New Zealand Banks Demand a Peek at User PCs

Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection in is place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are uptodate.'"

Just what I'd tell the bank

[Albanach]

Nothing for you to see here. Please move along.

The Death of Online Banking

[Timtimes]

This attempt by the banking industry to shift transactional liability away from their servers and onto the backs of the consumers is what I'd expect from the ruthless rat bastards. Don't think something like this would fly in the U.S. Notwithstanding the fact that our government is spending a king's ransom getting all up in our computers already (NSA-FBI), our citizenry would be OUTRAGED and OFFENDED if they thought their bank was all up in their hard drives! Pity the bank that tried to pull that chicane

Re:

[Belacgod]

When it comes to rights, we're increasingly a nation of cowards. When it comes to money, we're bulldog/velociraptor crosses. This will not fly, for the same reason we can't balance our budget.

Re:

[cayenne8]

"Me thinks you doth put too much faith in the sensibilities of Americans..."

There, I fixed that for you.

:-)

Re:

[R2.0]

User: "My bank account is empty!"

Bank: "Yes, at 0325 yesterday your account was logged into and the money transferred"

User: "But I didn't do it!"

Bank: "Well, sir, the proper login and password were used, and our logs indicate it came from the same IP address your previous transactions came from. If you did not personally do it, did soeone else in your household do it?"

User: "I live alone, and I work night shift. No one was at the house last night"

Bank: "We're sorry sir, but it sounds like you have been a

"Rooting around" is probably paranoid ...

[AHumbleOpinion]

But I'd rather be responsible for my own computer security than the bank be allowed to root around in my computer.

That is probably a gross exaggeration. Rather than arbitrarily root around a technician will probably come to your home, and check you OS version and patches, anti-virus version and updates, firewall, ... all while you watch. To do otherwise would drive customers from banks that arbitrarily root around to banks that do an appropriately focused search.

Your "eat my own losses" argument has

Re:"Rooting around" is probably paranoid ...

[AK Marc]

Rather than arbitrarily root around a technician will probably come to your home, and check you OS version and patches, anti-virus version and updates, firewall, ... all while you watch.

Well, even that seems objectionable. The only reason they would need to do that is if there has been a loss and they want to pin it on someone other than themselves. So, they aren't even "looking" at the computer, they are there for one and only one reason, document security holes. Whether one of those holes were used doesn't matter. If they document enough, then they will shift the blame to the customer. Why should I go out of my way to help the bank deny me the money I deposited into it?

Re:

[CKW]

Ah crud, I figured it out.

You have an old computer right? Every techie has one. The PIII-700 in the corner.

Yeah - boot only knoppix and only to do your banking on it, and only when your primary PC is disconnected from the network. Make sure it's got it's software firewall on and you're also behind a broadband NAT router.

Now the only question is how to prove to your bank that you used this "banking only" PC instead of your main "possibly infected" PC to do your banking!

Yeah, not so much..

[mpapet]

they want to pin it on someone other than themselves.

In the US this is already how it's done. But I digress...

Three probable Executive-level scenarios.

The Executive-level jokers don't have competent security professionals
The Executive-level jokers aren't listening to their own competent staff.
Hired an outside big-wig consultant who smokes the Microsoft security weed and blows some of the smoke up their skirts.
They are ignoring the very secure EMV standard because it's too expensive.

I'm inclined to believ

Re:

[CKW]

> OS version and patches,

What? No Vista with SP9? You're running what? Leenooks? Too bad for you!

> anti-virus version and updates,

Yeah because anti-virus companies are ALWAYS ahead of viruses and keyloggers and browser exploits.

> firewall

Yeah software firewalls are so useful against malware that originates INSIDE your own computer.

I run an unpatched old version of Windows 2000 at home (before that Win98). No AV, no "software firewall". I'm behind a broadband router that doesn't let anything i

Rediculous to require a subpoena ...

[AHumbleOpinion]

"What is a bank supposed to do in this situation?"

Go to a judge, and ask for a subpoena?

That is rediculous, that is equivalent to saying a customer should have to sue the bank to get their money back rather than have some prearranged agreed upon process. If you want to bring the courts in on such transactions consider how the judge is likely to rule when it is discovered that the customer didn't have current anti-virus, etc. There is nothing wrong with having some prearranged agreement, and nothing w

Re:Rediculous to require a subpoena ...

