A nice distinction

I see from this article on Pinsent Masons’ excellent “Out-Law” site that UK online banking fraud was up by 55% to £39m for the first six months of this year (relative to the same period last year). The payment card figures are down – which the acquirers will doubtless attribute to chip and PIN, suggesting that it is ‘squeezing’ fraudsters towards more lucrative attack vectors. To put that in perspective, though, fraudulent ‘card not present’ transactions still accounted for £134m of reported loss.

According to the article, the vehicles of choice are phishing (up 26% on last year) and malware attacks on users’ computers.

The Financial Fraud Action group of the UK Payments Association had this to say:

“The increase is largely due to criminals employing more sophisticated methods to target online banking customers through malware scams – which target vulnerabilities in customers’ PCs – rather than the banks’ own systems which have proved more difficult for the fraudsters to attack.”

And there’s where I have a nit to pick. After all, if a bank extends its service, online, so that the point of delivery is the customer’s PC, the distinction between “attacking the user’s PC” and “attacking the online banking system” becomes a pretty fine one.

Up to a point, I see exactly where they’re coming from: after all, if someone manages to get a keystroke logger onto my PC, the damage is done to a component which is not under my bank’s control. On the other hand, if that is going to be used to justify transferring liability from the bank to me (as happened with chip and PIN) for transactions undertaken through my PC, then I would not be happy at all.

Online banking is convenient for me, yes – but it also saves the bank an enormous amount of cost, effort, staff, premises and so on and so forth. Most banks’ retail branch networks are now so skeletal that if everyone switched back from online banking to branch-based transactions, the banks would simply collapse under the workload. Don’t get me wrong – I’m not suggesting that bank clients either want to or should do that: just that the online banking benefit flows both ways, and the banks need to acknowledge that when they consider how to mitigate the risk of PC-mediated fraud.

What a croc

There’s a characteristically entertaining and acerbic piece from Maureen Dowd on the NY Times site at the moment. As usual, it’s spiked with barbs of insider-ish gossip, but this time they are quoted, rather than culled directly by her.

One of her sources is Matt Latimer’s “Speech-less” – an account of his time as part of George W Bush’s speechwriting team (also reviewed, as it happens, on yesterday evening’s edition of Radio 4’s Front Row – podcast available here). One vignette Dowd picks out is of W ‘padding around the White House in Crocs’ – an image which, as she says, is hard to get out of your mind once it’s in there.

It reminded me of the last time I arrived at Narita airport: at the top of the first escalator we encountered after getting off the plane, there was a warning (in English) to wearers of “vinyl shoes” that they should take care not to get snagged in the escalator and mangled to death. Well, it didn’t actually spell out that last bit, but there was a helpful picture of a Croc-clad foot.

Now, I have no wish to be gratuitously insulting to Croc-wearers, but I couldn’t help thinking that those of us with other footwear (even shoes with laces, forsooth) have mostly worked that out for ourselves by the time we’re old enough to walk on and off a plane.

Then again, W’s mental edifice was always dogged by accusations of being somewhat sparsely tenanted. After all, it bodes ill when an adult human is bested by a small pretzel, for instance. I did love the irony that “Bonesman” Bush should have been laid low by the closest thing the biscuit world has to a miniature skull-and-crossbones.

Those publication deadlines…

Thankfully, I completed my writing assignments in the time I ended up being able to devote to them – one article was actually in by the requested deadline (!) and the other one was late, but not so late that the editor gave up on me. Phew.

This is what comes of promising people an article/chapter/white paper when there’s no fee-paying work in the pipeline… and then having to deliver after said fee-paying work has turned up with its own little set of imperatives. Still, such is life; no-one said it would be easy, and – as the archetypal British infantryman puts it – “if you can’t take a joke, you shouldn’t have joined up…”.

I’ll let you know when the articles in question are in the public domain – though, of course, the other thing I’m learning is that they end up hedged about with copyright clauses limiting what I – the author – am entitled to do with my output. What’s that all about, in the age of personal internet publishing?

One is about “What’s happened to PETs?” (Privacy Enhancing Technologies) and the other is a more general look at Identity Management: where is it, how did it get here, and where might it be going next.

The last thing I’m finding is that the whole process of doing the research (literature review, collecting references and citable material) – and then reviewing your own thoughts in the light of other people’s – is a sure-fire way of generating yet more thoughts which just add to the backlog of papers to be written. Sigh. That said, the next paper should be a cracker. As to its subject – well, given what I’ve just said about the bizarreness of having to cede copyright just to have someone else transfer my work to sheets of compressed vegetable matter, you’ll just have to wait and see. I may just crack and publish it here first.