A Year Ago: Public pays for banks' insecurity

First published: Fri, 23 Jul 1999 14:05:49 GMT
Written by Will Knight, Contributor

Computer security within many UK banks is perilously insecure and the public is being made to pay to hide this fact, according to leading computer security risk assessment consultant, Ian Johnston-Bryden.

Johnston-Bryden is the managing director of security firm Oceanus. His company carries out "penetration tests" on companies' computer security and claims most banks are not exactly invulnerable.

"I have done a variety of tests on banks," he said. "In one case a bank had a security system supplied by a top computer firm, and so thought it was fine, but it took us about 10 minutes before we were transferring money between accounts."

According to Johnston-Bryden, this sort of test is designed to provoke a response from a computer network's security measures, so it is not exactly subtle.

"When you're going around on someone's system effectively with hob-nail boots on and no-one notices, it doesn't say much for what they'll do when they're under real attack. A real hacker will take enormous trouble to conceal themselves."

Even more frustrating than this insecurity, however, is the suggestion that banks actually prefer to leave their computers open to attack and charge customers extra for the damage that may be caused rather than address security faults and risk a crisis in public confidence.

This is a situation business experts also seem to be well aware of. Although the champions of e-commerce have often complained about public paranoia concerning online transactions, it seems they in denial over their own internal security.

Lance Close, a senior analyst with Mintel Research, agrees that big businesses are turning their backs on this problem. "I wouldn't say they're not addressing the problem, but you could say that by not concentrating on it they're not addressing it enough however," he said.

At the same time, he believes banks are right to be concerned about reassuring the public. "If they come out, given the attention the press give to this sort of thing, they could re-ignite the myth that it's dangerous to bank or even use you credit card online, and that could even put e-commerce back by a year in this country."

Johnston-Bryden, however, points out that it is the public who will ultimately suffer the most as a result of this. "A bank's situation is very much based on confidence," he says.

"If you think about it, a bank's job is basically selling security. They have always been terrified that once they admit their system is not completely infallible, that confidence will disappear. We've gone back to banks and shown them security problems and they'll say 'Oh dear,' but once they've considered the cost of damaging public confidence, they won't bother doing anything. They'd rather charge people for the resulting damage. It doesn't really worry them because it's not their money."

What do you think? Tell the Mailroom. And read what others have said.

Editorial standards