[cHiphead]

No, its not ridiculous, its perfectly-goddamn-acceptable that if the bank wants to shift culpability form themselves to end users in terms of fraud and security, which is the purpose of this, they should ABSOLUTELY be required to get a subpoena from a judge to access your personal computer. There is a basic right to privacy, and the onus of security is on the bank, not the end user. If they choose to connect their financial systems to the internet, thats THEIR choice, especially if the access allows more than just read only information of accounts (eg. bank's online ability to transfer funds to other bank customers and outside accounts, automatic bill pay, etc.). I don't think you have a healthy understanding of just how bad this is. They will have the ability to access everything on your computer, it only takes one unscrupulous bank IT employee to start copying/logging/etc personal data.

Cheers.

Re:

[Jaseoldboss]

in order to get the money, they have to present the PC.

Call me a sceptic but I would be worried that they could point to one patch that wasn't downloaded and then say refuse the refund! I'd hate to think what they'd say if they were presented with a Linux PC.

Anyway, what's wrong with RSA's SecurID system like most of the banks in the UK are bringing in?

Re:

[rtb61]

I think you miss the point. It is the bank's responsibility to ensure the authorised person and only the authorised person access the account. What this is, is the equivalent of saying that some how that is now the customers responsibility. It is just so wrong, if the bank chooses to offer a service, than it is the banks responsibility to ensure that the service can be offered securely, not the customers.

For example how many banks were only accessible via IE even when there were warnings about using IE an

Interesting

[MightyYar]

I was wondering what the end of internet banking would look like, and this is it.

I'll go right back to using the branch if they start holding me liable for using their cost-saving website.

Re:

[Billly Gates]

You already are liable. Either way the bank has better lawyers.

If I steal your identity and buy alot of products the only thing the bank will do is call the FBI. They will still ask for you to phony up. Refuse? Then they will put it on your credit report. Now try getting a job or apartment or home?

Its been ruled in court if someone sells your home you have to leave and the bank is not liable for the loan and you have to pay them. I do not know how but somehow they convinced a jury??

Its quite bad and there n

Re:

[init100]

Refuse? Then they will put it on your credit report. Now try getting a job or apartment or home?

I can understand that it may be hard to get things that consts money, like an apartment or a loan. But a job? Do employers check the credit report of would-be employees in the US? Why?

Re:

[citog]

So you're saying a customer doesn't have any liability when it comes to securing their accounts held at a bank? As an internet banking customer you're usually told in the terms and conditions that you have a responsibility to secure access to your account within reasonable boundaries. Explain to me what's wrong with the bank verifying that you've complied when you're disputing a transaction.

Re:Interesting

[MightyYar]

Let me reverse that - will they let me audit THEIR systems to make sure that the security breach isn't from THEIR end?

Re:

[spellraiser]

Well, that's always your choice, of course.

I personally think that holding the user responsible is the most natural thing in the world. Why would the bank have to take the blame if the user's machine is compromised? As long as security is not breached on their side, their only responsibility is to process the requests given to them correctly. If these requests happen to be fraudulent, I don't see how that's the bank's fault.

Of course, if the perpetrator is caught, and it can be proven that he accessed an

Re:

[MightyYar]

Here's why I object. I am not a security expert, and yet I possess much more knowledge about computer security than the average bank customer. I, much less the average customer, cannot be expected to lock down my home computer to bank-network standards. The bank - who is an expert in security - has chosen to open their financial network to the internet at-large, and they should assume the costs and responsibility associated with that step.

I don't know what the solution is - perhaps they should have an autom

Re:

[pegr]

Where your argument falls apart: The bank - who is an expert in security...
 
The bank is an expert in risk management, not security. I believe this article just supports that fine distinction...

Re:

[MightyYar]

Heh, as risk managers it's obviously up to them how much they want to pay attention to security. But that's what I'm getting at - they shouldn't be allowed to just shovel their risk over to consumers. The whole reason I use a bank is so that I don't have to worry about my money. I could keep it all in a shoebox and mail it out in thick wads to pay my bills, but that would be foolish because it's not as secure as a bank. They advertise their online banking and push it heavily because it saves them a lot of m

Re:

[cayenne8]

"Fantastic, they charge $3/transaction at the window, $5/month for a statement, $1/check image, and $10/smile from the underpaid, angry teller."

Man, you need to change banks. MANY banks offer free checking...no charges for any of the listed above, and free ATM as long as you use theirs.

The feeling is mutual.

