Slashdot Mirror


New Zealand Banks Demand a Peek at User PCs

Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up to date.'"

14 of 268 comments

  1. Interesting by MightyYar · · Score: 4, Insightful

    I was wondering what the end of internet banking would look like, and this is it.

    I'll go right back to using the branch if they start holding me liable for using their cost-saving website.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. The feeling is mutual. by Anonymous Coward · · Score: 5, Insightful

    So, if they're allowed to inspect my client, may I inspect their server? No?

    1. Re:The feeling is mutual. by woodlander · · Score: 4, Funny

      Could I ask the name of the bank? I need to move my account.

  3. Therefore..... by Lumpy · · Score: 4, Insightful

    All of you damned users not running Microsoft OS will be liable.

    Just because anti-spyware software does not exist for your software platform is no excuse!

    You BeOS users! How dare you not run a virus scanner app!

    Gotta love bank executives asking for things they don't even have the slightest clue about.

    --
    Do not look at laser with remaining good eye.
  4. Gee Wally ... by WrongSizeGlass · · Score: 4, Interesting

    a computer or device that does not have appropriate protective software and operating system installed and up to date

    Who determines what an appropriate protective operating system is? Does that rule out XP SP1? (or Win2K, Win ME, Win 98, etc.) Does lack of AV software on my Mac or Linux box define my computer as 'unprotected'? And does 'up to date' refer to the AV definitions, the OS patches or just the latest & greatest releases (such as Vista and/or IE 7)?
  5. All about Trust. by Shambly · · Score: 4, Insightful

    I don't trust the banks to secure their data or use it in non-malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completely secure. All of these have reasons not to trust each other since all of these have failed at some point or another. I think I'll stick to ATMs for my needs. At least if it fails it's their hardware that's getting blamed and not mine.

  6. Re:LiveCD by WrongSizeGlass · · Score: 4, Funny

    So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?

    No ... who do you think they are, NetFlix? ;-)
  7. They want to "know if it's secure", huh? Well... by The_REAL_DZA · · Score: 4, Insightful

    ...if they can access it, it ain't secure. 'nuff said.

    --
    This space intentionally left (almost) blank.
  8. The phishing scam by mh1997 · · Score: 4, Funny

    Helo,

    I am frum the National Bank of Nijeria, after providing your name, social security number, bank acount number, and routin information, pleaze instal the attached file so that we may check your securitee settings. Pleaze disreagard all mispelings an gramer mistakes in this email, we were forced to outsource securty email to another countries to save you money and provide the best service that you are familar with us.

  9. Reverse the argument. by fishthegeek · · Score: 4, Interesting

    Okay. Let's assume that the banks are somewhat justified in asking for the right to inspect a user's PC. If I were in New Zealand I would be petitioning my lawmakers for the right to sue for damages beyond actual loss when, by reason of lack of security, personal information is compromised and theft is the result.

    A quick search on Google resulted in a large list of banks that have lost information or had fraud that was the result of a security breach. My personal favorite from the list was this little gem from no other than the Bank of New Zealand. Apparently thieves outfitted a few ATMs with skimming devices and harvested the account & PIN information from the bank's customers' cards. The bank is responsible for the security of those ATMs and should be held accountable for more than just the theft of cash.

    http://www.finextra.com/fullstory.asp?id=15177

    When banks take fraud seriously enough to protect themselves and their devices then I might take their position a little more seriously.

    --
    load "$",8,1
  10. Central Bank of New Zealand by Timesprout · · Score: 4, Funny

    We are glad to see such wide coverage of our new security measures. We at Central Bank are totally focussed on giving our users the most secure online banking experience possible. To that end and to help speed up the implementation of our new security measures could all Slashdot readers resident in New Zealand please respond to this post citing

    (i) Full name, DOB and Address
    (ii) Account number
    (iii) Internet banking login name and password
    (iv) Credit card number, expiry date and security code
    (v) IP address and machine user name and password

    Thank you for your assistance in this matter and we will report the security status of your machine to you as quickly as possible. If you feel uncomfortable entering this information you can always download our helper program (RapeMyAccountLikeItsaSheep.exe) from our website.

    Central Bank
    New Zealand

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  11. My bank is incompetent by cdn-programmer · · Score: 4, Interesting

    The problem with this idea is that as my bank demonstrates - they are incompetent. Mind you the vast majority of people have practically no clue whatsoever about security and hence the bank does need to do something to protect itself. At present they have a HUGE liability and this is illustrated by the fact that there are keystroke loggers and viruses residing in at least 1/3 of PCs at one time or another.

