<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Tales from the Crypto : Credit Cards</title><link>http://msmvps.com/blogs/alunj/archive/tags/Credit+Cards/default.aspx</link><description>Tags: Credit Cards</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>How broken is the banking system?</title><link>http://msmvps.com/blogs/alunj/archive/2008/01/07/1445985.aspx</link><pubDate>Tue, 08 Jan 2008 05:22:01 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1445985</guid><dc:creator>Alun Jones</dc:creator><slash:comments>3</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/alunj/rsscomments.aspx?PostID=1445985</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/alunj/commentapi.aspx?PostID=1445985</wfw:comment><comments>http://msmvps.com/blogs/alunj/archive/2008/01/07/1445985.aspx#comments</comments><description>&lt;p&gt;&lt;img style="margin:0px 10px 0px 0px;" height="152" alt="Jeremy Clarkson - we should all have his simple naivete and faith in the system" hspace="0" src="http://newsimg.bbc.co.uk/media/images/44339000/jpg/_44339792_clarkson_bodypa203.jpg" width="203" align="left" border="0" /&gt;My kid and I love watching &lt;a title="Top Gear - hosted by William Woolard, Angela Rippon and Noel Edmonds" href="http://www.bbc.co.uk/topgear/"&gt;Top Gear&lt;/a&gt; - me, because it&amp;#39;s nice to see him interested in a very traditional British TV programme (in the US, you can find it on BBC America), and him, because he just loves cars - particularly high-performance ones.&lt;/p&gt; &lt;p&gt;So I have to admit to having a little 
chuckle as I find what&amp;#39;s been going on in the life of its host, Jeremy Clarkson.&lt;/p&gt; &lt;p&gt;Well, in the wake of the recent loss of 25 million child benefit case records by the UK Government&amp;#39;s HMRC (tax and customs) department... what, you didn&amp;#39;t hear about it?&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Okay, I&amp;#39;ll admit, I didn&amp;#39;t report on it, because I figured the world and his wife had already heard all there was to hear on the story. Cut to the chase - someone at the HMRC received a call from someone at the NAO (National Audit Office), asking for some records. Rather than asking if they were supposed to be handing those records over, or if the NAO actually had any rights to receive the records, the &amp;quot;junior official&amp;quot; involved sent a couple of disks ... in internal mail (which turned out not to be so internal, having been contracted out to a courier) to the NAO.&lt;/p&gt; &lt;p&gt;The NAO called back after a few days, asking where their data was.&lt;/p&gt; &lt;p&gt;The junior official sent another copy!&lt;/p&gt; &lt;p&gt;At this point, somebody told someone, and a big stink got raised that there was all this data out there - 25 million records, 7.5 million families, containing names, addresses, bank account numbers, national insurance numbers (NI numbers - that&amp;#39;s our equivalent of Social Security Numbers or SSNs).&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Okay, so in the wake of all this, lad Jeremy decides he&amp;#39;s fed up of all the press coverage of the waste of time investigation into the whole loss of two miserable little CDs.&lt;/p&gt; &lt;p&gt;He declares, in one of the UK national newspapers (the one with semi-naked women on one of its inside pages), that it&amp;#39;s all a load of fuss over nothing - even goes so far as to call it a &amp;quot;palaver&amp;quot; (which is not, apparently, a knitted garment - that would be either a pullover, or a balaclava).&lt;/p&gt; &lt;p&gt;Mr C even 
goes so far as to publish his own bank account number. With sort code (aka bank routing number, to those of us in the USA).&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&amp;quot;All you&amp;#39;ll be able to do with them is put money into my account. Not take it out. Honestly, I&amp;#39;ve never known such a palaver about nothing,&amp;quot;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;See - I told you he called it a palaver.&lt;/p&gt; &lt;p&gt;Sadly, as the BBC (don&amp;#39;t they broadcast Top Gear, or something?) reports, &amp;quot;&lt;a title="Clarkson stung after bank prank - BBC News" href="http://news.bbc.co.uk/2/hi/entertainment/7174760.stm"&gt;Clarkson stung after bank prank&lt;/a&gt;&amp;quot;. I guess we couldn&amp;#39;t predict that.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&amp;quot;I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account,&amp;quot;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;After explaining to some disbelieving friends how this could have happened, I realised that not everyone has had the chance to run their own business, and see what a mess the banking system is. We all assume that the banks have our best interests at heart, and operate securely in ways that ensure we can&amp;#39;t lose a penny.&lt;/p&gt; &lt;p&gt;Not really, no. 
