User Centred Design of Financial Services Project News Edition 03,
July 6, 2005
User Centred Design (UCD) of Financial Services Project News is
a fortnightly e-newsletter that keeps you in touch with what is
happening in the Banking and E-Commerce streams of the Smart Internet
Technology CRC project on Security, Trust, Identity and Privacy.
The aim is to stimulate interaction with our wider project team,
industry partners and researchers involved with the use and design
of financial services.
<><><><><><><><><><><><><><><><><><><><><
In this issue:
1. Who goes there? Security and Internet banking
2. Stories from the field – the Digital Rights Management
Project
3. Upcoming Conferences & Useful links
<><><><><><><><><><><><><><><><><><><><><
***************************************************
1. Who goes there? Security and Internet banking
***************************************************
After a full day discussing security (or the lack of it) at the
Research Network for a Secure Australia in Brisbane, I found myself
banking at the ATM and the branch rather than the Internet. The
bad news kept coming in. Dr Bob Blakley, Chief Scientist for Security
and Privacy at IBM, told us a general purpose computer cannot be
made secure. Secure transactions with a special purpose computer
are, however, possible.
This was not news to the cryptographers at the conference, for Microsoft
had said much the same thing while working on the Next Generation Secure
Computing Base.
Earlier in the day Professor Yvo Desmedt from University College
London said the lower levels of the communications network were
not secure. It was like putting all the security at the highest
level, leaving the foundation vulnerable. Prof Bill Caelli from
Queensland University of Technology could only agree, for the day
before, he and Adrian McCullagh, also from QUT, had argued that banks
needed to pay more attention to making the customer PC more secure.
This was the weakest link in Internet banking. They also argued
for a smart device that does not rely on the keyboard. This would
prevent the “surreptitious lodgment of trojan horse key logger
technology”. Current approaches by some banks to move to two-factor
authentication do not address this danger.
Banks have a delicate task ahead of them. They do not want to diminish
people’s trust in them and in Internet banking. But they also
do not want to become liable for customers’ losses because
of security breaches. The ambiguously worded bank contracts have
not been tested in Australian courts as yet. In the United States
though, a Florida corporation has brought a case against the Bank
of America. This is being closely watched to see what precedent
it sets about customers’ responsibilities for security and
banks’ liabilities relating to fraud in Internet banking.
Supriya
Assoc Prof Supriya Singh,
Project Leader
supriya.singh@rmit.edu.au
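An added illustration of the point above (it is not part of the original newsletter, nor code from the McCullagh and Caelli paper): a one-time code typed at the keyboard proves who is logged in but says nothing about which transaction is being authorised, so a key logger plus a trojan on the customer's PC can pass the bank a valid password and code alongside a payee of its own choosing. The "smart device" is modelled here, as an assumption, as a token that computes a MAC over the transaction details with a key that never touches the PC; the bank, the customer, the trojan and the transactions are constructed toy models.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int

    def encode(self) -> bytes:
        return f"{self.payee}|{self.amount_cents}".encode()


def device_code(key: bytes, counter: int, tx: Transaction) -> str:
    """What the stand-alone device computes (assumed design): a MAC over a
    counter and the transaction details. The key never touches the PC."""
    msg = counter.to_bytes(8, "big") + tx.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Constructed toy back end. Knows the customer's password (scheme A) and
    the key shared with the customer's signing device (scheme B)."""

    def __init__(self, password: str, device_key: bytes):
        self._password = password
        self._device_key = device_key
        self._pending_otps = set()   # scheme A: one-time codes sent to the customer
        self._last_counter = -1      # scheme B: replay protection
        self.ledger = []

    # --- Scheme A: password + one-time code entered on the keyboard -------
    def issue_otp(self) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending_otps.add(otp)
        return otp

    def submit_with_otp(self, password: str, otp: str, tx: Transaction) -> bool:
        if password != self._password or otp not in self._pending_otps:
            return False
        self._pending_otps.discard(otp)  # one-time: the same code cannot be reused
        self.ledger.append(tx)           # but nothing ties the code to this tx
        return True

    # --- Scheme B: code computed by a device over the transaction itself ---
    def submit_with_device_code(self, counter: int, code: str, tx: Transaction) -> bool:
        expected = device_code(self._device_key, counter, tx)
        if counter <= self._last_counter or not hmac.compare_digest(code, expected):
            return False
        self._last_counter = counter
        self.ledger.append(tx)
        return True


class TrojanedPC:
    """Constructed model of the customer's PC: a key logger records everything
    typed, and a trojan rewrites the outgoing transaction to the attacker's."""

    def __init__(self, attacker_tx: Transaction):
        self.attacker_tx = attacker_tx
        self.keystrokes = []

    def type(self, text: str) -> str:
        self.keystrokes.append(text)     # key logger sees the password and the code
        return text

    def send(self, tx: Transaction) -> Transaction:
        return self.attacker_tx          # man-in-the-browser substitution


def scheme_a_attack():
    """Keyboard OTP: the bank accepts the attacker's transaction."""
    bank = Bank("hunter2", b"unused")
    user_tx = Transaction("Electricity Co", 12_000)
    pc = TrojanedPC(Transaction("Mule Account", 950_000))
    otp = bank.issue_otp()
    accepted = bank.submit_with_otp(pc.type("hunter2"), pc.type(otp), pc.send(user_tx))
    return accepted, bank.ledger


def scheme_b_attack():
    """Device-bound code: substitution and replay both fail, the honest tx passes."""
    key = secrets.token_bytes(32)
    bank = Bank("hunter2", key)
    user_tx = Transaction("Electricity Co", 12_000)
    pc = TrojanedPC(Transaction("Mule Account", 950_000))
    counter = 1
    code = device_code(key, counter, user_tx)   # computed on the device, not typed
    swapped = bank.submit_with_device_code(counter, code, pc.send(user_tx))
    honest = bank.submit_with_device_code(counter, code, user_tx)
    replay = bank.submit_with_device_code(counter, code, user_tx)
    return swapped, honest, replay, bank.ledger


if __name__ == "__main__":
    print("scheme A accepted attacker's tx:", scheme_a_attack()[0])
    print("scheme B (swapped, honest, replay):", scheme_b_attack()[:3])
```

The difference is not the second factor as such but what the factor is bound to: in scheme A the code authenticates a session and the compromised PC chooses the transaction, while in scheme B the code is worthless for any transaction other than the one the device computed it over.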
***************************************************
2. Stories from the field – the Digital Rights Management
Project
***************************************************
Ben is an academic in his early 30s. He can be classed as
a heavy user of P2P file sharing networks. He is a gamer and previously
owned a local company that developed online gambling systems for
casinos. He is an avid music listener.
Ben generally listens to music either via MP3 on his computer or
on his top of the line stand alone stereo system. He also has his
TV connected to his stereo for listening to music shows on TV such
as Rage. To listen to MP3s on his PC, he uses iTunes.
Ben shares music electronically with a group of friends. When sharing
music with friends, they use iTunes to play and distribute the music.
They generally transfer files through messaging and file-sharing programs;
the most popular are ICQ, mIRC and BitTorrent.
Ben talked about how he uses mIRC, and how his group of friends
ends up collecting a ridiculously large number of songs. However,
they actually listen to only a small number of them.
Ben purchases the CDs of artists he likes. He has a collection
of about 200 CDs, worth about $4000. He also actively spends money
on bands touring Brisbane.
Through the Internet, Ben has been exposed to thousands of artists
who are new to him. He doesn’t think he would have
seen them in a music store. He used to spend a lot of time in music
stores when he was younger. He would go in and listen to a lot of
different tracks. But now in a lot of music stores it is not as
easy, because the staff are very busy. Stores also have limited stock,
so you cannot always buy what you want. When asking for a song
you have heard on the radio, often the response is “Sorry,
that is an import. We would have to get that in.” But you
want to listen to it in the store before making a decision.
So Ben goes to the Internet to explore new music.
**************************************************
3. Upcoming conferences & Useful links
***************************************************
*Jupitermedia's DRM Strategies Conference
July 27-28, 2005
Puck Building, New York City.
http://www.jupiterevents.com/drm/fall05/
This will be the most comprehensive event on digital rights management
business and technology issues ever held. The conference will feature
keynotes from leading industry figures.
*Mobile DRM
5-6 July 2005
Jurys Great Russell Street Hotel, London
Analysts are predicting enormous growth in the market for mobile
information and entertainment. Forecasts as high as $40 billion
for worldwide market value by 2008 are convincing operators and
content owners to look closely at their mobile content strategies.
Mobile DRM 2005 is aimed at operators and content owners, content
distributors, device manufacturers, ISPs, DRM system developers,
lawyers, software developers, systems integrators, music companies,
games developers, broadcasters and consultants.
-----------------------------------------------------------------------
Useful Links
-----------------------------------------------------------------------
*McCullagh, Adrian and Caelli, William (2005) Who goes there? Internet
banking: A matter of risk and reward. In C. Boyd and J. M. Gonzalez
Nieto (eds) ACISP 2005, LNCS 3574, pp. 336-357.
The paper highlights the conflict between insecure computers and
networks on the one hand and banks’ portrayal of Internet
banking as safe on the other. The authors argue that more action needs to be
taken to make the retail customer’s PC at home secure.
a.mccullagh@qut.edu.au;
w.caelli@qut.edu.au
------------------------------
*Next Generation Secure Computing Base http://www.microsoft.com/resources/ngscb/default.mspx
(accessed on 8 July 2005)
Microsoft’s efforts to secure computers running Windows.
------------------------------
* Network Security: Florida Business Alleges Bank of America Negligence
in Unauthorized Funds Transfer (2005, March 4) Computer Technology
Law Report. Volume 6 Number 5, p. 109.
http://subscript.bna.com/SAMPLES/ctl.nsf/0/b8cccd5e007a649c85256fb9007c8fba?OpenDocument
(accessed 8 July 2005)
The report briefly describes the case brought by a Florida corporation
against the Bank of America. The corporation alleges:
“- breach of contract and implied covenant of good faith
and fair dealing for allegedly violating the terms of the "Treasury
Services Terms and Conditions" agreement between the parties;
- breach of fiduciary duty in selling the corporation the online
account when it allegedly knew its customer’s accounts were
vulnerable;
- negligence in allegedly failing to have in place adequate security
systems and training for bank personnel, failing to verify and authenticate
the transfer, failing to take prompt action to recall the unauthorized
transfer; and
- fraud and deceit--intentional misrepresentation in opening AHLO's
online account and transferring the money, even though the bank's
"security procedures were below commercially reasonable bank
security procedures." (p. 110)
<><><><><><><><><><><><><><><><><><><><><