University of New South Wales Faculty of Law Research Series
Last Updated: 18 March 2009
The Feasibility of Consumer Device Security
Roger Clarke, Xamax Consultancy Pty Ltd
Alana Maurushat, University of New South Wales
This paper will shortly be available for download.
This paper was prepared as a submission to the Australian Securities and Investments Commission (ASIC) in relation to its Review of the Electronic Funds Transfer Code of Conduct.
Consumers have available to them a wide array of Internet-connected devices. A great many of the uses that consumers are putting these devices to involve transactions with organisations and other individuals. Many of these transactions are financially risky, particularly those that involve payment.
The Australian Electronic Funds Transfer Code of Conduct (EFT Code) provides consumer protection in relation to most electronic funds transfers. This includes payment transactions conducted on ATMs, at EFT/POS devices, through Internet banking, and using credit-card details over the Internet.
The EFT Code is currently under review. As part of that process, corporations are seeking to significantly reduce the consumer protections that the Code currently affords. In particular, corporations want to shift liability for financial loss from the corporation to the consumer where the consumer's device is insufficiently secure. The proposal uses vague terms, and is not accompanied by an adequate analysis of its practical and legal implications.
The corporations' argument is predicated on the assumption that consumers are capable of taking responsibility for the security of the devices that they use. This paper surveys the security threats to, and the vulnerabilities of, consumer devices. It assesses the effectiveness of available safeguards and the practicability of imposing responsibilities on consumers to understand the risks involved, to install relevant software, to configure it appropriately, and to manage it on an ongoing basis.
The nature of consumer devices is such that it is entirely infeasible to impose responsibility on consumers in the manner that corporations desire. Indeed, many eCommerce and even eBanking services only work because they exploit vulnerabilities on consumer devices. More practicable approaches are identified, to enable the increasing risk of error and fraud to be addressed.