New Zealand Banks Demand a Peek at User PCs

Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection in is place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are uptodate.'"

Just what I'd tell the bank

[Albanach (527650)]

Nothing for you to see here. Please move along.

The Death of Online Banking

[Timtimes (730036)]

This attempt by the banking industry to shift transactional liability away from their servers and onto the backs of the consumers is what I'd expect from the ruthless rat bastards. Don't think something like this would fly in the U.S. Notwithstanding the fact that our government is spending a king's ransom getting all up in our computers already (NSA-FBI), our citizenry would be OUTRAGED and OFFENDED if they thought their bank was all up in their hard drives! Pity the bank that tried to pull that chicane

Re:

[R2.0 (532027)]

User: "My bank account is empty!"

Bank: "Yes, at 0325 yesterday your account was logged into and the money transferred"

User: "But I didn't do it!"

Bank: "Well, sir, the proper login and password were used, and our logs indicate it came from the same IP address your previous transactions came from. If you did not personally do it, did soeone else in your household do it?"

User: "I live alone, and I work night shift. No one was at the house last night"

Bank: "We're sorry sir, but it sounds like you have been a

Re:"Rooting around" is probably paranoid ...

[AK Marc (707885)]

Rather than arbitrarily root around a technician will probably come to your home, and check you OS version and patches, anti-virus version and updates, firewall, ... all while you watch.

Well, even that seems objectionable. The only reason they would need to do that is if there has been a loss and they want to pin it on someone other than themselves. So, they aren't even "looking" at the computer, they are there for one and only one reason, document security holes. Whether one of those holes were used doesn't matter. If they document enough, then they will shift the blame to the customer. Why should I go out of my way to help the bank deny me the money I deposited into it?

Rediculous to require a subpoena ...

[AHumbleOpinion (546848)]

"What is a bank supposed to do in this situation?"

Go to a judge, and ask for a subpoena?

That is rediculous, that is equivalent to saying a customer should have to sue the bank to get their money back rather than have some prearranged agreed upon process. If you want to bring the courts in on such transactions consider how the judge is likely to rule when it is discovered that the customer didn't have current anti-virus, etc. There is nothing wrong with having some prearranged agreement, and nothing w

Re:Rediculous to require a subpoena ...

[cHiphead (17854)]

No, its not ridiculous, its perfectly-goddamn-acceptable that if the bank wants to shift culpability form themselves to end users in terms of fraud and security, which is the purpose of this, they should ABSOLUTELY be required to get a subpoena from a judge to access your personal computer. There is a basic right to privacy, and the onus of security is on the bank, not the end user. If they choose to connect their financial systems to the internet, thats THEIR choice, especially if the access allows more than just read only information of accounts (eg. bank's online ability to transfer funds to other bank customers and outside accounts, automatic bill pay, etc.). I don't think you have a healthy understanding of just how bad this is. They will have the ability to access everything on your computer, it only takes one unscrupulous bank IT employee to start copying/logging/etc personal data.

Cheers.

Re:

[rtb61 (674572)]

I think you miss the point. It is the bank's responsibility to ensure the authorised person and only the authorised person access the account. What this is, is the equivalent of saying that some how that is now the customers responsibility. It is just so wrong, if the bank chooses to offer a service, than it is the banks responsibility to ensure that the service can be offered securely, not the customers.

For example how many banks were only accessible via IE even when there were warnings about using IE an

Interesting

[MightyYar (622222)]

I was wondering what the end of internet banking would look like, and this is it.

I'll go right back to using the branch if they start holding me liable for using their cost-saving website.

Re:Interesting

[MightyYar (622222)]

Let me reverse that - will they let me audit THEIR systems to make sure that the security breach isn't from THEIR end?

The feeling is mutual.

[by Anonymous Coward]

So, if they're allowed to inspect my client, may I inspect their server? No?

Re:

[DoofusOfDeath (636671)]

So, if they're allowed to inspect my client, may I inspect their server? No?

That was my first thought too, but if NZ is like the US in this regard, they have government banking regulators auditing the heck out of their systems. So it's probably reasonable to more strongly assume the banks' systems have a known level of security.

OTOH, if the banks' security audit results aren't made public, then your instinctive reaction is probably pretty fair.

Re:

[trolltalk.com (1108067)]

Yeah ... right.

