I was relaxing watching the marvellous BBC programme “Rip Off Britain” the other day. It was a live episode [online here] featuring the noted and venerable British television celebrity Gloria Hunniford. The subject of the programme was bank security and it featured Gloria herself investigating how she was ripped off by bank fraudsters. Basically, a woman who looked nothing like her used a fake driving licence to withdraw more than a hundred grand from her Santander account.
‘It was easier for four strangers to access my money than it is for me!’ Rip Off Britain’s Gloria Hunniford slams bank security after frauds stole £120,000 from her account
The bank teller involved was initially suspected of being part of the fraud and was prosecuted but acquitted on the grounds that she hadn’t the slightest idea who Gloria Hunniford was. Fair enough. It would be like prosecuting me for being unable to pick Kim Kardashian out of a police line up.
It’s easy to make fun of bank security (as I have) but there is a real problem behind this story. A bank doesn’t want to annoy good customers but it has to have security in place to at least mildly inconvenience fraudsters if nothing more. And the bank security has to cope with all sorts of circumstances. What if you drop your smartphone down the toilet? I’ve done that. And here’s another good example.I once ran out of petrol in my car. So I called the AA (I’m a Gold Member of that, too) and
they told me that they couldn’t bring petrol because it’s against health and safety regulations, so they towed me to a garage. I filled up the car, wandered in to pay and… discovered I’d left my wallet at home. (Not the first time I’ve done this.). Having thought about it, and left the car keys with the clerk at the filling station, I phoned my bank. It turned out that there was a branch a few minutes walk away, so I set off to find it. On the phone, I answered some security questions, and when I got to the branch there was (if memory serves) £30 waiting for me. Hats off to Barclays.
Now, I don’t remember what those security questions were, but I’m pretty sure that a determined fraudster would know the answers or know how to talk themselves round them. But I do want to live in a world where when I forget my wallet I can till get some cash out the bank!
One problem, in the Gloria Hunniford case, is that asking a customer to present a driving licence as proof of identity is the kind of “security theatre” that I was talking about in Sydney this week as a guest of the lovely people at Australia Post.
— Rick Wingfield (@rick_wingfield)
The bank clerk has no way to know whether the driving licence is real or not, so asking for it and looking at it is like taking part in a play about security where everyone is an actor who knows their lines but there is no actually security involved at any point. Surely this is one of the crucial differences between old identity and new identity, between dumb identity and smart identity, between analog identity and digital identity.
Had the bank digital identity interacted with the customer digital identity rather than the clerk interacting with the bogus Gloria, then there would have been mutual verification and real security. Imagine what the conversation at the counter could be…
Bogus Gloria Hunniford (BGH): “Hello, I’m Gloria Hunniford and I’d like to withdraw £150,000 from my account”.
Santander Bank Clerk of the Future (SCF): “Certainly Madam, let me check your Financial Services Passport.”
At this point, she pulls up the details of Gloria Hunniford’s account on her screen and the system sends a message encrypted using Gloria Hunnford’s public key. This is sent to the Santander app on Gloria Hunniford’s mobile phone.
BGH: “Sorry my phone was carried away be a seagull on the way to the bank so I don’t have my Financial Services Passport”.
SCF: “No problem Madam, we have a spare phone here.”
The bank clerk picks up the branches’ spare Samsung S7 and runs the Santander app. She puts in the Gloria Hunnford’s sort code and account number and when the app asks for verification, she holds it up and asks “Gloria” to log in using face verification (or voice or iris or whatever).
BGH: “Ah, unfortunately, I tripped over a paving stone yesterday and smashed my face into a Ford Focus. Due to my emergency plastic surgery, I’m afraid I will fail the face verification process”.
SCF: “That’s no problem Madam, we can re-enroll you. Please come back with your fingerprints, your voice and a barely legible photocopy of a gas bill from six months ago”.
Now, there is some actual security, because the real Gloria Hunniford will see a message pop up on her phone about authorising a withdrawal at the Santander branch and she will either hit the “no” button or the “no, and please connect me to the whitehall1212.police.org.uk emergency fraud chatbot so that I can alert the plod to a crime in progress”.
Look, the banks in Europe have to implement Strong Consumer Authentication (SCA) anyway, so why not implement properly so that you can authenticate yourself the same way whether on the phone, in the branch, browsing the web or mucking about with your phone? I imagine this is the sort of thing that my colleague Gary Munro will be talking about on 9th November 2016 as he is one of the experts taking part in the techUK seminar on strong authentication in PSD2. You’d be mad to miss it.
“Knowing Me Knowing You, Ah–Ha !” – Strong Authentication in PSD2
The fact is that if we really want to replace security theatre with some actual security, we have the technology.