New Zealand Banks Demand a Peek at User PCs

Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are uptodate.'"
  • Nothing for you to see here. Please move along.
    • This attempt by the banking industry to shift transactional liability away from their servers and onto the backs of the consumers is what I'd expect from the ruthless rat bastards. Don't think something like this would fly in the U.S. Notwithstanding the fact that our government is spending a king's ransom getting all up in our computers already (NSA-FBI), our citizenry would be OUTRAGED and OFFENDED if they thought their bank was all up in their hard drives! Pity the bank that tried to pull that chicane
  • Interesting (Score:5, Insightful)

    by MightyYar ( 622222 ) on Friday June 29, 2007 @01:28PM (#19691037)
    I was wondering what the end of internet banking would look like, and this is it.

    I'll go right back to using the branch if they start holding me liable for using their cost-saving website.
    • You already are liable. Either way the bank has better lawyers.

      If I steal your identity and buy a lot of products the only thing the bank will do is call the FBI. They will still ask for you to pony up. Refuse? Then they will put it on your credit report. Now try getting a job or apartment or home?

      It's been ruled in court if someone sells your home you have to leave and the bank is not liable for the loan and you have to pay them. I do not know how but somehow they convinced a jury??

      It's quite bad and there n
      • by init100 ( 915886 )

        Refuse? Then they will put it on your credit report. Now try getting a job or apartment or home?

        I can understand that it may be hard to get things that cost money, like an apartment or a loan. But a job? Do employers check the credit report of would-be employees in the US? Why?

    • by citog ( 206365 )
      So you're saying a customer doesn't have any liability when it comes to securing their accounts held at a bank? As an internet banking customer you're usually told in the terms and conditions that you have a responsibility to secure access to your account within reasonable boundaries. Explain to me what's wrong with the bank verifying that you've complied when you're disputing a transaction.
    • Well, that's always your choice, of course.

      I personally think that holding the user responsible is the most natural thing in the world. Why would the bank have to take the blame if the user's machine is compromised? As long as security is not breached on their side, their only responsibility is to process the requests given to them correctly. If these requests happen to be fraudulent, I don't see how that's the bank's fault.

      Of course, if the perpetrator is caught, and it can be proven that he accessed an

      • Here's why I object. I am not a security expert, and yet I possess much more knowledge about computer security than the average bank customer. I, much less the average customer, cannot be expected to lock down my home computer to bank-network standards. The bank - who is an expert in security - has chosen to open their financial network to the internet at-large, and they should assume the costs and responsibility associated with that step.

        I don't know what the solution is - perhaps they should have an autom
        • by pegr ( 46683 )
          Where your argument falls apart: The bank - who is an expert in security...
          The bank is an expert in risk management, not security. I believe this article just supports that fine distinction...
          • Heh, as risk managers it's obviously up to them how much they want to pay attention to security. But that's what I'm getting at - they shouldn't be allowed to just shovel their risk over to consumers. The whole reason I use a bank is so that I don't have to worry about my money. I could keep it all in a shoebox and mail it out in thick wads to pay my bills, but that would be foolish because it's not as secure as a bank. They advertise their online banking and push it heavily because it saves them a lot of m
  • by Anonymous Coward on Friday June 29, 2007 @01:28PM (#19691039)
    So, if they're allowed to inspect my client, may I inspect their server? No?
    • Re: (Score:3, Interesting)

      So, if they're allowed to inspect my client, may I inspect their server? No?

      That was my first thought too, but if NZ is like the US in this regard, they have government banking regulators auditing the heck out of their systems. So it's probably reasonable to more strongly assume the banks' systems have a known level of security.

      OTOH, if the banks' security audit results aren't made public, then your instinctive reaction is probably pretty fair.

      • Re: (Score:3, Insightful)

        Yeah ... right.

        The bank once deposited $80,000 into my sister's account by mistake. She told them about it ... the next week, it was "corrected" - it was then $234,000.00.

        When she went in to tell them about it, they were having another problem --- the ATM was spitting out paper and money all over the place.

        Audited doesn't mean perfect any more than ISO9001 means low level of defects.

        • by woodlander ( 737137 ) on Friday June 29, 2007 @02:25PM (#19691877)
          Could I ask the name of the bank? I need to move my account.
        • Re: (Score:2, Informative)

          by alexgieg ( 948359 )

          The bank once deposited $80,000 into my sister's account by mistake. She told them about it ... the next week, it was "corrected" - it was then $234,000.00.

          The funny thing is that many banks (the huge ones mainly) are in fact allowed, by their respective central banks, to "invent" money out of nowhere. This of course causes inflation, but so long as they don't do it so much that it would cause the upper yearly inflation limit set by the central bank to be surpassed, it's perfectly okay.

          This world we live in

          • I have a feeling the truth is more nuanced than what you said. Got a reputable cite?
            • I copied this from an old post:

              I think the grandparent is referring to "fractional reserve banking".

              He got it a little bit wrong.
              All banks (not just big ones) in Canada and America (most of Europe) are allowed to create, and destroy money.

              In most countries there is some form of control on how much money they can create and how
              * Reserve Ratio
              * Over Night Lending Rate
              But for the last several hundred years
          • I'm pretty sure it is the central bank (eg. Federal Reserve) that actually invents the cash. Otherwise you would have different banks printing like madmen before the other guy did, and it would end up as profit for the bank. But yeah money gets created out of thin air. At least with currencies not backed by gold or something.
          • When you define "money" as including deposits at banks then sure, if someone makes a deposit at a bank then the amount of "money" increases. If you define "money" as deposits with the central bank plus currency then ordinary banks don't "create" money quite so easily (there are in fact a wide range of definitions of "money" which are usually abbreviated M1, M2, M3 and so on). So what? There is nothing magical about money. ...Because you are completely wrong about the influence of this on inflation. The cent
          • Sigh, this is why we need an "incorrect" moderation.

            That is possibly the worst explanation of the money multiplier effect [] that i have ever heard.
        • As long as they (the banks) make sure their branches are understaffed during the day and close the instant everyone gets out of work they are content with the way things are.

          They seem to be good at flooding upper class town centers with branches though. One nearby town's center is half banks. So instead of an appealing shopping/dining area it is mostly dead in the evenings.
        • That's nothing. A few years ago, Charles Schwab once "gave" me $63,000,000 and change. I hit F5, and there was another transaction removing the funds. Made for an interesting 20 seconds.
    • So, if they're allowed to inspect my client, may I inspect their server? No?

      There is no need. If your system is clean they are not holding you liable and you are getting your money back.
  • Therefore..... (Score:5, Insightful)

    by Lumpy ( 12016 ) on Friday June 29, 2007 @01:28PM (#19691045) Homepage
    All of you damned users not running Microsoft OS will be liable.

    Just because anti-spyware software does not exist for your software platform is no excuse!

    You BeOS users! How dare you not run a Virus scanner app!

    Gotta love Bank executives asking for things they don't even have the slightest clue about.
    • More than likely you will be banned from online banking because their software won't know what anything but Windows is.

      So the least secure OS gets the approval because it's what everyone uses.
    • Re: (Score:3, Informative)

      by ktappe ( 747125 )

      All of you damned users not running Microsoft OS will be liable. Just because anti-spyware software does not exist for your software platform is no excuse!

      This exact thing happened at my workplace recently (the 3rd largest bank in the U.S...look it up.) Our new "WebConnect" VPN system will not work with Linux and Mac OS X because their first step upon connecting to it is for it to check for viruses and spyware. As this checker ("WholeSecurity", owned by Symantec) does not work on anything but Microsoft

  • The police should immediately adopt this.

    Want to file a criminal report? Let us search your home first, citizen. As long as it's not mandatory, things are perfectly legal since you're consenting to it. You're free to stop using our services at any time.
    • by rossz ( 67331 )
      Am I free to stop paying for the service if I stop using it? Damn, I didn't think so.
  • by blahplusplus ( 757119 ) on Friday June 29, 2007 @01:29PM (#19691061)
    I really have to wonder if this is a kneejerk reaction to Banks having fraud problems?

    I think this is a pretty extreme measure, as if companies didn't already have enough data about people already. What exactly is the criteria for a 'secure' system? Sounds like a lot of BS to me.
    • Here in the US someone can sell your home without your consent and you would have to leave.

      Yes, it's a big problem and for some reason the banks have been winning in courts and not paying for things like fraudulent transactions and letting the consumer deal with it.

      It's a knee-jerk reaction but they should do more things like do FBI background checks and fingerprinting for any major transaction over $10,000 or credit card application. I did so to work at the school district and it's inconvenient to wait a month
      • by SLot ( 82781 )
        Here in the US someone can sell your home without your consent and you would have to leave.

        You keep saying this, but I'm sure there is more to the story. Care to provide a link to the case or any more details?
      • Here in the US someone can sell your home without your consent and you would have to leave.

        Uh, no. Nobody can sell YOUR home but you. Now, if the home belongs to the bank i.e., they have the loan, then they are allowed to call the loan in whenever they want. You have the option to pay, re-fi elsewhere, or move. But these are your choices.

  • LiveCD (Score:2, Interesting)

    So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?
    • Re:LiveCD (Score:5, Funny)

      by WrongSizeGlass ( 838941 ) on Friday June 29, 2007 @01:39PM (#19691193)

      So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?
      No ... who do you think they are, NetFlix? ;-)
  • Gee Wally ... (Score:5, Interesting)

    by WrongSizeGlass ( 838941 ) on Friday June 29, 2007 @01:37PM (#19691163)

    a computer or device that does not have appropriate protective software and operating system installed and up to date
    Who determines what an appropriate protective operating system is? Does that rule out XP SP1? (or Win2K, Win ME, Win 98, etc.) Does lack of AV software on my Mac or Linux box define my computer as 'unprotected'? And does 'up to date' refer to the AV definitions, the OS patches or just the latest & greatest releases (such as Vista and/or IE 7)?
  • All about Trust. (Score:4, Insightful)

    by Shambly ( 1075137 ) on Friday June 29, 2007 @01:37PM (#19691165)
    I don't trust the banks to secure their data or use it in non malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completely secure. All of these have reasons not to trust each other since all of these have failed at some point or another. I think I'll stick to ATMs for my needs. At least if it fails it's their hardware that's getting blamed and not mine.
  • The bank just wants to install a little program and ask for your various identification numbers, biometrics, etc. What could be dangerous about trafficking that information plus the apparent security info about your computer over the internet?
  • Here is my hard drive-less Dull unInspiron running Knoppix
  • If more companies that consumers interact with begin to insist that the consumers use good security practices then the consumers will either do so, or get offline. Or pay through the nose, and then do so or get offline. Any one of which will, eventually, reduce the numbers of people susceptible to bots, trojans, and other malware.
  • Just show me what security YOU run before i give you my money to take care of ;P
    • Just show me what security YOU run before i give you my money to take care of ;P

      Seems to me it's a reasonable request.

      If they're dumping responsibility for security breaches on their customers, I'd bet they're having trouble on their end of the comm line, too. This sort of thing would not make me confident in their operation.

      Alternatively, they may be having a LOT of fraud costs from software targeting their particular customers. If they were reduced to announcing that the users with infected computers are
  • Catch-22... (Score:2, Insightful)

    by GradiusCVK ( 1017360 )
    Is it just me or does it seem like the only correct answer to the bank's request would be, "I'm sorry, I am so security conscious that I simply cannot allow you to access my computer"?
    • Is it just me or does it seem like the only correct answer to the bank's request would be, "I'm sorry, I am so security conscious that I simply cannot allow you to access my computer"?

      In which case -- says the article -- they may refuse your claim.
  • by JesseL ( 107722 ) on Friday June 29, 2007 @01:44PM (#19691257) Homepage Journal
    I'd probably just set up a sandbox in VMware or something similar, to do all my online banking.
    • How can you make the case that your guest OS is secure if the host is found to be insecure?
      • by JesseL ( 107722 )
        Who's gonna find anything about the host? That's the whole point. Let them see what I want them to see, satisfy them that everything is A-OK, and keep the rest of the box free from their snooping.
    • by CastrTroy ( 595695 ) on Friday June 29, 2007 @03:11PM (#19692615) Homepage
      I was just thinking about something similar. If the bank is so worried about the user's system being compromised, then they should send out CDs with a VMWare image that the user can run so that it's known to be safe. There's probably still some attack vectors, because the Host OS could be majorly compromised, but it would make the process a whole lot more secure. But the VM Image could be signed, so that it could be verified to be unchanged upon each boot, and the memory contents could even be kept encrypted. It would also make sense for the access point of the bank not to be an actual web page you could visit with any browser, preventing people clicking on links in their email, or even being used to visiting the site in the browser. It would be plenty fast for online banking, and would take a lot of the risk out. But then again, they're probably going to just keep on adding layer after layer of stupid "security" functions like asking you your mother's maiden name (because nobody knows that information).
  • by The_REAL_DZA ( 731082 ) on Friday June 29, 2007 @01:45PM (#19691261)
    ...if they can access it, it ain't secure. 'nuff said.
  • When did 'uptodate' become a word?

    Oh that's right. It's not. Try 'up-to-date'.
  • Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed.

    What is and is not appropriate and who decides that? If it is the banks then you can bet that Linux and FOSS will probably not be on the pre-approved list and will require substantial hassles to be approved by the bank. Perhaps they intend to run ActiveX controls on their sites t
  • by mh1997 ( 1065630 ) on Friday June 29, 2007 @01:51PM (#19691355)

    I am frum the National Bank of Nijeria, after providing your name, social security number, bank acount number, and routin information, pleaze instal the attached file so that we may check your securitee settings. Pleaze disreagard all mispelings an gramer mistakes in this email, we were forced to outsource securty email to another countries to save you money and provide the best service that you are familar with us.

  • To be safe, the bank would have to require that you be able to prove that you have all the latest security add-ons and proper configuration, and that you have maintained these without a break, on every computer you've used to access their website (including, presumably, computers at work, school, your public library, etc). If their user agreement places that burden of proof on the user, then the bank will probably end up washing their hands of every fraud case. Of course, most consumers just skip the fine
  • by fishthegeek ( 943099 ) on Friday June 29, 2007 @01:59PM (#19691473) Journal
    Okay. Let's assume that the banks are somewhat justified in asking for the right to inspect a user's PC. If I were in New Zealand I would be petitioning my lawmakers for the right to sue for damages beyond actual loss when, by reason of lack of security, personal information is compromised and theft is the result.

    A quick search on google resulted in a large list of banks that have lost information or had fraud that was the result of a security breach. My personal favorite from the list was this little gem from none other than the Bank of New Zealand. Apparently thieves outfitted a few ATMs with skimming devices and harvested the account & PIN information from the bank's customers' cards. The bank is responsible for the security of those ATMs and should be held accountable for more than just the theft of cash.

    When banks take fraud seriously enough to protect themselves and their devices then I might take their position a little more seriously.
  • Looks like if you use the Quicken PIN-vault feature, or Apple's Keychain, or any other method (including paper) for retaining the PIN and password, the bank can tell you it's your fault. Nice. So you've got to remember all those secure passwords yourself. (if you use an insecure password, you're liable).

    Under the rules they're setting up, the only reasonable thing to do is go back to using tellers.
    • There is one simple solution: don't store your bank information on your computer.
      My bank uses a device [] which, combined with the bank card, generates 8 digit codes to use for authentication and verification.
      This device is not connected to a computer.

      For confirmation of any transaction you need to enter the confirmation code from the website on the device.
      The device generates a signing code which must be entered on the website for confirmation.

      It might be more manual actions, but it is also more secure.
      My com
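The challenge/response flow this comment describes, as an added example (not from the thread, and not any bank's actual scheme): the bank binds a one-time confirmation code to the pending transaction, the offline reader signs that code with the card's key, and the bank executes only the transaction whose code was signed. The card key, the HOTP-style truncation, the `Bank`/`device_sign` names and the account numbers are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret: in a real deployment it lives on the card's chip and in
# the bank's HSM, never on the customer's PC.
CARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def _truncate(mac: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation (RFC 4226) to a fixed number of decimal digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def device_sign(card_key: bytes, challenge: str) -> str:
    """Offline card reader: the customer keys in the 8-digit confirmation code from the
    website and reads the 8-digit signing code off the display. The PC never touches
    the key, so a keylogger only ever sees one-time values."""
    return _truncate(hmac.new(card_key, challenge.encode(), hashlib.sha256).digest())


class Bank:
    """Bank side: issues one-time challenges bound to a pending transaction and only
    executes the transaction whose challenge was signed."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.pending = {}    # challenge -> transaction awaiting a signing code
        self.executed = []

    def make_challenge(self, transaction: dict) -> str:
        # Random 8-digit confirmation code shown on the website; it is meaningless
        # on its own and is stored with the transaction it authorises.
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[challenge] = dict(transaction)
        return challenge

    def confirm(self, challenge: str, signing_code: str) -> bool:
        tx = self.pending.get(challenge)
        if tx is None:
            return False  # unknown or already-used challenge: replay or tampering
        expected = device_sign(self.card_key, challenge)
        if not hmac.compare_digest(expected, signing_code):
            return False  # wrong card, or a code signed over a different challenge
        del self.pending[challenge]  # one-time use
        self.executed.append(tx)
        return True


def demo():
    """Happy path, a replayed code, and a code signed over a different challenge."""
    bank = Bank(CARD_KEY)
    tx = {"to": "NZ-00-0000-0000000-00", "amount": 250.00}  # constructed
    ch = bank.make_challenge(tx)
    code = device_sign(CARD_KEY, ch)
    ok = bank.confirm(ch, code)
    replay = bank.confirm(ch, code)       # same code again: rejected
    other = bank.make_challenge({"to": "NZ-11-1111-1111111-11", "amount": 9999.0})
    cross = bank.confirm(other, code)     # code for a different challenge: rejected
    return ok, replay, cross, len(bank.executed)


if __name__ == "__main__":
    print(demo())
```

Because the reader is offline, a signing code proves possession of the card, not that the customer saw the right payee and amount; readers that require the amount and destination to be keyed in as part of the challenge close that gap.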
  • But this is surely the wrong approach.

    I can imagine:

    - The IT guys at the banks are probably going to define some thin definition of security (as another /.er said it probably will also center around being Windows only). Which will be to the joy of one security company and result in legal action from a bunch of others.

    - The bank will still have breaches as they find that the security measures for that circumstance may work, but when connected wirelessly or at a hotel room, not to mention advances in virtuli
  • by Timesprout ( 579035 ) on Friday June 29, 2007 @02:05PM (#19691535)
    We are glad to see such wide coverage of our new security measures. We are Central Bank are totally focussed on giving our users the most secure online banking experience possible. To that end and to help speed up the implementation of our new security measures could all Slashdot readers resident in New Zealand please respond to this post citing

    (i) Full name, DOB and Address
    (ii) Account number
    (iii) Internet banking login name and password
    (iv) Credit card number, expiry date and security code
    (v) IP address and machine user name and password

    Thank you for your assistance in this matter and we will report the security status of your machine to you as quickly as possible. If you feel uncomfortable entering this information you can always download our helper program (RapeMyAccountLikeItsaSheep.exe) from our website [].

    Central Bank
    New Zealand
  • This is just an attempt to deflect blame from themselves to the user. When your account gets defrauded, they *will* find something on your computer that does not add up and indicate that they are not liable. Then what do you do? Sue?

    The only real security alternative to this is to distribute hardware security devices that generate a password every 60 seconds or so. Then to sign in, you'd have to provide your username, password and the hardware security device generated number. Then even if your box is 0wned
  • by fred fleenblat ( 463628 ) on Friday June 29, 2007 @02:18PM (#19691727) Homepage
    I'd like to see some additional on-line banking security in these areas:

    1. 100% first-class support for macs, linux, solaris, firefox, opera, etc. Any environment that is less targeted than windows+IE should be encouraged by the banks as a way to reduce fraud.

    2. Start issuing SecurID tokens (or similar) to bank customers. This would take care of the simpler keyloggers and phishing attacks.

    3. Pay attention to the IP addresses. Compare them to known bot-infested netblocks. Track the IPs that a particular customer uses and flag it when it's not from their home ISP or employer's http proxy.

    4. Don't allow wire-transfers or on-line bill pay of large amounts to arbitrary parties via the web banking interface.

    5. Look for *patterns*. Change of address followed by any kind of withdrawal or request for a card or checks. Transactions from different people's accounts sending money to the same or similar destination. Hire some game AI dude or data mining people to proactively look for fraud in real time instead of waiting for customers to report missing funds.

    6. Criminally investigate fraud. Don't just push the problem back on the customer or write it off as a business expense, actually go out and prosecute the people committing the fraud. Hire the RIAA's legal staff and put them to good use.

    7. Implement an undo. On-line transactions should only be allowed to/from banks and financial institutions that pledge to reverse any disputed transaction (instantly) and assist in investigating those who would have benefited from it.

    Just my thoughts.
    • by cdrguru ( 88047 )
      It would be nice if banks aggressively prosecuted credit card and other banking fraud.

      But it doesn't work for them. It is extremely expensive to do this and the evidence may be very questionable for criminal prosecution. With any online activity it is next to impossible to prove who was behind the keyboard so without a huge pattern of receiving goods and services from credit card fraud there isn't going to be a conviction.

      There is also the question of deterrent value. Right now, the security people will s
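Items 3 and 5 of the list above, as an added example (not from the thread, and not any bank's real fraud engine): three rules run over a constructed activity log, flagging activity from a listed bot-infested netblock or from outside a customer's usual netblocks, money movement or a card order shortly after an address change, and several customers paying the same destination. The netblocks (RFC 5737 documentation ranges), customers, event kinds and the seven-day window are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    when: datetime
    customer: str
    kind: str          # login, address_change, withdrawal, card_request, transfer
    ip: str
    dest: str = ""     # destination account for transfers
    amount: float = 0.0


# Reference data: constructed assumptions using RFC 5737 documentation ranges,
# not any real customer's or ISP's addresses.
KNOWN_BAD_NETS = [ip_network("203.0.113.0/24")]   # "bot-infested" netblock list
HOME_NETS = {                                      # each customer's home ISP / employer proxy
    "alice": [ip_network("198.51.100.0/24")],
    "bob": [ip_network("192.0.2.0/24")],
    "carol": [ip_network("192.0.2.0/24")],
}
ADDRESS_CHANGE_WINDOW = timedelta(days=7)
MONEY_OUT = {"withdrawal", "card_request", "transfer"}


def ip_alerts(events):
    """Item 3: activity from a known bad netblock, or from outside the netblocks
    this customer normally uses."""
    alerts = []
    for e in events:
        addr = ip_address(e.ip)
        if any(addr in net for net in KNOWN_BAD_NETS):
            alerts.append(("bad_netblock", e.customer, e.ip))
        elif not any(addr in net for net in HOME_NETS.get(e.customer, [])):
            alerts.append(("unusual_ip", e.customer, e.ip))
    return alerts


def address_change_alerts(events):
    """Item 5: a change of address followed, within the window, by anything that
    moves money out or orders a card."""
    alerts, last_change = [], {}
    for e in sorted(events, key=lambda x: x.when):
        if e.kind == "address_change":
            last_change[e.customer] = e.when
        elif (e.kind in MONEY_OUT and e.customer in last_change
              and e.when - last_change[e.customer] <= ADDRESS_CHANGE_WINDOW):
            alerts.append(("post_address_change", e.customer, e.kind))
    return alerts


def shared_destination_alerts(events, min_senders=2):
    """Item 5: different customers' accounts sending money to the same destination."""
    senders = defaultdict(set)
    for e in events:
        if e.kind == "transfer" and e.dest:
            senders[e.dest].add(e.customer)
    return [("shared_destination", ",".join(sorted(who)), dest)
            for dest, who in senders.items() if len(who) >= min_senders]


def run(events):
    """All rules over one batch; duplicates collapsed and sorted for stable review."""
    return sorted(set(ip_alerts(events) + address_change_alerts(events)
                      + shared_destination_alerts(events)))


T0 = datetime(2007, 6, 29, 9, 0)
SAMPLE_EVENTS = [  # constructed activity log
    Event(T0, "alice", "login", "198.51.100.20"),
    Event(T0 + timedelta(hours=1), "alice", "address_change", "203.0.113.5"),
    Event(T0 + timedelta(days=2), "alice", "card_request", "203.0.113.5"),
    Event(T0, "bob", "login", "192.0.2.10"),
    Event(T0 + timedelta(minutes=5), "bob", "transfer", "192.0.2.10", dest="NZ-DEST-1", amount=1500),
    Event(T0 + timedelta(days=1), "bob", "login", "198.51.100.7"),
    Event(T0 + timedelta(hours=3), "carol", "transfer", "192.0.2.33", dest="NZ-DEST-1", amount=900),
    Event(T0 + timedelta(days=1), "carol", "address_change", "192.0.2.33"),
    Event(T0 + timedelta(days=20), "carol", "withdrawal", "192.0.2.33", amount=50),  # outside window
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```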
  • by cdn-programmer ( 468978 ) on Friday June 29, 2007 @02:20PM (#19691779)
    The problem with this idea is that as my bank demonstrates - they are incompetent. Mind you the vast majority of people have practically no clue whatsoever about security and hence the bank does need to do something to protect itself. At present they have a HUGE liability and this is illustrated by the fact that there are keystroke loggers and viruses residing in at least 1/3 of PCs at one time or another.

    Now here is a for instance to illustrate the outright incompetence of my bank's tech support people:

    One of their servers was misconfigured and reported a file not found error. Of course - they sent it to me. The message contained the IP address and the apache version number. Sooo... I know what internal addresses they are using and what version of the webserver daemon. No big deal.

    But why do they send their error messages to the client? Am I supposed to debug it for them? I guess the short answer might be "yes" because I - along with a number of other programmers - might be working in the apache source code so potentially we do debug their systems. But this was just a misconfiguration.

    So I was nice enough to call their tech support and advise them of the problem. The tech support person insisted I re-boot my computer! Not only this she would NOT pass on my error report to the department which handles their servers. When I demanded to speak with her supervisor I found the supervisor also stonewalled me. So I flatly told her that she is incompetent and as such should not be making decisions about things she knows nothing about. Since she would not pass the error report to the people responsible for dealing with it - she made the decision that it isn't necessary for them to know one of their servers was misconfigured.

    So this is what you get. Banks are large bureaucratic organisations filled with incompetent people who like to sweep things under the rug and are too stupid to either think outside of the box or pass even a trouble report over to someone who might be responsible for dealing with it.

    Why would we want people like this to run code in our computers? Why would we want to be held responsible for their errors - which will happen under the New Zealand system?

    This reminds me when I wanted to set up an e-commerce system. The bank at the time was in bed with a company out of India. They wanted the root password for my servers. I said No.

    Why should I hand over the root password to a group of unknown people in India? If something happens have I any recourse against them? Of course not. Sue in an Indian Court? Bullshit! We all know that would go nowhere and be bloody awful expensive and even if we did win India has laws which prevent money leaving their country. You can pay money to Indian citizens after you go to great trouble - but just forget the idea of taking money out of the country.

    So it's triply a poor idea to hand over a root password to a company in a foreign country! Of course I advised the bank that their e-commerce terms were totally unacceptable.

    Guess what? The company they dealt with in India was bankrupt within a year. It truly was fly-by-night.

    This is what you get from large bureaucratic organisations filled with incompetent people: You get really dumb ideas hatched.

    Richard Feynman writes in one of his books about the incompetence of the military with regard to the Manhattan project at Los Alamos. Back then they had a hole in the fence. They had guards stationed at the main entrance and made everyone sign in and out. But they didn't fix the hole in the fence and didn't station guards there either. So Feynman took great joy for a while by entering through the main gate and signing in - then exiting via the hole and signing in again. This did not trigger a red light in the guard's mind. Neither did me telling the tech support person at my bank that one or more of their servers was misconfigured and was bitching about it.

    The short of it is that the banks really do have a problem and the way they handle things they are probably some of the worst people to address their problems. In part - this is why the banks have a serious problem.

  • Neither the Internet (Peter G. Neumann, Practical Architectures for Survivable Systems and Networks, 63-66 (2000)) nor the PC were designed to provide trustworthy critical services. The Internet model was designed to be robust against significant physical destruction of communications links and nodes. The PC started as a personal hobbyist device and migrated to more general usages. The UNIX systems started from timesharing and migrated both up and down. No sy
  • by Alain Williams ( 2972 ) on Friday June 29, 2007 @02:55PM (#19692381) Homepage
    At least twice this year I have had someone from the bank 'phone me up out of the blue, say that they are from Nat West Bank and that they need to talk to me about something ... but first would I prove who I was by answering some questions.

    My reply: certainly, but they must prove who they are first.

    Oh, no - that is not the way that they do things, I must prove who I am first -- by answering exactly the same security questions that someone phishing would want to know. Needless to say: I refused.

    I then took this as a complaint to the bank chairman - and have received platitudes as to how they take security seriously, burble, burble, ... I'm not going to let this go: I shall chase them. I should be OK since I won't give the information out, but many people will do so.

    Banks are crap.

  • So they decide if your OS is approved, or your antivirus vendor?

    10 bucks it's their 'partners' that are the only ones you get to use.
  • by jimicus ( 737525 ) on Friday June 29, 2007 @03:43PM (#19693101)
    Anyone who's ever dealt with the kind of call centres you get with banks knows what's going to happen.

    [Rings up to complain of fraud]

    Bank: Hello, this is ${BANK}, how can I help you?
    Customer: Yes, I appear to have a transaction for £3000 leaving my account which I don't know anything about.
    Bank: OK, I see you use our Internet banking service. Do you have antispyware software on your computer?
    Customer: No, I use a....
    Bank: Do you have antivirus software on your computer?
    Customer: No, I use a Mac....
    Bank: No antispyware, no antivirus. Not our problem. Goodbye.

  • by macemoneta ( 154740 ) on Friday June 29, 2007 @04:16PM (#19693521) Homepage
    One of my banks has a bad SSL certificate configuration.

    I emailed them to let them know. Their response? "Clear your cache and cookies".

    I thanked them and explained that the problem wasn't on my end, that Verisign actually documented their problem and provided them with the URL. Their response? "Maybe the date on your computer is wrong, our certificates expire in 2011".

    I again explained that it wasn't a certificate expiration issue, and in fact the certificate in question expired in 2009. Their response? "No one else is reporting the problem". I stopped reporting the issue, and we started moving money elsewhere.

    The problem isn't so much that they didn't have a properly configured certificate, the problem was their response to a security issue. The ticket went back and forth several times (to multiple representatives), and there was no automatic escalation or intercept. The ticket was reporting a security matter, but again, there was no intercept. I can understand not having tier 1 customer support be security experts, but the exchange exposed a complete lack of proper security practices and procedures.

    I am not now, nor have I ever been impressed with the security practices at any bank. Some are just not as bad as at others. They will never be permitted to lay hands on a computer of mine.