The bank once deposited $80,000 into my sisters' account by mistake. She told them about it ....the next week, it was "corrected" - it was then $234,000.00.

When she went in to tell them about it, they were having another problem --- the ATM was spitting out paper and money all over the place.

Audited doesn't mean perfect any more than ISO9001 means low level of defects.

Re:The feeling is mutual.

[woodlander (737137)]

Could I ask the name of the bank? I need to move my account.

Mod Parent Wrong

[Hal The Computer (674045)]

Sigh, this is why we need an "incorrect" moderation.

That is possibly the worst explanation of the money multiplier effect [investopedia.com] that i have ever heard.

Therefore.....

[Lumpy (12016)]

All of you damned users not running Microsoft OS will be liable.

Just because anti-spyware software does not exist for your software platform is no excuse!

you BeOs users! how dare you not run a Virus scanner app!

gotta love Bank executives asking for things they dont even have the slightest clue about.

Re:

[ktappe (747125)]

All of you damned users not running Microsoft OS will be liable. Just because anti-spyware software does not exist for your software platform is no excuse!

This exact thing happened at my workplace recently (the 3rd largest bank in the U.S...look it up.) Our new "WebConnect" VPN system will not work with Linux and Mac OS X because their first step upon connecting to it is for it to check for viruses and spyware. As this checker ("WholeSecurity", owned by Symantec) does not work on anything but Microsoft

Great idea

[voice_of_all_reason (926702)]

The police should immediately adopt this.

Want to file a criminal report? Let us search your home first, citizen. As long as it's not mandatory, things are perfectly legal since you're consenting to it. You're free to stop using our services at any time.

Re:

[rossz (67331)]

Am I free to stop paying for the service if I stop using it? Damn, I didn't think so.

Banks having a fraud problem?

[blahplusplus (757119)]

I really have to wonder if this is a kneejerk reaction to Banks having fraud problems?

I think this is pretty extreme measure, as if companies didn't already have enough data about people already. What exactly is the criteria for a 'secure' system? Sounds like a lot of BS to me.

LiveCD

[kungfoofairy (992473)]

So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?

Re:LiveCD

[WrongSizeGlass (838941)]

So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?

No ... who do you think they are, NetFlix? ;-)

Gee Wally ...

[WrongSizeGlass (838941)]

a computer or device that does not have appropriate protective software and operating system installed and up to date

Who determines what an appropriate protective operating system is? Does that rule out XP SP1? (or Win2K. Win ME, Win 98, etc) Does lack of AV software on my Mac or Linux box define my computer as 'unprotected'? And does 'up to date' refer to the AV definitions, the OS patches or just the latest & greatest releases (such as Vista and/or IE 7)?

All about Trust.

[Shambly (1075137)]

I don't trust the banks to secure their data or use it in non malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completly secure. All of these have reasons not to trust each other since all of these have failed at some point or another. I think i'll stick to ATM's for my needs. At least if it fails it's their hardware that's getting blamed and not mine.

banks find secure connection

[192939495969798999 (58312)]

the bank just wants to install a little program and ask for your various identification numbers, biometrics, etc. What could be dangerous about trafficking that information plus the apparent security info about your computer over the internet?

Why not...;

[packetmon (977047)]

Here is my hard drive-less Dull unInspiron running Knoppix

About damn time.

[wiredog (43288)]

If more companies that consumers interact with begin to insist that the consumers use good security practices then the consumers will either do so, or get offline. Or pay through the nose, and then do so or get offline. Any one of which will, eventually, reduce the numbers of people susceptible to bots, trojans, and other malware.

sure thing

[hurfy (735314)]

Just show me what security YOU run before i give you my money to take care of ;P

Catch-22...

[GradiusCVK (1017360)]

Is it just me or does it seem like the only correct answer to the bank's request would be, "I'm sorry, I am so security conscious that I simply cannot allow you to access my computer"?

If I was subject to this...

[JesseL (107722)]

I'd probably just set up a sandbox in VMware or something similar, to do all my online banking.

Re:If I was subject to this...

