
New Zealand Banks Demand a Peek at User PCs

Zonk posted more than 7 years ago | from the see-you've-got-some-porn-there-sir-good-job dept.

Security 268

Montgomery Burns III writes with a link to a ComputerWorld article on a ... unique approach to bank security. New Zealand financial institutions are looking for a way to access customer PCs used in online banking transactions. Their goal is to verify the security of the user's terminal. "Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed and up to date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up to date.'"


268 comments


Just what I'd tell the bank (1)

Albanach (527650) | more than 7 years ago | (#19691013)

Nothing for you to see here. Please move along.

Re:Just what I'd tell the bank (1)

gravos (912628) | more than 7 years ago | (#19691131)

I realize that this approach is probably not the correct one, but do try to understand the position online banks are in. They have to have some way of safeguarding customer information when the customer may well have keyloggers and all sorts of nasties on their machine.

What is a bank supposed to do in this situation? Many have moved to distributing hash key devices and requiring passwords be entered using onscreen keyboards, but it's not an easy problem to solve.

Re:Just what I'd tell the bank (0)

omeomi (675045) | more than 7 years ago | (#19691171)

What is a bank supposed to do in this situation?

Go to a judge, and ask for a subpoena?

Ridiculous to require a subpoena ... (1)

AHumbleOpinion (546848) | more than 7 years ago | (#19691391)

"What is a bank supposed to do in this situation?"

Go to a judge, and ask for a subpoena?

That is ridiculous; that is equivalent to saying a customer should have to sue the bank to get their money back rather than have some prearranged, agreed-upon process. If you want to bring the courts in on such transactions, consider how the judge is likely to rule when it is discovered that the customer didn't have current anti-virus, etc. There is nothing wrong with having some prearranged agreement, and nothing wrong with *both* parties having to give up something: for the bank the stolen funds, and for the customer having their anti-virus and firewall settings inspected. I do not think you have thought this through; getting the courts involved will probably not help the consumers.

Re:Just what I'd tell the bank (3, Insightful)

R2.0 (532027) | more than 7 years ago | (#19691315)

User: "My bank account is empty!"

Bank: "Yes, at 0325 yesterday your account was logged into and the money transferred"

User: "But I didn't do it!"

Bank: "Well, sir, the proper login and password were used, and our logs indicate it came from the same IP address your previous transactions came from. If you did not personally do it, did someone else in your household do it?"

User: "I live alone, and I work night shift. No one was at the house last night"

Bank: "We're sorry sir, but it sounds like you have been a victim of computer fraud. That's when someone else has stolen your money, just like if you lost your checkbook. We would be more than happy to cooperate with the authorities to provide any data we have. Let us know who to send the data to. Thanks, buh-bye"

Cold? Yes. But I'd rather be responsible for my own computer security than the bank be allowed to root around in my computer.

(Please note this does not apply to data leaks from the banks or other businesses - they are guilty of negligence, on top of whatever fraud drains the account)

"Rooting around" is probably paranoid ... (1, Insightful)

AHumbleOpinion (546848) | more than 7 years ago | (#19691651)

But I'd rather be responsible for my own computer security than the bank be allowed to root around in my computer.

That is probably a gross exaggeration. Rather than arbitrarily root around, a technician will probably come to your home and check your OS version and patches, anti-virus version and updates, firewall, ... all while you watch. To do otherwise would drive customers from banks that arbitrarily root around to banks that do an appropriately focused search.

Your "eat my own losses" argument has two primary flaws.
(1) You assume the mistake was the customer's, not the bank's. Those who are sure the error was on the bank's side will be more likely to cooperate in ruling out their home computers.
(2) Privacy has a price, and often a limit. If the account emptied was a savings account with a lot of money rather than a checking account with a small amount of money, then the customer will become increasingly cooperative.

The Death of Online Banking (2, Funny)

Timtimes (730036) | more than 7 years ago | (#19691367)

This attempt by the banking industry to shift transactional liability away from their servers and onto the backs of the consumers is what I'd expect from the ruthless rat bastards. Don't think something like this would fly in the U.S. Notwithstanding the fact that our government is spending a king's ransom getting all up in our computers already (NSA-FBI), our citizenry would be OUTRAGED and OFFENDED if they thought their bank was all up in their hard drives! Pity the bank that tried to pull that chicanery over here on our independent, democracy-minded, privacy-loving people. We (as normal lucid citizens) don't seem to have the ability to do anything about all the government spying and abuse because, among other things, corporate interests are aiding and abetting in this effort (who's to say the New Zealand PC 'scanning' doesn't have the ability for abuse/misuse by some corporate spy or government fascist?). Here in America, we have the ability on the personal level to avoid those corporations who facilitate and profit by working with the government in mass producing the technical equivalent of Zyklon B. We'd avoid any online banking that required our PCs be probed. Just like we're avoiding AT&T right now for helping our government spy on us while no doubt contracting for the service (private mercenary telecom army). Enough on my rant against AT&T, and the many evil corporate minions who are enabling the commander in thief. I've got other things to do. My Iphone awaits. Enjoy.

Re:The Death of Online Banking (1)

Volante3192 (953645) | more than 7 years ago | (#19691445)

our citizenry would be OUTRAGED and OFFENDED if they thought their bank was all up in their hard drives!

Me thinks you doth put too much faith in the sensibilities of USians...

Don't overlook the snark (0, Redundant)

Timtimes (730036) | more than 7 years ago | (#19691563)

I think you're spot on with your observation. Might I point to the submission in total for a moment though? I expect a slashdot audience to get the sarcasm, if not earlier in the piece, then certainly where I juxtapose the AT&T rant with the need to rush out and get an Iphone. The only Iphone provider in the US is AT&T. I believe that phone will be so hot that if AT&T required both a technical and BIOLOGICAL probe as a requirement for purchase there would still be no dearth of customers. Matter of fact, by the end of the first week, the only thing you'd be hearing in the mainstream media was how good a thing the probing really was. A colonic for both man and machine. Enjoy.

Re:The Death of Online Banking (1)

Belacgod (1103921) | more than 7 years ago | (#19692521)

When it comes to rights, we're increasingly a nation of cowards. When it comes to money, we're bulldog/velociraptor crosses. This will not fly, for the same reason we can't balance our budget.

Re:The Death of Online Banking (-1)

Anonymous Coward | more than 7 years ago | (#19691507)

I think you just broke my sarcasm meter!

My problem with this... (0)

Anonymous Coward | more than 7 years ago | (#19692283)

Is the assumption that "security" programs (anti-virus, firewalls, etc.) are some measure of security. Yeah, I do keep an AV program around, even anti-spyware, etc. but they hardly ever do anything because the real security is that I don't download untrustworthy software, smilies, screen savers and other crapware, I don't fall for any of the random scams I see, and make sure I have the latest patches.

I often get asked about buying all the latest security products as if that's the answer to secure computing. But everything I use is free, and it barely matters. My most important weapons are computer literacy, a dose of paranoia, and an aversion to advertisements and adware of any kind.

The most important security tools can't be bought.

Interesting (4, Insightful)

MightyYar (622222) | more than 7 years ago | (#19691037)

I was wondering what the end of internet banking would look like, and this is it.

I'll go right back to using the branch if they start holding me liable for using their cost-saving website.

Re:Interesting (1)

Billly Gates (198444) | more than 7 years ago | (#19691709)

You already are liable. Either way the bank has better lawyers.

If I steal your identity and buy a lot of products, the only thing the bank will do is call the FBI. They will still ask for you to phony up. Refuse? Then they will put it on your credit report. Now try getting a job or apartment or home?

It's been ruled in court that if someone sells your home you have to leave, and the bank is not liable for the loan and you have to pay them. I do not know how, but somehow they convinced a jury??

It's quite bad and there need to be laws to protect us from the banks, who are cheap and do not want to pay for their own mistakes when making easy loans with minimal verification.

Re:Interesting (1)

citog (206365) | more than 7 years ago | (#19691791)

So you're saying a customer doesn't have any liability when it comes to securing their accounts held at a bank? As an internet banking customer you're usually told in the terms and conditions that you have a responsibility to secure access to your account within reasonable boundaries. Explain to me what's wrong with the bank verifying that you've complied when you're disputing a transaction.

Re:Interesting (3, Insightful)

MightyYar (622222) | more than 7 years ago | (#19692517)

Let me reverse that - will they let me audit THEIR systems to make sure that the security breach isn't from THEIR end?

Re:Interesting (0)

Anonymous Coward | more than 7 years ago | (#19692561)

Explain to me what's wrong with the bank verifying that you've complied when you're disputing a transaction.
Reciprocity.

Re:Interesting (1)

spellraiser (764337) | more than 7 years ago | (#19691793)

Well, that's always your choice, of course.

I personally think that holding the user responsible is the most natural thing in the world. Why would the bank have to take the blame if the user's machine is compromised? As long as security is not breached on their side, their only responsibility is to process the requests given to them correctly. If these requests happen to be fraudulent, I don't see how that's the bank's fault.

Of course, if the perpetrator is caught, and it can be proven that he accessed an account that he didn't have the right to access, he can be punished accordingly and made to return the stolen money. But asking the bank to refund all money stolen through a compromised user account just spells disaster.

The bank should only need to worry about security on their end. The user is responsible only for his own system. Just my 2 cents.

Re:Interesting (1)

MightyYar (622222) | more than 7 years ago | (#19692473)

Here's why I object. I am not a security expert, and yet I possess much more knowledge about computer security than the average bank customer. I, much less the average customer, cannot be expected to lock down my home computer to bank-network standards. The bank - who is an expert in security - has chosen to open their financial network to the internet at-large, and they should assume the costs and responsibility associated with that step.

I don't know what the solution is - perhaps they should have an automated system call me at home whenever I make significant transactions online. Perhaps they should abandon the internet for the same reasons that we don't vote on the internet, and ATMs don't use the internet.

For decades the holder of a credit card has been limited to $50 in liability, and yet banks have made gobs and gobs of money on credit cards. I see no reason why this simple consumer protection should not be extended to online banking. The banks save tons of money by having people do their banking online - I seriously doubt that they would stop offering the service even with such a law in place.

The feeling is mutual. (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19691039)

So, if they're allowed to inspect my client, may I inspect their server? No?

Re:The feeling is mutual. (2, Interesting)

DoofusOfDeath (636671) | more than 7 years ago | (#19691197)

So, if they're allowed to inspect my client, may I inspect their server? No?

That was my first thought too, but if NZ is like the US in this regard, they have government banking regulators auditing the heck out of their systems. So it's probably reasonable to more strongly assume the banks' systems have a known level of security.

OTOH, if the banks' security audit results aren't made public, then your instinctive reaction is probably pretty fair.

Re:The feeling is mutual. (2, Insightful)

trolltalk.com (1108067) | more than 7 years ago | (#19691335)

Yeah ... right.

The bank once deposited $80,000 into my sister's account by mistake. She told them about it ... the next week, it was "corrected" - it was then $234,000.00.

When she went in to tell them about it, they were having another problem --- the ATM was spitting out paper and money all over the place.

Audited doesn't mean perfect any more than ISO9001 means low level of defects.

Re:The feeling is mutual. (1)

SwordsmanLuke (1083699) | more than 7 years ago | (#19691455)

That's not a bank error, that's winning the freakin' lottery! Cash it out and move to Thailand, baby!

Re:The feeling is mutual. (4, Funny)

woodlander (737137) | more than 7 years ago | (#19691877)

Could I ask the name of the bank? I need to move my account.

Re:The feeling is mutual. (1)

fishbowl (7759) | more than 7 years ago | (#19692141)

>Could I ask the name of the bank? I need to move my account.

My reading is that it will be the law in NZ that all banks must comply with.

Re:The feeling is mutual. (2, Informative)

alexgieg (948359) | more than 7 years ago | (#19691913)

The bank once deposited $80,000 into my sister's account by mistake. She told them about it ... the next week, it was "corrected" - it was then $234,000.00.

The funny thing is that many banks (the huge ones mainly) are in fact allowed, by their respective central banks, to "invent" money out of nowhere. This of course causes inflation, but so long as they don't do it so much that it would cause the upper yearly inflation limit set by the central bank to be surpassed, it's perfectly okay.

This world we live in is crazy.

Re:The feeling is mutual. (1)

Hoi Polloi (522990) | more than 7 years ago | (#19692403)

As long as they (the banks) make sure their branches are understaffed during the day and close the instant everyone gets out of work they are content with the way things are.

They seem to be good at flooding upper class town centers with branches though. One nearby town's center is half banks. So instead of an appealing shopping/dining area it is mostly dead in the evenings.

The need is not mutual ... (1)

AHumbleOpinion (546848) | more than 7 years ago | (#19691991)

So, if they're allowed to inspect my client, may I inspect their server? No?

There is no need. If your system is clean they are not holding you liable and you are getting your money back.

Re:The need is not mutual ... (1)

Scudsucker (17617) | more than 7 years ago | (#19692287)

That giant "whooosh" noise you just heard was the point sailing over your head.

Therefore..... (4, Insightful)

Lumpy (12016) | more than 7 years ago | (#19691045)

All of you damned users not running Microsoft OS will be liable.

Just because anti-spyware software does not exist for your software platform is no excuse!

you BeOs users! how dare you not run a Virus scanner app!

Gotta love bank executives asking for things they don't even have the slightest clue about.

Re:Therefore..... (1)

Klaus_1250 (987230) | more than 7 years ago | (#19691485)

If I read it more closely:

"used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [...]"

I would think that Windows users have the real problem. Appropriate protective [...] operating system. That doesn't sound like any Windows version I ever encountered.

Re:Therefore..... (1)

Billly Gates (198444) | more than 7 years ago | (#19691669)

More than likely you will be banned from online banking because their software won't know what anything but Windows is.

So the least secure OS gets the approval because it's what everyone uses.

Re:Therefore..... (0)

Anonymous Coward | more than 7 years ago | (#19691889)

When I run a Windows operating system I don't use any security software at all. The reason is the following:

- don't execute files you don't trust (including media files and documents)
- keep the system fully updated (automatically)
- shutdown all open ports and services which Windows opens by default (no open ports)
- lockdown local computer security policies
- use a limited user account and either switch accounts or use 'runas' to do administrative tasks
- use free open source system diagnostic tools (debuggers, checksum verification, hook detection, etc) to check for suspicious behavior
- dump and inspect all network traffic using wireshark or some other sort of traffic sifting/filtering technique

For someone like me, Anti-* products lower my security level as they introduce new possibilities for buffer overflow exploits in the scanning engines. Besides, it is *my* choice of how I use the bank services via my computer. If they really wanted to help solve the problems they're facing with fraud, they should do some very simple (and tested) changes such as:

- send an SMS to the bank account owner when sums of money are being transferred
- drop the use of passwords and use one-time-password tokens instead
- give users more control over transfer limits, logging of account access, etc

However they want to place the burden of responsibility/proof on YOU, when it should be on THEM.

Great idea (1)

voice_of_all_reason (926702) | more than 7 years ago | (#19691047)

The police should immediately adopt this.

Want to file a criminal report? Let us search your home first, citizen. As long as it's not mandatory, things are perfectly legal since you're consenting to it. You're free to stop using our services at any time.

Re:Great idea (1)

rossz (67331) | more than 7 years ago | (#19691467)

Am I free to stop paying for the service if I stop using it? Damn, I didn't think so.

Banks having a fraud problem? (3, Insightful)

blahplusplus (757119) | more than 7 years ago | (#19691061)

I really have to wonder if this is a kneejerk reaction to Banks having fraud problems?

I think this is a pretty extreme measure, as if companies didn't already have enough data about people. What exactly is the criteria for a 'secure' system? Sounds like a lot of BS to me.

Re:Banks having a fraud problem? (1)

Billly Gates (198444) | more than 7 years ago | (#19691627)

Here in the US someone can sell your home without your consent and you would have to leave.

Yes, it's a big problem and for some reason the banks have been winning in courts and not paying for things like fraudulent transactions and letting the consumer deal with it.

It's a knee-jerk reaction but they should do more things like FBI background checks and fingerprinting for any major transaction over $10,000 or credit card application. I did so to work at the school district and it's inconvenient to wait a month for a result, but would you want a pedi watching your kids? With identity theft, banks need to start doing this.

If the bank is really paranoid over fraudulent transactions then they need to stop having their services online. Phishing schemes are probably causing the majority of fraud anyway and it has nothing to do with them.

How secure is your PC... (1)

Sunshinerat (1114191) | more than 7 years ago | (#19691099)

...if your bank can take a peek?

It's about time (1, Insightful)

korekrash (853240) | more than 7 years ago | (#19691107)

IMO it's about time ppl had to take responsibility for their system. Why on earth should a bank take a loss when it was your fault? I don't get to go to the bank and expect them to replace the cash I withdrew yesterday that got stolen from my pocket.....This might be the push ppl need to get them to pay attention.....computers are here to stay....the "I don't understand computers very well excuse is really old.....just because you don't understand the way a locking mechanism in your door works doesn't mean you shouldn't fix it if it is broken.....

Re:It's about time (1)

Bert64 (520050) | more than 7 years ago | (#19691141)

They should have a third party security testing company investigate the PC...
Also, since they're claiming liability based on the security of your PC, you should have the right to investigate the security of their server.

Re:It's about time (2, Funny)

barzok (26681) | more than 7 years ago | (#19691967)

Also, since they're claiming liability based on the security of your PC, you should have the right to investigate the security of their server.

We all know that won't happen, thanks to the golden rule.

He who has the gold, makes the rules.

Re:It's about time (1)

vtcodger (957785) | more than 7 years ago | (#19691345)

***Why on earth should a bank take a loss when it was your fault?***

I dunno. Maybe because they are the ones offering the damn service. If they can't provide it in a secure manner, why is that my problem? Now if I begged them to please offer the service ...

In any case, prudent users probably will not use these services. You don't have to be Nostradamus to project that even if the banks gain access to the user PCs, they are unlikely to be able to act intelligently on what they find there. You also don't have to be much of a fortune teller to project that the banks are unlikely to admit that this scheme isn't working even if it does not. On top of that, it is likely only a matter of time until somebody finds a way to hijack the bank's gateway into user PCs.

Re:It's about time (1)

korekrash (853240) | more than 7 years ago | (#19692115)

vtcodger: I agree that abuse could happen....but if an unbiased third party were involved then the abuse factor would almost be eliminated. As for "I dunno. Maybe because they are the ones offering the damn service." If you use that logic...all car accidents are the fault of the state...they provide the roads so they should make sure your car is safe!? That makes no sense....their service can be totally secure...but if you have nine key-loggers installed from torrent trojans they can't do shit about it and it is YOUR fault your money was stolen. Also, you said: "In any case, prudent users probably will not use these services." Uhhhhh......A LOT of people use online banking and purchase things online, myself included. If your system is secure, then it is a relatively safe environment....

Re:It's about time (1)

Lumpy (12016) | more than 7 years ago | (#19691401)

Sounds like a plan. Problem is you are being idealistic and the bank is going to execute it in an asinine fashion.

Are they going to hire a team of $100,000.00 a year plus IT experts? No. They are going to hire MCSE flunkies that don't know what a Live CD is or what any other OS is even like.

Apple users will be liable because they don't run virus scan or spy ware scan ignoring the fact that those platforms are typically unaffected by the mess that Microsoft OS's have.

are the flunkies going to have the skills to determine if the PC was re imaged after the event? I highly doubt it because banks don't hire highly paid experts, they half ass everything at the lowest cost they can.

This "policy" will end up being half assed and ineffective at anything but pissing off customers.

Re:It's about time (1)

korekrash (853240) | more than 7 years ago | (#19692281)

Well, it didn't sound like they were asking more than an MCSE flunky could do....All they want to do is verify that all of the basic safety measures are there.....to make sure the user made a reasonable effort to protect themselves. I don't think they will require much more than entry level college grads....how hard is it to make sure a reputable AV scanner is installed and a firewall is in place? They didn't say they wouldn't cover fraudulent charges cuz you have a root kit installed that isn't detected by the AV, just that the AV was up to date enough to detect it if possible...

Re:It's about time (1)

Zebra_X (13249) | more than 7 years ago | (#19691413)

IMO it's about time ppl had to take responsibility for their system.

I agree - however, to mandate that an end user must be "inspected" and "certified" to transact with them is absurd. It's not like the bank comes to your house to ensure that your locks are up to their code, and they will keep people from entering and trying to steal your checks, or account information.

The bottom line is that the bank can't or won't spend the money to provide a reasonable level of security for their online bankers. It's not our problem that they can't figure out how to protect their web site from being used fraudulently.

Re:It's about time (1)

korekrash (853240) | more than 7 years ago | (#19692203)

It's not our problem that they can't figure out how to protect their web site from being used fraudulently.
The point here is that their web site IS safe...but the users system is not...with no access to your system how is their site going to determine the transaction is safe....It would be IMPOSSIBLE to make sure the transaction was indeed secure without your local PC being inspected.

Responsible? (0)

Anonymous Coward | more than 7 years ago | (#19691633)

IMO it's about time ppl had to take responsibility for what lengths other companies go to to shrug off responsibility. Why on earth should something like a bank work to protect your assets when they can take the cheap way out? I don't get to go to the bank and expect them to replace the cash I lost because someone impersonated me and opened a new card account / loan because the bank was too cheap to check if it actually was me.....This might be the push ppl need to get them to pay attention to how their banks give no shit about them whatsoever.....profit is here to stay....the "I don't understand why institutions that exist to protect my assets while profiting off them are doing this" excuse is really old.....just because you don't understand they don't give two shits about you doesn't mean you shouldn't trust them with your assets.....

Re:Responsible? (1)

korekrash (853240) | more than 7 years ago | (#19692387)

As with a reply I posted earlier....how are they going to "take responsibility" for someone else's actions and inactions? If YOUR system is insecure then YOUR system is insecure and not theirs. I get shit like this from users all the time. How am I supposed to protect you or your assets if you don't do the trivial things needed to protect yourself? Again...PERSONAL RESPONSIBILITY.....don't expect the bank to make sure you are protected against yourself....

Re:It's about time (1)

Megatronium (1074679) | more than 7 years ago | (#19692083)

just because you don't understand the way a locking mechanism in your door works doesn't mean you shouldn't fix it if it is broken

It's obvious when your door lock doesn't work because you turn the handle when it's "locked" and it opens. But for the average user, how obvious is it that your computer's not secure?

Re:It's about time (1)

korekrash (853240) | more than 7 years ago | (#19692461)

And it is just as obvious when Norton displays a bubble every time you log in saying "Norton Auto-Protect is not running!" and displays an X through the NAV icon by the clock and puts entries in the event logs. You could then call NAV support if you are too inexperienced to reinstall the software or troubleshoot the problem. A very similar situation exists when your virus patterns can't be updated. So, short of a Symantec, McAfee, etc. rep showing up at your house, they've done what they could to alert you. Also, MS has a little shield that started showing up with XP SP2 that tells you when your system isn't secure and even recommends a solution. You don't have to know how to rebuild an engine to know that the check engine light is on!!

LiveCD (2, Interesting)

kungfoofairy (992473) | more than 7 years ago | (#19691109)

So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?

Re:LiveCD (4, Funny)

WrongSizeGlass (838941) | more than 7 years ago | (#19691193)

So if I do internet browsing (online bank transactions included) using a LiveCD of BSD or GNU/Linux can I just send them a copy of the CD I use?
No ... who do you think they are, NetFlix? ;-)

Could be disastrous... (1)

cromar (1103585) | more than 7 years ago | (#19691111)

I hope the average computer user in NZ is smarter with computers than the average user in the US. Most of the (non-tech) people I know are mystified even by automatic OS updates.

Social Engineering (1)

slashwritr (1009921) | more than 7 years ago | (#19691135)

All the "protective software/systems" in the world won't protect users from their own stupidity. Yes, trust that e-mail from your bank asking for your SSN and password! You're running Windows Defender, so you're perfectly safe!

Gee Wally ... (4, Interesting)

WrongSizeGlass (838941) | more than 7 years ago | (#19691163)

a computer or device that does not have appropriate protective software and operating system installed and up to date
Who determines what an appropriate protective operating system is? Does that rule out XP SP1? (or Win2K. Win ME, Win 98, etc) Does lack of AV software on my Mac or Linux box define my computer as 'unprotected'? And does 'up to date' refer to the AV definitions, the OS patches or just the latest & greatest releases (such as Vista and/or IE 7)?

Re:Gee Wally ... (1)

internetcommie (945194) | more than 7 years ago | (#19691349)

Don't worry; the bankers don't know the answer to that either.

No, wait! That is exactly the reason we should worry!

Re:Gee Wally ... (0)

Anonymous Coward | more than 7 years ago | (#19691417)

My bank is still using windows 98, so I guess it's good enough.

Re:Gee Wally ... (1)

Silentknyght (1042778) | more than 7 years ago | (#19691719)

Who determines what an appropriate protective operating system is? Does that rule out XP SP1? (or Win2K, Win ME, Win 98, etc.) Does lack of AV software on my Mac or Linux box define my computer as 'unprotected'? And does 'up to date' refer to the AV definitions, the OS patches or just the latest & greatest releases (such as Vista and/or IE 7)?
Expounding upon this, what if you (gasp) don't use a firewall or anti-spyware software on your computer? The absence of any "security" software is NOT an indictment of a compromised system. What if you have it, but they're not able to detect it (perhaps Vista would throw up a security alert?). What if you have it but they'd never be able to know, such as if you build your own Linux router and the firewall is on the router, not on your computer?


This idea is foolish. As one poster put simply, if banks make it costly (in effort, time, or money) for me to use their online and therefore cost-saving method of banking, then I'll just go back to the local branch.

All about Trust. (4, Insightful)

Shambly (1075137) | more than 7 years ago | (#19691165)

I don't trust the banks to secure their data or use it in non-malicious ways. They don't trust me to be able to secure my computer properly. I also don't trust the connection between my computer and their servers to be completely secure. All of these have reasons not to trust each other since all of these have failed at some point or another. I think I'll stick to ATMs for my needs. At least if it fails it's their hardware that's getting blamed and not mine.

banks find secure connection (1)

192939495969798999 (58312) | more than 7 years ago | (#19691179)

the bank just wants to install a little program and ask for your various identification numbers, biometrics, etc. What could be dangerous about trafficking that information plus the apparent security info about your computer over the internet?

Re:banks find secure connection (1)

internetcommie (945194) | more than 7 years ago | (#19691505)

Apart from everything, you mean? Wouldn't matter to the bank though, if security was entirely the customer's responsibility.

Why not...; (1)

packetmon (977047) | more than 7 years ago | (#19691191)

Here is my hard drive-less Dull unInspiron running Knoppix

About damn time. (1)

wiredog (43288) | more than 7 years ago | (#19691205)

If more companies that consumers interact with begin to insist that the consumers use good security practices then the consumers will either do so, or get offline. Or pay through the nose, and then do so or get offline. Any one of which will, eventually, reduce the numbers of people susceptible to bots, trojans, and other malware.

Re:About damn time. (1)

neowolf (173735) | more than 7 years ago | (#19691395)

I know a lot of people are arguing against this, especially those concerned about things like what OSs and software would be acceptable and personal privacy. Those are very valid concerns, but I think this could be a good thing if done right.

It appears from the article that this would only come up if there was an incident (fraud case or theft) that warranted it. Frankly- there are WAY too many people using computers online that shouldn't be. I have seen too many computers with outdated or no anti-malware software installed, no firewall, and at least several months behind on security updates. These same people set up open WiFi hotspots in their homes and have never heard of a VPN. They also save all of their logins and passwords in their browser without any additional security, and are suckers for phishing scams.

I'll bet just about everyone on Slashdot knows at least one person like this. Why should a bank or any other online company have to pay for their stupidity or negligence? Granted- I'm sure they wouldn't pass on any savings to consumers, but we could always hope.

Re:About damn time. (1)

SwordsmanLuke (1083699) | more than 7 years ago | (#19691645)

Why should a bank or any other online company have to pay for their stupidity or negligence?
Why should people have to pay for their ignorance? My parents are both very bright, college educated people who get confused when I browse the net on their machine with Firefox instead of IE. I try to teach them, but the fact is, bright people don't necessarily understand computers. They're not stupid or even negligent. They run an anti-virus, but they don't understand why a "firewall" is something they need. (Try explaining packet filtering to someone whose understanding of the internet begins and ends with "double click the blue 'e'"!)


To use an ever-popular car analogy, should I be held negligent if someone steals my car and runs into someone with it? Sure, there were better door locks available for my car, but I'm not a mechanic and I don't know how to install them.


How much should the average person be required to know before they can go online? Should we start licensing people?

Because the payment (1)

wiredog (43288) | more than 7 years ago | (#19692311)

encourages them to become less ignorant. It's not that difficult to learn how to keep your security updated. If it is, pay someone else to do it for you.

sure thing (1)

hurfy (735314) | more than 7 years ago | (#19691241)

Just show me what security YOU run before I give you my money to take care of ;P

Catch-22... (2, Insightful)

GradiusCVK (1017360) | more than 7 years ago | (#19691245)

Is it just me or does it seem like the only correct answer to the bank's request would be, "I'm sorry, I am so security conscious that I simply cannot allow you to access my computer"?

Re:Catch-22... (1)

kiwimate (458274) | more than 7 years ago | (#19691711)

Is it just me or does it seem like the only correct answer to the bank's request would be, "I'm sorry, I am so security conscious that I simply cannot allow you to access my computer"?

In which case -- says the article -- they may refuse your claim.

If I was subject to this... (3, Interesting)

JesseL (107722) | more than 7 years ago | (#19691257)

I'd probably just set up a sandbox in VMware or something similar, to do all my online banking.

Re:If I was subject to this... (1)

graphicartist82 (462767) | more than 7 years ago | (#19692073)

How can you make the case that your guest OS is secure if the host is found to be insecure?

Re:If I was subject to this... (1)

JesseL (107722) | more than 7 years ago | (#19692515)

Who's gonna find anything about the host? That's the whole point. Let them see what I want them to see, satisfy them that everything is A-OK, and keep the rest of the box free from their snooping.

They want to "know if it's secure", huh? Well... (4, Insightful)

The_REAL_DZA (731082) | more than 7 years ago | (#19691261)

...if they can access it, it ain't secure. 'nuff said.

First WOW now the Banks? (0)

Anonymous Coward | more than 7 years ago | (#19691271)

Hey if world of warcraft can get away with it, it was just a matter of time before everyone starts using the approach.

uptodate is perfectly cromulent (1)

XaXXon (202882) | more than 7 years ago | (#19691273)

When did 'uptodate' become a word?

Oh that's right. It's not. Try 'up-to-date'.

It's like 5:30am in the morning here atm (1)

bunbuntheminilop (935594) | more than 7 years ago | (#19691289)

Why post stories on us when we're all asleep?

On topic, most of the banks here are Australian owned, so I don't think many people cared if they lost a little bit of money. In any case, I'm all for some small advantage if I can show that I keep up-to-date antivirus software on my computer.

My bank has just released a system [nbnz.co.nz] where I can add an extra authentication using my mobile phone, so I can make online transactions of up to $10,000.

so... (1)

cosmocain (1060326) | more than 7 years ago | (#19691325)

...how often will they do the check? Will they visit me at home unheralded? Or how do they actually want to determine that I just use THAT special computer? Honestly, besides any privacy matters, it's just leaving me with a stupid grin on my face. This is more like a sort of PR stunt gone miserably wrong.

From the ultra paranoid department... (1)

McNihil (612243) | more than 7 years ago | (#19691333)

What about those users that have a transient vmware instance of an OS that only does one banking session at a time and get "shred -v -n 25 -z -u" 'ed?

Who Decides what is 'Appropriate Software'? (1)

CodeBuster (516420) | more than 7 years ago | (#19691347)

Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have 'used a computer or device that does not have appropriate protective software and operating system installed.'

What is and is not appropriate, and who decides that? If it is the banks then you can bet that Linux and FOSS will probably not be on the pre-approved list and will require substantial hassles to be approved by the bank. Perhaps they intend to run ActiveX controls on their sites to run and enforce these checks? How long until we see a "Banking Designed for Windows" or "Certified Banking for Windows" logo campaign complete with FUD marketing issuing warnings and alerts concerning "risky" open source or free products?

Re:Who Decides what is 'Appropriate Software'? (0)

Anonymous Coward | more than 7 years ago | (#19691819)

We already have that.

It's called "South Korea".

The phishing scam (4, Funny)

mh1997 (1065630) | more than 7 years ago | (#19691355)

Helo,

I am frum the National Bank of Nijeria, after providing your name, social security number, bank acount number, and routin information, pleaze instal the attached file so that we may check your securitee settings. Pleaze disreagard all mispelings an gramer mistakes in this email, we were forced to outsource securty email to another countries to save you money and provide the best service that you are familar with us.

In Soviet Russia ... (1)

SplatMan_DK (1035528) | more than 7 years ago | (#19691597)

In Soviet Russia, internet banking systems intrude on YOUR privacy.

Oh ... wait a minute ...

Burden of proof? (1)

gregor-e (136142) | more than 7 years ago | (#19691399)

To be safe, the bank would have to require that you be able to prove that you have all the latest security add-ons and proper configuration, and that you have maintained these without a break, on every computer you've used to access their website (including, presumably, computers at work, school, your public library, etc). If their user agreement places that burden of proof on the user, then the bank will probably end up washing their hands of every fraud case. Of course, most consumers just skip the fine print and will only become aware of this requirement once they have no recourse for having been defrauded.

My antivirus software (1)

fluch (126140) | more than 7 years ago | (#19691471)

From /usr/local/bin/virus_scan:

#!/bin/sh
# Always reports a clean system; the "scan" does nothing at all.
echo "Scanning for viruses..."
echo "No viruses found! Congrats, you are save! :-)"
exit 0

Thus I can prove that I am safe and not liable. :)

Re:My antivirus software (1)

PitaBred (632671) | more than 7 years ago | (#19692327)

I am "save"? Jesus, is that you Lord? Just learning English since Hebrew has gone outta style?
 
;) Sorry, I just had to... and I don't even believe in jeebus

Reverse the argument. (4, Interesting)

fishthegeek (943099) | more than 7 years ago | (#19691473)

Okay. Let's assume that the banks are somewhat justified in asking for the right to inspect a user's PC. If I were in New Zealand I would be petitioning my lawmakers for the right to sue for damages beyond actual loss when, by reason of lack of security, personal information is compromised and theft is the result.

A quick search on Google resulted in a large list of banks that have lost information or had fraud that was the result of a security breach. My personal favorite from the list was this little gem from none other than the Bank of New Zealand. Apparently thieves outfitted a few ATMs with skimming devices and harvested the account & PIN information from the bank's customers' cards. The bank is responsible for the security of those ATMs and should be held accountable for more than just the theft of cash.

http://www.finextra.com/fullstory.asp?id=15177

When banks take fraud seriously enough to protect themselves and their devices then I might take their position a little more seriously.

Use Quicken, no protection (1)

russotto (537200) | more than 7 years ago | (#19691487)

Looks like if you use the Quicken PIN-vault feature, or Apple's Keychain, or any other method (including paper) for retaining the PIN and password, the bank can tell you it's your fault. Nice. So you've got to remember all those secure passwords yourself. (if you use an insecure password, you're liable).

Under the rules they're setting up, the only reasonable thing to do is go back to using tellers.

Let me see if I get this straight... (0)

Anonymous Coward | more than 7 years ago | (#19691499)

...they want to put spyware on our computer... so they can see.. if we have spyware on our computers.

Anyone else see something funny here?

coming soon to a bank in your neighborhood (1)

Corson (746347) | more than 7 years ago | (#19691509)

it sounds reasonable to me.

I understand their dilemma (1)

JoeCommodore (567479) | more than 7 years ago | (#19691525)

But this is surely the wrong approach.

I can imagine:

- The IT guys at the banks are probably going to define some thin definition of security (as another /.er said, it probably will also center around being Windows-only), which will be to the joy of one security company and result in legal action from a bunch of others.

- The bank will still have breaches as they find that the security measures for that circumstance may work, but when connected wirelessly or at a hotel room, not to mention advances in virtualization, etc., it then becomes a completely different matter, and then they have to add more rules and regs, etc.

Can I offer a near-perfect solution? Yes: no on-line banking from anything not owned and maintained 100% by the bank (which includes the wires connecting the system, and where the remote units are housed).

A quiet evening at the Petersons ... (0, Troll)

SplatMan_DK (1035528) | more than 7 years ago | (#19691527)

In A.D. 2007, internet fraud was beginning.

(or: a quiet evening at the Petersons)

Mom: What happen ?
Dad: Someone set up us the malware.
Son: We get signal.
Mom: What !
Son: Main screen turn on.
Mom: It's you !!

BANK: How are you gentlemen !!
BANK: All your PC clients are belong to us.
BANK: You are on the way to destruction.

Mom: What you say !!

BANK: You have no chance to survive make your time.
BANK: Ha Ha Ha Ha ....

Son: Mom !!
Mom: Take off every 'Internet banking app.' !!
Mom: You know what you doing.
Mom: Remove 'Internet banking app.'.
Mom: For great justice.

Central Bank of New Zealand (4, Funny)

Timesprout (579035) | more than 7 years ago | (#19691535)

We are glad to see such wide coverage of our new security measures. We at Central Bank are totally focused on giving our users the most secure online banking experience possible. To that end, and to help speed up the implementation of our new security measures, could all Slashdot readers resident in New Zealand please respond to this post citing

(i) Full name, DOB and Address
(ii) Account number
(iii) Internet banking login name and password
(iv) Credit card number, expiry date and security code
(v) IP address and machine user name and password

Thank you for your assistance in this matter and we will report the security status of your machine to you as quickly as possible. If you feel uncomfortable entering this information you can always download our helper program (RapeMyAccountLikeItsaSheep.exe) from our website [pleasetakeallmymoney.com].

Central Bank
New Zealand

By Clicking On This Link: (0)

Anonymous Coward | more than 7 years ago | (#19691551)

You agree to pay the poster [whitehouse.org] the sum of U.S. $100,000,000,000.00. Please call 41. I'm too busy getting ready for my Paraguay flight.

I need some quick cash to explain the Iraq deficiencies although most of the U.S. population is brain-dead about the vast sums we've kickbacked to ourselves.

Insincerely as usual,
W.

Retarded idea - NOT security (1)

gnuman99 (746007) | more than 7 years ago | (#19691593)

This is just an attempt to deflect blame from themselves to the user. When your account gets defrauded, they *will* find something on your computer that does not add up and indicate that they are not liable. Then what do you do? Sue?

The only real security alternative to this is to distribute hardware security devices that generate a password every 60 seconds or so. Then to sign in, you'd have to provide your username, password and the hardware security device generated number. Then even if your box is 0wned, your money is quite safe.

The bank could then report any failed accesses. They could also block your account if either of the above is not entered correctly more than 3 times in a row, or something like that.

But that would be security. What they are proposing is just an ability to deflect blame for stolen capital from them to you.
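The login scheme gnuman99 sketches (username, password, and a token code that rotates every 60 seconds, with the account blocked after three consecutive failures), as an added example that is not part of the thread. The code derivation (HMAC-SHA1 over a 60-second time counter, truncated to six digits) and the constructed seed and timestamps are assumptions made here, not any vendor's token algorithm.

```python
"""Added example, not from the Slashdot thread: a server-side sketch of a
time-based token login with a three-strikes lockout."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60          # the token shows a new code once a minute
CODE_DIGITS = 6
MAX_FAILURES = 3           # block the account after this many in a row
WINDOW = 1                 # tolerate one step of clock drift either way


def token_code(secret: bytes, now: int) -> str:
    """Code the token would display at Unix time `now` (assumed algorithm:
    HMAC-SHA1 over the 60-second counter, dynamically truncated)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Account:
    def __init__(self, username: str, password: str, token_secret: bytes):
        self.username = username
        self._salt = os.urandom(16)
        self._password_hash = self._hash(password)
        self._token_secret = token_secret      # shared with the hardware token
        self.failures = 0                      # consecutive failed logins
        self.blocked = False
        self.audit = []                        # failed attempts to report back

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _code_ok(self, code: str, now: int) -> bool:
        # Accept the current step and one step either side, compared in constant time.
        return any(
            hmac.compare_digest(code.encode(), token_code(self._token_secret, t).encode())
            for t in (now + d * STEP_SECONDS for d in range(-WINDOW, WINDOW + 1))
        )

    def login(self, password: str, code: str, now: int) -> bool:
        if self.blocked:
            self.audit.append((now, "attempt on blocked account"))
            return False
        pw_ok = hmac.compare_digest(self._hash(password), self._password_hash)
        if pw_ok and self._code_ok(code, now):
            self.failures = 0
            return True
        self.failures += 1
        self.audit.append((now, "bad password" if not pw_ok else "bad or stale code"))
        if self.failures >= MAX_FAILURES:
            self.blocked = True                # three in a row: lock it
        return False


def replay_after_expiry() -> bool:
    """A password and code captured at one time and replayed two minutes later
    do not log in: the code has rotated. Constructed seed and timestamp."""
    secret, t = b"constructed-seed", 1_700_000_000
    acct = Account("alice", "correct horse", secret)
    captured_code = token_code(secret, t)
    return acct.login("correct horse", captured_code, t + 2 * STEP_SECONDS)


if __name__ == "__main__":
    print("replay succeeded:", replay_after_expiry())   # False
```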

End of e-commerce? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#19691713)

This is an interesting position for several reasons:

1) It is the clearest admission that even banks cannot completely defend their own infrastructure, even on their own network, infrastructure and application environment.

It really puts a huge question mark on the viability of e-commerce in the future, especially at a time, when banks are pushing even to banking over cellphones.

2) The natural reaction from a user point of view is that if banks, with huge financial, technical, human resources are unable to provide 100% protection, how are individual computer users, customers supposed to be able to do it in a much less controlled home environment? How realistic is the expectation for home users to match up with banks?

3) Even if a home user is using a firewall, applies updates, etc., it's well documented that all the security products have security flaws from time to time. Even giants like Microsoft can't patch security holes immediately; it's common knowledge how security flaws were not fixed for a long time, even when Microsoft knew about them.
This begs the question: will Microsoft - and all other companies whose products are in any way within the chain of e-commerce - be legislated to provide fixes within a limited, short time frame, or else... ?

4) If banks have the right to pass their liability on to their clients, there is no reason why users should not be able to pass it further down to ISPs, networking devices, PC hardware, software manufacturers.

5) What if the transaction was done using a corporate PC? It will be interesting to see, how all those players will try to push the liability on each other.

6) Are we going to see a new breed of products: the "e-commerce certified" PC?
Will all "non-certified" PCs eventually be barred from online banking and e-commerce?

Is this going to be the end of e-commerce? Will banks be the driving force to bankrupt Microsoft and other tech companies?

suggestions to banks (3, Insightful)

fred fleenblat (463628) | more than 7 years ago | (#19691727)

I'd like to see some additional on-line banking security in these areas:

1. 100% first-class support for Macs, Linux, Solaris, Firefox, Opera, etc. Any environment that is less targeted than Windows+IE should be encouraged by the banks as a way to reduce fraud.

2. Start issuing SecurID tokens (or similar) to bank customers. This would take care of the simpler keyloggers and phishing attacks.

3. Pay attention to the IP addresses. Compare them to known bot-infested netblocks. Track the IPs that a particular customer uses and flag it when it's not from their home ISP or employer's HTTP proxy.

4. Don't allow wire-transfers or on-line bill pay of large amounts to arbitrary parties via the web banking interface.

5. Look for *patterns*. Change of address followed by any kind of withdrawal or request for a card or checks. Transactions from different people's accounts sending money to the same or similar destination. Hire some game AI dude or data mining people to proactively look for fraud in real time instead of waiting for customers to report missing funds.

6. Criminally investigate fraud. Don't just push the problem back on the customer or write it off as a business expense, actually go out and prosecute the people committing the fraud. Hire the RIAA's legal staff and put them to good use.

7. Implement an undo. On-line transactions should only be allowed to/from banks and financial institutions that pledge to reverse any disputed transaction (instantly) and assist in investigating those who would have benefited from it.

Just my thoughts.
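Points 3 and 5 of the list above, run over constructed sample events, as an added example that is not part of the thread: a login from outside a customer's usual netblocks or inside a block the bank lists as bot-infested is flagged, as is a withdrawal or card request shortly after a change of address, or several accounts paying the same destination. The netblocks, customers, destinations and thresholds are all made up for the example.

```python
"""Added example, not from the thread: rule checks for suggestions 3 and 5."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed: netblocks the bank treats as bot-infested (documentation ranges, not real data).
BOT_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: where each customer normally logs in from (home ISP, employer proxy).
USUAL_NETBLOCKS = {
    "alice": [ipaddress.ip_network("198.51.100.0/24")],
    "bob": [ipaddress.ip_network("192.0.2.0/24")],
    "carol": [ipaddress.ip_network("192.0.2.0/24")],
}

ADDRESS_CHANGE_WINDOW = timedelta(days=7)     # assumed threshold
SHARED_DESTINATION_MIN_ACCOUNTS = 2           # assumed threshold
MONEY_OUT = ("withdrawal", "card_request", "cheque_request")


def check_login(customer: str, ip: str):
    """Suggestion 3: return an alert string, or None if the login looks normal."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BOT_NETBLOCKS):
        return f"{customer}: login from bot-infested netblock {ip}"
    if not any(addr in net for net in USUAL_NETBLOCKS.get(customer, [])):
        return f"{customer}: login from unusual address {ip}"
    return None


def check_patterns(events):
    """Suggestion 5 over event dicts with keys time, customer, kind (and `to`
    for payments). Events are processed in time order."""
    alerts = []
    last_address_change = {}            # customer -> time of last change
    payers = defaultdict(set)           # destination -> customers paying it
    for ev in sorted(events, key=lambda e: e["time"]):
        cust, kind = ev["customer"], ev["kind"]
        if kind == "address_change":
            last_address_change[cust] = ev["time"]
        elif kind in MONEY_OUT:
            changed = last_address_change.get(cust)
            if changed is not None and ev["time"] - changed <= ADDRESS_CHANGE_WINDOW:
                alerts.append(f"{cust}: {kind} {ev['time'] - changed} after address change")
        elif kind == "payment":
            payers[ev["to"]].add(cust)
            # fire once, when the destination first reaches the threshold
            if len(payers[ev["to"]]) == SHARED_DESTINATION_MIN_ACCOUNTS:
                alerts.append(f"{len(payers[ev['to']])} accounts paying {ev['to']}")
    return alerts


def sample_events():
    """Constructed event stream: two things worth an alert, two that are not."""
    t0 = datetime(2007, 6, 28, 9, 0)
    return [
        {"time": t0, "customer": "alice", "kind": "address_change"},
        {"time": t0, "customer": "bob", "kind": "address_change"},
        {"time": t0 + timedelta(days=1), "customer": "bob", "kind": "payment", "to": "mule-account-42"},
        {"time": t0 + timedelta(days=1, hours=1), "customer": "carol", "kind": "payment", "to": "mule-account-42"},
        {"time": t0 + timedelta(days=2), "customer": "alice", "kind": "withdrawal"},
        {"time": t0 + timedelta(days=3), "customer": "alice", "kind": "payment", "to": "power-company"},
        {"time": t0 + timedelta(days=20), "customer": "bob", "kind": "card_request"},  # outside window
    ]


if __name__ == "__main__":
    for cust, ip in [("alice", "198.51.100.7"), ("alice", "192.0.2.9"), ("bob", "203.0.113.5")]:
        print(check_login(cust, ip))
    for alert in check_patterns(sample_events()):
        print(alert)
```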

My bank is incompetent (4, Interesting)

cdn-programmer (468978) | more than 7 years ago | (#19691779)

The problem with this idea is that, as my bank demonstrates, they are incompetent. Mind you, the vast majority of people have practically no clue whatsoever about security and hence the bank does need to do something to protect itself. At present they have a HUGE liability and this is illustrated by the fact that there are keystroke loggers and viruses residing in at least 1/3 of PCs at one time or another.

Now here is a for instance to illustrate the outright incompetence of my bank's tech support people:

One of their servers was misconfigured and reported a file not found error. Of course - they sent it to me. The message contained the IP address and the apache version number. Sooo... I know what internal addresses they are using and what version of the webserver daemon. No big deal.

But why do they send their error messages to the client? Am I supposed to debug it for them? I guess the short answer might be "yes" because I - along with a number of other programmers - might be working in the Apache source code, so potentially we do debug their systems. But this was just a misconfiguration.

So I was nice enough to call their tech support and advise them of the problem. The tech support person insisted I re-boot my computer! Not only this she would NOT pass on my error report to the department which handles their servers. When I demanded to speak with her supervisor I found the supervisor also stonewalled me. So I flatly told her that she is incompetent and as such should not be making decisions about things she knows nothing about. Since she would not pass the error report to the people responsible for dealing with it - she made the decision that it isn't necessary for them to know one of their servers was misconfigured.

So this is what you get. Banks are large bureaucratic organisations filled with incompetent people who like to sweep things under the rug and are too stupid to either think outside of the box or pass even a trouble report over to someone who might be responsible for dealing with it.

Why would we want people like this to run code in our computers? Why would we want to be held responsible for their errors - which will happen under the New Zealand system?

This reminds me when I wanted to set up an e-commerce system. The bank at the time was in bed with a company out of India. They wanted the root password for my servers. I said No.

Why should I hand over the root password to a group of unknown people in India? If something happens, have I any recourse against them? Of course not. Sue in an Indian court? Bullshit! We all know that would go nowhere and be bloody awful expensive, and even if we did win, India has laws which prevent money leaving their country. You can pay money to Indian citizens after you go to great trouble - but just forget the idea of taking money out of the country.

So it's triply a poor idea to hand over a root password to a company in a foreign country! Of course I advised the bank that their e-commerce terms were totally unacceptable.

Guess what? The company they dealt with in India was bankrupt within a year. It truly was fly-by-night.

This is what you get from large bureaucratic organisations filled with incompetent people: you get really dumb ideas hatched.

Richard Feynman writes in one of his books about the incompetence of the military with regard to the Manhattan project at Los Alamos. Back then they had a hole in the fence. They had guards stationed at the main entrance and made everyone sign in and out. But they didn't fix the hole in the fence and didn't station guards there either. So Feynman took great joy for a while by entering through the main gate and signing in - then exiting via the hole and signing in again. This did not trigger a red light in the guard's mind. Neither did me telling the tech support person at my bank that one or more of their servers was misconfigured and was bitching about it.

The short of it is that the banks really do have a problem and the way they handle things they are probably some of the worst people to address their problems. In part - this is why the banks have a serious problem.

Security of user systems for home banking (1)

secPM_MS (1081961) | more than 7 years ago | (#19692375)

Neither the Internet (Peter G. Neumann, Practical Architectures for Survivable Systems and Networks, 63-66 (2000), at http://www.csl.sri.com/~neumann/arl-one.pdf [sri.com]) nor the PC were designed to provide trustworthy critical services. The Internet model was designed to be robust against significant physical destruction of communications links and nodes. The PC started as a personal hobbyist device and migrated to more general usages. The UNIX systems started from timesharing and migrated both up and down. No system, unless it is properly installed, managed, and controlled, has any hope of being trustworthy. This includes Windows, *nix, and *BSD based systems. Properly handled, these systems can be quite secure.

The Web 2 model of browser-based scripting and interactivity has made the overall security model exceptionally difficult. It is too hard to develop secure web sites without XSS or XRF vulns, and it is too easy to use human engineering to overcome technical defenses on the end user platform -- "install this update for improved security", etc. I am highly dubious that general consumer devices are adequate for usage for arbitrary financial transactions -- features sell and what you need is assurance.

Payment of bills to known organizations / vendors can be done with reasonable risk from a home system. Monitoring accounts can be done as well. I do not believe that home systems have the necessary assurance for stock trading or similar operations without use of adjunct trusted devices to validate specific transactions as screen displays and keyboard interactions can be modified by malware.

I have a security professional friend who is now making a living as a trader. She uses locked down Windows PCs for her trading and does nothing else from them. She keeps them updated, but uses a different system for her browsing, e-mail, and general web activities. When doing security critical operations, harden the system, minimize the system functionality, and do nothing else but those operations from the system -- rather similar to a domain admin who uses a dedicated machine for their administrative tasks.

This is not what users want to believe. Sorry.

As for me, I do not do general financial operations over the web at all. I do not use ATM / debit cards. I do my selected purchases via credit card from trusted retailers from my notebook, which is running a beta of LongHorn server with me running as a normal user, not as a member of the administrators group. No one else has an account on the notebook and I don't install or run snap-ins or apps without careful consideration. My family uses the desktops, which are relatively untrusted.

Banks don't give a f**k about security (2, Insightful)

Alain Williams (2972) | more than 7 years ago | (#19692381)

At least twice this year I have had someone from the bank 'phone me up out of the blue, say that they are from Nat West Bank and that they need to talk to me about something ... but first would I prove who I was by answering some questions.

My reply: certainly, but they must prove who they are first.

Oh, no - that is not the way that they do things, I must prove who I am first -- by answering exactly the same security questions that someone phishing would want to know. Needless to say: I refused.

I then took this as a complaint to the bank chairman - and have received platitudes as to how they take security seriously, burble, burble, ... I'm not going to let this go: I shall chase them. I should be OK since I won't give the information out, but many people will do so.

Banks are crap.
