Photo of Terence Eden. He has a beard and is smiling.

Authorisation vs Consent

· 5 comments · 600 words

I recently read this interesting, and distressing, story of a man who was drugged and robbed. A form of crime which has been going on for centuries. But the 21st Century twist is that the thieves forced him to transfer large sums of money via his phone's banking apps.

While under the influence, the victim used his usernames, passwords, PINs, and biometrics to send money to the criminal's accounts.

Is there a "technological" way to stop this? His banks initially refused to refund the stolen money. Only once the press stepped in did they relent. One bank, Revolut, said:

This was an unusual case where the payments were authorised by the customer but, as is now clear, without his consent. [Emphasis added]

From the bank's point of view, the victim presented the classic trifecta:

  • Something you have - the logged in banking app and, possibly, bank cards
  • Something you know - the passwords, PINs, and memorable phrases
  • Something you are - the biometric authentication via fingerprint or face unlock

The bank is correct - the user did authorise these transactions. They had the authority to tell the bank to transfer the money, they presented the right credentials, and responded correctly to the challenges. The bank was satisfied that the user was who they claimed to be. This transaction would not have looked any different from other legitimate transactions.

But, of course, you cannot be forced into meaningful consent. If someone is threatening you, then you are not consenting; you are being coerced. But how can a bank - or anyone - know whether you legitimately want to proceed with a transaction?

Perhaps the bank could have detected that this was "unusual" activity. Does this user normally transfer thousands of pounds late at night? But how many of us have got annoyed at a bank suddenly thinking that our £3.50 lunch is a precursor to serious financial crime and denied the transaction? We get grumpy at banks who stop us doing what we want with our cash. So there's an incentive for banks not to go overboard with fraud detection.

And, in this case, what could they do? Call the user and see if they really wanted to make the transaction? Can a bank reasonably tell if someone is drunk or drugged? Do they have the right to prevent incapacitated people making dangerous decisions?

Perhaps, to detect coercion, the bank could video call you, and check there was no one in the room with you? Or they could use voice stress analysis and heart-rate monitoring to check that you weren't being pressured into something.

That all seems a bit overboard and annoying if you're legitimately trying to make a large transaction. Would users put up with that if they knew it was being done to keep them safe?

Ultimately, this is why we have banks, regulators and insurance. The banks can pause and reverse transactions to help recover stolen money. Regulators can tell banks how they have to treat vulnerable or victimised customers. Insurance can cover the losses and provide incentives to improve security.

This is, as I said, an upsetting episode. But it stands in stark contrast to the terrifying and unregulated world of cryptocurrency-powered decentralised finance. Under DeFi, a user being coerced can never hope to recover their money. Smart Contracts cannot distinguish between authorisation and consent. And that is its fatal flaw for consumers.

Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

5 thoughts on “Authorisation vs Consent”

  1. says:

    Would a person who was forced at knifepoint to withdraw cash from an ATM be eligible for a refund from their bank? What about someone who was mugged as they walked away from the cashpoint? What about someone who was mugged half an hour after they used the cashpoint?
    Reply

  2. Stefan says:

    The first of Andy's examples is analogous to the main story, the other two are not. Once somebody has voluntarily and deliberately taken cash from the bank, what happens to them and it can't reasonably be held to be the bank's responsibility. The interesting question is about the first example. Banks definitely care about authorisation. But it's not obvious why they should care - or be made to care - about consent. The individual is clearly the victim of a crime. But why should it be the bank's responsibility to provide restitution? Does that feel right just because banks have money? Or is there a reason why victims of this crime should get compensation when victims of so many other crimes don't?
    Reply

    1. says:

      I think it’s a bit less nuanced? If someone holds a knife to my throat and says “give me your pin” then they use it, I think that that is (in the Uk regulator’s view) the banks’ responsibility because they defined the security standard that was used - I can’t tell my bank that I only want payments to be made when my mum is there or when I have called up the day before to pre-authorise the transaction - I just have to use whatever they offer. Ultimately leaving the bank on the hook aligns incentives to improve security with the organisation who actually can. Banks in the US are much slower to deal with this sort of stuff at least in part because they don’t carry the cost of inaction. This is a similar case - giving your pin or biometrics under duress pushes the responsibility to the bank as the people who define that standard. The question I think is whether or not to to redraw the line. Today, we see biometrics as “super duper strong”, and we all know of ways to discover pins - but that’s just because the pin has been around for longer?
      Reply

  3. Matt Copperwaite says:

    Some secure systems have an "under duress" code. This can sometimes be an button or maybe a slightly different version of your pin that alerts someone responsible that the actions that you subsequently perform are to be taken with a high level of suspicion. The interesting thing is that you don't even have to know that feature exists or know how to use it. The fact that it's there can be enough for an attacker to look for other options.
    Reply

  4. says:

    Stefan says, "But why should it be the bank's responsibility to provide restitution? Does that feel right just because banks have money? Or is there a reason why victims of this crime should get compensation when victims of so many other crimes don't?" I think this is mostly because there should be some means of restitution, if possible, for crimes, and there is a handy way to do this. Banks are granted permission to manage and handle money on behalf of customers and charge a premium for doing it; the reasonable trade-off for this is that the bank has to make a customer good again in some situations even if the fault is not actually the bank's. This is the sort of argument that enabled the creation of credit cards: the agreement looks something like, ok, we the people give you permission to loan us money and charge interest for doing so, and the counterbalance for that is that you can't be TOO egregious with interest rates, and if the card is stolen or misused then you have to recompense the owner even though it will cost you money to do so. Some people might not recognise that being permitted to run a bank is a privilege and not a right, mind you.
    Reply

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">