[Anonymous Coward]

So, if they're allowed to inspect my client, may I inspect their server? No?

Re:

[DoofusOfDeath]

So, if they're allowed to inspect my client, may I inspect their server? No?

That was my first thought too, but if NZ is like the US in this regard, they have government banking regulators auditing the heck out of their systems. So it's probably reasonable to more strongly assume the banks' systems have a known level of security.

OTOH, if the banks' security audit results aren't made public, then your instinctive reaction is probably pretty fair.

Re:

[trolltalk.com]

Yeah ... right.

The bank once deposited $80,000 into my sisters' account by mistake. She told them about it ....the next week, it was "corrected" - it was then $234,000.00.

When she went in to tell them about it, they were having another problem --- the ATM was spitting out paper and money all over the place.

Audited doesn't mean perfect any more than ISO9001 means low level of defects.

Re:The feeling is mutual.

[woodlander]

Could I ask the name of the bank? I need to move my account.

Re:

[alexgieg]

The bank once deposited $80,000 into my sisters' account by mistake. She told them about it ....the next week, it was "corrected" - it was then $234,000.00.

The funny thing is that many banks (the huge ones mainly) are in fact allowed, by their respective central banks, to "invent" money out of nowhere. This of course causes inflation, but so long as they don't do it so much that it would cause the upper yearly inflation limit set by the central bank to be surpassed, it's perfectly okay.

This world we live in

Re:

[timeOday]

I have a feeling the truth is more nuanced than what you said. Got a reputable cite?

Re:

[hswerdfe]

I Copied this from an old post ::

I think the Grand parent is refereing to "fractional reserve banking"
http://video.google.ca/videosearch?q=fractional+re [google.ca] serve+banking [google.ca]

He got it a little bit wrong.
All banks (not just big ones) in Canada and America (most of europe) are allowed to create, and destroy money.

In most countries there is some form of control on much money and how they can create
* Reserve Ratio
* Over Night Lending Rate
But for the last several hundred years

Re:

[Frostalicious]

I'm pretty sure it is the central bank (eg. Federal Reserve) that actually invents the cash. Otherwise you you would have different banks printing like madmen before the other guy did, and it would end up as profit for the bank. But yeah money gets created out of thin air. At least with currencies not backed by gold or something.

Re:

[Skippy_kangaroo]

When you define "money" as including deposits at banks then sure, if someone makes a deposit at a bank then the amount of "money" increases. If you define "money" as deposits with the central bank plus currency then ordinary banks don't "create" money quite so easily (there are in fact a wide range of definitions of "money" which are usually abbreviated M1, M2, M3 and so on). So what? There is nothing magical about money. ...Because you are completely wrong about the influence of this on inflation. The cent

Mod Parent Wrong

[Hal The Computer]

Sigh, this is why we need an "incorrect" moderation.

That is possibly the worst explanation of the money multiplier effect [investopedia.com] that i have ever heard.

Re:

[Hatta]

It's not really new money. See what happens is I deposit $1000, the bank turns around and loans you $900 of it. I still have $1000 in my account and you have $900 in my account. So the bank magically turned my $1000 into $1900. Of course it's not real money, and if you try to spend all $1900 of it the banks will shit themselves.

Re:

[hswerdfe]

This isn't exactly how it works.
Look up "the money masters" on google video.
its a little bit old now but still a very good watch
or you can watch "money as debt" from moneyasdebt.net

Re:

[Hatta]

Well I can't watch videos at works so care to tell me what I got wrong? I'm just going from what I remember from economics class in college.

Re:

[Hatta]

And when I borrow $900 from the bank, yes, I have $900 in cash, but I owe $900. My net worth is unchanged by the transaction.

That's why it's not real money.

Re:

[hswerdfe]

I think the Grand parent is refereing to "fractional reserve banking"
http://video.google.ca/videosearch?q=fractional+re serve+banking [google.ca]

He got it a little bit wrong.
All banks (not just big ones) in Canada and America (most of europe) are allowed to create, and destroy money.

In most countries there is some form of control on much money and how they can create
* Reserve Ratio
* Over Night Lending Rate
But for the last several hundred years these controls have been degrading in most of the world.
To t

Re:

[Hoi Polloi]

As long as they (the banks) make sure their branches are understaffed during the day and close the instant everyone gets out of work they are content with the way things are.

They seem to be good and flooding upper class town centers with branches though. One nearby town's center is half banks. So instead of an appealing shopping/dining area it is mostly dead in the evenings.