[CastrTroy (595695)]

I was just thinking about something similar. If the bank is so worried about the user's system being comprimised, then they should send out CDs with a VMWare image that the user can run so that it's known to be safe. There's probably still some attack vectors, because the Host OS could be majorly compromised, but it would make the process a whole lot more secure. But the VM Image could be signed, so that it could be verified to be unchanged upon each boot, and the memory contents could even be kept encrypted. It would also make sense for the access point of the bank not to be an actual web page you could visit with any browser, preventing people clicking on links in their email, or even being used to visiting the site in the browser. It would be plenty fast for online banking, and would take a lot of the risk out. But then again, they're probable going to just keep on adding layer after layer of stupid "security" functions like asking you your mother's maiden name (because nobody knows that information).

They want to "know if it's secure", huh? Well...

[The_REAL_DZA (731082)]

...if they can access it, it ain't secure. 'nuff said.

uptodate is perfectly cromulent

[XaXXon (202882)]

When did 'uptodate' become a word?

Oh that's right. It's not. Try 'up-to-date'.

Who Decides what is 'Appropriate Software'?

[CodeBuster (516420)]

Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed.

What is and is not appropriate and who decides that? If it is the banks then you can bet that Linux and FOSS will probably not be on the pre-approved list and will require substantial hassles to be approved by the bank. Perhaps they intend to run Active-X controls on their sites t

The phishing scam

[mh1997 (1065630)]

Helo,

I am frum the National Bank of Nijeria, after providing your name, social security number, bank acount number, and routin information, pleaze instal the attached file so that we may check your securitee settings. Pleaze disreagard all mispelings an gramer mistakes in this email, we were forced to outsource securty email to another countries to save you money and provide the best service that you are familar with us.

Burden of proof?

[gregor-e (136142)]

To be safe, the bank would have to require that you be able to prove that you have all the latest security add-ons and proper configuration, and that you have maintained these without a break, on every computer you've used to access their website (including, presumably, computers at work, school, your public library, etc). If their user agreement places that burden of proof on the user, then the bank will probably end up washing their hands of every fraud case. Of course, most consumers just skip the fine

Reverse the argument.

[fishthegeek (943099)]

Okay. Let's assume that the banks are somewhat justified in asking for the right to inspect a users pc. If I were in New Zealand I would be petitioning my lawmakers for the right to sue for damages beyond actual loss when, by reason of lack security, personal information is compromised and theft is the result.

A quick search on google resulted in a large list of banks that have lost information or had fraud that was the result of a security breach. My personal favorite from the list was this little gem from no other than the Bank of New Zealand. Apparently theives outfitted a few ATMs with skimming devices and harvested the account & pin information from the banks customers cards. The bank is resonsible for the security of those ATM's and should be held accountable for more than just the theft of cash.

http://www.finextra.com/fullstory.asp?id=15177

When banks take fraud seriously enough to protect themselves and their devices then I might take their position a little more seriously.

Use Quicken, no protection

[russotto (537200)]

Looks like if you use the Quicken PIN-vault feature, or Apple's Keychain, or any other method (including paper) for retaining the PIN and password, the bank can tell you it's your fault. Nice. So you've got to remember all those secure passwords yourself. (if you use an insecure password, you're liable).

Under the rules they're setting up, the only reasonable thing to do is go back to using tellers.

I understand thier dillema

[JoeCommodore (567479)]

But this is surely the wrong approach.

I can imagine:

- The IT guys at the banks are probably going to define some thin definition of security (as another /.er said it probably will also center around being Windows only). Which will be to the joy of one security company and result in legal action from a bunch of others.

- The bank will still have breaches as they find that the security measures for that circumstance may work, but when connected wirelessly or at a hotel room, not to mention advances in virtuli

Central Bank of New Zealand

[Timesprout (579035)]

We are glad to see such wide coverage of our new security measures. We are Central Bank are totally focussed on giving our users the most secure online banking experience possible. To that rnd and to help speed up the implementation of our new security measures could all Slashdot readers resident in New Zealand please respond to this post citing

(i) Full name, DOB and Address
(ii) Account number
(iii) Internet banking login name and password
(iv) Credit card number, expiry date and security code
(v) IP address and machine user name and password

Thank you for you assistance in this matter and we will report the security status of your machine to you as quickly as possible. If you feel uncomfortable entering this information you can always download our helper program (RapeMyAccountLikeItsaSheep.exe) from our website [pleasetakeallmymoney.com].

