Mark Alan Richards

Who doesn't have remote access to your bank account?

security privacy data-protection

Remote access was a notable concern raised in the Post Office.

The claim:

Fujitsu had access to act as the Subpostmaster on their tills.

Is this unique to Fujitsu?

Who has remote access to act as you?

It is likely a lot of companies can at some point act as you.

Websites have remote access as you on their site

This is the boring scenario: it's obvious, but weird if you think about.

When you use online banking, shopping, health or government services you hope that only you can perform the acts as you.

However, you often don't have any control of how your acts are attributed to you: it's not like it has your handwriting or signature against it.

Instead, acts you perform on a website are recorded by their web application, by their code, as being yours, in their black box database.

Were a site to claim you donated £7000 instead of £70, could you fight it? After watching Mr Bates vs The Post Office, I hope most of us are now curious of how well that black box has recorded what we've been doing and how we'd get access to it and challenge its contents.

Other companies have remote access as you on many sites

This is where it gets more interesting

When you use online banking, shopping, health or government services you hope that only you and the service you use can act as you.

However, most websites today are not actually running on their own servers.

Instead most organisations rent hosting from Google, Amazon, Microsoft, Alibaba, Oracle or many more (unaffiliated comparison list) and they host the website code that can act as you too.

Not too surprising if you think about it, but now there are often at least 2 organisations that can act as you on a site.

Other website have remote access as you on many sites

This is where it gets silly

When you use online banking, shopping, health or government services you hope that only you, the service and their hosting provider can act as you (this list is far too long already).

However, much of the websites we use today download "third party" apps within their pages.

You might have noticed those sections in cookie banners for "analytics", "advertising", "essential features" and more.

Often alongside those is another companies' name, one that can store or access data (cookies and similar) on your device.

You might recognise some of those names (unaffiliated) here

It's not just cookies

If you think: "so what, it's just cookies", sadly it's typically not.

And, if you think: "my browser blocks cookies", that doesn't mean it will block the integration from running, perhaps only that it has limited capability to track you.

Usually, these are features that require functionality running in your browser, perhaps for behavioural analytics, personalised advertising, click and key press journey tracking, maps, social media feeds, live chat and much more to work.

That functionality requires web code and instead of a service bundling it in their own app and having the chance to add security tests and controls before it reaches you; most sites instead ask your browser to download one or more of these straight from the third party's site... that download into web page you are on is code!

That code that can typically update at the choice of the third party, vary per user, do whatever it likes on the page as you, click buttons as you, change form fields values as you, capture you enter your password and send it back to their server and anything else possible in a page... as you.

And if you think this is rubbish, then have a read into user session replay tools... this is an area of tooling designed to capture everything you do on a site so it can be "replayed", perhaps as a video, for the site to work out if the site is acting as they hoped.

Also, look into a/b testing tooling that support code push from third parties so sites to easily test new features on individuals or groups of the population, people who may get a completely different experience of the site to everyone else.

So who doesn't have remote access to your bank account?

Which online banking site do you use and which third party apps is it downloading into the page, direct from other sites that can act as you?

I looked into this and discovered there are UK banks including third party apps that can act as their users, not necessarily all banks and some may be using web security features (lookup sub resoure integrity and iframes) to reduce risk.

One of the worst examples I saw is a bank I use, so I have raised a complaint with that bank and the ICO and awaiting to see what they'll do to clean it up.

You might think any third party site that abuses their position would fail pretty quickly, so there's no incentive here for a third party to misbehave, but there's an unhappy history here of various third parties whose systems have done things that should not have and some have been hacked at which point the hackers seem unlikely to care about their reputation.

In the wake of Horizon, the UK needs to wake up and realise how bad modern IT has become and how vulnerable we all are now to "the computer said you did it".

What should happen?

There are a lot of technical solutions that can help here and hopefully some should be standardised and integrated in web standards to provide users with audit trails they can present as evidence.

However, the most important is that UK laws are updated to reflect better chain of custody requirements for digital evidence of a users action. So that when used against them they can challenge it, not just in courts, but for situations where someone may be at risk: such as digital evidence for employment disciplinaries, healthcare, consumer disputes and business to business disputes.

If the motivation is there to require the evidence, then the technolgy can evolve to fill in the gaps of where its currently too insecure. If regulation is needed to speed this up, then that may be better.

There actually already is regulation in some form with eletronic privacy and data protection laws in the UK, but these are being weakened by the DPDI bill currently in the Lords and broadly these laws have failed to offer accessible legal avenues for most complaints anyway.

Using a work device? Assume your employer can act as you

Fujitsu's remote access should be no surprise.

There are a wealth of surveillance and remote access technologies employers can use and many are used by reputable companies and for good reason.

Always be friendly with your IT department, but maybe not too friendly: you might not want to risk "loveint".