Re:

[John Miles]

That's nothing. A few years ago, Charles Schwab once "gave" me $63,000,000 and change. I hit F5, and there was another transaction removing the funds. Made for an interesting 20 seconds.

The need is not mutual ...

[AHumbleOpinion]

So, if they're allowed to inspect my client, may I inspect their server? No?

There is no need. If your system is clean they are not holding you liable and you are getting your money back.

Therefore.....

[Lumpy]

All of you damned users not running Microsoft OS will be liable.

Just because anti-spyware software does not exist for your software platform is no excuse!

you BeOs users! how dare you not run a Virus scanner app!

gotta love Bank executives asking for things they dont even have the slightest clue about.

Re:

[Billly Gates]

More than likely you will be banned from online banking because their software wont know what anything but Windows is.

So the least secure OS gets the approval because its what everyone uses.

Re:

[ktappe]

All of you damned users not running Microsoft OS will be liable. Just because anti-spyware software does not exist for your software platform is no excuse!

This exact thing happened at my workplace recently (the 3rd largest bank in the U.S...look it up.) Our new "WebConnect" VPN system will not work with Linux and Mac OS X because their first step upon connecting to it is for it to check for viruses and spyware. As this checker ("WholeSecurity", owned by Symantec) does not work on anything but Microsoft

Great idea

[voice_of_all_reason]

The police should immediately adopt this.

Want to file a criminal report? Let us search your home first, citizen. As long as it's not mandatory, things are perfectly legal since you're consenting to it. You're free to stop using our services at any time.

Re:

[rossz]

Am I free to stop paying for the service if I stop using it? Damn, I didn't think so.

Banks having a fraud problem?

[blahplusplus]

I really have to wonder if this is a kneejerk reaction to Banks having fraud problems?

I think this is pretty extreme measure, as if companies didn't already have enough data about people already. What exactly is the criteria for a 'secure' system? Sounds like a lot of BS to me.

Re:

[Billly Gates]

Here in the US someone can sell your home without your consent and you would have to leave.

Yes its a big problem and for some reason the banks have been winning in courts and not paying for things like fraudulant transactions and letting the consumer deal with it.

Its a knee jerk reaction but they should do more things like do FBI bankground checks and fingerprinting for any major transaction over $10,000 or credit card application. I did so to work at the school district and its inconvenient to wait a month

Re:

[SLot]

Here in the US someone can sell your home without your consent and you would have to leave.

You keep saying this, but I'm sure there is more to the story. Care to provide a link to the case or any more details?

that is not accurate

[WindBourne]

Here in the US someone can sell your home without your consent and you would have to leave.

Uh, no. Nobody can sell YOUR home but you. Now, if the home belongs to the bank i.e., they have the loan, then they are allowed to call the loan in whenever they want. You have the option to pay, re-fi elsewhere, or move. But these are your choices.

LiveCD

[kungfoofairy]

So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?

Re:LiveCD

[WrongSizeGlass]

So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?

No ... who do you think they are, NetFlix? ;-)

Re:

[Jaseoldboss]

That's a brilliant idea. Unfortunately it's spoiled by the hundreds of USB cable modems out there which wouldn't be able to connect as you'd either have no drivers or you'd have to enter all your connection details every boot.

For customers with routers it'd work though.

Gee Wally ...

[WrongSizeGlass]

a computer or device that does not have appropriate protective software and operating system installed and up to date

Who determines what an appropriate protective operating system is? Does that rule out XP SP1? (or Win2K. Win ME, Win 98, etc) Does lack of AV software on my Mac or Linux box define my computer as 'unprotected'? And does 'up to date' refer to the AV definitions, the OS patches or just the latest & greatest releases (such as Vista and/or IE 7)?

All about Trust.

[Shambly]

I don't trust the banks to secure their data or use it in non malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completly secure. All of these have reasons not to trust each other since all of these have failed at some point or another. I think i'll stick to ATM's for my needs. At least if it fails it's their hardware that's getting blamed and not mine.

banks find secure connection

[192939495969798999]

the bank just wants to install a little program and ask for your various identification numbers, biometrics, etc. What could be dangerous about trafficking that information plus the apparent security info about your computer over the internet?

Re:

[Ungrounded Lightning]

It was sarcasm. Laugh.

Why not...;

[packetmon]

Here is my hard drive-less Dull unInspiron running Knoppix

About damn time.

