Banking industry body Apacs has rejected calls to publish details of which banks have poor online security.
Members of the House of Lords Science and Technology Committee raised the issue as part of an investigation begun last week into personal internet security.
Banks are not all equally rigorous in the way that they protect themselves, says Lord O’Neill of Clackmannan.
‘There is an unevenness about the security considerations. Some measures seem to be over-complicated, other seem to be unduly simplistic,’ he said.
‘Apacs may not have the authority to impose things, but it can surely expose the inadequacies of some of the people who bring discredit on the rest of the members?’ said O’Neill.
Apacs told the committee that from January 2005 to September 2006 the number of phishing incidents rose by 8,000 per cent, costing banks £23.2m in 2005.
But it says naming and shaming those with poor security records is missing the point.
‘There is no evidence that one bank is any worse off or better than any others. The level of security they deploy is relatively equal,’ Apacs head of security Colin Whittaker told the committee.
‘Trying to draw any judgement that this bank is stronger or weaker than another does not help us describe why that bank is attacked in the first place.’
Measuring security is a good idea, but may not be as simple as publishing the number of successful attacks, says UK Information Systems Security Association president Phil Cracknell.
‘Publishing rates of phishing attacks, even successful phishing attacks, would be misrepresentative; it is too simplistic,’ he said.
‘What would be needed would be a strict and agreed framework of how security is measured.’
What do you think? Email us at: feedback@computing.co.uk
Further Reading:
reader comments