
New Zealand Banks Demand a Peek at User PCs

Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up to date.'"
  • LiveCD (Score:2, Interesting)

    by kungfoofairy ( 992473 ) on Friday June 29, 2007 @01:32PM (#19691109)
    So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?
  • Gee Wally ... (Score:5, Interesting)

    by WrongSizeGlass ( 838941 ) on Friday June 29, 2007 @01:37PM (#19691163)

    a computer or device that does not have appropriate protective software and operating system installed and up to date
    Who determines what an appropriate protective operating system is? Does that rule out XP SP1? (or Win2K, Win ME, Win 98, etc.) Does lack of AV software on my Mac or Linux box define my computer as 'unprotected'? And does 'up to date' refer to the AV definitions, the OS patches or just the latest & greatest releases (such as Vista and/or IE 7)?
  • by DoofusOfDeath ( 636671 ) on Friday June 29, 2007 @01:39PM (#19691197)

    So, if they're allowed to inspect my client, may I inspect their server? No?

    That was my first thought too, but if NZ is like the US in this regard, they have government banking regulators auditing the heck out of their systems. So it's probably reasonable to more strongly assume the banks' systems have a known level of security.

    OTOH, if the banks' security audit results aren't made public, then your instinctive reaction is probably pretty fair.

  • by JesseL ( 107722 ) on Friday June 29, 2007 @01:44PM (#19691257) Homepage Journal
    I'd probably just set up a sandbox in VMware or something similar, to do all my online banking.
  • by fishthegeek ( 943099 ) on Friday June 29, 2007 @01:59PM (#19691473) Journal
    Okay. Let's assume that the banks are somewhat justified in asking for the right to inspect a user's PC. If I were in New Zealand I would be petitioning my lawmakers for the right to sue for damages beyond actual loss when, by reason of lack of security, personal information is compromised and theft is the result.

    A quick search on Google resulted in a large list of banks that have lost information or had fraud that was the result of a security breach. My personal favorite from the list was this little gem from none other than the Bank of New Zealand. Apparently thieves outfitted a few ATMs with skimming devices and harvested the account & PIN information from the bank's customers' cards. The bank is responsible for the security of those ATMs and should be held accountable for more than just the theft of cash.

    http://www.finextra.com/fullstory.asp?id=15177

    When banks take fraud seriously enough to protect themselves and their devices then I might take their position a little more seriously.
  • End of e-commerce? (Score:1, Interesting)

    by Anonymous Coward on Friday June 29, 2007 @02:17PM (#19691713)
    This is an interesting position for several reasons:

    1) It is the clearest admission that even banks cannot completely defend their own infrastructure, even on their own network, infrastructure, and application environment.

    It really puts a huge question mark on the viability of e-commerce in the future, especially at a time, when banks are pushing even to banking over cellphones.

    2) The natural reaction from a user point of view is that if banks, with huge financial, technical, human resources are unable to provide 100% protection, how are individual computer users, customers supposed to be able to do it in a much less controlled home environment? How realistic is the expectation for home users to match up with banks?

    3) Even if a home user is using a firewall, applies updates, etc., it's well documented that all security products have security flaws from time to time. Even giants like Microsoft can't patch security holes immediately; it's common knowledge how security flaws were not fixed for a long time, even when Microsoft knew about them.
    This begs the question: will Microsoft - and all other companies whose products are in any way within the chain of e-commerce - be legislated to provide fixes within a limited, short time frame, or else... ?

    4) If banks have the right to pass their liability on to their clients, there is no reason why users should not be able to pass it further down to ISPs, networking devices, PC hardware, software manufacturers.

    5) What if the transaction was done using a corporate PC? It will be interesting to see, how all those players will try to push the liability on each other.

    6) Are we going to see a new breed of products: the "e-commerce certified" PC?
    Will all "non-certified" PCs eventually be barred from online banking and e-commerce?

    Is this going to be the end of e-commerce? Will banks be the driving force to bankrupt Microsoft and other tech companies?
  • by cdn-programmer ( 468978 ) on Friday June 29, 2007 @02:20PM (#19691779)
    The problem with this idea is that, as my bank demonstrates, they are incompetent. Mind you, the vast majority of people have practically no clue whatsoever about security and hence the bank does need to do something to protect itself. At present they have a HUGE liability and this is illustrated by the fact that there are keystroke loggers and viruses residing in at least 1/3 of PCs at one time or another.