[wiredog]

If more companies that consumers interact with begin to insist that the consumers use good security practices then the consumers will either do so, or get offline. Or pay through the nose, and then do so or get offline. Any one of which will, eventually, reduce the numbers of people susceptible to bots, trojans, and other malware.

Because the payment

[wiredog]

encourages them to become less ignorant. It's not that difficult to learn how to keep your security updated. If it is, pay someone else to do it for you.

sure thing

[hurfy]

Just show me what security YOU run before i give you my money to take care of ;P

Sounds right to me.

[Ungrounded Lightning]

Just show me what security YOU run before i give you my money to take care of ;P

Seems to me it's a reasonable request.

If they're dumping responsibility for security breaches on their customers, I'd be they're having trouble on their end of the comm line, too. This sort of thing would not make me confident in their operation.

Alternatively, they may be having a LOT of fraud costs from software targeting their particular customers. If they were reduced to announcing that the users with infected computers are

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[kiwimate]

Is it just me or does it seem like the only correct answer to the bank's request would be, "I'm sorry, I am so security conscious that I simply cannot allow you to access my computer"?

In which case -- says the article -- they may refuse your claim.

If I was subject to this...

[JesseL]

I'd probably just set up a sandbox in VMware or something similar, to do all my online banking.

Re:

[graphicartist82]

How can you make the case that your guest OS is secure if the host is found to be insecure?

Re:

[JesseL]

Who's gonna find anything about the host? That's the whole point. Let them see what I want them to see, satisfy them them that everything is A-OK, and keep the rest of the box fee from their snooping.

Re:If I was subject to this...

[CastrTroy]

I was just thinking about something similar. If the bank is so worried about the user's system being comprimised, then they should send out CDs with a VMWare image that the user can run so that it's known to be safe. There's probably still some attack vectors, because the Host OS could be majorly compromised, but it would make the process a whole lot more secure. But the VM Image could be signed, so that it could be verified to be unchanged upon each boot, and the memory contents could even be kept encrypted. It would also make sense for the access point of the bank not to be an actual web page you could visit with any browser, preventing people clicking on links in their email, or even being used to visiting the site in the browser. It would be plenty fast for online banking, and would take a lot of the risk out. But then again, they're probable going to just keep on adding layer after layer of stupid "security" functions like asking you your mother's maiden name (because nobody knows that information).

They want to "know if it's secure", huh? Well...

[The_REAL_DZA]

...if they can access it, it ain't secure. 'nuff said.

uptodate is perfectly cromulent

[XaXXon]

When did 'uptodate' become a word?

Oh that's right. It's not. Try 'up-to-date'.

Who Decides what is 'Appropriate Software'?

[CodeBuster]

Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed.

What is and is not appropriate and who decides that? If it is the banks then you can bet that Linux and FOSS will probably not be on the pre-approved list and will require substantial hassles to be approved by the bank. Perhaps they intend to run Active-X controls on their sites t

The phishing scam

[mh1997]

Helo,

I am frum the National Bank of Nijeria, after providing your name, social security number, bank acount number, and routin information, pleaze instal the attached file so that we may check your securitee settings. Pleaze disreagard all mispelings an gramer mistakes in this email, we were forced to outsource securty email to another countries to save you money and provide the best service that you are familar with us.

In Soviet Russia ...

[SplatMan_DK]

In Soviet Russia, internet banking systems intrude on YOUR privacy.

Oh ... wait a minute ...

Burden of proof?

[gregor-e]

To be safe, the bank would have to require that you be able to prove that you have all the latest security add-ons and proper configuration, and that you have maintained these without a break, on every computer you've used to access their website (including, presumably, computers at work, school, your public library, etc). If their user agreement places that burden of proof on the user, then the bank will probably end up washing their hands of every fraud case. Of course, most consumers just skip the fine

Reverse the argument.

[fishthegeek]

Okay. Let's assume that the banks are somewhat justified in asking for the right to inspect a users pc. If I were in New Zealand I would be petitioning my lawmakers for the right to sue for damages beyond actual loss when, by reason of lack security, personal information is compromised and theft is the result.

A quick search on google resulted in a large list of banks that have lost information or had fraud that was the result of a security breach. My personal favorite from the list was this little gem from no other than the Bank of New Zealand. Apparently theives outfitted a few ATMs with skimming devices and harvested the account & pin information from the banks customers cards. The bank is resonsible for the security of those ATM's and should be held accountable for more than just the theft of cash.

http://www.finextra.com/fullstory.asp?id=15177

When banks take fraud seriously enough to protect themselves and their devices then I might take their position a little more seriously.

