New Zealand Banks Demand a Peek at User PCs
Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are uptodate.'"
Nothing for you to see here. Please move along.
I was wondering what the end of internet banking would look like, and this is it.
I'll go right back to using the branch if they start holding me liable for using their cost-saving website.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
So, if they're allowed to inspect my client, may I inspect their server? No?
All of you damned users not running Microsoft OS will be liable.
Just because anti-spyware software does not exist for your software platform is no excuse!
you BeOs users! how dare you not run a Virus scanner app!
gotta love Bank executives asking for things they dont even have the slightest clue about.
Do not look at laser with remaining good eye.
The police should immediately adopt this.
Want to file a criminal report? Let us search your home first, citizen. As long as it's not mandatory, things are perfectly legal since you're consenting to it. You're free to stop using our services at any time.
I really have to wonder if this is a kneejerk reaction to Banks having fraud problems?
I think this is pretty extreme measure, as if companies didn't already have enough data about people already. What exactly is the criteria for a 'secure' system? Sounds like a lot of BS to me.
...if your bank can take a peek?
Load New Commander (Y/N)?
IMO it's about time ppl had to take responsibility for their system. Why on earth should a bank take a loss when it was your fault? I don't get to go to the bank and expect them to replace the cash I withdrew yesterday that got stolen from my pocket.....This might be the push ppl need to get them to pay attention.....computers are here to stay....the "I don't understand computers very well excuse is really old.....just because you don't understand the way a locking mechanism in your door works doesn't mean you shouldn't fix it if it is broken.....
So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?
I hope the average computer user in NZ is smarter with computers than the average user in the US. Most of the (non-tech) people I know are mystified even by automatic OS updates.
All the "protective software/systems" in the world won't protect users from their own stupidity. Yes, trust that e-mail from your bank asking for your SSN and password! You're running Windows Defender, so you're perfectly safe!
I don't trust the banks to secure their data or use it in non-malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completely secure. All of these have reasons not to trust each other since all of these have failed at some point or another. I think I'll stick to ATMs for my needs. At least if it fails it's their hardware that's getting blamed and not mine.
the bank just wants to install a little program and ask for your various identification numbers, biometrics, etc. What could be dangerous about trafficking that information plus the apparent security info about your computer over the internet?
Here is my hard drive-less Dull unInspiron running Knoppix
Infiltrated dot Net
If more companies that consumers interact with begin to insist that the consumers use good security practices then the consumers will either do so, or get offline. Or pay through the nose, and then do so or get offline. Any one of which will, eventually, reduce the numbers of people susceptible to bots, trojans, and other malware.
Just show me what security YOU run before i give you my money to take care of ;P
Is it just me or does it seem like the only correct answer to the bank's request would be, "I'm sorry, I am so security conscious that I simply cannot allow you to access my computer"?
I'd probably just set up a sandbox in VMware or something similar, to do all my online banking.
"Prefiero morir de pie que vivir siempre arrodillado!"
...if they can access it, it ain't secure. 'nuff said.
This space intentionally left (almost) blank.
Hey if world of warcraft can get away with it, it was just a matter of time before everyone starts using the approach.
When did 'uptodate' become a word?
Oh that's right. It's not. Try 'up-to-date'.
On topic, most of the banks here are Australian owned, so I don't think many people cared if they lost a little bit of money. In any case, I'm all for some small advantage if I can show that I keep uptodate antivirus software on my computer.
My bank has just released a system where I can add an extra authentication using my mobile phone, so I can make online transactions of up to $10,000.
...how often will they do the check? will they visit me at home unheralded? or how do they actually want to determine that i just use THAT special computer? honestly, besides any privacy matters, it's just leaving me with a stupid grin on my face. this is more like a sort of PR-stunt gone miserably wrong.
What about those users that have a transient vmware instance of an OS that only does one banking session at a time and get "shred -v -n 25 -z -u" 'ed?
Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed.
What is and is not appropriate and who decides that? If it is the banks then you can bet that Linux and FOSS will probably not be on the pre-approved list and will require substantial hassles to be approved by the bank. Perhaps they intend to run Active-X controls on their sites to run and enforce these checks? How long until we see a "Banking Designed for Windows" or "Certified Banking for Windows" logo campaign complete with FUD marketing issuing warnings and alerts concerning "risky" open source or free products?
I am frum the National Bank of Nijeria, after providing your name, social security number, bank acount number, and routin information, pleaze instal the attached file so that we may check your securitee settings. Pleaze disreagard all mispelings an gramer mistakes in this email, we were forced to outsource securty email to another countries to save you money and provide the best service that you are familar with us.
This attempt by the banking industry to shift transactional liability away from their servers and onto the backs of the consumers is what I'd expect from the ruthless rat bastards. Don't think something like this would fly in the U.S. Notwithstanding the fact that our government is spending a king's ransom getting all up in our computers already (NSA-FBI), our citizenry would be OUTRAGED and OFFENDED if they thought their bank was all up in their hard drives! Pity the bank that tried to pull that chicanery over here in our independent, democracy minded, privacy loving people. We, (as normal lucid citizens) don't seem to have the ability to do anything about all the government spying and abuse because, among other things, corporate interests are aiding and abetting in this effort (who's to say the New Zealand pc 'scanning' doesn't have the ability for abuse/misuse by some corporate spy or government fascist?). Here in America, we have the ability on the personal level to avoid those corporations who facilitate and profit by working with the government in mass producing the technical equivalent of Zyklon B. We'd avoid any online banking that required our PCs be probed. Just like we're avoiding AT&T right now for helping our government spy on us while no doubt contracting for the service (private mercenary telecom army). Enough on my rant against AT&T, and the many evil corporate minions who are enabling the commander in thief. I've got other things to do. My Iphone awaits. Enjoy.
This ain't no upwardly mobile freeway This is the road to hell
"What is a bank supposed to do in this situation?"
Go to a judge, and ask for a subpoena?
That is ridiculous, that is equivalent to saying a customer should have to sue the bank to get their money back rather than have some prearranged agreed upon process. If you want to bring the courts in on such transactions consider how the judge is likely to rule when it is discovered that the customer didn't have current anti-virus, etc. There is nothing wrong with having some prearranged agreement, and nothing wrong with *both* parties having to give up something, for the bank the stolen funds and for the customer having their anti-virus and firewall settings inspected. I do not think you have thought this through, getting the courts involved will probably not help the consumers.
To be safe, the bank would have to require that you be able to prove that you have all the latest security add-ons and proper configuration, and that you have maintained these without a break, on every computer you've used to access their website (including, presumably, computers at work, school, your public library, etc). If their user agreement places that burden of proof on the user, then the bank will probably end up washing their hands of every fraud case. Of course, most consumers just skip the fine print and will only become aware of this requirement once they have no recourse for having been defrauded.
Okay. Let's assume that the banks are somewhat justified in asking for the right to inspect a users pc. If I were in New Zealand I would be petitioning my lawmakers for the right to sue for damages beyond actual loss when, by reason of lack security, personal information is compromised and theft is the result.
A quick search on google resulted in a large list of banks that have lost information or had fraud that was the result of a security breach. My personal favorite from the list was this little gem from none other than the Bank of New Zealand. Apparently thieves outfitted a few ATMs with skimming devices and harvested the account & pin information from the bank's customers' cards. The bank is responsible for the security of those ATMs and should be held accountable for more than just the theft of cash.
http://www.finextra.com/fullstory.asp?id=15177
When banks take fraud seriously enough to protect themselves and their devices then I might take their position a little more seriously.
load "$",8,1
Looks like if you use the Quicken PIN-vault feature, or Apple's Keychain, or any other method (including paper) for retaining the PIN and password, the bank can tell you it's your fault. Nice. So you've got to remember all those secure passwords yourself. (if you use an insecure password, you're liable).
Under the rules they're setting up, the only reasonable thing to do is go back to using tellers.
...they want to put spyware on our computer... so they can see.. if we have spyware on our computers.
Anyone else see something funny here?
it sounds reasonable to me.
But this is surely the wrong approach.
I can imagine:
- The IT guys at the banks are probably going to define some thin definition of security (as another /.er said it probably will also center around being Windows only). Which will be to the joy of one security company and result in legal action from a bunch of others.
- The bank will still have breaches as they find that the security measures for that circumstance may work, but when connected wirelessly or at a hotel room, not to mention advances in virtualization, etc. it then becomes a completely different matter, and then they have to add more rules and regs. etc.
Can I offer a near perfect solution, yes, no on-line banking from anything not owned and maintained 100% from the bank (which includes the wires connecting the system, and where the remote units are housed).
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
In A.D. 2007, internet fraud was beginning.
....
(or: a quiet evening at the Petersons)
Mom: What happen ?
Dad: Someone set up us the malware.
Son: We get signal.
Mom: What !
Son: Main screen turn on.
Mom: It's you !!
BANK: How are you gentlemen !!
BANK: All your PC clients are belong to us.
BANK: You are on the way to destruction.
Mom: What you say !!
BANK: You have no chance to survive make your time.
BANK: Ha Ha Ha Ha
Son: Mom !!
Mom: Take off every 'Internet banking app.' !!
Mom: You know what you doing.
Mom: Remove 'Internet banking app.'.
Mom: For great justice.
My security clearance is so high I have to kill myself if I remember I have it...
We are glad to see such wide coverage of our new security measures. We at Central Bank are totally focused on giving our users the most secure online banking experience possible. To that end and to help speed up the implementation of our new security measures could all Slashdot readers resident in New Zealand please respond to this post citing
(i) Full name, DOB and Address
(ii) Account number
(iii) Internet banking login name and password
(iv) Credit card number, expiry date and security code
(v) IP address and machine user name and password
Thank you for your assistance in this matter and we will report the security status of your machine to you as quickly as possible. If you feel uncomfortable entering this information you can always download our helper program (RapeMyAccountLikeItsaSheep.exe) from our website.
Central Bank
New Zealand
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
You agree to pay the poster the sum of U.S. $100,000,000,000.00. Please call 41. I'm too busy getting ready for my Paraguay flight.
I need some quick cash to explain the Iraq deficiencies although most of the U.S. population is brain-dead about the vast sums we've kickbacked to ourselves.
Insincerely as usual,
W.
I think you're spot on with your observation. Might I point to the submission in total for a moment though? I expect a slashdot audience to get the sarcasm, if not earlier in the piece, then certainly where I juxtapose the AT&T rant with the need to rush out and get an Iphone. The only Iphone provider in the US is AT&T. I believe that phone will be so hot that if AT&T required both a technical and BIOLOGICAL probe as a requirement for purchase there would still be no dearth of customers. Matter of fact, by the end of the first week, the only thing you'd be hearing in the mainstream media was how good a thing the probing really was. A colonic for both man and machine. Enjoy.
This is just an attempt to deflect blame from themselves to the user. When your account gets defrauded, they *will* find something on your computer that does not add-up and indicate that they are not liable. Then what do you do? Sue?
The only real security alternative to this is to distribute hardware security devices that generate a password every 60 seconds or so. Then to sign in, you'd have to provide your username, password and the hardware security device generated number. Then even if your box is 0wned, your money is quite safe.
The bank could then report any failed accesses. They could also block your account if either of the above is not entered correctly more than 3 times in a row, or something like that.
But that would be security. What they are proposing is just an ability to deflect blame for stolen capital from them to you.
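The token scheme the comment sketches (a device deriving a fresh code from a shared secret every 60 seconds, checked alongside username and password, with a freeze after repeated failures) is shown below as an added example, not code from the thread or from any bank. The code derivation is the standard HOTP/TOTP construction (HMAC-SHA1 over a big-endian counter with dynamic truncation); the account class, the salt, the 3-failure lockout and the replay check are assumptions made for the example.

```python
"""Time-based one-time-code login with a consecutive-failure lockout.

Added example: models a hardware token that rolls a 6-digit code every
60 s, a bank-side check of username + password + code, and an account
freeze once more than three consecutive attempts fail (the comment's
"more than 3 times in a row").
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # token period from the comment
DIGITS = 6
MAX_FAILURES = 3    # a fourth consecutive failure locks the account


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(now / step)."""
    return hotp(secret, now // step)


class BankLogin:
    """One customer's credentials plus the bank-side failure counter (assumed design)."""

    def __init__(self, username: str, password: str, token_secret: bytes):
        self.username = username
        self.salt = b"constructed-salt"  # constructed; a real system uses os.urandom
        self.password_hash = self._hash(password)
        self.token_secret = token_secret
        self.failures = 0
        self.locked = False
        self.last_counter = -1  # highest time step already accepted (blocks replay)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, username: str, password: str, code: str, now: int,
              window: int = 1) -> str:
        """Return 'ok', 'denied' or 'locked' for one sign-in attempt at time `now`."""
        if self.locked:
            return "locked"
        pw_ok = hmac.compare_digest(self._hash(password), self.password_hash)
        counter = now // STEP_SECONDS
        matched = None
        # Accept the current step and +/- `window` steps for clock drift, but
        # never a step that has already been used (a captured code is single-use).
        for c in range(max(0, counter - window), counter + window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.token_secret, c), code):
                matched = c
                break
        if username == self.username and pw_ok and matched is not None:
            self.failures = 0
            self.last_counter = matched
            return "ok"
        # Username, password and code are checked together so a caller learns
        # only that the attempt failed, not which factor was wrong.
        self.failures += 1
        if self.failures > MAX_FAILURES:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = BankLogin("alice", "correct horse", b"12345678901234567890")  # constructed
    print(acct.login("alice", "correct horse", totp(acct.token_secret, 120), 120))
```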
In Soviet Russia, internet banking systems intrude on YOUR privacy.
... wait a minute ...
Oh
IMO it's about time ppl had to take responsibility for what lengths other companies go to to shrug off responsibility. Why on earth should something like a bank work to protect your assets when they can take the cheap way out? I don't get to go to the bank and expect them to replace the cash I lost because someone impersonated me and opened a new card account / loan because the bank was too cheap to check if it actually was me.....This might be the push ppl need to get them to pay attention to how their banks give no shit about them whatsoever.....profit is here to stay....the "I don't understand why institutions that exist to protect my assets while profiting off them are doing this" excuse is really old.....just because you don't understand they don't give two shits about you doesn't mean you shouldn't trust them with your assets.....
But I'd rather be responsible for my own computer security than the bank be allowed to root around in my computer.
... all while you watch. To do otherwise would drive customers from banks that arbitrarily root around to banks that do an appropriately focused search.
That is probably a gross exaggeration. Rather than arbitrarily root around a technician will probably come to your home, and check your OS version and patches, anti-virus version and updates, firewall,
Your "eat my own losses" argument has two primary flaws.
(1) You assume the mistake was the customers, not the banks. Those who are sure the error was on the banks side will be more likely to cooperate in ruling out their home computers.
(2) Privacy has a price, and often a limit. If the account emptied was a savings account with a lot of money rather than a checking account with a small amount of money then the customer will become increasingly cooperative.
This is an interesting position for several reasons:
1) It is the most clear admission that even banks can not defend completely their own infrastructure, even on their own network, infrastructure, application environment.
It really puts a huge question mark on the viability of e-commerce in the future, especially at a time, when banks are pushing even to banking over cellphones.
2) The natural reaction from a user point of view is that if banks, with huge financial, technical, human resources are unable to provide 100% protection, how are individual computer users, customers supposed to be able to do it in a much less controlled home environment? How realistic is the expectation for home users to match up with banks?
3) Even if a home user is using a firewall, applies updates, etc. it's well documented that all the security products have security flaws from time to time. Even giants like Microsoft can't patch security holes immediately; it's common knowledge how security flaws were not fixed for a long time, even when Microsoft knew about them.
This begs the question: will Microsoft - and all other companies whose products are in any way within the chain of e-commerce - be legislated to provide fixes within a limited, short time frame, or else... ?
4) If banks have the right to pass their liability on to their clients, there is no reason why users should not be able to pass it further down to ISPs, networking devices, PC hardware, software manufacturers.
5) What if the transaction was done using a corporate PC? It will be interesting to see, how all those players will try to push the liability on each other.
6) Are we going to see a new breed of products: the "e-commerce certified" PC?
Will all "non-certified" PCs eventually be barred from online banking and e-commerce?
Is this going to be the end of e-commerce? Will banks be the driving force to bankrupt Microsoft and other tech companies?
I'd like to see some additional on-line banking security in these areas:
1. 100% first-class support for macs, linux, solaris, firefox, opera, etc. Any environment that is less targeted than windows+IE should be encouraged by the banks as a way to reduce fraud.
2. Start issuing SecurID tokens (or similar) to bank customers. This would take care of the simpler keyloggers and phishing attacks.
3. Pay attention to the IP addresses. Compare them to known bot-infested netblocks. Track the IP's that a particular customer uses and flag it when it's not from their home ISP or employer's http proxy.
4. Don't allow wire-transfers or on-line bill pay of large amounts to arbitrary parties via the web banking interface.
5. Look for *patterns*. Change of address followed by any kind of withdrawal or request for a card or checks. Transactions from different people's accounts sending money to the same or similar destination. Hire some game AI dude or data mining people to proactively look for fraud in real time instead of waiting for customers to report missing funds.
6. Criminally investigate fraud. Don't just push the problem back on the customer or write it off as a business expense, actually go out and prosecute the people committing the fraud. Hire the RIAA's legal staff and put them to good use.
7. Implement an undo. On-line transactions should only be allowed to/from banks and financial institutions that pledge to reverse any disputed transaction (instantly) and assist in investigating those who would have benefited from it.
Just my thoughts.
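Three of the checks in the list above (flag logins from outside a customer's usual networks or from a known bot-infested netblock, an address change followed by a withdrawal or card request, and several accounts paying the same destination) are worked as an added example below; it is not code from the thread or from any bank. The event format, the networks, the netblock feed, the windows and the thresholds are all constructed for the example.

```python
"""Rule-based fraud-pattern detection over a constructed transaction log.

Added example. Rules implemented:
  1. login IP inside a known-bad netblock, or outside the customer's usual networks
  2. address change followed within 7 days by a withdrawal / card / cheque request
  3. two or more distinct accounts transferring to the same destination within 24 h
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed: networks each customer normally connects from (home ISP, employer proxy).
USUAL_NETWORKS = {
    "acct-1001": [ipaddress.ip_network("203.0.113.0/24")],
    "acct-1002": [ipaddress.ip_network("198.51.100.0/24")],
    "acct-1003": [ipaddress.ip_network("198.51.100.0/24")],
}
# Constructed stand-in for a bot-infested netblock feed.
BAD_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

ADDRESS_CHANGE_WINDOW = timedelta(days=7)
SHARED_DEST_WINDOW = timedelta(hours=24)
SHARED_DEST_MIN_ACCOUNTS = 2
RISKY_AFTER_ADDRESS_CHANGE = ("withdrawal", "card_request", "cheque_request")

# Constructed sample events: (timestamp, account, action, source IP, detail).
SAMPLE_EVENTS = [
    ("2007-06-01T09:00", "acct-1001", "login",          "203.0.113.7",  ""),
    ("2007-06-01T09:02", "acct-1001", "address_change", "203.0.113.7",  ""),
    ("2007-06-03T14:10", "acct-1001", "card_request",   "203.0.113.7",  ""),
    ("2007-06-02T22:30", "acct-1002", "login",          "192.0.2.44",   ""),
    ("2007-06-02T22:31", "acct-1002", "transfer",       "192.0.2.44",   "dest:ACC-999"),
    ("2007-06-03T01:05", "acct-1003", "login",          "198.51.100.9", ""),
    ("2007-06-03T01:06", "acct-1003", "transfer",       "198.51.100.9", "dest:ACC-999"),
    ("2007-06-04T10:00", "acct-1003", "login",          "198.51.100.9", ""),
]


def check_ip(account: str, ip: str):
    """Rule 1: return an alert reason for this login source, or None if it looks normal."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BAD_NETBLOCKS):
        return "ip-in-bad-netblock"
    if not any(addr in net for net in USUAL_NETWORKS.get(account, [])):
        return "ip-outside-usual-networks"
    return None


def analyse(events):
    """Replay events in time order and return [(account, reason, timestamp), ...]."""
    parsed = sorted(
        ((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), acct, action, ip, detail)
         for ts, acct, action, ip, detail in events),
        key=lambda e: e[0],
    )
    alerts = []
    last_address_change = {}            # account -> time of most recent address change
    dest_payers = defaultdict(list)     # destination -> [(time, account)] within window
    for ts, acct, action, ip, detail in parsed:
        if action == "login":
            reason = check_ip(acct, ip)
            if reason:
                alerts.append((acct, reason, ts))
        elif action == "address_change":
            last_address_change[acct] = ts
        elif action in RISKY_AFTER_ADDRESS_CHANGE:
            # Rule 2: a sensitive request soon after an address change
            changed = last_address_change.get(acct)
            if changed is not None and ts - changed <= ADDRESS_CHANGE_WINDOW:
                alerts.append((acct, "address-change-then-" + action, ts))
        elif action == "transfer":
            # Rule 3: many accounts funnelling money to one destination
            dest = detail[len("dest:"):] if detail.startswith("dest:") else detail
            recent = [(t, a) for t, a in dest_payers[dest] if ts - t <= SHARED_DEST_WINDOW]
            recent.append((ts, acct))
            dest_payers[dest] = recent
            if len({a for _, a in recent}) >= SHARED_DEST_MIN_ACCOUNTS:
                alerts.append((acct, "shared-destination:" + dest, ts))
    return alerts


if __name__ == "__main__":
    for account, reason, when in analyse(SAMPLE_EVENTS):
        print(when.isoformat(), account, reason)
```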
The problem with this idea is that as my bank demonstrates - they are incompetent. Mind you the vast majority of people have practically no clue whatsoever about security and hence the bank does need to do something to protect itself. At present they have a HUGE liability and this is illustrated by the fact that there are keystroke loggers and viruses residing in at least 1/3 of PC's at one time or another.
Now here is a for instance to illustrate the outright incompetence of my bank's tech support people:
One of their servers was misconfigured and reported a file not found error. Of course - they sent it to me. The message contained the IP address and the apache version number. Sooo... I know what internal addresses they are using and what version of the webserver daemon. No big deal.
But why do they send their error messages to the client? Am I supposed to debug it for them? I guess the short answer might be "yes" because I - along with a number of other programmers - might be working in the apache source code so potentially we do debug their systems. But this was just a misconfiguration.
So I was nice enough to call their tech support and advise them of the problem. The tech support person insisted I re-boot my computer! Not only this she would NOT pass on my error report to the department which handles their servers. When I demanded to speak with her supervisor I found the supervisor also stonewalled me. So I flatly told her that she is incompetent and as such should not be making decisions about things she knows nothing about. Since she would not pass the error report to the people responsible for dealing with it - she made the decision that it isn't necessary for them to know one of their servers was misconfigured.
So this is what you get. Banks are large bureaucratic organisations filled with incompetent people who like to sweep things under the rug and are too stupid to both think outside of the box or pass even a trouble report over to someone who might be responsible for dealing with it.
Why would we want people like this to run code in our computers? Why would we want to be held responsible for their errors - which will happen under the New Zealand system?
This reminds me when I wanted to set up an e-commerce system. The bank at the time was in bed with a company out of India. They wanted the root password for my servers. I said No.
Why should I hand over the root password to a group of unknown people in India? If something happens have I any recourse against them? Of course not. Sue in an Indian Court? Bullshit! We all know that would go nowhere and be bloody awful expensive and even if we did win India has laws which prevent money leaving their country. You can pay money to Indian citizens after you go to great trouble - but just forget the idea of taking money out of the country.
So it's triply a poor idea to hand over a root password to a company in a foreign country! Of course I advised the bank that their e-commerce terms were totally unacceptable.
Guess what? The company they dealt with in India was bankrupt within a year. It truly was fly by night.
This is what you get from large bureaucratic organisations filled with incompetent people: You get really dumb ideas hatched.
Richard Feynman writes in one of his books about the incompetence of the military with regard to the Manhattan project at Los Alamos. Back then they had a hole in the fence. They had guards stationed at the main entrance and made everyone sign in and out. But they didn't fix the hole in the fence and didn't station guards there either. So Feynman took great joy for a while by entering through the main gate and signing in - then exiting via the hole and signing in again. This did not trigger a red light in the guard's mind. Neither did me telling the tech support person at my bank that one or more of their servers was misconfigured and was bitching about it.
The short of it is that the banks really do have a problem and the way they handle things they are probably some of the worst people to address their problems. In part - this is why the banks have a serious problem.
So, if they're allowed to inspect my client, may I inspect their server? No?
There is no need. If your system is clean they are not holding you liable and you are getting your money back.
Is the assumption that "security" programs (anti-virus, firewalls, etc.) are some measure of security. Yeah, I do keep an AV program around, even anti-spyware, etc. but they hardly ever do anything because the real security is that I don't download untrustworthy software, smilies, screen savers and other crapware, I don't fall for any of the random scams I see, and make sure I have the latest patches.
I often get asked about buying all the latest security products as if that's the answer to secure computing. But everything I use is free, and it barely matters. My most important weapons are computer literacy, a dose of paranoia, and an aversion to advertisements and adware of any kind.
The most important security tools can't be bought.
encourages them to become less ignorant. It's not that difficult to learn how to keep your security updated. If it is, pay someone else to do it for you.
The Web 2 model of browser-based scripting and interactivity has made the overall security model exceptionally difficult. It is too hard to develop secure web sites without XSS or XRF vulns, and it is too easy to use human engineering to overcome technical defenses on the end user platform -- "install this update for improved security", etc. I am highly dubious that general consumer devices are adequate for usage for arbitrary financial transactions -- features sell and what you need is assurance.
Payment of bills to known organizations / vendors can be done with reasonable risk from a home system. Monitoring accounts can be done as well. I do not believe that home systems have the necessary assurance for stock trading or similar operations without use of adjunct trusted devices to validate specific transactions as screen displays and keyboard interactions can be modified by malware.
I have a security professional friend who is now making a living as a trader. She uses locked down Windows PC's for her trading and does nothing else from them. She keeps them updated, but uses a different system for her browsing, e-mail, and general web activities. When doing security critical operations, harden the system, minimize the system functionality, and do nothing else but those operations from the system -- rather similar to a domain admin who uses a dedicated machine for their administrative tasks.
This is not what users want to believe. Sorry.
As for me, I do not do general financial operations over the web at all. I do not use ATM / debit cards. I do my selected purchases via credit card from trusted retailers from my notebook, which is running a beta of LongHorn server with me running as a normal user, not as a member of the administrators group. No one else has an account on the notebook and I don't install or run snap-ins or apps without careful consideration. My family uses the desktops, which are relatively untrusted.
My reply: certainly, but they must prove who they are first.
Oh, no - that is not the way that they do things, I must prove who I am first -- by answering exactly the same security questions that someone phishing would want to know. Needless to say: I refused.
I then took this as a complaint to the bank chairman - and have received platitudes as to how they take security seriously, burble, burble, ...
I'm not going to let this go: I shall chase them. I should be OK since I won't give the information out, but many people will do so.
Banks are crap.
So they decide if your OS is approved, or your antivirus vendor?
10 bucks its their 'partners' that are the only ones you get to use.
---- Booth was a patriot ----
Just show me what security YOU run before i give you my money to take care of ;P
Seems to me it's a reasonable request.
If they're dumping responsibility for security breaches on their customers, I'd bet they're having trouble on their end of the comm line, too. This sort of thing would not make me confident in their operation.
Alternatively, they may be having a LOT of fraud costs from software targeting their particular customers. If they were reduced to announcing that the users with infected computers are now going to pay for the resulting fraud, they're probably losing a LOT of money to fraudsters. So their pooled assets are being shrunk badly enough to hurt and they're trying to head off a run. Again not the sort of thing that would encourage me to trust them with my money.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Cisco has a product called NAC, formerly Clean Access, which might be of use in a case like this -- or at least the idea of how it works may be of use. Of course, AFAIK, NAC only works if ActiveX works, by making sure things like AV are up to date (but I bet this can be done with FF plugins and whatever Safari/Opera use, or stand-alone programs). It's not foolproof, and it's been easily bypassed, but a similar approach might work if the bank wishes to make sure the client PCs are secure while being minimally invasive.
if they are running MS. Just put out a request to some of the worm writers.
Anyone who's ever dealt with the kind of call centres you get with banks knows what's going to happen.
[Rings up to complain of fraud]
Bank: Hello, this is ${BANK}, how can I help you?
Customer: Yes, I appear to have a transaction for £3000 leaving my account which I don't know anything about.
Bank: OK, I see you use our Internet banking service. Do you have antispyware software on your computer?
Customer: No, I use a....
Bank: Do you have antivirus software on your computer?
Customer: No, I use a Mac....
Bank: No antispyware, no antivirus. Not our problem. Goodbye.
Uh, no. Nobody can sell YOUR home but you. Now, if the home belongs to the bank i.e., they have the loan, then they are allowed to call the loan in whenever they want. You have the option to pay, re-fi elsewhere, or move. But these are your choices.
I prefer the "u" in honour as it seems to be missing these days.
One of my banks has a bad SSL certificate configuration.
I emailed them to let them know. Their response? "Clear your cache and cookies".
I thanked them and explained that the problem wasn't on my end, that Verisign actually documented their problem and provided them with the URL. Their response? "Maybe the date on your computer is wrong, our certificates expire in 2011".
I again explained that it wasn't a certificate expiration issue, and in fact the certificate in question expired in 2009. Their response? "No one else is reporting the problem". I stopped reporting the issue, and we started moving money elsewhere.
The problem isn't so much that they didn't have a properly configured certificate, the problem was their response to a security issue. The ticket went back and forth several times (to multiple representatives), and there was no automatic escalation or intercept. The ticket was reporting a security matter, but again, there was no intercept. I can understand not having tier 1 customer support be security experts, but the exchange exposed a complete lack of proper security practices and procedures.
I am not now, nor have I ever been impressed with the security practices at any bank. Some are just not as bad as at others. They will never be permitted to lay hands on a computer of mine.
Can You Say Linux? I Knew That You Could.
My bank's (ASB - New Zealand) online service simply won't let me have what I would consider a secure password. The maximum length is 8 characters, which surely is the absolute MINIMUM for a secure password. Couple that with their use of Windows servers, and I'm unhappy!
And I'll bet I don't fit into their narrow-minded security definition, in fact, I bet whatever tech they would send out to examine my PC wouldn't have ever used bash and lynx before.
Also, what about people using their online banking service from an internet cafe or somesuch, is that considered safe or not?
The only reason for this is to deny a remedy to the customer who got owned. Shifting blame doesn't help anyone in the long run.
Why not provide customers with an antivirus/anti-malware/anti-spyware package of the bank's choosing before letting them make transactions?
This way, you pre-screen the computer the customer plans to use to initiate transactions, instead of HOPING it's secure and then DENYING any claim resulting from the machine being hacked.
If somebody installs a card reader at the entry to an ATM plus a camera near the PIN keypad, can the bank blame YOU for falling victim to it? It was YOU that swiped it through the wrong reader, therefore they could deny responsibility as well...
I wonder if this is the same bank which had one of their minisites for a new service hacked to include a 1x1 pixel iframe pointing to a malicious site a couple of weeks ago.
I found it and tried to call them about it, but the person on the end of the phone didn't understand what I was talking about and transferred me to the internet banking callcentre who weren't open outside of work hours.
I emailed them about it and the problem disappeared 12 hours later, but they denied any problem in the first place.
they want to pin it on someone other than themselves.
In the US this is already how it's done. But I digress...
Three probable Executive-level scenarios.
The Executive-level jokers don't have competent security professionals
The Executive-level jokers aren't listening to their own competent staff.
Hired an outside big-wig consultant who smokes the Microsoft security weed and blows some of the smoke up their skirts.
They are ignoring the very secure EMV standard because it's too expensive.
I'm inclined to believe number two.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Right. "Proper security" would be so subjective, any excuse would do for refusal. Not having a virus checker on my Linux box must surely make me high risk.
Sigh, this is why we need an "incorrect" moderation.
That is possibly the worst explanation of the money multiplier effect that i have ever heard.
which is why i use a bootable puppy linux CD to surf the internet.
Homer: Hmm, that's not the real wallet inspector...
let them in to look around, this idea is about as stupid as it gets. Do they really want to expose themselves to the liability of opening up your computer's defenses in order to allow inspections such as this? The article should have been dated April 1st...
Bank: Hello, this is ${BANK}, how can I help you?
... and then I woke up.
Customer: Yes, I appear to have a transaction for £3000 leaving my account which I don't know anything about.
Bank: OK, I see you use our Internet banking service. Do you have antispyware software on your computer?
Customer: Yes, it's called ${PROPER_OS}
Bank: Thank you. I see you have a clue - please wait while I pass you on to our technical team.
Burns: We're building a casino!
McAllister: Arrr. Give me 5 minutes.
And I'm here to check your computer's security for the bank.
What a wonderful opportunity for social engineering granny's password. Idiots. The only way they can realistically do this is if they force install of their own application to handle all bank transactions with strong encryption of everything going on and some sort of built in way to break keyloggers. As is it is completely unrealistic and creates more security holes than it closes. The whole "we will never ask you for your password" idea will be gone as you will be expected to report pins, passwords, etc. to make sure you picked a good one.
Fred
So, your bank wants to check your PC to see if you have an antivirus? Brilliant! Show them your GNU/Linux/BSD/MacOS/Solaris box and let them figure it out.
Citibank's online system worked brilliantly well with Konqueror until someone decided to update the online banking application to make it more "secure". Guess what was one of the security features they implemented. While in the past the application worked just fine with Konqueror, it is now programmed to check the browser string and completely disallows you from using the banking system unless the string is that of MSIE or Mozilla, asking you to update your "outdated" browser instead. Of course, it still runs perfectly well if you make Konqueror report an MSIE or Mozilla string. Bureaucratic organisations excel in making unnecessary choices, implementing them in the worst way possible, and presenting them as security features. Anyway, this is better than the banking applications of other banks that can work only with MSIE thanks to mystery JavaScript. But even this is nothing compared with what I have seen at another bank, where all customers get by default access to the informational banking application with their credit card number as the username and their birth date as the password, meaning that any cracker having these two pieces of information at hand would be able to find out your address, phone number, list of CC transactions, CC balance, and other private data.
I've thought about this in the past. The biggest problem is keystroke loggers -- software ones. Hardware ones are practically impossible to stop (at least, on PS/2 connectors... never thought about USB).
We're worried about programs intercepting passwords. The only way to do that is a keystroke logger, or somehow faking the bank login. A VMware image won't do anything for keyloggers.
What would do it is a bootable CD -- but trying to get drivers to work for a broad range of users makes this practically impossible. I have an infrequently used Linux install in VMWare because the last time I tried to get WiFi to work I failed miserably on my laptop...
If you have internet access at work then do all your internet banking from work.
Are they going to give the customers perfect keylogger detection and removal software? Without that all the firewalls and standard kruft in the world of "secure" computing is so much hot air. Of course many governments will object to that. Are they going to go through a rigorous and very public security audit of their own systems, especially the ones with which they wish to snoop user computers? PGP-level encryption and keylogger-free systems would do wonders for making banking and other transactions secure from crackers and all manner of legal snoops. Instead they want to tell the people what (probable business partner) software they must have on their boxes and even have free rein within your digital extension of your brain before they will deign to do business with you in a responsible manner.
E-Trade is pretty nice, give you a SecurID to log in with and stuff. Funny thing is, to activate my accounts online, I called in; the representative told me how to trick the CMS into giving me extra options. Basically if you go to a certain page it gives you some options; if you go to a DIFFERENT page first and THEN go to that page, it gives you the option to activate your accounts for online banking. So, he told me how to make their Web application behave inconsistently... effectively I just hacked into it (made it perform a function it wasn't intended to do? Yep!). I'm tempted to call them back later and tell them they need to do a severe audit of their code base... and tell their TSRs to NOT tell their customers how to make their site misbehave in strange ways.
Support my political activism on Patreon.
Please be aware that this is a scam! The New Zealand central bank is in fact called the "Reserve Bank of New Zealand". Don't provide the information the post asks for from him.
Look out!
Surely, if someone gets my password, they need to take some of my money, and put it somewhere else.
But where do they put it? A fake account? And then withdraw the money at an ATM?
Surely it's not that easy to get a fake bank account!
Where do they get their bankcard sent to? Someone else's address, and then steal it from their mail?
Not only does this violate the Privacy Act, but it would probably violate the requirement to not ask for passwords.
- Kaos games and encryption systems developer
I work for the world's second largest bank.
We tried this approach of blaming the customer whenever he lost money online.
We ended up being sued and settled for 10 times the value.
We then implemented the SecurID.
Our website now carries the slogan that says if the customer loses their money while transacting with us, we will repay them in full.
NZ banks are a bunch of pussies.
We knew then, and we know now.
St. George Bank in australia was the last bank to implement revolutionary banking in 2001. Now they too have succumbed to the quarterly reports
"Doing what i can, with what i have." ~ Burt Gummer
OECD FAIR INFORMATION PRACTICE (FIP) PRINCIPLES
In its 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the OECD enunciated eight basic principles for data privacy. These have served as a basis for a number of other regulatory guidelines, which are often referred to generically as Fair Information Principles (FIP). The United States Federal Trade Commission FIP and the EU Privacy Directive draw on the OECD document. The eight principles, drawn verbatim from the OECD document, are:
1. Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the previous principle] except: (a) with the consent of the data subject; or (b) by the authority of law.
5. Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
6. Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
7. Individual Participation Principle: An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him: within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
8. Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.
...if they can access it, it ain't secure. 'nuff said. The bank is secure, because they have your money.
You are lucky! You actually got to contact support! (or something named "support").
When I tried to contact my bank's "internet support" about the email they sent being marked as a phishing attempt (because a link specified one domain and pointed to another) I never got through. Something in their support system was not functioning.
The email itself was really sent by the bank, to a unique address I gave them that only they know, and the domain their email linked to was their domain (figuring that out required some DNS+whois detective work. More than one query).
Anyway, they seem clueless, and I wouldn't trust them in anything related to internet (though I do trust them with all my savings...)
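The two tells described in this thread, the hacked minisite carrying a 1x1 pixel iframe to a malicious site, and the bank mailing whose link text named one domain while the href pointed at another, are both mechanically detectable. The scanner below is an added example, not code from any of the posters or banks mentioned; the HTML, hostnames and bank domain are constructed for the demonstration.

```python
"""Flag two injection / phishing tells in HTML:
  - hidden iframes (0/1 pixel, display:none, visibility:hidden) whose src is off-site
  - anchors whose visible text names a different host than their href
Stdlib only; the sample page and all hostnames are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a promo page with an injected 1x1 iframe, plus a
# mailing-style link whose text and href disagree. Hostnames are made up.
SAMPLE_HTML = """
<html><body>
<h1>New savings product</h1>
<a href="https://www.example-bank.test/promo">Read more</a>
<iframe src="http://evil.example.test/x.php" width="1" height="1" style="border:0"></iframe>
<p>Log in at <a href="http://example-bank-login.test/">www.example-bank.test</a></p>
<a href="https://www.example-bank.test/help">www.example-bank.test/help</a>
</body></html>
"""

SITE_DOMAIN = "example-bank.test"   # domain the page legitimately belongs to (assumed)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _same_site(host, site):
    return host == site or host.endswith("." + site)


class Scanner(HTMLParser):
    def __init__(self, site):
        super().__init__()
        self.site = site
        self.findings = []          # list of (kind, url)
        self._a_href = None         # href of the <a> currently open, if any
        self._a_text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "") in ("0", "1") and a.get("height", "") in ("0", "1")
            hidden = tiny or "display:none" in style or "visibility:hidden" in style
            src = a.get("src", "")
            # An invisible frame loading third-party content is the classic drive-by injection
            if hidden and not _same_site(_host(src), self.site):
                self.findings.append(("hidden_iframe", src))
        elif tag == "a":
            self._a_href = a.get("href", "")
            self._a_text = []

    def handle_data(self, data):
        if self._a_href is not None:
            self._a_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._a_href is not None:
            text = "".join(self._a_text).strip().lower()
            # Only link text that itself looks like a host/URL can mislead the reader
            m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text)
            if m and m.group(1) != _host(self._a_href):
                self.findings.append(("link_text_mismatch", self._a_href))
            self._a_href = None


def scan_html(html, site_domain):
    """Return the list of findings for one HTML document."""
    s = Scanner(site_domain)
    s.feed(html)
    return s.findings


if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_HTML, SITE_DOMAIN):
        print(f"{kind}: {url}")
```

Run as a script it prints one line per finding. The link check deliberately ignores anchors whose text is ordinary prose ("Read more"): a mismatch only deceives when the visible text itself looks like an address, which is exactly the case the mail filter in the thread was objecting to.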
Let's suppose privacy concerns did not exist.
Let's suppose it was possible to know the state of your system at the time of the alleged fraud as opposed to looking afterwards.
Let's suppose this does not create a situation where a tech-savvy user can potentially game the system by checking his system after challenging a transfer.
Let's even suppose laptops and portable computers did not exist.
Still, this system is broken. Of course, a solution has been available for years: HBCI cards with class 3 or 4 readers. You get a smart-card with an external reader. This reader has its own pinpad (class 2 and above), it also has its own display to show account numbers, the amount you are about to transfer etc. (class 3 and above). I think class 4 is additionally hardened against snooping attacks, but I could be wrong. In any case, the smart card does all computations, the reader handles the important parts of the input and output. There is no remote attack vector. You must have physical access and steal the card.
In Germany, this system has worked for years and I know of no single case of abuse if the card was not stolen.
FinTS is the successor of HBCI. FinTS 3.0 offers the use of signature cards (special smart cards that fulfil certain legal requirements) which enables you to do all transactions on all accounts and with all banks with the same card you can use to sign documents etc.
FinTS 4.0 employs XML and allows asynchronous transfers, for example via signed email.
Of course, this costs money (about 40-60 Euro for the card and a good reader). And as we all know, the sheep would rather have their lives and PCs inspected by everyone and his grandma than to use a technologically sound system that is proven to work.
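The property the class-3 reader argument rests on is that the card signs exactly the fields the reader displayed and the user confirmed, so malware on the PC can neither read the PIN (entered on the reader's own pad) nor change the transfer after confirmation without invalidating the signature. The simulation below is an added example, not HBCI/FinTS code and not from any bank or vendor; it models the three parties with plain Python, uses HMAC in place of the card's real signature scheme, and all keys, account numbers and amounts are constructed.

```python
"""What-you-see-is-what-you-sign, simulated.
Host PC (possibly infected) -> Reader (own display + pinpad) -> Card (key never leaves)
-> Bank verifies the signature against the transfer it is asked to execute.
HMAC-SHA256 stands in for the card's signature; the key is shared with the bank
only because this is a toy. Every identifier below is constructed."""
import hashlib
import hmac

FIELDS = ("from", "to", "amount", "currency")
CARD_KEY = b"toy-card-secret-never-leaves-the-chip"   # constructed
CARD_PIN = "1234"                                     # constructed


def canonical(tx):
    # Fixed field order: the bytes signed are exactly the fields the reader showed.
    return "|".join(f"{k}={tx[k]}" for k in FIELDS).encode()


class Card:
    def __init__(self, key, pin):
        self._key, self._pin = key, pin

    def sign(self, pin, tx):
        if not hmac.compare_digest(pin, self._pin):
            return None
        return hmac.new(self._key, canonical(tx), hashlib.sha256).hexdigest()


class Reader:
    """Class-3 reader: the host sends a transfer; the reader shows the critical
    fields on its own display and takes the PIN on its own pad, so neither is
    visible to host software."""

    def __init__(self, card):
        self.card = card

    def sign_transfer(self, tx, user):
        shown = {k: tx[k] for k in FIELDS}          # what the display presents
        if not user.confirms(shown):
            return None
        return self.card.sign(user.enters_pin(), shown)


class Bank:
    def __init__(self, key):
        self._key = key

    def execute(self, tx, sig):
        if sig is None:
            return False
        expected = hmac.new(self._key, canonical(tx), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)


class User:
    """Confirms only the transfer she intended; types the PIN on the reader."""
    def __init__(self, intended, pin):
        self.intended, self.pin = intended, pin

    def confirms(self, shown):
        return shown["to"] == self.intended["to"] and shown["amount"] == self.intended["amount"]

    def enters_pin(self):
        return self.pin


def run(host_tamper):
    """host_tamper models what host-side software does to the transfer after the
    user confirmed it on the reader. Returns True if the bank executes it."""
    intended = {"from": "DE00 1111", "to": "DE00 2222", "amount": "50.00", "currency": "EUR"}
    reader, bank, user = Reader(Card(CARD_KEY, CARD_PIN)), Bank(CARD_KEY), User(intended, CARD_PIN)
    sig = reader.sign_transfer(dict(intended), user)   # user sees and confirms 50.00 -> DE00 2222
    sent = host_tamper(dict(intended))                  # host may rewrite what it sends to the bank
    return bank.execute(sent, sig)


def honest_host(tx):
    return tx


def malware_host(tx):
    # Classic man-in-the-browser: swap payee and amount after confirmation
    tx["to"], tx["amount"] = "DE00 9999", "3000.00"
    return tx


if __name__ == "__main__":
    print("honest host accepted:  ", run(honest_host))
    print("tampering host accepted:", run(malware_host))
```

The design point is that the signature binds the displayed fields, not the host's message: the malware case fails at the bank, not on the PC, so no antivirus on the customer's machine is part of the trust argument. A keylogger gains nothing because the PIN never passes through the host.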
Almost everything you said describes a former employer of mine, with everything from MVS and the silly JCL hacks to the old-school attitude of management. They refuse to accept any new ideas and are only concerned about the short-term bottom line. They discourage education and growth and prefer everyone to be a yes-man. After being laid off from their stupid decision to outsource everyone, I am also making more now and am working at a better company that actually cares about what I do.
I would not ever trust the Internet for anything involving monetary transactions, and if I ever did, I certainly would never trust a highly incompetent organization such as JPM Chase.