    Now here is a for instance to illustrate the outright incompetence of my bank's tech support people:

    One of their servers was misconfigured and reported a file not found error. Of course - they sent it to me. The message contained the IP address and the Apache version number. Sooo... I know what internal addresses they are using and what version of the webserver daemon. No big deal.

    But why do they send their error messages to the client? Am I supposed to debug it for them? I guess the short answer might be "yes" because I - along with a number of other programmers - might be working in the Apache source code so potentially we do debug their systems. But this was just a misconfiguration.

    So I was nice enough to call their tech support and advise them of the problem. The tech support person insisted I re-boot my computer! Not only this she would NOT pass on my error report to the department which handles their servers. When I demanded to speak with her supervisor I found the supervisor also stonewalled me. So I flatly told her that she is incompetent and as such should not be making decisions about things she knows nothing about. Since she would not pass the error report to the people responsible for dealing with it - she made the decision that it isn't necessary for them to know one of their servers was misconfigured.

    So this is what you get. Banks are large bureaucratic organisations filled with incompetent people who like to sweep things under the rug and are too stupid to either think outside of the box or pass even a trouble report over to someone who might be responsible for dealing with it.

    Why would we want people like this to run code in our computers? Why would we want to be held responsible for their errors - which will happen under the New Zealand system?

    This reminds me when I wanted to set up an e-commerce system. The bank at the time was in bed with a company out of India. They wanted the root password for my servers. I said No.

    Why should I hand over the root password to a group of unknown people in India? If something happens have I any recourse against them? Of course not. Sue in an Indian Court? Bullshit! We all know that would go nowhere and be bloody awful expensive and even if we did win India has laws which prevent money leaving their country. You can pay money to Indian citizens after you go to great trouble - but just forget the idea of taking money out of the country.

    So it's triple-ly a poor idea to hand over a root password to a company in a foreign country! Of course I advised the bank that their e-commerce terms were totally unacceptable.

    Guess what? The company they dealt with in India was bankrupt within a year. It truly was fly by night.

    This is what you get from large bureaucratic organisations filled with incompetent people: You get really dumb ideas hatched.

    Richard Feynman writes in one of his books about the incompetence of the military with regard to the Manhattan project at Los Alamos. Back then they had a hole in the fence. They had guards stationed at the main entrance and made everyone sign in and out. But they didn't fix the hole in the fence and didn't station guards there either. So Feynman took great joy for a while by entering through the main gate and signing in - then exiting via the hole and signing in again. This did not trigger a red light in the guard's mind. Neither did me telling the tech support person at my bank that one or more of their servers was misconfigured and was bitching about it.

    The short of it is that the banks really do have a problem and the way they handle things they are probably some of the worst people to address their problems. In part - this is why the banks have a serious problem.

  12. Re:Rediculous to require a subpoena ... by cHiphead · · Score: 4, Interesting

    No, it's not ridiculous, it's perfectly-goddamn-acceptable that if the bank wants to shift culpability from themselves to end users in terms of fraud and security, which is the purpose of this, they should ABSOLUTELY be required to get a subpoena from a judge to access your personal computer. There is a basic right to privacy, and the onus of security is on the bank, not the end user. If they choose to connect their financial systems to the internet, that's THEIR choice, especially if the access allows more than just read only information of accounts (e.g. bank's online ability to transfer funds to other bank customers and outside accounts, automatic bill pay, etc.). I don't think you have a healthy understanding of just how bad this is. They will have the ability to access everything on your computer, it only takes one unscrupulous bank IT employee to start copying/logging/etc. personal data.

    Cheers.

    --
    This is my sig. There are many like it, but this one is mine.
  13. Re:"Rooting around" is probably paranoid ... by AK+Marc · · Score: 4, Insightful

    Rather than arbitrarily root around a technician will probably come to your home, and check your OS version and patches, anti-virus version and updates, firewall, ... all while you watch.

    Well, even that seems objectionable. The only reason they would need to do that is if there has been a loss and they want to pin it on someone other than themselves. So, they aren't even "looking" at the computer, they are there for one and only one reason, document security holes. Whether one of those holes was used doesn't matter. If they document enough, then they will shift the blame to the customer. Why should I go out of my way to help the bank deny me the money I deposited into it?