Use Quicken, no protection

[russotto]

Looks like if you use the Quicken PIN-vault feature, or Apple's Keychain, or any other method (including paper) for retaining the PIN and password, the bank can tell you it's your fault. Nice. So you've got to remember all those secure passwords yourself. (if you use an insecure password, you're liable).

Under the rules they're setting up, the only reasonable thing to do is go back to using tellers.

Re:

[doctormetal]

There is one simple solution: don't store your bank information on your computer.
My bank uses a device [vasco.com] which, combined with the bank card, generates 8 digit codes to use for authentication and verification.
This device is not connected to a computer.

For confirmation of any transaction you need to enter the confirmation code from the website on the device.
The device generates a signing code which must be entered on the website for confirmation.

it might be more manual actions, but it is also more secure.
My com

I understand thier dillema

[JoeCommodore]

But this is surely the wrong approach.

I can imagine:

- The IT guys at the banks are probably going to define some thin definition of security (as another /.er said it probably will also center around being Windows only). Which will be to the joy of one security company and result in legal action from a bunch of others.

- The bank will still have breaches as they find that the security measures for that circumstance may work, but when connected wirelessly or at a hotel room, not to mention advances in virtuli

Central Bank of New Zealand

[Timesprout]

We are glad to see such wide coverage of our new security measures. We are Central Bank are totally focussed on giving our users the most secure online banking experience possible. To that rnd and to help speed up the implementation of our new security measures could all Slashdot readers resident in New Zealand please respond to this post citing

(i) Full name, DOB and Address
(ii) Account number
(iii) Internet banking login name and password
(iv) Credit card number, expiry date and security code
(v) IP address and machine user name and password

Thank you for you assistance in this matter and we will report the security status of your machine to you as quickly as possible. If you feel uncomfortable entering this information you can always download our helper program (RapeMyAccountLikeItsaSheep.exe) from our website [pleasetakeallmymoney.com].

Central Bank
New Zealand

SCAM WARNING Re:Central Bank of New Zealand

[zsau]

Please be aware that this is a scam! The New Zealand central bank is in fact called the "Reserve Bank of New Zealand". Don't provide the information the post asks for from him.

Retarded idea - NOT security

[gnuman99]

This is just an attempt to deflect blame from themselves to the user. When your account gets defrauded, they *will* find something on your computer that does not add-up and indicate that they are not liable. Then what do you do? Sue?

The only real security alternative to this is to distribute hardware security devices that generate a password every 60 seconds or so. Then to sign in, you'd have to provide your username, password and the hardware security device generated number. Then even if your box is 0wned

suggestions to banks

[fred fleenblat]

I'd like to see some additional on-line banking security in these areas:

1. 100% first-class support for macs, linux, solaris, firefox, opera, etc. Any environment that is less targetted than windows+IE should be encouraged by the banks as a way to reduce fraud.

2. Start issuing SecurID tokens (or similar) to bank customers. This would take care of the simpler keyloggers and phishing attacks.

3. Pay attention to the IP addresses. Compare them to known bot-infested netblocks. Track the IP's that a particular customer uses and flag it when it's not from their home ISP or employer's http proxy.

4. Don't allow wire-transfers or on-line bill pay of large amounts to arbitrary parties via the web banking interface.

5. Look for *patterns*. Change of address followed by any kind of withdrawal or request for a card or checks. Transactions from different people's accounts sending money to the same or similar destination. Hire some game AI dude or data mining people to proactively look for fraud in real time instead of waiting for customers to report missing funds.

6. Criminally investigate fraud. Don't just push the problem back on the customer or write it off as a business expense, actually go out and prosecute the people committing the fraud. Hire the RIAA's legal staff and put them to good use.

7. Implement an undo. On-line transactions should only be allowed to/from banks and financial institutions that pledge to reverse any disputed transaction (instantly) and assist in investigating those who would have benefited from it.

Just my thoughts.

Re:

[cdrguru]

It would be nice if banks agressively prosecuted credit card and other banking fraud.

But it doesn't work for them. It is extremely expensive to do this and the evidence may be very questionable for criminal prosecution. With any online activity it is next to impossible to prove who was behind the keyboard so without a huge pattern of receiving goods and services from credit card fraud there isn't going to be a conviction.

