New Zealand Banks Demand a Peek at User PCs 268

Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up to date.'"
  • Interesting (Score:5, Insightful)

    by MightyYar ( 622222 ) on Friday June 29, 2007 @01:28PM (#19691037)
    I was wondering what the end of internet banking would look like, and this is it.

    I'll go right back to using the branch if they start holding me liable for using their cost-saving website.
  • by Anonymous Coward on Friday June 29, 2007 @01:28PM (#19691039)
    So, if they're allowed to inspect my client, may I inspect their server? No?
  • Therefore..... (Score:5, Insightful)

    by Lumpy ( 12016 ) on Friday June 29, 2007 @01:28PM (#19691045) Homepage
    All of you damned users not running a Microsoft OS will be liable.

    Just because anti-spyware software does not exist for your software platform is no excuse!

    You BeOS users! How dare you not run a virus scanner app!

    Gotta love bank executives asking for things they don't even have the slightest clue about.
  • by blahplusplus ( 757119 ) on Friday June 29, 2007 @01:29PM (#19691061)
    I really have to wonder if this is a kneejerk reaction to Banks having fraud problems?

    I think this is a pretty extreme measure, as if companies didn't already have enough data about people. What exactly are the criteria for a 'secure' system? Sounds like a lot of BS to me.
  • It's about time (Score:1, Insightful)

    by korekrash ( 853240 ) on Friday June 29, 2007 @01:32PM (#19691107)
    IMO it's about time ppl had to take responsibility for their system. Why on earth should a bank take a loss when it was your fault? I don't get to go to the bank and expect them to replace the cash I withdrew yesterday that got stolen from my pocket..... This might be the push ppl need to get them to pay attention..... computers are here to stay.... the "I don't understand computers very well" excuse is really old..... just because you don't understand the way the locking mechanism in your door works doesn't mean you shouldn't fix it if it is broken.....
  • All about Trust. (Score:4, Insightful)

    by Shambly ( 1075137 ) on Friday June 29, 2007 @01:37PM (#19691165)
    I don't trust the banks to secure their data or use it in non-malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completely secure. All of these have reasons not to trust each other, since all of these have failed at some point or another. I think I'll stick to ATMs for my needs. At least if it fails it's their hardware that's getting blamed and not mine.
  • by The_REAL_DZA ( 731082 ) on Friday June 29, 2007 @01:45PM (#19691261)
    ...if they can access it, it ain't secure. 'nuff said.
  • by R2.0 ( 532027 ) on Friday June 29, 2007 @01:49PM (#19691315)
    User: "My bank account is empty!"

    Bank: "Yes, at 0325 yesterday your account was logged into and the money transferred"

    User: "But I didn't do it!"

    Bank: "Well, sir, the proper login and password were used, and our logs indicate it came from the same IP address your previous transactions came from. If you did not personally do it, did someone else in your household do it?"

    User: "I live alone, and I work night shift. No one was at the house last night"

    Bank: "We're sorry sir, but it sounds like you have been a victim of computer fraud. That's when someone else has stolen your money, just like if you lost your checkbook. We would be more than happy to cooperate with the authorities to provide any data we have. Let us know who to send the data to. Thanks, buh-bye"

    Cold? Yes. But I'd rather be responsible for my own computer security than the bank be allowed to root around in my computer.

    (Please note this does not apply to data leaks from the banks or other businesses - they are guilty of negligence, on top of whatever fraud drains the account)
  • by trolltalk.com ( 1108067 ) on Friday June 29, 2007 @01:50PM (#19691335) Homepage Journal

    Yeah ... right.

    The bank once deposited $80,000 into my sister's account by mistake. She told them about it .... the next week, it was "corrected" - it was then $234,000.00.

    When she went in to tell them about it, they were having another problem --- the ATM was spitting out paper and money all over the place.

    Audited doesn't mean perfect any more than ISO9001 means low level of defects.

  • by AHumbleOpinion ( 546848 ) on Friday June 29, 2007 @02:12PM (#19691651) Homepage
    But I'd rather be responsible for my own computer security than the bank be allowed to root around in my computer.

    That is probably a gross exaggeration. Rather than arbitrarily root around, a technician will probably come to your home and check your OS version and patches, anti-virus version and updates, firewall, ... all while you watch. To do otherwise would drive customers from banks that arbitrarily root around to banks that do an appropriately focused search.

    Your "eat my own losses" argument has two primary flaws.
    (1) You assume the mistake was the customer's, not the bank's. Those who are sure the error was on the bank's side will be more likely to cooperate in ruling out their home computers.
    (2) Privacy has a price, and often a limit. If the account emptied was a savings account with a lot of money rather than a checking account with a small amount of money, then the customer will become increasingly cooperative.
  • by fred fleenblat ( 463628 ) on Friday June 29, 2007 @02:18PM (#19691727) Homepage
    I'd like to see some additional on-line banking security in these areas:

    1. 100% first-class support for Macs, Linux, Solaris, Firefox, Opera, etc. Any environment that is less targeted than Windows+IE should be encouraged by the banks as a way to reduce fraud.

    2. Start issuing SecurID tokens (or similar) to bank customers. This would take care of the simpler keyloggers and phishing attacks.

    3. Pay attention to the IP addresses. Compare them to known bot-infested netblocks. Track the IPs that a particular customer uses and flag it when it's not from their home ISP or employer's HTTP proxy.

    4. Don't allow wire-transfers or on-line bill pay of large amounts to arbitrary parties via the web banking interface.

    5. Look for *patterns*. Change of address followed by any kind of withdrawal or request for a card or checks. Transactions from different people's accounts sending money to the same or similar destination. Hire some game AI dude or data mining people to proactively look for fraud in real time instead of waiting for customers to report missing funds.

    6. Criminally investigate fraud. Don't just push the problem back on the customer or write it off as a business expense, actually go out and prosecute the people committing the fraud. Hire the RIAA's legal staff and put them to good use.

    7. Implement an undo. On-line transactions should only be allowed to/from banks and financial institutions that pledge to reverse any disputed transaction (instantly) and assist in investigating those who would have benefited from it.

    Just my thoughts.
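Points 3 and 5 of the list above describe detection rules rather than code. The following is an added illustration, not the poster's code and not any bank's system: it runs three of those rules (login from an IP outside the customer's known set, an address change followed by a withdrawal or card/cheque request, and several accounts paying the same destination in a short window) over a constructed event log. The `KNOWN_IPS` baseline, event format, and time windows are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline of source IPs previously seen for each customer (constructed).
KNOWN_IPS = {"A1": {"198.51.100.7"}, "A2": {"198.51.100.9"}, "A3": {"198.51.100.11"}}

# Constructed sample events, not real bank data: (ISO time, account, type, detail).
EVENTS = [
    ("2007-06-28T09:00", "A1", "login",        "198.51.100.7"),
    ("2007-06-29T03:25", "A1", "login",        "203.0.113.44"),   # unfamiliar IP
    ("2007-06-29T03:26", "A1", "address",      "new mailing address"),
    ("2007-06-29T03:40", "A1", "withdraw",     "dest=X99"),
    ("2007-06-29T04:10", "A2", "transfer",     "dest=X99"),
    ("2007-06-29T04:55", "A3", "transfer",     "dest=X99"),
    ("2007-06-29T10:00", "A2", "login",        "198.51.100.9"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def find_alerts(events, known_ips, addr_window=timedelta(hours=72),
                dest_window=timedelta(hours=24), min_accounts=2):
    """Return human-readable alerts for the three patterns, in event order."""
    alerts = []
    last_addr_change = {}              # account -> time of most recent address change
    dest_senders = defaultdict(list)   # destination -> [(time, account), ...]
    for ts, acct, kind, detail in sorted(events):
        t = parse(ts)
        # Rule 3: login from an IP the customer has not used before.
        if kind == "login" and detail not in known_ips.get(acct, set()):
            alerts.append(f"{acct}: login from unfamiliar IP {detail} at {ts}")
        elif kind == "address":
            last_addr_change[acct] = t
        # Rule 5a: money movement or card/cheque request soon after an address change.
        if kind in ("withdraw", "card_request", "cheque_request"):
            if acct in last_addr_change and t - last_addr_change[acct] <= addr_window:
                alerts.append(f"{acct}: {kind} within {addr_window} of address change")
        # Rule 5b: distinct accounts paying the same destination inside the window.
        if kind in ("withdraw", "transfer") and detail.startswith("dest="):
            dest = detail[len("dest="):]
            dest_senders[dest].append((t, acct))
            recent = {a for t0, a in dest_senders[dest] if t - t0 <= dest_window}
            if len(recent) >= min_accounts:
                alerts.append(f"dest {dest}: {len(recent)} accounts within {dest_window}")
    return alerts

if __name__ == "__main__":
    for line in find_alerts(EVENTS, KNOWN_IPS):
        print(line)
```

On the sample log this raises four alerts: the 03:25 login from 203.0.113.44, the withdrawal fourteen minutes after A1's address change, and the destination X99 twice as the second and third accounts pay it.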
  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Friday June 29, 2007 @02:55PM (#19692381) Homepage
    At least twice this year I have had someone from the bank 'phone me up out of the blue, say that they are from Nat West Bank and that they need to talk to me about something ... but first would I prove who I was by answering some questions.

    My reply: certainly, but they must prove who they are first.

    Oh, no - that is not the way that they do things, I must prove who I am first -- by answering exactly the same security questions that someone phishing would want to know. Needless to say: I refused.

    I then took this as a complaint to the bank chairman - and have received platitudes as to how they take security seriously, burble, burble, ... I'm not going to let this go: I shall chase them. I should be OK since I won't give the information out, but many people will do so.

    Banks are crap.

  • Re:Interesting (Score:4, Insightful)

    by MightyYar ( 622222 ) on Friday June 29, 2007 @03:04PM (#19692517)
    Let me reverse that - will they let me audit THEIR systems to make sure that the security breach isn't from THEIR end?
  • by CastrTroy ( 595695 ) on Friday June 29, 2007 @03:11PM (#19692615)
    I was just thinking about something similar. If the bank is so worried about the user's system being compromised, then they should send out CDs with a VMWare image that the user can run so that it's known to be safe. There's probably still some attack vectors, because the host OS could be majorly compromised, but it would make the process a whole lot more secure. But the VM image could be signed, so that it could be verified to be unchanged upon each boot, and the memory contents could even be kept encrypted. It would also make sense for the access point of the bank not to be an actual web page you could visit with any browser, preventing people clicking on links in their email, or even being used to visiting the site in the browser. It would be plenty fast for online banking, and would take a lot of the risk out. But then again, they're probably going to just keep on adding layer after layer of stupid "security" functions like asking you your mother's maiden name (because nobody knows that information).
  • by AK Marc ( 707885 ) on Friday June 29, 2007 @03:21PM (#19692783)
    Rather than arbitrarily root around, a technician will probably come to your home and check your OS version and patches, anti-virus version and updates, firewall, ... all while you watch.

    Well, even that seems objectionable. The only reason they would need to do that is if there has been a loss and they want to pin it on someone other than themselves. So, they aren't even "looking" at the computer, they are there for one and only one reason, document security holes. Whether one of those holes were used doesn't matter. If they document enough, then they will shift the blame to the customer. Why should I go out of my way to help the bank deny me the money I deposited into it?
  • by jimicus ( 737525 ) on Friday June 29, 2007 @03:43PM (#19693101)
    Anyone who's ever dealt with the kind of call centres you get with banks knows what's going to happen.

    [Rings up to complain of fraud]

    Bank: Hello, this is ${BANK}, how can I help you?
    Customer: Yes, I appear to have a transaction for £3000 leaving my account which I don't know anything about.
    Bank: OK, I see you use our Internet banking service. Do you have antispyware software on your computer?
    Customer: No, I use a....
    Bank: Do you have antivirus software on your computer?
    Customer: No, I use a Mac....
    Bank: No antispyware, no antivirus. Not our problem. Goodbye.

  • by macemoneta ( 154740 ) on Friday June 29, 2007 @04:16PM (#19693521) Homepage
    One of my banks has a bad SSL certificate configuration.

    I emailed them to let them know. Their response? "Clear your cache and cookies".

    I thanked them and explained that the problem wasn't on my end, that Verisign actually documented their problem and provided them with the URL. Their response? "Maybe the date on your computer is wrong, our certificates expire in 2011".

    I again explained that it wasn't a certificate expiration issue, and in fact the certificate in question expired in 2009. Their response? "No one else is reporting the problem". I stopped reporting the issue, and we started moving money elsewhere.

    The problem isn't so much that they didn't have a properly configured certificate, the problem was their response to a security issue. The ticket went back and forth several times (to multiple representatives), and there was no automatic escalation or intercept. The ticket was reporting a security matter, but again, there was no intercept. I can understand not having tier 1 customer support be security experts, but the exchange exposed a complete lack of proper security practices and procedures.

    I am not now, nor have I ever been impressed with the security practices at any bank. Some are just not as bad as at others. They will never be permitted to lay hands on a computer of mine.
  • Re:Ill conceived (Score:2, Insightful)

    by robo_mojo ( 997193 ) on Friday June 29, 2007 @05:20PM (#19694319)
    "Why not provide customer with an anti virus/malware/spyware of bank's choosing before letting customers make transactions ?"

    Because that means the bank would be responsible if something went wrong. And the banks don't want that responsibility, hence this whole deal.
  • by Anonymous Coward on Friday June 29, 2007 @06:27PM (#19694991)
    Which is why I use a bootable Puppy Linux CD to surf the internet.
  • by Hecilwe ( 681537 ) on Saturday June 30, 2007 @11:34AM (#19699697)
    The tech they send out probably won't be able to take your word for it.

    In fact, he'll probably be outfitted with a CD that has programs on it that root around inside your machine and send the information back home via the Internet. In a perfect storm of stupidity, the programs would have to be run as Administrator.
