PAYMENT

Payment system security

Steven Murdoch, Aydin Abadi – University College London

While violent crime and theft have been decreasing since the mid-1990s, fraud has become the most common type of crime in the UK, at 3.7 million incidents per year. The majority of fraud is now entirely online or at least has an online component, and its impact on the public can be devastating, with life-changing losses commonly falling on victims (for example, an average loss of almost £10,000 in cases where the criminal impersonates a bank or the police).

The primary way to mitigate this harm is through dispute resolution (including the court system and the Financial Ombudsman Service): firstly by reimbursing victims, but also by engineering incentives for more secure behaviour. Dispute resolution systems are designed to allocate fraud losses fairly to the party best placed to prevent the fraud. The approach currently taken is to set a level of care for financial institutions and another for customers, and to allocate each fraud loss to the party that failed to meet its level of care, thereby encouraging greater care on both sides.

However, implementing such liability engineering has proved difficult. Firstly, the financial industry has not disclosed the level of care it must meet, citing concerns that doing so might assist criminals. Secondly, the threshold that customers must not fall below, “gross negligence”, is defined relative to the behaviour of other customers (roughly, that no reasonable person would have acted in such a way), yet the relevant customer behaviour is not measured, for privacy reasons. As a result, disputes over fraud liability regularly fail to be resolved, compromising the integrity of the liability engineering process. In this project we propose to apply privacy-enhancing technologies (PETs) to address both challenges: transparency about financial institutions' compliance with their level of care, without disclosing sensitive details of the institutions or their rules; and profiling of typical customer behaviour so as to quantify the definition of “gross negligence” without violating customer privacy.
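To make the second goal concrete, here is an added example of one PET that could measure how common a risky customer behaviour is without any individual ever disclosing their own answer. It is illustrative code written for this page, not the project's own design, and the page does not name a specific PET: the choice of randomized response (a local differential privacy mechanism), the survey question, the function names and the constructed population are all assumptions made here. Each customer randomizes their answer locally before it is pooled, so any single report is consistent with either true answer, while the aggregate still yields an unbiased estimate of the prevalence that a definition of “gross negligence” could be calibrated against.

```python
import math
import random

# Constructed example question (assumption, not from the page):
# "Have you ever read a one-time passcode out to a caller?"
# A "yes" is the sort of behaviour a bank might call grossly negligent,
# so no individual's true answer should ever leave their device.


def randomize_answer(true_answer: bool, p_truth: float, rng: random.Random) -> bool:
    """Warner-style randomized response, run on the customer's side.

    With probability p_truth the customer reports the truth; otherwise the
    report is an unbiased coin flip. Every reported bit is therefore
    plausibly deniable: it is consistent with either true answer.
    """
    if not 0.0 < p_truth < 1.0:
        raise ValueError("p_truth must be strictly between 0 and 1")
    if rng.random() < p_truth:
        return true_answer
    return rng.random() < 0.5


def epsilon(p_truth: float) -> float:
    """Local differential-privacy budget of randomize_answer.

    P(report = x | truth = x)  = p + (1 - p)/2 = (1 + p)/2
    P(report = x | truth != x) = (1 - p)/2
    so the worst-case likelihood ratio is (1 + p)/(1 - p), and eps is its log.
    """
    return math.log((1.0 + p_truth) / (1.0 - p_truth))


def estimate_prevalence(reports, p_truth: float) -> float:
    """Unbiased estimate of the true fraction of 'yes' answers, from the pool.

    E[report] = p * pi + (1 - p)/2, hence pi = (mean(report) - (1 - p)/2) / p.
    The raw value is clamped to [0, 1] because sampling noise can push it
    slightly outside the valid range.
    """
    reports = list(reports)
    if not reports:
        raise ValueError("need at least one report")
    mean = sum(1 for r in reports if r) / len(reports)
    raw = (mean - (1.0 - p_truth) / 2.0) / p_truth
    return min(1.0, max(0.0, raw))


def standard_error(n: int, p_truth: float, prevalence: float) -> float:
    """Approximate standard error of estimate_prevalence for n reports."""
    q = p_truth * prevalence + (1.0 - p_truth) / 2.0  # P(report = yes)
    return math.sqrt(q * (1.0 - q) / n) / p_truth


def disagreement_rate(true_answer: bool, p_truth: float, trials: int, seed: int = 0) -> float:
    """Fraction of randomized reports that contradict one fixed true answer.

    The expected value is (1 - p_truth)/2; that is what gives deniability.
    """
    rng = random.Random(seed)
    flips = sum(randomize_answer(true_answer, p_truth, rng) != true_answer
                for _ in range(trials))
    return flips / trials


def simulate(n_customers: int, true_prevalence: float, p_truth: float, seed: int = 0) -> float:
    """Constructed population (assumption): each customer holds a private true
    answer, randomizes it locally, and only the randomized bit is pooled."""
    rng = random.Random(seed)
    truths = [rng.random() < true_prevalence for _ in range(n_customers)]
    reports = [randomize_answer(t, p_truth, rng) for t in truths]
    return estimate_prevalence(reports, p_truth)


if __name__ == "__main__":
    p = 0.5
    print(f"epsilon for p_truth={p}: {epsilon(p):.3f}")
    print(f"share of reports that contradict the truth: {disagreement_rate(True, p, 20_000):.3f}")
    est = simulate(20_000, 0.10, p)
    print(f"estimated prevalence: {est:.3f} (s.e. about {standard_error(20_000, p, 0.10):.3f})")
```

The trade-off is visible in `epsilon` and `standard_error`: lowering `p_truth` strengthens each customer's deniability but widens the confidence interval on the aggregate, so the sample size has to grow to keep the estimate precise enough to anchor a liability threshold.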