There is also the question of deterrent value. Right now, the security people will s

My bank is incompetent

[cdn-programmer]

The problem with this idea is that as my bank demonstrates - they are incompetent. Mind you the vast majority of people have practically no clue whatsoever about security and hence the bank does need to do something to protect itself. At present they have a HUGE liability and this is illustrated by the fact that there are keystroke loggers and viruses residing in at least 1/3 of PC's at one time or another.

Now here is a for instance to illustrate the outright incompetence of my bank's tech support people:

One of their servers was misconfigured and reported a file not found error. Of course - they sent it to me. The message contained the IP address and the apache version number. Sooo... I know what internal addresses they are using and what version of the webserver daemon. No big deal.

But why do they send their error messages to the client? Am I suppose to debug it for them? A guess the short answer might be "yes" because I - along with a number of other programmers - might be working in the apache source code so potentially we do debug their systems. But this was just a misconfiguration.

So I was nice enough to call their tech support and advise them of the problem. The tech support person insisted I re-boot my computer! Not only this she would NOT pass on my error report to the department which handles their servers. When I demanded to speak with her supervisor I found the supervisor also stonewalled me. So I flatly told her that she is incompetent and as such should not be making decisions about things she knows nothing about. Since she would not pass the error report to the people responsible for dealing with it - she made the decision that it isn't necessary for them to know one of their servers was misconfigured.

So this is what you get. Banks are large beauracratic organisations filled with incompetent people who like to sweep things under the rug and are too stupid to both think outside of the box or pass even a trouble report over to someone who might be responsible for dealing with it.

Why would we want people like this to run code in our computers? Why would we want to be held resonsible for their errors - which will happen under the New Zealand system?

This reminds me when I wanted to set up an e-commerce system. The bank at the time was in bed with a company out of India. They wanted the root password for my servers. I said No.

Why should I had over the root password to a group of unknown people in India? If something happens have I any recourse against them? Of course not. Sue in an Indian Court? Bullshit! We all know that would go nowhere and be bloody awful expensive and even if we did win India has laws which prevent money leaving their country. You can pay money to Indian citizens after you go to great trouble - but just forget the idea of taking money out of the country.

So its triple-ly a poor idea to hand over a root password to a company in a foreign country! Of course I advised the bank that their e-commerce terms were totally unacceptable.

Guess what? The company they dealt with in India was bankrupt within a year. It truely was fly by night.

This is what you get from large beauracratic organisations filled with incompetent people: You get really dumb ideas hatched.

Richard Feynman writes in one of his books about the incompetence of the military with regard to the Manhattan project at Los Almos. Back then they had a hole in the fence. They had guards stationed at the main entrance and made everyone sign in and out. But they didn't fix the hole in the fence and didn't station guards there either. So Feynman too great joy for a while by entering through the main gate and signing in - then exiting via the hole and signing in again. This did not trigger a red light in the guard's mind. Neither did me telling the tech support person at my bank that one or more of their servers was misconfigured and was bitching about it.

The short of it is that the banks really do have a problem and the way they handle things they are probably some of the worst people to address their problems. In part - this is why the banks have a serious problem.

Security of user systems for home banking

[secPM_MS]

Neither the Internet (Peter G. Neumann, Practical Architectures for Survivable Systems and Networks, 63- 66 (2000), at http://www.csl.sri.com/~neumann/arl-one.pdf [sri.com]) nor the PC were designed to provide trustworthy critical services. The Internet model was designed to be robust against significant physical destruction of communications links and nodes. The PC started as a personal hobbiest device and migrated to more general usages. The UNIX systems started from timesharing and migrated both up and down. No sy

Banks don't give a f**k about security

[Alain Williams]

At least twice this year I have had someone from the bank 'phone me up out of the blue, say that they are from Nat West Bank and that the need to talk to me about something ... but first would I prove who I was by answering some questions.

My reply: certainly, but they must prove who they are first.

Oh, no - that is not the way that they do things, I must prove who I am first -- by answering exactly the same security questions that someone phishing would want to know. Needless to say: I refused.

I then took this as a complaint to the bank chairman - and have received platitudes as to how they take security seriously, burble, burble, ... I'm not going to let this go: I shall chase them. I should be OK since I won't give the information out, but many people will do so.

Banks are crap.

So who decides what is 'approved'?

[nurb432]

So they decide if your OS is approved, or your antivirus vendor?

10 bucks its their 'partners' that are the only ones you get to use.

