Slashdot Mirror


New Zealand Banks Demand a Peek at User PCs

Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up to date.'"

11 of 268 comments

  1. Interesting by MightyYar · · Score: 4, Insightful

    I was wondering what the end of internet banking would look like, and this is it.

    I'll go right back to using the branch if they start holding me liable for using their cost-saving website.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Interesting by MightyYar · · Score: 3, Insightful

      Let me reverse that - will they let me audit THEIR systems to make sure that the security breach isn't from THEIR end?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. The feeling is mutual. by Anonymous Coward · · Score: 5, Insightful

    So, if they're allowed to inspect my client, may I inspect their server? No?

  3. Therefore..... by Lumpy · · Score: 4, Insightful

    All of you damned users not running Microsoft OS will be liable.

    Just because anti-spyware software does not exist for your software platform is no excuse!

    You BeOS users! How dare you not run a virus scanner app!

    Gotta love bank executives asking for things they don't even have the slightest clue about.

    --
    Do not look at laser with remaining good eye.
  4. Banks having a fraud problem? by blahplusplus · · Score: 3, Insightful

    I really have to wonder if this is a kneejerk reaction to Banks having fraud problems?

    I think this is a pretty extreme measure, as if companies didn't already have enough data about people already. What exactly are the criteria for a 'secure' system? Sounds like a lot of BS to me.

  5. All about Trust. by Shambly · · Score: 4, Insightful

    I don't trust the banks to secure their data or use it in non-malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completely secure. All of these have reasons not to trust each other since all of these have failed at some point or another. I think I'll stick to ATMs for my needs. At least if it fails it's their hardware that's getting blamed and not mine.

  6. They want to "know if it's secure", huh? Well... by The_REAL_DZA · · Score: 4, Insightful

    ...if they can access it, it ain't secure. 'nuff said.

    --
    This space intentionally left (almost) blank.
  7. Re:Just what I'd tell the bank by R2.0 · · Score: 3, Insightful

    User: "My bank account is empty!"

    Bank: "Yes, at 0325 yesterday your account was logged into and the money transferred"

    User: "But I didn't do it!"

    Bank: "Well, sir, the proper login and password were used, and our logs indicate it came from the same IP address your previous transactions came from. If you did not personally do it, did someone else in your household do it?"

    User: "I live alone, and I work night shift. No one was at the house last night"

    Bank: "We're sorry sir, but it sounds like you have been a victim of computer fraud. That's when someone else has stolen your money, just like if you lost your checkbook. We would be more than happy to cooperate with the authorities to provide any data we have. Let us know who to send the data to. Thanks, buh-bye"

    Cold? Yes. But I'd rather be responsible for my own computer security than the bank be allowed to root around in my computer.

    (Please note this does not apply to data leaks from the banks or other businesses - they are guilty of negligence, on top of whatever fraud drains the account)

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
  8. suggestions to banks by fred+fleenblat · · Score: 3, Insightful

    I'd like to see some additional on-line banking security in these areas:

    1. 100% first-class support for Macs, Linux, Solaris, Firefox, Opera, etc. Any environment that is less targeted than Windows+IE should be encouraged by the banks as a way to reduce fraud.

    2. Start issuing SecurID tokens (or similar) to bank customers. This would take care of the simpler keyloggers and phishing attacks.

    3. Pay attention to the IP addresses. Compare them to known bot-infested netblocks. Track the IPs that a particular customer uses and flag it when it's not from their home ISP or employer's HTTP proxy.

    4. Don't allow wire-transfers or on-line bill pay of large amounts to arbitrary parties via the web banking interface.

    5. Look for *patterns*. Change of address followed by any kind of withdrawal or request for a card or checks. Transactions from different people's accounts sending money to the same or similar destination. Hire some game AI dude or data mining people to proactively look for fraud in real time instead of waiting for customers to report missing funds.

    6. Criminally investigate fraud. Don't just push the problem back on the customer or write it off as a business expense, actually go out and prosecute the people committing the fraud. Hire the RIAA's legal staff and put them to good use.

    7. Implement an undo. On-line transactions should only be allowed to/from banks and financial institutions that pledge to reverse any disputed transaction (instantly) and assist in investigating those who would have benefited from it.

    Just my thoughts.
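
Items 3 and 5 of the comment above, sketched as an added example (not part of the original comment and not any bank's actual system). The event format, customer names, netblocks, account labels and the 7-day window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (time, customer, kind, detail); not real data.
EVENTS = [
    ("2007-06-01T09:00", "alice", "login", "203.0.113.10"),
    ("2007-06-02T03:25", "alice", "login", "198.51.100.77"),
    ("2007-06-02T03:26", "alice", "address_change", ""),
    ("2007-06-02T03:40", "alice", "transfer", "ACCT-999"),
    ("2007-06-03T10:00", "bob", "login", "192.0.2.5"),
    ("2007-06-03T10:05", "bob", "transfer", "ACCT-999"),
    ("2007-06-03T11:00", "carol", "transfer", "ACCT-123"),
    ("2007-06-20T12:00", "carol", "address_change", ""),
    ("2007-07-30T12:00", "carol", "card_request", ""),
]
# Assumed per-customer baseline: home ISP / employer proxy netblocks.
KNOWN_NETS = {"alice": ["203.0.113.0/24"], "bob": ["192.0.2.0/24"]}

def unusual_logins(events, known_nets):
    """Item 3: logins from outside the customer's usual netblocks."""
    hits = []
    for ts, cust, kind, detail in events:
        if kind != "login":
            continue
        nets = [ip_network(n) for n in known_nets.get(cust, [])]
        if not any(ip_address(detail) in n for n in nets):
            hits.append((cust, ts, detail))
    return hits

def address_change_then_payout(events, window=timedelta(days=7)):
    """Item 5: address change followed by a transfer or card/check request."""
    last_change, hits = {}, []
    for ts, cust, kind, _ in sorted(events):  # ISO timestamps sort by time
        t = datetime.fromisoformat(ts)
        if kind == "address_change":
            last_change[cust] = t
        elif kind in {"transfer", "card_request", "check_request"}:
            if cust in last_change and t - last_change[cust] <= window:
                hits.append((cust, kind, ts))
    return hits

def shared_destinations(events, min_accounts=2):
    """Item 5: different customers' accounts paying the same destination."""
    senders = defaultdict(set)
    for _, cust, kind, detail in events:
        if kind == "transfer":
            senders[detail].add(cust)
    return {d: sorted(s) for d, s in senders.items() if len(s) >= min_accounts}
```

A customer with no recorded baseline has every login flagged, so a real deployment would need a learning period before alerting.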

  9. Re:If I was subject to this... by CastrTroy · · Score: 3, Insightful

    I was just thinking about something similar. If the bank is so worried about the user's system being compromised, then they should send out CDs with a VMWare image that the user can run so that it's known to be safe. There are probably still some attack vectors, because the Host OS could be majorly compromised, but it would make the process a whole lot more secure. But the VM Image could be signed, so that it could be verified to be unchanged upon each boot, and the memory contents could even be kept encrypted. It would also make sense for the access point of the bank not to be an actual web page you could visit with any browser, preventing people clicking on links in their email, or even being used to visiting the site in the browser. It would be plenty fast for online banking, and would take a lot of the risk out. But then again, they're probably going to just keep on adding layer after layer of stupid "security" functions like asking you your mother's maiden name (because nobody knows that information).

    --
    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  10. Re:"Rooting around" is probably paranoid ... by AK+Marc · · Score: 4, Insightful

    Rather than arbitrarily root around a technician will probably come to your home, and check your OS version and patches, anti-virus version and updates, firewall, ... all while you watch.

    Well, even that seems objectionable. The only reason they would need to do that is if there has been a loss and they want to pin it on someone other than themselves. So, they aren't even "looking" at the computer, they are there for one and only one reason, document security holes. Whether one of those holes was used doesn't matter. If they document enough, then they will shift the blame to the customer. Why should I go out of my way to help the bank deny me the money I deposited into it?