    Now here is a for instance to illustrate the outright incompetence of my bank's tech support people:

    One of their servers was misconfigured and reported a file not found error. Of course - they sent it to me. The message contained the IP address and the apache version number. Sooo... I know what internal addresses they are using and what version of the webserver daemon. No big deal.

    But why do they send their error messages to the client? Am I supposed to debug it for them? I guess the short answer might be "yes" because I - along with a number of other programmers - might be working in the Apache source code, so potentially we do debug their systems. But this was just a misconfiguration.

    So I was nice enough to call their tech support and advise them of the problem. The tech support person insisted I re-boot my computer! Not only this she would NOT pass on my error report to the department which handles their servers. When I demanded to speak with her supervisor I found the supervisor also stonewalled me. So I flatly told her that she is incompetent and as such should not be making decisions about things she knows nothing about. Since she would not pass the error report to the people responsible for dealing with it - she made the decision that it isn't necessary for them to know one of their servers was misconfigured.

    So this is what you get. Banks are large bureaucratic organisations filled with incompetent people who like to sweep things under the rug and are too stupid to either think outside of the box or pass even a trouble report over to someone who might be responsible for dealing with it.

    Why would we want people like this to run code in our computers? Why would we want to be held responsible for their errors - which will happen under the New Zealand system?

    This reminds me when I wanted to set up an e-commerce system. The bank at the time was in bed with a company out of India. They wanted the root password for my servers. I said No.

    Why should I hand over the root password to a group of unknown people in India? If something happens, have I any recourse against them? Of course not. Sue in an Indian court? Bullshit! We all know that would go nowhere and be bloody awful expensive, and even if we did win, India has laws which prevent money leaving their country. You can pay money to Indian citizens after you go to great trouble - but just forget the idea of taking money out of the country.

    So it's triply a poor idea to hand over a root password to a company in a foreign country! Of course I advised the bank that their e-commerce terms were totally unacceptable.

    Guess what? The company they dealt with in India was bankrupt within a year. It truly was fly-by-night.

    This is what you get from large bureaucratic organisations filled with incompetent people: you get really dumb ideas hatched.

    Richard Feynman writes in one of his books about the incompetence of the military with regard to the Manhattan Project at Los Alamos. Back then they had a hole in the fence. They had guards stationed at the main entrance and made everyone sign in and out. But they didn't fix the hole in the fence and didn't station guards there either. So Feynman took great joy for a while in entering through the main gate and signing in - then exiting via the hole and signing in again. This did not trigger a red light in the guard's mind. Neither did my telling the tech support person at my bank that one or more of their servers was misconfigured and was bitching about it.

    The short of it is that the banks really do have a problem and the way they handle things they are probably some of the worst people to address their problems. In part - this is why the banks have a serious problem.

  • by cHiphead ( 17854 ) on Friday June 29, 2007 @03:18PM (#19692717)
    No, it's not ridiculous, it's perfectly-goddamn-acceptable that if the bank wants to shift culpability from themselves to end users in terms of fraud and security, which is the purpose of this, they should ABSOLUTELY be required to get a subpoena from a judge to access your personal computer. There is a basic right to privacy, and the onus of security is on the bank, not the end user. If they choose to connect their financial systems to the internet, that's THEIR choice, especially if the access allows more than just read-only information on accounts (e.g. the bank's online ability to transfer funds to other bank customers and outside accounts, automatic bill pay, etc.). I don't think you have a healthy understanding of just how bad this is. They will have the ability to access everything on your computer; it only takes one unscrupulous bank IT employee to start copying/logging/etc. personal data.

    Cheers.
  • Hi, I'm Joe (Score:2, Interesting)

    by desertfoxmb ( 1122201 ) on Friday June 29, 2007 @07:21PM (#19695429)
    And I'm here to check your computer's security for the bank.

    What a wonderful opportunity for social engineering granny's password. Idiots. The only way they can realistically do this is if they force installation of their own application to handle all bank transactions, with strong encryption of everything going on and some sort of built-in way to break keyloggers. As it is, it is completely unrealistic and creates more security holes than it closes. The whole "we will never ask you for your password" idea will be gone, as you will be expected to report PINs, passwords, etc. to make sure you picked a good one.
