New Zealand Banks Demand a Peek at User PCs
Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up to date.'"
I was wondering what the end of internet banking would look like, and this is it.
I'll go right back to using the branch if they start holding me liable for using their cost-saving website.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
So, if they're allowed to inspect my client, may I inspect their server? No?
All of you damned users not running Microsoft OS will be liable.
Just because anti-spyware software does not exist for your software platform is no excuse!
You BeOS users! How dare you not run a virus scanner app!
Gotta love bank executives asking for things they don't even have the slightest clue about.
Do not look at laser with remaining good eye.
I really have to wonder if this is a kneejerk reaction to Banks having fraud problems?
I think this is a pretty extreme measure, as if companies didn't already have enough data about people. What exactly are the criteria for a 'secure' system? Sounds like a lot of BS to me.
So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?
I don't trust the banks to secure their data or use it in non-malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completely secure. All of these have reasons not to trust each other, since all of these have failed at some point or another. I think I'll stick to ATMs for my needs. At least if it fails it's their hardware that's getting blamed and not mine.
Is it just me or does it seem like the only correct answer to the bank's request would be, "I'm sorry, I am so security conscious that I simply cannot allow you to access my computer"?
I'd probably just set up a sandbox in VMware or something similar, to do all my online banking.
"Prefiero morir de pie que vivir siempre arrodillado!"
...if they can access it, it ain't secure. 'nuff said.
This space intentionally left (almost) blank.
User: "My bank account is empty!"
Bank: "Yes, at 0325 yesterday your account was logged into and the money transferred"
User: "But I didn't do it!"
Bank: "Well, sir, the proper login and password were used, and our logs indicate it came from the same IP address your previous transactions came from. If you did not personally do it, did someone else in your household do it?"
User: "I live alone, and I work night shift. No one was at the house last night"
Bank: "We're sorry sir, but it sounds like you have been a victim of computer fraud. That's when someone else has stolen your money, just like if you lost your checkbook. We would be more than happy to cooperate with the authorities to provide any data we have. Let us know who to send the data to. Thanks, buh-bye"
Cold? Yes. But I'd rather be responsible for my own computer security than the bank be allowed to root around in my computer.
(Please note this does not apply to data leaks from the banks or other businesses - they are guilty of negligence, on top of whatever fraud drains the account)
"As God is my witness, I thought turkeys could fly." A. Carlson
I am frum the National Bank of Nijeria, after providing your name, social security number, bank acount number, and routin information, pleaze instal the attached file so that we may check your securitee settings. Pleaze disreagard all mispelings an gramer mistakes in this email, we were forced to outsource securty email to another countries to save you money and provide the best service that you are familar with us.
This attempt by the banking industry to shift transactional liability away from their servers and onto the backs of the consumers is what I'd expect from the ruthless rat bastards. Don't think something like this would fly in the U.S. Notwithstanding the fact that our government is spending a king's ransom getting all up in our computers already (NSA-FBI), our citizenry would be OUTRAGED and OFFENDED if they thought their bank was all up in their hard drives! Pity the bank that tried to pull that chicanery over here in our independent, democracy minded, privacy loving people. We, (as normal lucid citizens) don't seem to have the ability to do anything about all the government spying and abuse because, among other things, corporate interests are aiding and abetting in this effort (who's to say the New Zealand pc 'scanning' doesn't have the ability for abuse/misuse by some corporate spy or government fascist?). Here in America, we have the ability on the personal level to avoid those corporation who facilitate and profit by working with the government in mass producing the technical equalivent of Zyclon B. We'd avoid any online banking that required our PC's be probed. Just like we're avoiding AT&T right now for helping our government spy on us while no doubt contracting for the service (private mercenary telecom army). Enough on my rant against AT&T, and the many evil corporate minions who are enabling the commander in thief. I've got other things to do. My Iphone awaits. Enjoy.
This ain't no upwardly mobile freeway This is the road to hell
Okay. Let's assume that the banks are somewhat justified in asking for the right to inspect a user's PC. If I were in New Zealand I would be petitioning my lawmakers for the right to sue for damages beyond actual loss when, by reason of lack of security, personal information is compromised and theft is the result.
A quick search on Google resulted in a large list of banks that have lost information or had fraud that was the result of a security breach. My personal favorite from the list was this little gem from none other than the Bank of New Zealand. Apparently thieves outfitted a few ATMs with skimming devices and harvested the account & PIN information from the bank's customers' cards. The bank is responsible for the security of those ATMs and should be held accountable for more than just the theft of cash.
http://www.finextra.com/fullstory.asp?id=15177
When banks take fraud seriously enough to protect themselves and their devices then I might take their position a little more seriously.
load "$",8,1
We are glad to see such wide coverage of our new security measures. We at Central Bank are totally focused on giving our users the most secure online banking experience possible. To that end, and to help speed up the implementation of our new security measures, could all Slashdot readers resident in New Zealand please respond to this post citing
(i) Full name, DOB and Address
(ii) Account number
(iii) Internet banking login name and password
(iv) Credit card number, expiry date and security code
(v) IP address and machine user name and password
Thank you for your assistance in this matter and we will report the security status of your machine to you as quickly as possible. If you feel uncomfortable entering this information you can always download our helper program (RapeMyAccountLikeItsaSheep.exe) from our website.
Central Bank
New Zealand
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
I'd like to see some additional on-line banking security in these areas:
1. 100% first-class support for Macs, Linux, Solaris, Firefox, Opera, etc. Any environment that is less targeted than Windows+IE should be encouraged by the banks as a way to reduce fraud.
2. Start issuing SecurID tokens (or similar) to bank customers. This would take care of the simpler keyloggers and phishing attacks.
3. Pay attention to the IP addresses. Compare them to known bot-infested netblocks. Track the IPs that a particular customer uses and flag it when it's not from their home ISP or employer's HTTP proxy.
4. Don't allow wire-transfers or on-line bill pay of large amounts to arbitrary parties via the web banking interface.
5. Look for *patterns*. Change of address followed by any kind of withdrawal or request for a card or checks. Transactions from different people's accounts sending money to the same or similar destination. Hire some game AI dude or data mining people to proactively look for fraud in real time instead of waiting for customers to report missing funds.
6. Criminally investigate fraud. Don't just push the problem back on the customer or write it off as a business expense, actually go out and prosecute the people committing the fraud. Hire the RIAA's legal staff and put them to good use.
7. Implement an undo. On-line transactions should only be allowed to/from banks and financial institutions that pledge to reverse any disputed transaction (instantly) and assist in investigating those who would have benefited from it.
Just my thoughts.
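Items 3 and 5 of the list above describe detection logic rather than anything a customer's PC could provide, so here is an added example of what that logic looks like when written down. It is not code from the thread or from any bank; every record, customer ID, netblock and destination account in it is constructed for illustration, and the "bot-infested" netblock list is a placeholder rather than real threat intelligence. It flags logins from outside a customer's usual networks or from a listed netblock, an address change followed by a withdrawal or card request within a window, and one destination receiving transfers from several unrelated customers.

```python
"""Toy fraud-pattern detector over constructed transaction records.

Added example, not part of the original thread. Implements the wishlist's
items 3 (IP address checks) and 5 (pattern checks) over an in-memory event
log. All customers, IPs, netblocks and accounts below are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder list of "bot-infested" netblocks (not real intel).
BAD_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: the /24 networks each customer normally logs in from
# (home ISP or employer proxy), learned from past sessions.
USUAL_NETWORKS = {
    "cust-1": {ipaddress.ip_network("198.51.100.0/24")},
    "cust-2": {ipaddress.ip_network("192.0.2.0/24")},
}

# Constructed event log: (timestamp, customer, kind, detail).
# kind is one of login, address_change, withdrawal, card_request, transfer.
EVENTS = [
    (datetime(2007, 6, 1, 9, 0), "cust-1", "login", {"ip": "198.51.100.7"}),
    (datetime(2007, 6, 2, 3, 25), "cust-1", "login", {"ip": "203.0.113.9"}),
    (datetime(2007, 6, 2, 3, 26), "cust-1", "transfer",
     {"ip": "203.0.113.9", "to": "acct-X", "amount": 3000}),
    (datetime(2007, 6, 3, 10, 0), "cust-2", "address_change", {"ip": "192.0.2.5"}),
    (datetime(2007, 6, 4, 11, 0), "cust-2", "card_request", {"ip": "192.0.2.5"}),
    (datetime(2007, 6, 5, 12, 0), "cust-2", "transfer",
     {"ip": "192.0.2.5", "to": "acct-X", "amount": 250}),
    (datetime(2007, 6, 6, 12, 0), "cust-3", "transfer",
     {"ip": "192.0.2.77", "to": "acct-X", "amount": 80}),
]


def ip_flags(customer, ip_str):
    """Reasons this IP looks unusual for the customer (empty list = nothing odd)."""
    ip = ipaddress.ip_address(ip_str)
    reasons = []
    if any(ip in net for net in BAD_NETBLOCKS):
        reasons.append("ip_in_bad_netblock")
    usual = USUAL_NETWORKS.get(customer, set())
    # A customer with no history yet cannot be "outside" their usual networks.
    if usual and not any(ip in net for net in usual):
        reasons.append("ip_outside_usual_networks")
    return reasons


def address_change_followed_by(events, window=timedelta(days=7)):
    """Customers who change address and then withdraw or request a card within `window`."""
    last_change = {}
    flagged = set()
    for ts, cust, kind, _ in sorted(events, key=lambda e: e[0]):
        if kind == "address_change":
            last_change[cust] = ts
        elif kind in ("withdrawal", "card_request", "cheque_request") and cust in last_change:
            if ts - last_change[cust] <= window:
                flagged.add(cust)
    return flagged


def shared_destinations(events, min_senders=2):
    """Destinations receiving transfers from at least `min_senders` distinct customers."""
    senders = defaultdict(set)
    for _, cust, kind, detail in events:
        if kind == "transfer":
            senders[detail["to"]].add(cust)
    return {dest: sorted(s) for dest, s in senders.items() if len(s) >= min_senders}


def review_queue(events):
    """Build the (customer, reason) list a fraud analyst would review in real time."""
    queue = []
    for ts, cust, kind, detail in events:
        for reason in ip_flags(cust, detail["ip"]):
            queue.append((cust, f"{kind}@{ts:%Y-%m-%d %H:%M}: {reason}"))
    for cust in address_change_followed_by(events):
        queue.append((cust, "address_change_then_withdrawal_or_card_request"))
    for dest, custs in shared_destinations(events).items():
        for cust in custs:
            queue.append((cust, f"shared_destination:{dest}"))
    return queue


if __name__ == "__main__":
    for cust, reason in review_queue(EVENTS):
        print(cust, reason)
```

On the constructed log this queues cust-1 for the 03:25 login and the transfer that followed it from a listed netblock outside their usual network, cust-2 for the card request the day after an address change, and all three customers because their transfers converge on the same destination account. Real deployments would learn the usual networks per customer from history and treat these flags as review triggers, not automatic blocks.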
The problem with this idea is that, as my bank demonstrates, they are incompetent. Mind you, the vast majority of people have practically no clue whatsoever about security and hence the bank does need to do something to protect itself. At present they have a HUGE liability and this is illustrated by the fact that there are keystroke loggers and viruses residing in at least 1/3 of PCs at one time or another.
Now here is a for instance to illustrate the outright incompetence of my bank's tech support people:
One of their servers was misconfigured and reported a file not found error. Of course - they sent it to me. The message contained the IP address and the apache version number. Sooo... I know what internal addresses they are using and what version of the webserver daemon. No big deal.
But why do they send their error messages to the client? Am I supposed to debug it for them? I guess the short answer might be "yes" because I - along with a number of other programmers - might be working in the Apache source code, so potentially we do debug their systems. But this was just a misconfiguration.
So I was nice enough to call their tech support and advise them of the problem. The tech support person insisted I reboot my computer! Not only this, she would NOT pass on my error report to the department which handles their servers. When I demanded to speak with her supervisor I found the supervisor also stonewalled me. So I flatly told her that she is incompetent and as such should not be making decisions about things she knows nothing about. Since she would not pass the error report to the people responsible for dealing with it - she made the decision that it isn't necessary for them to know one of their servers was misconfigured.
So this is what you get. Banks are large bureaucratic organisations filled with incompetent people who like to sweep things under the rug and are too stupid to either think outside the box or pass even a trouble report over to someone who might be responsible for dealing with it.
Why would we want people like this to run code in our computers? Why would we want to be held responsible for their errors - which will happen under the New Zealand system?
This reminds me when I wanted to set up an e-commerce system. The bank at the time was in bed with a company out of India. They wanted the root password for my servers. I said No.
Why should I hand over the root password to a group of unknown people in India? If something happens have I any recourse against them? Of course not. Sue in an Indian court? Bullshit! We all know that would go nowhere and be bloody awful expensive and even if we did win India has laws which prevent money leaving their country. You can pay money to Indian citizens after you go to great trouble - but just forget the idea of taking money out of the country.
So it's triply a poor idea to hand over a root password to a company in a foreign country! Of course I advised the bank that their e-commerce terms were totally unacceptable.
Guess what? The company they dealt with in India was bankrupt within a year. It truly was fly-by-night.
This is what you get from large bureaucratic organisations filled with incompetent people: You get really dumb ideas hatched.
Richard Feynman writes in one of his books about the incompetence of the military with regard to the Manhattan project at Los Alamos. Back then they had a hole in the fence. They had guards stationed at the main entrance and made everyone sign in and out. But they didn't fix the hole in the fence and didn't station guards there either. So Feynman took great joy for a while by entering through the main gate and signing in - then exiting via the hole and signing in again. This did not trigger a red light in the guard's mind. Neither did me telling the tech support person at my bank that one or more of their servers was misconfigured and was bitching about it.
The short of it is that the banks really do have a problem and the way they handle things they are probably some of the worst people to address their problems. In part - this is why the banks have a serious problem.
He who has the gold, makes the rules.
My reply: certainly, but they must prove who they are first.
Oh, no - that is not the way that they do things, I must prove who I am first -- by answering exactly the same security questions that someone phishing would want to know. Needless to say: I refused.
I then took this as a complaint to the bank chairman - and have received platitudes as to how they take security seriously, burble, burble, ...
I'm not going to let this go: I shall chase them. I should be OK since I won't give the information out, but many people will do so.
Banks are crap.
No, it's not ridiculous, it's perfectly-goddamn-acceptable that if the bank wants to shift culpability from themselves to end users in terms of fraud and security, which is the purpose of this, they should ABSOLUTELY be required to get a subpoena from a judge to access your personal computer. There is a basic right to privacy, and the onus of security is on the bank, not the end user. If they choose to connect their financial systems to the internet, that's THEIR choice, especially if the access allows more than just read-only information of accounts (e.g. bank's online ability to transfer funds to other bank customers and outside accounts, automatic bill pay, etc.). I don't think you have a healthy understanding of just how bad this is. They will have the ability to access everything on your computer, it only takes one unscrupulous bank IT employee to start copying/logging/etc personal data.
Cheers.
This is my sig. There are many like it, but this one is mine.
Rather than arbitrarily root around, a technician will probably come to your home, and check your OS version and patches, anti-virus version and updates, firewall, ... all while you watch.
Well, even that seems objectionable. The only reason they would need to do that is if there has been a loss and they want to pin it on someone other than themselves. So, they aren't even "looking" at the computer, they are there for one and only one reason, to document security holes. Whether one of those holes was used doesn't matter. If they document enough, then they will shift the blame to the customer. Why should I go out of my way to help the bank deny me the money I deposited into it?
Learn to love Alaska
Anyone who's ever dealt with the kind of call centres you get with banks knows what's going to happen.
[Rings up to complain of fraud]
Bank: Hello, this is ${BANK}, how can I help you?
Customer: Yes, I appear to have a transaction for £3000 leaving my account which I don't know anything about.
Bank: OK, I see you use our Internet banking service. Do you have antispyware software on your computer?
Customer: No, I use a....
Bank: Do you have antivirus software on your computer?
Customer: No, I use a Mac....
Bank: No antispyware, no antivirus. Not our problem. Goodbye.
One of my banks has a bad SSL certificate configuration.
I emailed them to let them know. Their response? "Clear your cache and cookies".
I thanked them and explained that the problem wasn't on my end, that Verisign actually documented their problem and provided them with the URL. Their response? "Maybe the date on your computer is wrong, our certificates expire in 2011".
I again explained that it wasn't a certificate expiration issue, and in fact the certificate in question expired in 2009. Their response? "No one else is reporting the problem". I stopped reporting the issue, and we started moving money elsewhere.
The problem isn't so much that they didn't have a properly configured certificate, the problem was their response to a security issue. The ticket went back and forth several times (to multiple representatives), and there was no automatic escalation or intercept. The ticket was reporting a security matter, but again, there was no intercept. I can understand not having tier 1 customer support be security experts, but the exchange exposed a complete lack of proper security practices and procedures.
I am not now, nor have I ever been impressed with the security practices at any bank. Some are just not as bad as at others. They will never be permitted to lay hands on a computer of mine.
Can You Say Linux? I Knew That You Could.
"Why not provide customer with an anti virus/malware/spyware of bank's choosing before letting customers make transactions ?"
Because that means the bank would be responsible if something went wrong. And the banks don't want that responsibility, hence this whole deal.
Sigh, this is why we need an "incorrect" moderation.
That is possibly the worst explanation of the money multiplier effect that i have ever heard.
And I'm here to check your computer's security for the bank.
What a wonderful opportunity for social engineering granny's password. Idiots. The only way they can realistically do this is if they force install of their own application to handle all bank transactions with strong encryption of everything going on and some sort of built-in way to break keyloggers. As it is, it is completely unrealistic and creates more security holes than it closes. The whole "we will never ask you for your password" idea will be gone as you will be expected to report PINs, passwords, etc. to make sure you picked a good one.
Fred
Please be aware that this is a scam! The New Zealand central bank is in fact called the "Reserve Bank of New Zealand". Don't provide the information the post asks for from him.
Look out!
For example, how many banks were only accessible via IE even when there were warnings about using IE and that everybody should be using Firefox? Now whose fault is that? If banks are serious, then what they should simply do is force everyone to dual boot and only access the bank services via Firefox running on top of Linux.
Or more realistically they can demand the use of a hardware security device, like a USB-based device combined with user name and password, but of course the buggers are way too greedy and cheap to do something like that.
Chaos - everything, everywhere, everywhen
The tech they send out probably won't be able to take your word for it.
In fact, he'll probably be outfitted with a CD that has programs on it that root around inside your machine and sends the information back home via the Internet. In a perfect storm of stupidity, the programs would have to be run as Administrator.