They work (mostly) on the basis that it&amp;#39;s cheaper to refund your money if you notice a problem and complain, than it would be to fix the problem in the first place.&lt;/p&gt; &lt;p&gt;Here&amp;#39;s a &lt;a title="APACS - the UK payments association - direct debit FAQ" href="http://www.apacs.org.uk/resources_publications/faqs/bacs_9.html"&gt;simple explanation of how &amp;quot;direct debit&amp;quot;&lt;/a&gt; (in the US, &amp;quot;automated payment&amp;quot;) works:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Most commonly you would complete a written Direct Debit Instruction, obtained from the organisation you wish to pay and return it to them for onward transmission to your bank. Some direct debits may be set up over the phone or via the Internet. In these cases the organisation must subsequently write to you confirming what has been agreed.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;So, the receiving organisation claims to the bank that someone claiming to be the account holder requested them to withdraw money from the account.&lt;/p&gt; &lt;p&gt;Note &amp;quot;claims&amp;quot;, because there&amp;#39;s no proof at that stage.&lt;/p&gt; &lt;p&gt;It&amp;#39;s not even as workable as &amp;quot;you write to the bank requesting they allow a direct debit from your account&amp;quot; - the bank has no opportunity to interact with the customer except by sending them their next bank statement!&lt;/p&gt; &lt;p&gt;That&amp;#39;s broken - but then again, I&amp;#39;ve written before about how broken the credit card system for web purchases is. Again, the actual issuing bank, the one with whom you have a relationship, and who could validate your identity, is kept out of the transaction until it&amp;#39;s already finished.&lt;/p&gt; &lt;p&gt;What would be super is if a celebrity like Jerembly Clarkson would start a campaign to have the banks be required to all team up and do a properly secure set of protocols for credit card and payment authorisations. 
Then merchants like me wouldn&amp;#39;t whine about repeated charge-backs that we can&amp;#39;t actually refute, and people like him, ignorant about the truth of the banking industry&amp;#39;s inability to secure the very money they are entrusted with, wouldn&amp;#39;t go handing out money willy-nilly to random charities just to prove that their trust is woefully misplaced.&lt;/p&gt; &lt;p&gt;I just don&amp;#39;t think it&amp;#39;ll happen.&lt;/p&gt; &lt;p&gt;I hope there was only £500 in the account, and that Mr Clarkson has already closed that account, and opened one whose number he will keep secret, sharing only with the bank, the company that prints his cheques, everyone he ever pays by cheque... now there&amp;#39;s another broken system.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://msmvps.com/blogs/alunj/archive/tags/General+Security/default.aspx">General Security</category><category domain="http://msmvps.com/blogs/alunj/archive/tags/Credit+Cards/default.aspx">Credit Cards</category><category domain="http://msmvps.com/blogs/alunj/archive/tags/What+my+wife+knows/default.aspx">What my wife knows</category></item><item><title>Finally, credit cards done right... 
