The Works: The flaw of too many secrets

Howard Oakley [MacUser]
After an unsolicited telephone call from my bank, it soon became clear that its security procedures were flawed.

Trust, loyalty and codes of honour are essential features of human behaviour. Whether the unwritten etiquette of the professional bike rider, who inhibits his competitors from exploiting a quick pee break, or the ageless honour of the samurai, without trust life becomes unliveably clumsy. This is hard to mirror in electronic communications. Although many respect the conventions of netiquette and behave responsibly and honourably, there are still those who are downright criminal. In the absence of the nuances of face-to-face contact, you really can't trust anyone.

When you have to place trust over the Internet, there are some established procedures that you can follow. Provided there is some form of contractual (or similar) bond between the parties, an exchange of 'shared secrets' can be used to authenticate a transaction. This is the basis for passwords, and even more commonly, the identification questions that have become standard in telephone banking. Unfortunately, whoever implemented them in the latter skipped too much security theory to understand what is actually required - an exchange.

So the last time my bank phoned me without warning, we reached an impasse. They launched into their stock questions of my mother's maiden name and the like, but I asked them to prove their identity first. As they wanted me to reveal my secrets, but were unwilling to share any of theirs, the call was quickly terminated.
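As an added illustration (not part of the column, and not any bank's actual procedure), here is what the missing 'exchange' looks like in code: a mutual challenge-response over a shared secret, in which the caller must prove knowledge of the secret before the customer answers, and neither side ever transmits the secret itself. The shared secret, role labels and nonce lengths are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; in practice this is whatever the two parties
# agreed when the account was opened (the 'contractual bond' in the column).
SHARED_SECRET = b"constructed-example-shared-secret"


def _tag(secret: bytes, role: str, their_nonce: bytes, my_nonce: bytes) -> bytes:
    """HMAC-SHA256 over the speaker's role and both nonces.

    Binding the role prevents a caller from simply replaying the customer's
    own answer back at them; binding both nonces makes each tag single-use.
    """
    message = role.encode() + b"|" + their_nonce + b"|" + my_nonce
    return hmac.new(secret, message, hashlib.sha256).digest()


class Party:
    """One side of the call: knows (or claims to know) the shared secret."""

    def __init__(self, role: str, secret: bytes):
        self.role = role
        self.secret = secret
        self.nonce = secrets.token_bytes(16)  # fresh challenge for this call

    def respond(self, peer_nonce: bytes) -> tuple[bytes, bytes]:
        """Answer the peer's challenge with a tag, plus our own challenge."""
        return self.nonce, _tag(self.secret, self.role, peer_nonce, self.nonce)

    def verify(self, peer_role: str, peer_nonce: bytes, tag: bytes) -> bool:
        """Check a tag against what the real secret would have produced."""
        expected = _tag(self.secret, peer_role, self.nonce, peer_nonce)
        return hmac.compare_digest(expected, tag)


def flawed_telephone_check(customer_answers: dict, caller_questions: list) -> dict:
    """The column's bank procedure: whoever asks gets the secrets, unverified.

    Returns exactly what an unauthenticated caller learns.
    """
    return {q: customer_answers[q] for q in caller_questions}


def mutual_authenticate(customer: Party, caller: Party) -> tuple[bool, bool]:
    """Customer challenges the caller first; only then does the customer answer.

    Returns (caller_proved_itself, customer_proved_itself).
    """
    # Step 1: the caller must prove it is the bank, bound to our fresh nonce.
    caller_nonce, caller_tag = caller.respond(customer.nonce)
    if not customer.verify("bank", caller_nonce, caller_tag):
        # Nothing about the customer has left the customer's side.
        return (False, False)
    # Step 2: now the customer proves itself to a caller it has verified.
    cust_nonce, cust_tag = customer.respond(caller_nonce)
    return (True, caller.verify("customer", cust_nonce, cust_tag))


if __name__ == "__main__":
    genuine = Party("bank", SHARED_SECRET)
    print("genuine bank:", mutual_authenticate(Party("customer", SHARED_SECRET), genuine))
    impostor = Party("bank", b"does-not-know-the-secret")
    print("impostor    :", mutual_authenticate(Party("customer", SHARED_SECRET), impostor))
    # Constructed answers; the flawed procedure hands them to any caller.
    answers = {"mother's maiden name": "Example"}
    print("flawed check leaks:", flawed_telephone_check(answers, ["mother's maiden name"]))
```

The point of the contrast is in the return values: the mutual exchange gives an impostor nothing (the first check fails before the customer says anything), while the one-sided procedure returns the customer's actual secret answers to whoever happens to be on the line.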

This failure to comprehend the basic requirements of security transactions has troubled several readers, too. Typical is the Mac user who received unsolicited emails from WorldPay, a subsidiary of the Royal Bank of Scotland and an organisation that we might have expected to know the difference between security and scam-fodder. Yet these emails contained HTML enclosures that triggered Mac OS X's watchful eye. When the user tried to open them, she was greeted by the following message: 'transactionsummary.html is an application. Are you sure you want to open the application transactionsummary.html?'

Given the nasty phishing and scams that can be perpetrated through HTML email enclosures, the recipient wisely contacted WorldPay - which boasts that it provides 'free fraud detection' - to check whether these emails and their enclosures were genuine. I'm not sure whether I would even have bothered to do that, assuming that my spam filter did not cast those emails into its bit bucket. Even the government's security advice at getsafeonline.org cautions: 'Fraudsters send out emails that look like they come from banks (or other trusted organisations) and which contain links to fake websites which also resemble the real thing.'

WorldPay's extraordinary security blindness could reflect a similar attitude to that of my bank's cold caller - the bank only appears to be interested in protecting its own security and seems happy to leave its customers to fend for themselves. What if my cold caller had been a thief posing as my bank? What if those WorldPay emails had been forgeries that whisked the innocent off to a malicious website and stole their account and other information?

Thankfully, I don't use electronic cash dispensers, telephone or Internet banking, but still draw my money from the real hands of a human cashier, whose job depends on distrustful Luddites like me. For many that may not be practical, but when you next decide who to use to process your electronic payments, you might like to ask them how they will protect you, or whether they will only be worried about covering their own losses and asses.