Central Bank
New Zealand

SCAM WARNING Re:Central Bank of New Zealand

[zsau (266209)]

Please be aware that this is a scam! The New Zealand central bank is in fact called the "Reserve Bank of New Zealand". Don't provide the information the post asks for from him.

suggestions to banks

[fred fleenblat (463628)]

I'd like to see some additional on-line banking security in these areas:

1. 100% first-class support for macs, linux, solaris, firefox, opera, etc. Any environment that is less targetted than windows+IE should be encouraged by the banks as a way to reduce fraud.

2. Start issuing SecurID tokens (or similar) to bank customers. This would take care of the simpler keyloggers and phishing attacks.

3. Pay attention to the IP addresses. Compare them to known bot-infested netblocks. Track the IP's that a particular customer uses and flag it when it's not from their home ISP or employer's http proxy.

4. Don't allow wire-transfers or on-line bill pay of large amounts to arbitrary parties via the web banking interface.

5. Look for *patterns*. Change of address followed by any kind of withdrawal or request for a card or checks. Transactions from different people's accounts sending money to the same or similar destination. Hire some game AI dude or data mining people to proactively look for fraud in real time instead of waiting for customers to report missing funds.

6. Criminally investigate fraud. Don't just push the problem back on the customer or write it off as a business expense, actually go out and prosecute the people committing the fraud. Hire the RIAA's legal staff and put them to good use.

7. Implement an undo. On-line transactions should only be allowed to/from banks and financial institutions that pledge to reverse any disputed transaction (instantly) and assist in investigating those who would have benefited from it.

Just my thoughts.

My bank is incompetent

[cdn-programmer (468978)]

The problem with this idea is that as my bank demonstrates - they are incompetent. Mind you the vast majority of people have practically no clue whatsoever about security and hence the bank does need to do something to protect itself. At present they have a HUGE liability and this is illustrated by the fact that there are keystroke loggers and viruses residing in at least 1/3 of PC's at one time or another.

Now here is a for instance to illustrate the outright incompetence of my bank's tech support people:

One of their servers was misconfigured and reported a file not found error. Of course - they sent it to me. The message contained the IP address and the apache version number. Sooo... I know what internal addresses they are using and what version of the webserver daemon. No big deal.

But why do they send their error messages to the client? Am I suppose to debug it for them? A guess the short answer might be "yes" because I - along with a number of other programmers - might be working in the apache source code so potentially we do debug their systems. But this was just a misconfiguration.

So I was nice enough to call their tech support and advise them of the problem. The tech support person insisted I re-boot my computer! Not only this she would NOT pass on my error report to the department which handles their servers. When I demanded to speak with her supervisor I found the supervisor also stonewalled me. So I flatly told her that she is incompetent and as such should not be making decisions about things she knows nothing about. Since she would not pass the error report to the people responsible for dealing with it - she made the decision that it isn't necessary for them to know one of their servers was misconfigured.

So this is what you get. Banks are large beauracratic organisations filled with incompetent people who like to sweep things under the rug and are too stupid to both think outside of the box or pass even a trouble report over to someone who might be responsible for dealing with it.

Why would we want people like this to run code in our computers? Why would we want to be held resonsible for their errors - which will happen under the New Zealand system?

This reminds me when I wanted to set up an e-commerce system. The bank at the time was in bed with a company out of India. They wanted the root password for my servers. I said No.

Why should I had over the root password to a group of unknown people in India? If something happens have I any recourse against them? Of course not. Sue in an Indian Court? Bullshit! We all know that would go nowhere and be bloody awful expensive and even if we did win India has laws which prevent money leaving their country. You can pay money to Indian citizens after you go to great trouble - but just forget the idea of taking money out of the country.

So its triple-ly a poor idea to hand over a root password to a company in a foreign country! Of course I advised the bank that their e-commerce terms were totally unacceptable.

Guess what? The company they dealt with in India was bankrupt within a year. It truely was fly by night.

This is what you get from large beauracratic organisations filled with incompetent people: You get really dumb ideas hatched.

Richard Feynman writes in one of his books about the incompetence of the military with regard to the Manhattan project at Los Almos. Back then they had a hole in the fence. They had guards stationed at the main entrance and made everyone sign in and out. But they didn't fix the hole in the fence and didn't station guards there either. So Feynman too great joy for a while by entering through the main gate and signing in - then exiting via the hole and signing in again. This did not trigger a red light in the guard's mind. Neither did me telling the tech support person at my bank that one or more of their servers was misconfigured and was bitching about it.

