Memorandum by APACS
APACS welcomes this opportunity to provide evidence
to the Science and Technology Committee on the subject of personal
Internet security. APACS is the UK trade association for payments
and for those institutions that deliver payment services to customers.
It provides the forum for its members to come together on non-competitive
issues relating to the payments industry. We currently have 31
members whose payment traffic volumes account for approximately
97 per cent of the total UK payments market.
APACS co-ordinates a range of banking industry
activities aimed at tackling payment-related fraud. One of the
most visible recent initiatives has been the introduction of Chip
and PIN. APACS also co-ordinates the banking industry's efforts
to combat online banking, payment and identity fraud. APACS and
its members have many years of experience in gaining an understanding
of the threats faced by individuals using online services, and
in developing effective strategies to mitigate those threats.
SUMMARY
The level of threat to personal security on
the Internet is increasing. It is driven by a combination of factors,
each of which is contributing to a rapidly escalating problem
which, if not effectively tackled, threatens long-term damage
to the increasingly important online economy. These factors include,
but are not limited to:
the increasing sophistication of
social engineering and technical threats which are mostly aimed
at private individuals;
the commoditisation of these skills
and technologies;
the increasing involvement of cross-border
organised crime gangs in operating fraud and money laundering
operations, and in funding the development of skills and technologies
used to attack individuals;
the challenge of providing effective
information and advice to the most vulnerable; and
the challenge of mounting an effective
cross-border law enforcement response.
Our response describes the range and severity
of threats to personal online security, and suggests a number
of areas where the banking industry feels that valuable improvements
could be made.
DEFINING THE PROBLEM
The nature of the threat to private individuals
Online banking and payments are hugely popular
activities in the UK. APACS research estimates that nearly 16
million people use online banking services in the UK, and nearly
27 million now shop online. The Internet has therefore rapidly
become an extremely important and attractive channel for payments
and access to sensitive financial information. These are services
that consumers value highly, and financial institutions are keen
to meet this demand in a secure manner.
The security of internet-based services is paramount
to the banking industry, and banks have invested heavily in protecting
their IT infrastructure. These measures have been highly successful
in protecting banks' customer data from direct attack. However
the very strength of protection around banking systems has led
criminals to target the weak link in the chain: the customers
themselves.
Criminals have also seen the success of the
Internet, and have begun to exploit its weaknesses for their own
ends. They are interested in obtaining security credentials and
other information that enables them to obtain value. Such information
includes usernames, passwords, card numbers, addresses, telephone
numbers and memorable data such as mothers' maiden names. Criminals
generally try to steal these credentials in one of two ways:
By asking for it: Phishing emails
are a very visible example of so-called "social engineering".
They are unsolicited (sent out at random by criminals, usually
hundreds of thousands or millions at a time) and often pretend
to be from a recognised financial institution. The emails ask
the recipient to click on a link that takes them to a web site
that may look identical to a genuine bank site, but whose sole
purpose is to fool visitors into handing over their security credentials.
Having obtained the information, criminals are then able to impersonate
a customer and log into their bank account to withdraw funds,
or use the information to carry out other types of identity theft.
APACS has monitored the growth of phishing since
it first hit the UK banking industry in September 2003. The sophistication
of the emails has evolved considerably over time, including the
emergence of personalised phishing, where name and address details
of the recipient are included in the email. Attackers typically
obtain these personal details through identity theft, for example
by stealing online merchants' customer databases. To date we have
not seen any evidence to suggest that bank customer databases
have been compromised, and apart from the personal details they
contain, such phishing emails are still essentially sent out at
random.
APACS has also monitored the rapid growth in
phishing incidents (measured as the number of spoof bank sites
set up by criminals, not by spam run volume) aimed at UK
banks over the past few years. In January 2005 we recorded 18
such incidents, compared to 1,513 in September 2006, an increase
of over 8,000 per cent in less than two years.

Phishing is not the only form of social engineering
used to steal personal information. APACS expects telephone-based
scams to expand, driven by the rapid take-up of Voice-over-IP (VoIP)
services that allow fraudsters cheap and largely anonymous access
to any UK phone number. APACS has monitored a number of cases
of so-called "Vishing" over the past few months.
By spying on the consumer: There
is strong evidence that criminal gangs involved in phishing scams
are increasingly using highly sophisticated software to steal
data, commonly referred to as trojans, malicious software or "malware".
Organised gangs have created underground markets to obtain information
from corrupt researchers on computer security holes, which their
own software coders can then turn into effective malware. The
objective of malware is the same as that of phishing: to obtain personal
and security information. The difference is that the victim may
remain completely unaware that anything is wrong until a fraud
has occurred. Modern malware is capable of infecting even well
protected computers, and of spying on user activities such as
keypresses, mouse movements and Internet browser sessions.
By way of example, Torpig/Haxdoor is a particularly
sophisticated example of malware that is being investigated by
the banking industry. Once infected by Torpig, a victim's computer
waits for the victim to navigate to any one of several hundred
bank web sites before inserting false login pages which invite
customers to input a wide range of information. Torpig is capable
of being updated automatically, and thousands of victim machines
may be managed by a single criminal.
Scale of the threat
It is important to appreciate that online identity
theft scams are largely run by organised crime gangs, most of
them operating on a trans-national basis. Through collaboration
with law enforcement, we have been able to establish that most
attacks targeting banking customers emanate from a number of gangs
operated out of eastern Europe, although other organised gangs
are increasingly becoming involved including ones based in Nigeria.
Losses to the banking industry due to online
banking fraud grew 90 per cent in 2005 to £23.2 million.
Losses for 2006 are expected to increase by a similar percentage.
All banks currently choose to refund customers whose accounts
have been compromised, except in exceptional circumstances such
as first-party fraud.
The introduction of Chip & PIN to credit
and debit cards, and the high level of security that it offers,
has led to fraudsters migrating their card fraud efforts to channels
where Chip & PIN protection is not available, in other
words to Internet and phone transactions. In 2005 card-not-present
fraud rose 21 per cent to £183.2 million (of which an estimated
£117.1 million was Internet-based), and there is evidence
that organised fraudsters are actively seeking to obtain card
details online, using many of the same techniques aimed at online
banking users.
APACS estimates that the wider cost of identity
theft against bank customers was around £30.5 million in
2005. This is made up of a combination of misuse of card data,
fraudulent applications for accounts or funds and account takeover.
Not all of the total is attributed to online activity, but industry
intelligence suggests that the Internet is an increasingly popular
channel for fraudsters to use both for compromising victims and
for carrying out fraud.
The harm done to the UK as a result of this
activity is significant. Direct losses tend to be transferred
quickly abroad using a variety of money laundering techniques,
where the assessment of a number of law enforcement agencies strongly
suggests that much of the cash finds its way into the hands of
organised criminals who use the money to fund further activities
including drug and people smuggling, prostitution and terrorism.
Consumers' understanding of the threat
The often complex nature of the attacks being
directed at consumers, coupled with a general unfamiliarity with
the equally complex nature of computing and the Internet, means
that many consumers are highly vulnerable. There is a misplaced
belief that personal computers are consumer products in the same
way as televisions or cameras. The truth is that although major
strides have been made in hiding the majority of a computer's
complexity from consumers, that complexity in fact still remains
and can be taken advantage of by knowledgeable attackers.
APACS research reveals that a small but significant
segment of the population remains vulnerable to social engineering
attacks like phishing. In August 2006 some 4 per cent of respondents
stated that they would respond to a phishing email, virtually
unchanged from a 2004 survey. Younger people appear disproportionately
vulnerable, with around 12 per cent of 18-24 year-olds stating
that they would respond in both surveys. Although the vast majority
of people recognise social engineering lures for what they are,
additional research undertaken by Indiana University[1]
indicates that, where phishing emails are highly personalised
with accurate information about the recipient (eg name, address
and other personal information) then response rates can climb
dramatically. The banking industry and law enforcement agencies
have seen that criminal gangs are putting more effort into obtaining
and using such details to improve the credibility of their lures.
One encouraging trend that we have noted is
that computer users are increasingly aware of, and are making
use of, security technologies such as regularly updated anti-virus
software, firewalls and operating system patches. Taken together,
such measures greatly help to protect a computer against infection.
However, the picture is not all good. We note that the UK remains
very high on an international league table[2]
for "zombie computers", that is, computers that have been
infected with malware for purposes such as identity theft, phishing
and spamming. At one point last year it was estimated that nearly
a third of the world's "zombie" computers were located
in the UK. Often consumers express concerns about the additional
costs of securing their computers, particularly with regard to
anti-virus software although many free packages are available.
Using security measures is increasingly essential, and users should
be encouraged to think about them in much the same way that locks
and alarms are now considered to be perfectly reasonable measures
to have on cars and homes.
Malware writers are using ever more sophisticated
techniques, including so-called "rootkit" technologies.
Rootkits enable malware to, amongst other things, hide
from computer users and from security software. The problem of
rootkits is rated as being so severe that a senior Microsoft security
manager has been quoted that often the only solution for dealing
with a computer infected with a rootkit may be to "nuke it
from orbit"[3]
by completely wiping the hard drive and reloading the operating
system and software from scratch. To expect the average computer
user to detect and respond properly to such devastating attacks
presents a considerable challenge.
TACKLING THE PROBLEM
Information security support to private individuals
A number of UK banks offer their customers subsidised
or free security software. Banks also provide customers with advice
on how to protect themselves on their sites both directly and
via collective initiatives such as www.getsafeonline.org, www.identitytheft.org.uk
and www.banksafeonline.org.uk.
An important central consideration is that criminals
are targeting consumers because consumers are able to give away
their credentials to the criminal, either by stealth or by way
of a confidence trick. One way of mitigating this problem would
be to provide consumers with a security system in which they themselves
would not form the weakest link.
Many banks are seeking to do this via the introduction
of so-called "strong authentication" systems. These
can take many forms and include the use of a piece of equipment
(commonly known as a "token") to generate a unique passcode
that could only be used once, and which would change every time
it was required. In this way, a criminal would not be able to
re-use any captured information. In all cases banks complement
their specific customer authentication controls with additional
risk management and fraud detection controls within their on-line
banking service. These controls, which form a layered security
approach, are sometimes visible to the customer and sometimes
operate in the background, and are harder for criminals to overcome.
These measures are broadly consistent with the recommendations
made to US banks by the Federal Financial Institutions Examination
Council in 2005.
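To make the one-time property described above concrete, the following is an added example; it is not APACS's code nor any bank's authentication system. It assumes the token is an event-based (counter-driven) device implementing HOTP as specified in RFC 4226, sharing a secret and a counter with the bank. The secret is the RFC's published test key, used only so the codes can be checked against known values; the window size and class names are the example's own choices.

```python
"""HOTP-style one-time passcodes with server-side replay rejection.

Added illustration (not a bank's or APACS's system): the token and the
bank server share a secret and a counter; each code is valid once.
Uses the HMAC-based One-Time Password algorithm from RFC 4226.
"""
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 4226 test-vector key, chosen so the
# codes produced here can be checked against the published values.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for one counter position."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class Token:
    """The customer's hardware token: emits the next code and moves on."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class BankVerifier:
    """Server side: accepts each counter position at most once.

    A small look-ahead window tolerates codes the customer generated
    but never submitted; anything at or below the last accepted
    position is treated as a replay and refused.
    """

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._next_counter = 0   # lowest counter value still acceptable
        self._window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self._window):
            expected = hotp(self._secret, c)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self._next_counter = c + 1                 # burn this and earlier positions
                return True
        return False


def replay_scenario() -> tuple:
    """Walk through a captured-credential replay.

    Returns (first_login_ok, replay_ok, next_login_ok).
    """
    token = Token(SHARED_SECRET)
    bank = BankVerifier(SHARED_SECRET)

    code = token.next_code()            # customer logs in normally
    first = bank.verify(code)           # accepted

    # Suppose a spoof site captured `code`; submitting it again fails
    # because that counter position has already been spent.
    replay = bank.verify(code)

    # The customer's next genuine login still works.
    later = bank.verify(token.next_code())
    return first, replay, later


if __name__ == "__main__":
    print(hotp(SHARED_SECRET, 0))       # 755224, the RFC 4226 value for counter 0
    print(replay_scenario())            # (True, False, True)
```

The verifier advances past every accepted position, so a code that was captured during a genuine login is worthless afterwards; this is the property that makes captured credentials non-reusable. The constant-time comparison is the usual precaution when checking short secrets against user input.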
Increasing awareness and improving education
Based on the evidence gathered by APACS, whilst the
majority of computer users are generally aware of computer security
threats and do take sensible steps to reduce their exposure, a
minority continues to remain vulnerable. As stated previously,
this is despite many high-profile media stories and educational
efforts over the past few years, and indicates that future awareness-raising
efforts will need to focus particularly on that group of users
who remain most at risk.
These trends are despite numerous high profile
initiatives put in place over the past couple of years by the
banking industry, government and others to inform and educate
members of the public of the threats and to provide advice on
how to protect themselves. We believe that much more needs to
be done in order to bring about a significant shift in cultural
perceptions, and that this will require concerted and joined-up
action from government, in the form of public information efforts
and improvements to training and education in areas such as life
skills and computer skills.
A number of factors can prevent private individuals
from following appropriate security practices, including:
Lack of computer literacy skills.
Prevalence of inappropriate risk
judgements borne out of arrogance or naivety, eg "it can't
happen to me" or "I'm too clever to be taken in by such
things" or even "This email must be from my bank because
it's got their logo on it".
Complexity of applying technical
countermeasures, and of configuring them correctly.
Price of countermeasures.
Stakeholders' roles in ensuring effective protection
Effectively protecting individuals online is
a complex task that requires action from a wide range of stakeholders,
all of whom have roles to play:
Operating system vendors: The security
and stability of the computer's operating system is the foundation
upon which effective protection for all Internet based activity
must be built. Fortunately there has been significant improvement
in this area over recent years with the introduction of more secure
operating systems which are less open to abuse, and where necessary
easier to patch. It is a fundamental requirement that all operating
system vendors continue to maintain this effort, and make them
ever more stable requiring ever fewer critical patches to maintain
their security.
Internet browser vendors: The Internet
browser is the primary way in which consumers interact with internet
services, and therefore there is a need to ensure that browsers
are fundamentally more secure and less open to abuse. A key improvement
from a consumer perspective would be to examine how information
warnings and messages are presented to the users to ensure that
they are obvious and unambiguous. Far too many current messages
are susceptible to being ignored or misunderstood by users and
this allows them to be deceived into accepting malware that would
infect their PCs.
Computer security vendors: This includes
the wide range of anti-virus software, antispyware software and
firewall vendors. Here we feel that more can be done to focus
more on the specific threat of malware that has been specifically
written with the objective of ID theft. Often such malware is
targeted at relatively small numbers of victims, and the fear
is that many security vendors may not appropriately prioritise
these risks.
Internet Service Providers: The ISP
community provides users with their primary means of personal access
to the Internet. As such they are vital stakeholders to engage
with. There is a view that more can be accomplished by ISPs in
this area, which we will set out later in this submission.
Law Enforcement: The likelihood is
that the global nature of cyber-criminality will limit the ability
of Law Enforcement to secure prosecutions. It is with this in
mind that the concept of reducing harm to consumers is vital to
promote, and law enforcement under the banner of crime prevention
has a key role to play.
Government: The Government has a
wide range of responsibilities to protect consumers, most notably
through the creation of effective laws and regulation that will
help to prevent offences. As important, however, is providing
the means to ensure that individuals are less vulnerable to attack
through sound and effective education and awareness, recognising
that this will be a long term enduring problem. An additional
aspect of this is the dissemination of coherent and effective
advice and warnings to consumers of new vulnerabilities. Here
the Government could go much further than it has currently and
emulate the better practice found in other nations through the
establishment of a national Computer Emergency Response Team (CERT)
that could exercise this function.
E-commerce community: All those who
provide e-commerce services to users should work to educate their
user communities, and should take stronger action to protect the
information that they hold on their customers from the possibility
of being obtained and misused by criminals.
Banking industry: In addition to
their status as part of the wider e-commerce community, banks
are well placed to drive forward stronger authentication measures
that could provide wider benefits in the longer term. Moreover
there are effective benefits in sharing knowledge of the consequences
of the threat to end users, as it allows the industry to shape
its messages to consumers on what they can do to protect themselves.
Additionally it has allowed us to build a broader consensus on
why and how personal Internet users must be protected.
Individuals: All the security systems
and advice in the world are useless if individual users fail to
use them. So long as criminals continue to regard individuals
as a weak link in the security chain then they will continue to
be targeted. The great majority of individuals do behave sensibly
and securely, but the remainder should continue to be challenged
to alter their behaviour if only for their own good.
UK research into Personal Internet Security
The UK Payments Industry conducts, through APACS,
a number of regular surveys on how UK consumers use the Internet
for e-banking and making purchases. These surveys often include
more general questions in relation to personal Internet security;
some of the results of one of the most recent were set out earlier
in this response.
It is important to recognise that any research
into user attitudes to Internet security is challenging and rife
with paradoxes that must be confronted in the design of any future
research. In simple terms this is characterised by users expressing
generalised and abstract fears from a perceived lack of security
on the Internet, whilst at the same time willingly using it regularly
to conduct their lives. We have as a consequence seen no definitive
evidence or conclusive research that security fears are driving
users away from Internet services.
Overall, however, UK research in this area could
be best characterised as patchy; there seems, for example, to
be no large-scale academic research experiments into the threat
of phishing and user reaction to it of the style we have seen
in US academic institutions. There is therefore much more that
could be achieved in trying to co-ordinate and promulgate the
results of research into Personal Internet Security across all
those conducting it.
GOVERNANCE AND REGULATION
IT governance does not have a direct impact
on mitigating threats, and is not a direct influence on consumers
and personal internet safety. There are, however, implied benefits
in that organisations that adopt sound methods of IT governance
and which have adopted the best principles of information security
management are more likely to deliver systems that are robust
and resistant to attack. This will ensure that where these organisations
offer Internet based services, such as e-banking services offered
by APACS members to consumers, there is much greater confidence
that they will do so securely and provide the necessary protection
for the personal information they receive from the consumer.
Information security standardisation
The UK payments industry has been at the forefront
of applying the best principles of sound information security
management over a number of years, and has contributed with others
to ensuring that this best practice is enshrined in international
standards that others can follow: ISO 17799, the Code of Practice
for Information Security Management. There is increasing evidence
that certification against this code of practice is growing
globally, and that it is highly relevant to enterprises offering
Internet-based services. This standard and other international
industry-specific standards, such as the Payment Card Industry
Data Security Standard (PCI DSS), are contributing to increasing
awareness of the need to implement security in order to mitigate
risk. Moreover it is argued that there are business benefits in
applying these standards. Demonstrating conformance to sound security
management practices and ensuring that personal information is
given adequate protection is now being seen as a method to promote
consumer confidence, and hence win repeat business.
A range of technical information security standards
being developed in the international standards bodies complements
these information security management standards. This is healthy
and desirable and over time these will contribute to building
security technologies suitable for the consumer market and thereby
enhance personal Internet security. These standards may take some
time to mature into viable secure and saleable products for the
consumer market because in many cases they are predicated on having
a secure PC host platform with no vulnerabilities. Our evidence
continues to show that this is not likely to be achieved soon.
One important technology that is often quoted in the context of
enhancing personal Internet security is the use of digital signature
technology. On a stable and secure host PC this would have benefit,
but if the digital signature was generated on a host PC for which
the provenance of the security is not known it is likely to have
questionable value. This is compounded in Europe by differing
national interpretations on digital signature legislation enacted
as a result of the EU e-signature directive. In some countries
any digital signature meeting certain criteria has a degree of
the weight of evidence in its favour that would make it difficult
to question its provenance, which is not the case in the UK. The
important consideration here is that it is often difficult to
generate common consistent legal interpretations of information
security technologies, despite common international understanding
and agreements.
Information security and regulation of Internet services
From the perspective of the UK Payments Industry
on-line Internet based financial services are regulated under
the existing regulations that govern how any other financial service
is offered to UK consumers. There are distinct challenges when
considering the appropriate regulatory environment for other industries
as they start to offer Internet services. On the one hand the
relatively low cost to offer internet services with possible rich
rewards makes it an attractive business channel, whilst on the
other any severe regulatory burden could markedly constrain growth.
This is compounded by the lack, at least early on in the lifecycle
of a service, of any prevailing threat that would dictate regulation
or security. However, as we have seen in recent years the speed
with which criminals have been able to exploit a wide variety
of disparate channels for their profit is alarming.
An example of lighter touch regulation, which
at the time was appropriate and relevant but perhaps now needs
to be re-examined, is Section 17 of the Electronic Commerce (EC
Directive) Regulations 2002. This section, known as "Mere
Conduit", ensures that ISPs are not liable for any information
that passes over their networks. Whilst this is entirely reasonable
it has been used as defence by the ISPs for why they will not
monitor, and then take action against, their customers' host PCs
that have been compromised and are then used by criminals to send
spam, distribute malware or otherwise act maliciously.
There are other countries, such as Australia,
where there is much greater debate on this issue. In these cases
the argument is now being made in favour of ISPs being seen to
operate responsibly and to actively monitor their networks for
customers' PCs that have been compromised and then advising them
on remedial action. Given the fact that the UK has been recorded[4]
as having one of the highest rates of compromised PCs in the world,
it is possible to argue that a similar policy in the UK would substantially
improve personal Internet safety.
CRIME PREVENTION
The UK Government made a major step forward
a number of years ago in establishing the National High-Tech Crime
Unit (NHTCU) and in resourcing regional police forces' computer
crime units which provided the framework for national policing
of cyber crimes. APACS was a net contributor to the development
of the NHTCU and maintained a very close relationship with the
unit throughout its operational life. This provided an important
foundation for the joint activity in responding to, and combating,
the rise in attacks against e-banking customers in the UK since
September 2006.
Domestic dimension
It was, therefore, with considerable interest that
we have tracked the merging of the NHTCU within SOCA as the e-Crime
directorate. It is commendable that in this process more resources
were to be given to the unit, and at the same time a realignment
of responsibilities saw the remit for child pornography passed
to the Child Exploitation and Online Protection (CEOP) Centre.
Both of these factors should enhance SOCA's ability to address
the broader issue of cyber crime of which prevention is a major
element of their strategy.
The dilemma is that, in subsuming the NHTCU within
SOCA, its primary remits as a national centre of excellence upon
which regional forces could draw as required, and as guardian
of the discipline of investigating cyber crime, can no longer be
fulfilled. As such there is a gulf in this area within the UK that
is reducing the effectiveness of cyber crime prevention. The recent
proposals by Commander Sue Wilkinson of the Metropolitan Police,
who is the ACPO lead for this topic, for a national co-ordinating
body on cyber crimes is one that APACS warmly supports.
International dimension
These attacks against e-banking, and other cyber
attacks such as the denial of service attacks against on-line
gambling sites, are a global problem from criminals who themselves
operate globally. NHTCU, and now SOCA, led the initiative that
has seen marked progress in establishing the necessary framework
of international co-operation amongst law enforcement agencies
needed to combat these threats. We have fully supported this effort
and where necessary complemented it by establishing our own peer
relationships with similar communities of interests affected by
e-banking attacks in other countries, most notably Australia,
Brazil, Germany and the USA. The UK continues to be one of the
most effective in establishing this form of international co-operation.
Computer crime criminal law
One of our major points to the All Party Internet
Group on their review of the Computer Misuse Act was the proposal
to make the penalties greater and to include DoS attacks explicitly
within the scope of the act. The recent proposed improvements
to the Computer Misuse Act included in the Police and Justice
Act, are very positive indications of the Government's willingness
to continue to improve existing legislation. A further example
is the Fraud Bill, which will provide powers to combat deception
as a means of executing fraud; this will therefore make phishing
illegal and is welcomed by the industry.
As important as these moves are, there is a
need for legislation that is clear and that will provide a measure
of stability as technology changes. In this light the industry
was concerned about some of the proposed changes to the CMA under
the Police and Justice Act that criminalise security tools, although
reassurances have been given that the intent is not to prevent
enterprises using these tools to ensure the security of their
own systems. The important consideration, however, is that any
legislation designed to combat cybercrime needs to be carefully
framed if it is not to have unwarranted consequences for legitimate
activity that promotes security.
11 October 2006
[1] Jagatic, Johnson, Jakobsson and Menczer (School of Informatics,
Indiana University, Bloomington),
http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf
[2] Symantec Internet Global Threat Report, January-June 2005.
[3] Mike Danseglio, Microsoft Security Group Programme Manager, April 2006.
[4] http://news.bbc.co.uk/1/hi/technology/4369891.stm