Victim blaming when it comes to fraud

I was quoted today in a Guardian article after the Metropolitan Police Commissioner, Sir Bernard Hogan-Howe, suggested that fraud victims should not be compensated by banks in cyber crime situations.

Image of what people are being conditioned to think a cyber criminal looks like! (Or perhaps I should have gone with hacker in hoodie?!)

His point is that people use weak passwords and don’t upgrade their systems, so end up as easy pickings for online criminals. Whilst of course users need to take responsibility for their own actions (or inaction), it is nowhere near as simple as that, especially when it comes to things like deliberate social engineering of people and website insecurity.

My full quote was as follows: “I think the Met Chief’s comments are short-sighted. There are many reasons consumers are defrauded and a lot of those are not really things that they can control. To trivialise these to all being about user concerns misses the point. How does a consumer control the theft of their data from a website for example? We all have a role to play and a lot of work is underway in bodies like the World Wide Web Consortium (W3C) to reduce the use of passwords and to increase the use of hardware-backed security. The banks are doing a good job in a difficult environment but they are ultimately responsible for identifying and preventing fraud issues when they occur.”

The W3C’s work on web authentication is underway, which will standardise the work of the FIDO Alliance for the web in order to help eliminate the password. This of course will take a while and we won’t fully eliminate passwords from the web for many years. To further protect consumers, there is another effort to bring hardware security backing to important elements of the web; this will also hopefully be chartered to do that in W3C. In the software updates world, Microsoft have led the way on desktops and Apple in mobile for ensuring people are patched quickly and effectively. We still have a long way to go and I’m leading some work in the mobile industry, through the GSMA, to try and make things better.

The Met and the wider police have a key role in investigating cyber crime, something they’ve not done well at all over the past few years, so they have failed consumers repeatedly. Blaming users is something akin to throwing stones in glasshouses.

Cyber Security at Mobile World Congress

Here is a re-post of the blog I did for the Smart UK site (@smartukproject) in preparation for Mobile World Congress. I’m doing quite a few things out there, but I’m looking forward to this on the Tuesday morning (28th); it is going to be a great event. There are still places available and I encourage anyone interested in mobile security and fraud-related topics to sign up.


The UK government recently published the Cyber Security Strategy. What implications does this have for the mobile industry and society at large? With the mobile device at the centre of nearly everyone’s life, the integrity of mobility is paramount. The mobile industry has weathered a variety of security incidents over the years but has been relatively successful in comparison to other industries. Can any lessons be learnt from the past successes of mobile that will help for the future? Is the industry living on borrowed time?

This year’s UKTI and ICT KTN Mobile World Congress seminar, Cyber Security in the Mobile World, will look at the vast array of subjects which now come under mobile security, including cyber bullying between children and fraud against telephony systems, through to emerging technologies such as machine-to-machine and LTE infrastructure. Crossing all of these varied topics are industry needs such as the lack of security-aware software engineers and the need to prosecute criminals who defraud or attack electronic systems.

While the mobile industry has made great efforts to learn from the past mistakes of the PC world in terms of security, the anti-virus industry has reached saturation in its traditional space. Do mobile devices really need anti-virus or can newer operating systems and technologies negate the need for this type of endpoint security? Can these companies transform their business models to the changing mobile security landscape and continue to provide a useful service to consumers? How can application stores and developer programmes be improved?

We are pleased to have some of the world’s leading mobile security experts speaking at the event next week. Make sure you sign up as soon as possible in order to reserve your place.

David Rogers runs http://blog.mobilephonesecurity.org. He is also advising the UK Department for Business, Innovation & Skills on Cyber Security for mobile.