminals inside the organization copying national IDs cannot be compared to the many times that personal data, even sensitive personal data, has been "lost" in, for example, the UK. Furthermore, if the president of one of the world powers or his security services cannot keep his password safe, you can imagine how much we can rely on them to keep our data out of unfriendly eyes' sight… So a president's and a governor's loss may make good headlines, but it seems to be a bad guideline for judging online security and the need for stricter measures to identify people…

2 comments:

SDJ said...

I agree! Hard cases make bad law.

bangin said...

E-banking will be a high risk if the system is not secure. Audit trails and protection systems must be reliable. A number of banks in Indonesia were attacked through exploitation of weaknesses in the ATM. But that case was resolved quickly and encouraged the Bank of Indonesia to review and implement a better security system.