The short of it is that the banks really do have a problem and the way they handle things they are probably some of the worst people to address their problems. In part - this is why the banks have a serious problem.

Banks don't give a f**k about security

[Alain Williams (2972)]

At least twice this year I have had someone from the bank 'phone me up out of the blue, say that they are from Nat West Bank and that the need to talk to me about something ... but first would I prove who I was by answering some questions.

My reply: certainly, but they must prove who they are first.

Oh, no - that is not the way that they do things, I must prove who I am first -- by answering exactly the same security questions that someone phishing would want to know. Needless to say: I refused.

I then took this as a complaint to the bank chairman - and have received platitudes as to how they take security seriously, burble, burble, ... I'm not going to let this go: I shall chase them. I should be OK since I won't give the information out, but many people will do so.

Banks are crap.

Oh wonderful. I can imagine the phone call now.

[jimicus (737525)]

Anyone who's ever dealt with the kind of call centres you get with banks knows what's going to happen.

[Rings up to complain of fraud]

Bank: Hello, this is ${BANK}, how can I help you?
Customer: Yes, I appear to have a transaction for £3000 leaving my account which I don't know anything about.
Bank: OK, I see you use our Internet banking service. Do you have antispyware software on your computer?
Customer: No, I use a....
Bank: Do you have antivirus software on your computer?
Customer: No, I use a Mac....
Bank: No antispyware, no antivirus. Not our problem. Goodbye.

Banks != technically competent

[macemoneta (154740)]

One of my banks has a bad SSL certificate configuration.

I emailed then to let them know. Their response? "Clear your cache and cookies".

I thanked them and explained that the problem wasn't on my end, that Verisign actually documented their problem and provided them with the URL. Their response? "Maybe the date on your computer is wrong, our certificates expire in 2011".

I again explained that it wasn't a certificate expiration issue, and in fact the certificate in question expired in 2009. Their response? "No one else is reporting the problem". I stopped reporting the issue, and we started moving money elsewhere.

The problem isn't so much that they didn't have a properly configured certificate, the problem was their response to a security issue. The ticket went back and forth several times (to multiple representatives), and there was no automatic escalation or intercept. The ticket was reporting a security matter, but again, there was no intercept. I can understand not having tier 1 customer support be security experts, but the exchange exposed a complete lack of proper security practices and procedures.

I am not now, nor have I ever been impressed with the security practices at any bank. Some are just not as bad as at others. They will never be permitted to lay hands on a computer of mine.

Re:

[Bert64 (520050)]

They should have a third party security testing company investigate the PC...
Also, since theyre claiming liability based on the security of your PC, you should have the right to investigate the security of their server.

Re:

[barzok (26681)]

Also, since theyre claiming liability based on the security of your PC, you should have the right to investigate the security of their server.

We all know that won't happen, thanks to the golden rule.

He who has the gold, makes the rules.

Re:

[vtcodger (957785)]

***Why on earth should a bank take a loss when it was your fault?***

I dunno. Maybe because they are the ones offering the damn service. If they can't provide it in a secure manner, why is that my problem? Now if I begged them to please offer the service ...

In any case, prudent users probably will not use these services. You don't have to be Nostradomus to project that even if the banks gain access to the user PCs,.they are unlikely to be able to act intelligently on what they find there. You also d

Re:

[Lumpy (12016)]

Sounds like a plan. Problem is you are being idealistic and the bank is going to execute it in a asenine fashon.

Are they going to hire a team of $100,000.00 a year plus It experts? no. they are going to hire MSCE flunkies that dont know what a Live Cd is or what any other OS is even like.

Apple users will be liable because they don't run virus scan or spy ware scan ignoring the fact that those platforms are typically unaffected by the mess that Microsoft OS's have.

are the flunkies going to have the skills t

Re:

[Zebra_X (13249)]

IMO it's about time ppl had to take responsibility for their system.

I agree - however, to mandate that an end user must be "inspected" and "certified" to transact with them is absurd. It's not like the bank comes to your house to ensure that your locks are up to their code, and they will keep people from entering and trying to steal your checks, or account information.

The bottom line is that the bank can't or won't spend the money to provide a reasonable level of security for their online bankers. It's not