Lawyers agree: the activity is legally questionable – albeit tough to prosecute.
Cybersecurity researcher Paul Moore wants to sue High Street bank the Halifax for scanning ports on the computers of those visiting its website.
He claims this is being done without their permission or knowledge prior to login – and is the sort of activity that could potentially land even a benign, or “white hat”, hacker in trouble with the court under the Computer Misuse Act (CMA).
He is fundraising to launch legal action against the bank.
One legal expert told Computer Business Review that technically, he may correct: such activity is arguably in breach of the CMA. But prosecuting the bank for the activity, conducted by its anti-fraud software, may be a fruitless task.
What’s Happening, Exactly?
Paul Moore first noticed the scan in 2015 when encountering some errors on the Halifax’s page. After opening his browser console – the part of your web browser that allows you to see security errors and network requests – he noticed that the bank was actively scanning the ports on his computer to see if any of them were open; an activity that hackers also perform to test for vulnerabilities.
The ports being scanned (5939, 63333, 5903, 5950, 3389, 5900, 5901, 5902, 5931, 5279) can be used to secure remote access to a computer.
Paul Moore said: “They are scanning to see if you have a VNC or remote desktop connection enabled, which can be perfectly harmless, but could be a sign that your machine is compromised – presumably they weigh this against a range of other risks.”
He told Computer Business Review: “It is the first time I’d come across an organisation doing that just when you land on their page; pre-login.”
“It’s clearly part of a weighted threat metric and seems to be conducted by part of their ThreatMetrix anti-fraud software. I’m not suggesting they are trying to hack their customers or anyone’s money is at risk. But what if we, as customers, scanned a bank’s infrastructure to ensure our safety? This would clearly breach the CMA and we’d almost certainly end up in court. The rules should be applied fairly, to both parties.”
Halifax Port Scans: No Malicious Intent , but…
The issue, in his eyes, is that lack of malicious intent has never been much a defence under the CMA and that ‘what’s sauce for the goose is sauce for the gander’.
As he puts it on his fundraising page: “As security researchers, we operate mindful of the CMA. Sometimes, our actions are questionable, other times we clearly overstep the mark if the risk to the public justifies it. However, the question of ‘intent’ arises time & time again.” (And in the past, benign intent has been no defence for security researchers).
Section 1.1a/b/c) of the CMA reads: “A person is guilty of an offence if – (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorized; and (c) he knows at the time when he causes the computer to perform that function that that is the case.”
“Probing a Port… Likely to Amount to Securing Accessing to the User’s Computer, for the Purposes of the Computer Misuse Act.”
“If that’s correct, the question is whether this is authorised, or if it requires each user’s consent. Since this seemingly happens on a user’s computer, and takes place automatically on page load, without notification to the user, I’m sceptical that the site has authorisation for this access, or else has the user’s consent.”
He added: “Similarly, I’d expect a site such as a bank to argue that there is a clear imperative to secure its systems such that, even if the activity did amount to computer misuse and was without authority, there is no public interest in prosecuting.”
“Robust processes in place”
The Halifax, declining to comment on the legality or otherwise of its approach, told Computer Business Review: “Keeping our customers safe is of paramount importance to the Group and we have a range of robust processes in place to protect online banking customers.”
The script was not being served when Computer Business Review checked its web console for the page. Mr Moore has yet to convince the infosec community the case is worth pursuing; at the time of publishing, he had raised £50 of a £15,000 target.