maybe</title><link>http://msmvps.com/blogs/alunj/archive/2006/12/29/finally-credit-cards-done-right-maybe.aspx</link><pubDate>Fri, 29 Dec 2006 16:19:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:458385</guid><dc:creator>Alun Jones</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/alunj/rsscomments.aspx?PostID=458385</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/alunj/commentapi.aspx?PostID=458385</wfw:comment><comments>http://msmvps.com/blogs/alunj/archive/2006/12/29/finally-credit-cards-done-right-maybe.aspx#comments</comments><description>&lt;P&gt;For the longest time, I've been mystified at the way in which we as an information-based society conduct online transactions.&lt;/P&gt;
&lt;P&gt;Here's how it goes right now:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Customer sends secret information (card number and maybe CVV2) to vendor.&lt;/LI&gt;
&lt;LI&gt;Vendor promises not to disclose information to anyone but the bank.&lt;/LI&gt;
&lt;LI&gt;Vendor accidentally or deliberately discloses secret information to thieves.&lt;/LI&gt;
&lt;LI&gt;Thieves run up huge credit card bills with other vendors (call them "suckers").&lt;/LI&gt;
&lt;LI&gt;Customer reports unapproved use of credit card.&lt;/LI&gt;
&lt;LI&gt;Bank takes money out of sucker vendors' accounts in the amount of the theft plus a fine. Oh, and charges a percentage of the transaction cost in both directions.&lt;/LI&gt;
&lt;LI&gt;Rinse, lather, repeat.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;Obviously, those vendors that are accepting credit cards are complete suckers, because they get fined for accepting credit card numbers from the thieves, when of course the bank has provided them with no means of confirming the identity of the person placing the order.&lt;/P&gt;
&lt;P&gt;It's really obvious that the way this should proceed in an Internet-connected society is as follows:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Customer identifies herself to the bank (through secret information or public key infrastructure, doesn't much matter, because there are only two parties concerned&amp;nbsp;- bank and customer)&lt;/LI&gt;
&lt;LI&gt;Customer tells bank what vendor they want to pay, and how much.&lt;/LI&gt;
&lt;LI&gt;Bank provides customer with a difficult-to-forge, non-repeatable, time-sensitive code tied to this one purchase.&lt;/LI&gt;
&lt;LI&gt;Customer sends code to vendor.&lt;/LI&gt;
&lt;LI&gt;Vendor can post code on billboards, for all anyone cares, because that code is only usable by that vendor, for this transaction, for this amount, over the next couple of days (hey, vendors are slow to cash credit card transactions).&lt;/LI&gt;
&lt;LI&gt;Vendor sends code to bank.&lt;/LI&gt;
&lt;LI&gt;Bank pays vendor from customer's account.&lt;/LI&gt;
&lt;LI&gt;Vendor can post code on billboards, for all anyone cares, because that code is now not usable by any vendor, for any transaction.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;Obviously, there's still opportunity for fraud - if the customer or the bank share their shared secret with someone else. But then, that's two parties who have engaged in a contract to trust one another for monetary exchange, and who have adequate reason to keep that information secret - plus, if the secret is exposed, there's already an approved method to re-assign new secrets.&lt;/P&gt;
&lt;P&gt;Sadly, there's no incentive for the system to change this way - neither the customer nor the banks have any incentive to change, because they don't lose money when credit cards are used fraudulently - it's only the sucker vendor who loses money, and the sucker vendor has to accept credit cards, because there's no other way to take money over the Internet.&lt;/P&gt;
&lt;P&gt;All that is about to change, I hope.&lt;/P&gt;
&lt;P&gt;PayPal, a division of eBay, is one of the biggest sucker vendors there can be. Clearly, they've gotten tired of having to pay the fees, fines, and cost of lost goods, when credit cards are fraudulently used. Because they've finally come up with &lt;A class="" title="PayPal 'Virtual Debit Card' Beta Seeks to Eliminate ID Theft" href="http://www.betanews.com/article/PayPal_Virtual_Debit_Card_Beta_Seeks_to_Eliminate_ID_Theft/1167345809"&gt;the right way to do things&lt;/A&gt;!&lt;/P&gt;
&lt;P&gt;Okay, so it's not quite as I outlined, because of course PayPal decided to do it in such a way that a vendor doesn't even have to know that they're dealing with PayPal's new scheme - the secret code is exactly a MasterCard number.&lt;/P&gt;
&lt;P&gt;Apart from this significant problem - that vendors still have no way to ensure that they are dealing with a more secure payment means, and therefore can't offer faster service, less chance of fraud checking triggering an alert, etc - this is a good scheme, and I want to see it proceed to fruition.&lt;/P&gt;
&lt;P&gt;It'll be even better if someone at PayPal wises up to the idea of providing a simple means to check that the MasterCard number provided is from the secured payment program (PayPal calls it "Virtual Debit Card" or "VDC" for the present).&lt;/P&gt;
&lt;P&gt;This scheme, or something similar, has been operated previously by other banks and in other countries, but the fact that PayPal, a large provider,&amp;nbsp;is going to adopt it means that we should be on the road to a more secure future, where vendors aren't dunned by banks and thieves alike for credit card fraud that is beyond the vendors' control.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://msmvps.com/blogs/alunj/archive/tags/General+Security/default.aspx">General Security</category><category domain="http://msmvps.com/blogs/alunj/archive/tags/Credit+Cards/default.aspx">Credit Cards</category></item></channel></rss>