Oh wonderful. I can imagine the phone call now.

[jimicus]

Anyone who's ever dealt with the kind of call centres you get with banks knows what's going to happen.

[Rings up to complain of fraud]

Bank: Hello, this is ${BANK}, how can I help you?
Customer: Yes, I appear to have a transaction for £3000 leaving my account which I don't know anything about.
Bank: OK, I see you use our Internet banking service. Do you have antispyware software on your computer?
Customer: No, I use a....
Bank: Do you have antivirus software on your computer?
Customer: No, I use a Mac....
Bank: No antispyware, no antivirus. Not our problem. Goodbye.

Banks != technically competent

[macemoneta]

One of my banks has a bad SSL certificate configuration.

I emailed then to let them know. Their response? "Clear your cache and cookies".

I thanked them and explained that the problem wasn't on my end, that Verisign actually documented their problem and provided them with the URL. Their response? "Maybe the date on your computer is wrong, our certificates expire in 2011".

I again explained that it wasn't a certificate expiration issue, and in fact the certificate in question expired in 2009. Their response? "No one else is reporting the problem". I stopped reporting the issue, and we started moving money elsewhere.

The problem isn't so much that they didn't have a properly configured certificate, the problem was their response to a security issue. The ticket went back and forth several times (to multiple representatives), and there was no automatic escalation or intercept. The ticket was reporting a security matter, but again, there was no intercept. I can understand not having tier 1 customer support be security experts, but the exchange exposed a complete lack of proper security practices and procedures.

I am not now, nor have I ever been impressed with the security practices at any bank. Some are just not as bad as at others. They will never be permitted to lay hands on a computer of mine.

Re:

[Bert64]

They should have a third party security testing company investigate the PC...
Also, since theyre claiming liability based on the security of your PC, you should have the right to investigate the security of their server.

Re:

[barzok]

Also, since theyre claiming liability based on the security of your PC, you should have the right to investigate the security of their server.

We all know that won't happen, thanks to the golden rule.

He who has the gold, makes the rules.

Re:

[vtcodger]

***Why on earth should a bank take a loss when it was your fault?***

I dunno. Maybe because they are the ones offering the damn service. If they can't provide it in a secure manner, why is that my problem? Now if I begged them to please offer the service ...

In any case, prudent users probably will not use these services. You don't have to be Nostradomus to project that even if the banks gain access to the user PCs,.they are unlikely to be able to act intelligently on what they find there. You also d

Re:

[Twanfox]

but if you have nine key-loggers installed from torrent trojans they can't do shit about it and it is YOUR fault your money was stolen.

So what happens if say a few of those keyloggers were installed via a mechanism that is, as of the time, unpatched by the OS developers? Is that your fault or the fault of the OS developer? What about if it was buried so deeply in your system and affected things so little that, unless you were some Guru, did not know it was even there? How about we go one step further. Is

Re:

[Lumpy]

Sounds like a plan. Problem is you are being idealistic and the bank is going to execute it in a asenine fashon.

Are they going to hire a team of $100,000.00 a year plus It experts? no. they are going to hire MSCE flunkies that dont know what a Live Cd is or what any other OS is even like.

Apple users will be liable because they don't run virus scan or spy ware scan ignoring the fact that those platforms are typically unaffected by the mess that Microsoft OS's have.

are the flunkies going to have the skills t

Re:

[Zebra_X]

IMO it's about time ppl had to take responsibility for their system.

I agree - however, to mandate that an end user must be "inspected" and "certified" to transact with them is absurd. It's not like the bank comes to your house to ensure that your locks are up to their code, and they will keep people from entering and trying to steal your checks, or account information.

The bottom line is that the bank can't or won't spend the money to provide a reasonable level of security for their online bankers. It's not

Re:

[PitaBred]

I am "save"? Jesus, is that you Lord? Just learning English since Hebrew has gone outta style?
 
;) Sorry, I just had to... and I don't even believe in jeebus

Re:

[CastrTroy]

You should probably add in "sleep 600" to make it look likes it's actually scanning for something.

Re:

[SplatMan_DK]

What? I get a Troll mod for that post?

*LOL* ... you gotta be kiddin ... :-D

Re:

[robo_mojo]

"Why not provide customer with an anti virus/malware/spyware of bank's choosing before letting customers make transactions ?"

Because that means the bank would be responsible if something went wrong. And the banks don't want that responsibility, hence this whole deal.