Security The Almighty Buck

Banks, Wall St. Feel Pinch from Computer Intrusion

Posted by Soulskill
from the only-going-to-get-worse dept.
An anonymous reader writes "Financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses and suspicious activity attributed to computer intrusions and identity theft, says the Washington Post's Security Fix blog. The Post obtained a confidential report compiled by the FDIC which analyzed Suspicious Activity Reports from the 2nd Quarter of 2007. SARs are filed when banks experience fraud or fishy transactions that exceed $5,000. The bank insurance agency found that losses from computer intrusions averaged $29,630 each — almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). According to the Post, 'The report indicates that the 80 percent of the computer intrusions were classified as "unknown unauthorized access — online banking," and that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."' Another set of figures analyzed by The Post looks at similar increases affecting the securities and futures industry."

  • by zappepcs (820751) on Sunday February 24, 2008 @01:38PM (#22536068) Journal
    It's not just bean counters. Many businesses went into the computer services side of their business with either no knowledge of the risk, went into it before the risks were known, or simply made bad decisions. Now, they have to have the computer side of their business to compete and they are finding out what dangers lie inside Pandora's box, even as they try to put the lid back on.

    Intrusion detection systems are how old? Who really is the enemy as far as the computer system can tell? If you don't know, or are not sure of the answer, you have something in common with the people that have to make decisions with the security of your financial information. I'm not saying that it's a total lost cause, but think about it, have you heard of CSO, CIO or CISO? These are the guys that are supposed to make such decisions. Does your bank have any of those positions? Oh wait, is it really the bank that is fully to blame? Did your login get compromised by some software on the 'build-a-better-model-airplane' website?

    Better yet, did the bank's EDI software get compromised because one of their partners has an IT guy that watches porn at work during the grueling month-end process?

    The truth is that a secure system cannot trust anyone or anything. Getting to your money in a secure system will not be easy, and will be a deterrent to using computerized banking. That is just how it is. Ever since there were banks, people have been trying to rob them. Security issues should not be news. What is news is that the banks and financial institutions are reporting that they are having trouble with security in a time when just about the entire industry has been hurt by the sub-prime issue? I smell a kind of rat here.
  • by Creepy Crawler (680178) on Sunday February 24, 2008 @01:39PM (#22536076)
    And that kind of technology would invariably lead to "Works only on Windows".

    I'd rather have a separate "channel" of information to verify against. If one would use internet banking, then a txt msg containing pertinent info would be sent, with a reply "$dollar amount and yes" as confirmation.

    Phones can be deactivated rather fast when it comes to "stolen" and such things. It would provide extra security and very little hassle.
  • by CastrTroy (595695) on Sunday February 24, 2008 @02:04PM (#22536252) Homepage
    I call BS. There's a lot they could do to increase security for banking. How about actual 2-factor authentication? Something you know, and, something you know is not 2 factor authentication. Try something you know (your password), and something you have (those little RSA tokens). If they implemented those RSA tokens that spit out a new number every 60 seconds, they could stop almost all the phishing scams. Yet they refuse to do anything to actually even offer the more secure option. I'd pay for the RSA token out of my own pocket if it meant my money would be more secure.
  • by Detritus (11846) on Sunday February 24, 2008 @02:21PM (#22536444) Homepage
    That doesn't do a damn thing to protect people from zero-day exploits and compromised web sites that try to take advantage of vulnerabilities in users' systems. Part of not getting infected is education and keeping systems updated, but part of it is dumb luck. You can do everything right and still get infected.

    I would like to see operating systems that offer the option of only executing code that has been digitally signed. Banks should give their customers authentication devices. This can be as simple as a sheet of paper with a table of authentication codes.

  • by CastrTroy (595695) on Sunday February 24, 2008 @02:47PM (#22536674) Homepage
    Isn't ETrade just for trading? Do they have standard chequing accounts? Do any North American banks offer RSA SecurID for chequing accounts?
  • by Pinky's Brain (1158667) on Sunday February 24, 2008 @03:10PM (#22536992)
    My own bank uses such a device, but they have been hit by bank specific trojans which simply let you authenticate a different transaction while you thought you were authenticating your own.

    The only solution is a separate device less easily owned than a PC which displays all the transaction details. Mobile phones would work (would be nice if they used better cryptography, but even without it's a lot more difficult to exploit on a large scale without physical presence).
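
The difference between the two comments above (a token that shows a new number every 60 seconds versus a separate device that covers the transaction details), as an added example that is not part of any poster's comment. It uses the open RFC 4226/6238 construction as a stand-in for the token, not RSA SecurID's own algorithm; the function names, secret, nonce, payees and amounts are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC digest to a decimal code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 60) -> str:
    """Time-only code: depends on the secret and the clock, nothing else."""
    counter = struct.pack(">Q", unix_time // step)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest())

def tx_code(secret: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """Code bound to the transaction details shown on the separate device."""
    fields = [nonce.encode(), payee.encode(), str(amount_cents).encode()]
    msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)  # length-prefixed
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())

def bank_accepts_totp(secret, submitted_tx, code, unix_time):
    # The bank can only check that the code is fresh; submitted_tx is not covered.
    return hmac.compare_digest(code, totp(secret, unix_time))

def bank_accepts_tx_code(secret, submitted_tx, code, nonce):
    # The bank recomputes the code over the transaction it actually received.
    expected = tx_code(secret, submitted_tx["payee"], submitted_tx["amount_cents"], nonce)
    return hmac.compare_digest(code, expected)

def simulate():
    secret = b"constructed-demo-secret"      # constructed sample value
    now, nonce = 1203865800, "n-0001"        # constructed sample values
    intended = {"payee": "ACME Utilities", "amount_cents": 12000}
    altered = {"payee": "Unknown Account", "amount_cents": 950000}  # what the PC sent
    # The user reads codes off the device for the transaction they believe they are making.
    user_totp = totp(secret, now)
    user_tx = tx_code(secret, intended["payee"], intended["amount_cents"], nonce)
    return {
        "totp_accepts_altered": bank_accepts_totp(secret, altered, user_totp, now),
        "tx_code_accepts_altered": bank_accepts_tx_code(secret, altered, user_tx, nonce),
        "tx_code_accepts_intended": bank_accepts_tx_code(secret, intended, user_tx, nonce),
    }

if __name__ == "__main__":
    print(simulate())
```

The time-only code verifies no matter which transaction reaches the bank, while the transaction-bound code verifies only for the payee and amount the user saw on the device.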
  • by Tmack (593755) on Sunday February 24, 2008 @03:34PM (#22537262) Homepage Journal
    The fact that simply knowing someone's ssn (for US peoples, of course) can expose them to all sorts of credit fraud is dumb. Granted, the system was created back before any of this online stuff was even imagined, but it is well overdue for a revamp. First, expand it past the 3-2-4 digit number. With the current population, 33% *should* be in active use by live people right now. Numbers are probably already being re-issued, and will soon lead to numbers being shared if it's not expanded, which will only complicate things further.

    What is needed, if they want to keep the system at least a little similar, is to simply add a PIN. Keep the pin separate, never printed, just like a PIN for a bank card. The PIN must be used for opening any account or using the SSN in any manner an ID thief might. For general use only ssn is required, same as it is today. This alone would cut back on ID theft, as it would break the current method of "ssn + name = free$$" by requiring a PIN that only the original holder of the SSN should know, rather than requiring a simple to find number and some info that's publicly available.

    Tm

  • by TheRaven64 (641858) on Sunday February 24, 2008 @07:42PM (#22539718) Journal

    - On top of that, the bank sends me an email every time I connect, with the date, time, the IP address from which I connected, and the money operations performed if any.
    So, when I phone them up after intercepting this email, and they say 'please can you confirm the last transaction on your account' to get them to give me a new phone banking password, I'll know the answer. Actually, my US bank asked me this as a question. I didn't know the answer (that was why I was phoning them) so the helpful person told me the answer and then transferred me to someone else who would ask the same question. I was astonished, and very glad I don't keep much money in the US.
