
UK Banking Law Blames Customers For Insecure OS

Zonk posted more than 6 years ago | from the laws-with-no-cause dept.

Security 430

twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?


Oh no you didn't! (0, Flamebait)

symbolset (646467) | more than 6 years ago | (#22981158)

This should be fun.

Scare tactics (4, Informative)

plover (150551) | more than 6 years ago | (#22981212)

Let's see, just exactly WHO should be responsible for the banks' security? Some random customer who is using them, or a staff of professionals whose entire industry is founded on the protection of money belonging to random customers? Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

But I think there's an ulterior motive here. As a part of Chip-and-PIN, the UK is testing a brilliant two-factor authentication system this year for cards that will cryptographically render browser, PC, and merchant security moot. It's possible this is being used as a "warning shot" to frighten consumers into picking up the tab for the high cost (approximately $70) of the handheld security module.

They have the technology to keep it safe now. I think they're just too cheap to fund it themselves. (And I really wish we'd start seeing that kind of security technology available here in America. I'd switch banks and pay the $70 myself in a heartbeat.)

Re:Scare tactics (3, Informative)

aedan (196243) | more than 6 years ago | (#22981314)

Do you mean the things which look like pocket calculators and your card slides into the top? We have a couple of them already but the bank hasn't asked us to use them yet. They didn't charge for them.

Re:Scare tactics (5, Informative)

plover (150551) | more than 6 years ago | (#22981502)

Yes, those are the devices.

What they do is move all the encryption to a "trusted platform" -- the device itself. You enter your card and your PIN into the handheld, and it's their own crypto hardware using their own crypto algorithm to generate a one-time-use PIN for you to enter into the merchant's PIN pad or into a web site.

This turns your card into a pure identification token, and turns your PIN into a secure authentication token. Without both tokens, the bank refuses to part with your money. You can enter this into a sleazy internet cafe's browser. It doesn't matter if that transaction's data is stolen or not, because the bank won't authorize your one-time PIN for a second transaction.

What makes these a great solution is not just their security, but that they're backward compatible with current PIN pad technology. The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN. The bank takes care of that.

There's an even more secure variant that ABN-AMRO has deployed for web banking transactions. You enter the amount of the transaction into the handheld along with your PIN. That way, only the amount you authorize will be transferred, and the PIN is useless for any other amount.

(I'm basing my guess of $70 on the price of similar hardware offered by RSA with their SecurID scheme, but it's just a guess.)
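
The replay and amount-binding properties described in the comment above, as an added illustration that is not part of the original thread and not any bank's or vendor's code. It is a simplified HMAC-and-counter model in Python; the real readers rely on the smart card's own cryptography, which the thread does not detail. The class names, key, PIN and window size are all constructed assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 8   # length of the one-time code shown on the handheld (assumed)
WINDOW = 5   # unused counter values the bank will look ahead (assumed)


def _code(key: bytes, counter: int, amount_pence: int) -> str:
    """Truncate HMAC-SHA256(key, counter || amount) to a decimal code."""
    msg = struct.pack(">QQ", counter, amount_pence)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Card:
    """Card plus handheld reader: the PIN is checked locally and never leaves it."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self._counter = 0

    def one_time_code(self, pin: str, amount_pence: int = 0) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        self._counter += 1  # every code consumes a fresh counter value
        return _code(self._key, self._counter, amount_pence)


class Bank:
    """Issuer side: shares the card key and remembers the last accepted counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def authorize(self, code: str, amount_pence: int = 0) -> bool:
        # Only counters strictly above the last accepted one are tried, so a
        # captured code is useless once it (or any later code) has been used.
        start = self._last_counter + 1
        for counter in range(start, start + WINDOW):
            expected = _code(self._key, counter, amount_pence)
            if hmac.compare_digest(expected, code):
                self._last_counter = counter
                return True
        return False


def demo() -> dict:
    key = bytes(range(32))  # constructed sample key
    card, bank = Card(key, "4929"), Bank(key)  # constructed sample PIN
    results = {}

    # Plain one-time code: accepted once, rejected when replayed.
    code = card.one_time_code("4929")
    results["first_use"] = bank.authorize(code)
    results["replay"] = bank.authorize(code)

    # Amount-bound variant: the code only authorizes the amount keyed in.
    bound = card.one_time_code("4929", amount_pence=2500)
    results["wrong_amount"] = bank.authorize(bound, amount_pence=250000)
    results["right_amount"] = bank.authorize(bound, amount_pence=2500)

    # Without the PIN the card produces nothing at all.
    try:
        card.one_time_code("0000")
        results["wrong_pin_rejected"] = False
    except PermissionError:
        results["wrong_pin_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is what lets a customer generate a code, not use it, and still have the next one accepted.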

Safety (0)

Anonymous Coward | more than 6 years ago | (#22981592)

Keeping uninvested money in a bank is supposed to be *safer* than keeping it in a mattress at home. If the digital age has changed that, then perhaps it is time to go back to keeping cash in a mattress?

Either way, if most of your money is in a bank (or a mattress) then you need to educate yourself on the basics of financial management. You will never get ahead if you don't know how to invest.

Re:Scare tactics (5, Informative)

CRCulver (715279) | more than 6 years ago | (#22981316)

Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

At least in Finland (and I imagine probably the other Nordic countries as well), you can use cash for a decreasing amount of payments. Nearly everyone who demands money of you wants you to pay by bank transfer, and if you don't use your free online banking and decide you want to hand cash to a teller, there's a 3 euro fee for the service. Nearly everyone who wants to pay you money will only deposit it directly into your bank account, there are no more cheques. I'm sure this will spread to other EU countries.

Re:Scare tactics (2, Interesting)

plover (150551) | more than 6 years ago | (#22981590)

Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount.

Of course, that's been tempered with the anti-money-laundering laws requiring identification for cash transactions exceeding $10 000. But still, if you owe $10, then the debtor must accept a $10 bill as payment in full.

Re:Scare tactics (5, Informative)

dissy (172727) | more than 6 years ago | (#22981680)

Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount.
http://www.treas.gov/education/faq/currency/legal-tender.shtml [treas.gov]

Q) I thought that United States currency was legal tender for all debts. Some businesses or governmental agencies say that they will only accept checks, money orders or credit cards as payment, and others will only accept currency notes in denominations of $20 or smaller. Isn't this illegal?

A) The pertinent portion of law that applies to your question is the Coinage Act of 1965, specifically Section 31 U.S.C. 5103, entitled "Legal tender," which states: "United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues."
This statute means that all United States money as identified above are a valid and legal offer of payment for debts when tendered to a creditor. There is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as for payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills. In addition, movie theaters, convenience stores and gas stations may refuse to accept large denomination currency (usually notes above $20) as a matter of policy.

Re:Scare tactics (4, Interesting)

The_Wilschon (782534) | more than 6 years ago | (#22981736)

There is a subtlety here that you may have missed. Cash is legal tender for all debts. So, if you have already incurred a debt, then your creditor must accept cash as payment. However, most transactions do not involve you incurring a debt. For instance, when you pay to get on the bus, you have not yet incurred a debt, whereas if you eat a meal in a restaurant, then by the time you get the check, you do owe a debt. So, the bus driver may refuse cash; the restaurateur may not.

Interestingly, according to wikipedia [wikipedia.org], the "legal tender" phrase was added because the government couldn't pay its debts with gold or silver, and nobody wanted paper money instead. The phrase was added to compel them to accept the paper money.

Re:Scare tactics (5, Insightful)

Wapiti-eater (759089) | more than 6 years ago | (#22981340)

"About damned time!", I say.

Banks are held accountable for THEIR systems.

Users should be accountable for THEIR systems as well.

Now, if the bank sold, loaned or leased to me a data terminal for accessing THEIR systems - sure, they'd be accountable for it. But since I'm using MY system, that I configured, operate and maintain - how on earth can the BANK be accountable for that?

For years now, geekly types have been crying about the vulnerability in the "popular products". Since that product held an effective monopoly on the market, consumers happily drank the only 'kool-aid' available.

Now that these same individuals that have been enjoying 'oblivious immunity' will have to pony up for the failures in their personally owned tools - they'll demand, and get, improvements.

It's only good for everyone.

Re:Scare tactics (5, Insightful)

Naughty Bob (1004174) | more than 6 years ago | (#22981556)

"About damned time!", I say.

Banks are held accountable for THEIR systems.
If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system.

I don't use my bank's internet-based facilities, because they don't support my (more secure) choice of software- bizarre...

Re:Scare tactics (3, Insightful)

SJS (1851) | more than 6 years ago | (#22981684)

If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system.

I agree. I disallow any client-side code to run in my browser, and that makes it difficult or impossible to use many financial websites (not because allowing it would be more secure, but because the developers of the website go out of their way to make it that way).

Responsibility needs to go hand-in-hand with the power to make a decision; if a bank requires particular combinations of software, or disallows my preferred security policies, then it's their decision, and should be their responsibility. If the bank merely recommends software, but doesn't seek to subvert my security policy, then yes, faults in my security policy are my own damn fault.

Re:Scare tactics (1)

Yetihehe (971185) | more than 6 years ago | (#22981754)

Why don't you switch banks? My bank's internet website works fine on almost all browsers (I wanted to try with links, but it doesn't support ssl, I think it would work tho). I also have one-time passwords sent to my cellphone (more useful than paper one-time pads).

Re:Scare tactics (2, Insightful)

buravirgil (137856) | more than 6 years ago | (#22981562)

I suppose your argument lies in the term "access" as when you sign on to the bank's servers, you have "entered" a bank and to what party a responsibility of security is assigned is the literal argument you so damn with time.

This very question has already been addressed by the Securities and Exchange Commission...
http://www.nytimes.com/2008/02/15/business/15norris.html?_r=1&oref=slogin
with a decision with which, I might infer from this quickly modded post, you profanely contend.

I would pose the question as to the greatest likelihood of fraud that might go undetected. A bank blaming an individual, of which there would be potentially hundreds of thousands to consider or an individual blaming a bank, fewer in number, properly regulated and inspected.

Moreover, given the advantage Gates' OS has maintained for decades and its nearly endemic nature of viral infection...pretty much anybody logging onto a bank's servers has a virus on it and all a bank need do is task the police to recover a computer, find a virus and claim the bank is not at fault.

So, the question becomes a chain of evidence and which route is of less resistance.

Re:Scare tactics (1)

Lobster Quadrille (965591) | more than 6 years ago | (#22981572)

Seconded. The banks need to be responsible for their own systems (I haven't been hugely impressed by that either), but they have NO responsibility to ensure that your access point is secure.

Re:Scare tactics (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22981586)

What worries me is that by the banks putting the onus on the end user they do not have to make their interfaces secure. Currently most banks only ask for certain parts of a password and ask to input using drop down boxes and buttons that require mouse clicks. This is a pretty good step towards foiling the key loggers. Without the pressure on the banks, will they continue to put resources into this sort of stuff? It won't be their fault any more.

Re:Scare tactics (0)

Anonymous Coward | more than 6 years ago | (#22981602)

It's a bank's burden to properly authenticate you. If they fail at it, it's their fault.

Re:Scare tactics (1)

turgid (580780) | more than 6 years ago | (#22981714)

They've changed that now. We have chip and PIN.

Re:Scare tactics (5, Insightful)

v1 (525388) | more than 6 years ago | (#22981688)

I'd mod you up but you're at +5 already so I'll just add my 2c to your comments. "About damned time!" Got that straight.

A coworker got his xbox-live account phished several weeks ago. Although he's having a really hard time getting his account recovered properly, he's fully accepted responsibility for what he did. I showed him an example phishing email I got and how it takes you to Chase Visa and you look in the url and it's some random IP in Russia. He had no idea to pay attention to that, but now he does.

And he 100% accepts responsibility for his actions. And that's how it should be. But there's not enough of that going around right now, too many people wanting to blame their own lack of education on the world. If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it.

That's why we have driver's licenses. I've seen the idea jokingly suggested from time to time that you should require a permit to get on the internet. And it's things like this that make me seriously wonder if they have something there. But then it's someone taking the responsibility away from you and accepting the burden themselves. They can be held accountable for giving you a permit if you don't know what you're doing. So you see, these types don't want to accept the responsibility for making sure they are educated, and they don't want to accept the responsibility for what happens to them as a result.

Can't have it both ways.

You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence.

Re:Scare tactics (5, Interesting)

TheRaven64 (641858) | more than 6 years ago | (#22981744)

And what happens if your bank is Egg (now owned by Citi Group) and tells you every time you log in that you should try the Egg Money Manager, which is only available as an ActiveX control? It's frustrating to keep telling users 'disable ActiveX' and have banks tell them to enable it (and use IE), and if they do then I think they ought to accept at least partial responsibility for the user's poor security.

Re:Scare tactics (4, Interesting)

Kristoph (242780) | more than 6 years ago | (#22981362)

The issue at hand is not the bank's security. It is the security of the consumer's account.

In any case, do you really want the bank to be responsible for the security of your system? Because, honestly, I REALLY DO NOT want the bank's 'staff of professionals' ensuring my security by requiring I install some type of custom 'security' software.

]{

Re:Scare tactics (1)

plover (150551) | more than 6 years ago | (#22981642)

It's not software at all. It's external hardware that the banks distribute. You enter your PIN into the trusted device, it sends that into your smart card for encryption, and it outputs a one-time-PIN for you to use for one transaction.

It doesn't matter where you use that PIN -- it's just a set of digits. You can enter it into the PIN pad at the grocery store, into a web site to transfer money, or into a PIN pad at Tony Soprano's bar, and nobody can do anything with it.

Now, if you use it to send money to an eBayer and he keeps the money but doesn't send you your stuff, well, that has nothing to do with trusting the banks and everything to do with trusting some random schmuck on the internet.

Re:Scare tactics (1)

Idiomatick (976696) | more than 6 years ago | (#22981414)

Uh, you are held responsible if you give your bank card and password to someone too. It is impossible, I repeat IMPOSSIBLE, for them to secure your computer from people reading your keystrokes. How AREN'T you responsible for it?

On the other hand I think banks should offer recovery services. But they should charge for them. AND the money should not be handed out to you. That would be like if I took money out of the bank and fucking lost it. It's not the bank's fault in even the slightest.

Re:Scare tactics (2, Insightful)

nurb432 (527695) | more than 6 years ago | (#22981420)

Depends on where the leak was.

Was it on the user's PC? Then I guess it's their fault technically. If it's in the bank's system, then the bank is on the hook.

Problem is that people really don't/can't understand the systems they are using as they are far too complex and to expect/demand them to keep them 'safe' is ludicrous. (Even "IT pros" can't always do it with the constant barrage of attacks on what are fundamentally flawed systems.)

However, the same logic goes for a car. It's far too complex for most people, but if their brakes go out or a wheel falls off and they cause a crash, it's their fault.

Re:Scare tactics (3, Insightful)

ergo98 (9391) | more than 6 years ago | (#22981440)

I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards

Banks are responsible for their own systems, and that is the full-time focus of those professionals. It is irrational, in my opinion, to expect them to take full culpability for the entire universe of client systems as well. Unless you're willing to accept a dictum that you must use BankOS running on BankHardware over the BankNet if you ever plan on accessing your money.

They have the technology to keep it safe now. I think they're just too cheap to fund it themselves.

When you make demands on business, in the end the person who ends up paying is you, not "them". Personally I'd rather not subsidize people who can't take even rudimentary responsibility over their own risk factors, though I would like to see a great use of two-factor authentication and the like, as you rightly heralded.

Re:Scare tactics (0)

Anonymous Coward | more than 6 years ago | (#22981476)

Actually the terminals are a pain in the ass.

If I don't have it with me, I can't even log into my bank account. Every so often it stops working, and for a day or two I am completely unable to access my money.

What galls me is that the terminals are inconveniencing me to solve the banks' problem - not mine. I'm already offered a cast-iron guarantee by the bank that if anyone hacks my bank account, the bank will cover it. Therefore this terminal covers their losses, not mine. These safeguards were introduced to encourage people to use online banking (which lowers banks' running costs, btw).

I'm leaving the bank (Barclays) that forces me to use this crap, and going to a decent bank that remembers that being able to access your money is as important as minimizing the banks' losses.

Twofo Goatse (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22981494)

Goatse. [twofo.co.uk] [goatse.ch]

You nerds love it.

Re:Scare tactics (3, Interesting)

MyForest (597329) | more than 6 years ago | (#22981588)

How ironic. I just switched from Barclays because they implemented this scheme. Note that Barclays give you everything you need for free.

You need a user id, password, your card and the PINSentry device to access the site. That's sort of OK when you're at home. It's not great when you leave your card in the reader and don't realize until the next day when you're in the shop. It's not great when you travel and you have a few different accounts set up. Although Mr G [mrg9999.com] overcame that, he wouldn't have his card to make payments with!

It's spectacularly bad when you have a Python script screen-scraping their site twice a day and you're running the transactions through your local "suspicious transactions" algorithm. I record the bulk of my future transactions, so it's easy for me to spot erroneous ones - heck, I even have a secure RSS feed for the transactions from my five accounts. There's no way to give my bank this payment information (yet) so their heuristics are running without the data that would really help them. I had a heart-to-heart with my Premier Account Manager at Barclays about this and his hands were tied - they just aren't advanced at all. If they want to keep the data in their closed world then they need to give me the tools in that world to manage my money (and yes, OpenPlan [barclays.co.uk] is a step in that direction - great if you only use Barclays I guess).

Chip and Pin design failure in the pos terminals (1)

sjwest (948274) | more than 6 years ago | (#22981598)

In England where cnp is 'working', what that means is that fraud has mostly moved abroad once the fraudsters have your details.

Generally I think Cambridge University has the scoop, which is that the chip and pin pos terminals don't encrypt data in the terminal and send it plaintext so it can easily be intercepted for making new cards, as they have the pin number well before signing the data to the 'bank'.

So the thieves have been hacking the chip and pin terminals, threatening retail staff (petrol stations and clothing outlets) and then cleaning people's accounts out.

Cnp works stopping idiots, but the thieves too have worked on cnp terminals and the game moves on. cnp terminals can be bought on ebay for hacking.

The banks and their trade body have yet to respond to the academics; it has been several months, but they are 'aware of the flaws'.

Re:Scare tactics (0)

Anonymous Coward | more than 6 years ago | (#22981670)

Whilst most banks insist that the only browser able to access their websites is INTERNET EXPLORER, then surely the banks should own some level of the responsibility.

I'd gladly junk this bloatware for another browser... except 2 of my bank / credit card sites won't honour anything other than IE.

IE (and windows) are highly exploitable, and no amount of anti-virus, anti-spyware, firewall can protect 100% against any threat.

In a way this is just belt tightening by the banks (owing to the current credit crunch, and lack of lending between banks that has ensued as part of the Mortgage fiasco in the USA). If they make end users liable, they don't lose money.

Even the new two-factor cards that are due out won't stop all issues as they still rely on IE.

You can bet the average on-line shop won't have facilities to use the new two-factor stuff. Thus you are still exposed.

Damned if you do... (5, Funny)

UbuntuDupe (970646) | more than 6 years ago | (#22981298)

So, to summarize:

bankers: "You better use a secure OS, or you'll be liable for any fraudulent transactions with your account."
customers: "Okay. What if we use Firefox on Linux?"
bankers: "That'll work."
customers: "Hey, we can't access your site using Firefox!"
bankers: [British equivalent of "hah! Sucks to be you!"]

Re:Damned if you do... (3, Insightful)

jonbryce (703250) | more than 6 years ago | (#22981436)

Are there any bank sites that don't work with Firefox on Linux these days? Even Natwest works now, and they are the most fussy about what browsers they allow.

Re:Damned if you do... (1)

Lobster Quadrille (965591) | more than 6 years ago | (#22981624)

Mine doesn't work, but it is complete shite.

I have to fire up opera and pretend to be MSIE to make anything happen.

I'm planning on changing banks soon. The final straw was when I showed them their publicly-accessible logs and a file upload vuln and they insisted that no such hole existed.

Re:Damned if you do... (1)

drsquare (530038) | more than 6 years ago | (#22981740)

Now? I've been banking online with Natwest using Firefox on Linux for years. In fact I haven't found a single banking site which has turned me down.

Re:Damned if you do... (1)

MyForest (597329) | more than 6 years ago | (#22981480)

Not really, I can confirm that Firefox on Linux works fine for Alliance and Leicester, Barclays and Halifax.

The banks are quite helpful in suggesting security products that will run on Linux too.

Re:Damned if you do... (1)

turgid (580780) | more than 6 years ago | (#22981584)

Add Royal Bank of Scotland to your list. They don't allow seamonkey, though.

Re:Damned if you do... (1)

fluffman86 (1006119) | more than 6 years ago | (#22981750)

You don't know how true this is. When I visit the Online Banking section of my local bank's website, using Firefox 2 or 3 in Ubuntu, I get an error saying that I need to upgrade to an up-to-date browser and Operating System, such as IE 6, Firefox 1.5, or Netscape in Windows, OR Safari 1.x, Netscape, or IE 5 on Mac. This is retarded, and I've contacted them several times about it. ...

Oh, wow! I just went to their website and it works now! Looks like they took out the stupid javascript that was checking the OS. Well, I guess the above isn't true anymore, but I'm sure some banks still check...

This just in (2)

Mordok-DestroyerOfWo (1000167) | more than 6 years ago | (#22981306)

The police department will not be held responsible for the robbery of any house not armed with bulletproof glass, anti-personnel mines, and a moat.

Re:This just in (0)

Anonymous Coward | more than 6 years ago | (#22981408)

Since when is the police department held responsible for burglaries?

Re:This just in (0)

Anonymous Coward | more than 6 years ago | (#22981468)

the police is not responsible if someone robs your house, you moron.
perhaps you should look up the word "responsible" in the dictionary

Holy crap. (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22981310)

Look, if an account compromise occurs as a result of a compromise on the bank's side (web server, backend network, etc), it's the bank's fault. If the compromise occurs because the user's login gets sent to some dude in Russia by a keysniffer running on the user's already compromised workstation, it's MOST DEFINITELY the user's fault. This isn't complicated. Wow.

this is scary (5, Insightful)

suck_burners_rice (1258684) | more than 6 years ago | (#22981318)

Suppose one is running a hardened version of OpenBSD on some PA-RISC machine. Suppose then that this person's bank account is drained out and that said draining has NOTHING to do with their computer or OS. Suppose it's drained by someone who prints checks with a random bank account number on them and it just so happens to be this OpenBSD user's bank account. Again, the theft has NOTHING to do with their computer, OS, computing practices, or hair color. What will happen? Will the bank file a discovery motion to check if the person has anti-virus software on their hardened machine? What? No anti-virus software? Never mind that there is no virus to check for. This is scary as it gives the bank a way to weasel out of its own responsibilities.

Re:this is scary (0)

Anonymous Coward | more than 6 years ago | (#22981370)

Or suppose he's running XP+SP2 with tons of malware. Now which case do you think is more likely?

You need a license for operating a fucking motor vehicle. You definitely should need one to operate a networked computer.

Re:this is scary (1)

The MAZZTer (911996) | more than 6 years ago | (#22981644)

He's not formulating a likely scenario, just a possible one. Yours would make it even easier for the bank, but even with his what he's saying is the bank can still claim it's the user's fault by using the letter of the law (no anti-virus software) rather than the spirit (secure computer). I wonder if the clamav package (on debian systems) would count as an "anti-virus software" even though, AFAIK, it only watches for POP3 activity and scans e-mails...

Re:this is scary (1)

kesuki (321456) | more than 6 years ago | (#22981416)

Well, if they'd just switch to using a hardened Linux configuration possibly on more standard hardware, rather than some obscure RISC chip (even Apple stopped using RISC)

well, they could download anti-virus software, straight from a repository. anti-spyware? switch to firefox http://nixory.sourceforge.net/ [sourceforge.net]

Linux comes with firewall support built-in but you can get GUI tools to make firewall management more usable. The question is since Linux (even a hardened system) should have an intrusion detection system, are they going to nail you if you use Linux and don't run an IDS?

Re:this is scary (1)

Junta (36770) | more than 6 years ago | (#22981686)

Sigh, RISC as a platform strategy is not dead. PA-RISC, yes, it was abandoned in favor of Itanium, but Power, SPARC, MIPS,and ARM continue. Apple is not *the* benchmark of relevant technology, despite what they would like everyone to believe. And if you do need Apple to use something to consider it relevant, look at Apple's ARM platform iPods and iPhone.

And, more to the point, there is no relevance to security in talking about PA-RISC, or any instruction set at all. Once you hop OS, you no longer readily run Windows-compiled code anyway. Malware is just as likely to call upon a scripting interpreter as being compiled (in this day and age, most take advantage of scripting features of browsers or some other facility anyway).

In terms of Linux v. OpenBSD on the antivirus front, it doesn't really matter. The same antivirus my company forces upon my linux workstation is available for OpenBSD as well:
http://www.f-prot.com/news/gen_news/080225_bsdrelease.html [f-prot.com]

I'm a linux user for various reasons, but claiming that a linux platform is better than OpenBSD for complying with both the spirit and letter of this policy is silly. Both platforms have the tools that fit the description, and OpenBSD is far less likely from a philosophical perspective to give up security for convenience. Many Linux distros will embrace a new strategy before the security implications are thoroughly worked out for the sake of a feature, while OpenBSD will wait. Though not popular anymore, I remember when a handful of linux distributions had only the 'root' login, because they thought it was easy and didn't want to burden users with privilege escalation, as an example.

In any event, if the nature of the breach is obviously in no way related to compromising a computer system and rather is a more traditional way, then I doubt the bank would try to make a claim of relevance.

Re:this is scary (2, Insightful)

jez9999 (618189) | more than 6 years ago | (#22981464)

Suppose it's drained by someone who prints checks with a random bank account number on them and it just so happens to be this OpenBSD user's bank account.

Just in case anyone was taking this seriously, this scenario just ain't gonna happen.

To login to my bank account online, I need the online account's ID, my PIN, and my secret word. In addition, I also now need my physical debit card, a card reader, and to enter my PIN in the reader and get back a code to enter for login. Not much chance of someone randomly getting in by guessing all those.

Re:this is scary (1)

Lobster Quadrille (965591) | more than 6 years ago | (#22981654)

On mine, it just takes a username and password, which get submitted in plaintext if you have javascript disabled.

Not all banks are created equal.

Re:this is scary (1)

jez9999 (618189) | more than 6 years ago | (#22981752)

What bank is this? I'd like to know to avoid it. :-)

Re:this is scary (1)

42forty-two42 (532340) | more than 6 years ago | (#22981722)

Fortunately, checks don't ask for any of those.

Humourous call (5, Funny)

sjwest (948274) | more than 6 years ago | (#22981486)

client rings up the bank, 'I have been stolen from',
bank rep asks: what's your operating system:
client says: mac osx
rep says: I'm sorry sir that means you're liable for the losses
client asks: why
rep says: you don't run norton antivirus, only norton antivirus protected computers are safe. Thank you for banking with us, can I help you with anything else?

Banks hate responsibility (4, Interesting)

plopez (54068) | more than 6 years ago | (#22981320)

In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severely restrict their liability.

If there is a lawyer in the house can they confirm this?

Not sure what the state of the laws are elsewhere, but knowing what a bunch of whining snivelers the banking industry is it's probably the same. The bank is always right and the depositors and the taxpayer pick up the bill.

Re:Banks hate responsibility (5, Informative)

Nolde Huruska (1034512) | more than 6 years ago | (#22981610)

In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severely restrict their liability.

The policy was actually started by Hugh McCulloch, who was U.S. Treasury Secretary, serving under three presidents starting with Abraham Lincoln. Before he was Treasury Secretary he was the first Comptroller of the Currency; in that position he declared his famous dictum "In case of a dispute, favor the bank." He became revered by bankers and after his death they commemorated him by putting him on the Series 1902 $20 National Bank Note. His policy has remained pretty much in force ever since.

Same here in Poland (3, Insightful)

hubert.lepicki (1119397) | more than 6 years ago | (#22981322)

I just saw on the news the same thing about our Polish banks. And to be honest, I can't see any way security can be made when using compromised operating systems on clients' accounts. Even USB tokens are not enough when someone other than you controls your PC.

ummm ... it's not the consumers property (5, Interesting)

Kristoph (242780) | more than 6 years ago | (#22981330)

Should end users be ultimately responsible for the state of their systems?

The Microsoft Windows OS is not the property of the consumer using it. It is the property of Microsoft used under a license from Microsoft. If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

]{

Re:ummm ... it's not the consumers property (0)

Anonymous Coward | more than 6 years ago | (#22981396)

I like this - and oh so true - good point!!

In any other industry, manufacturers are held accountable for the weaknesses, failures or defects of their products - why not software?

Re:ummm ... it's not the consumers property (3, Funny)

MikeURL (890801) | more than 6 years ago | (#22981564)

Before we jump up on both feet and applaud we should bear in mind how MS would likely deal with this responsibility if it fell on them. For starters, they would implement a trusted computing model that would make DRM and WGA look like FOSS by comparison (probably something along the lines of being a node on a corporate network). They'd likely also shut down support for any software other than their most current offerings.

"3rd party software?" you ask. Aren't you cute! Well yes it would probably exist but it would all have to be Microsoft Certified and probably just about everything would move to a yearly subscription model.

I know some will say "well great! That would force people to choose Linux". Maybe. But more likely people would go along with MS and this new "locked down" model. After all, to Joe Sixpack, the computer is essentially a Black Box and he isn't likely to say "yeah, screw MS, I'm taking ALL the risk on myself and run Linux."

Re:ummm ... it's not the consumers property (1)

McDutchie (151611) | more than 6 years ago | (#22981692)

The Microsoft Windows OS is not the property of the consumer using it. It is the property of Microsoft used under a license from Microsoft. If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

What would that mean for Free and Open Source software, which is just as well the property of its respective authors and used under license?

As long as the banks offer the service... (0)

Anonymous Coward | more than 6 years ago | (#22981336)

As long as the bank offers an online banking system which relies on inherently insecure systems, the bank should be responsible, especially considering that they could phase out risky systems and only offer a smart card based system with class-3 readers where the customer can see the transaction on secure hardware.

My two cents (3, Interesting)

Antony-Kyre (807195) | more than 6 years ago | (#22981342)

1. How do they know whether or not one's computer had an AV, anti-spyware, and firewall software installed at the time it was supposedly compromised? (Privacy issue.)

2. Bank customers do have some responsibility in security. Analogy: A homeowner has no locks, leaves door unlocked all day long, then tries getting his or her insurance company to pay out when he or she is ripped off.

3. AV, anti-spyware, and firewall. All three must be done? I think most people are familiar with the AV and firewalls, but how many know about anti-spyware software? (I believe Lavasoft's AdAware is one program.) What they should do is say that the person must make a reasonable attempt at securing their computer. (This could include having a separate computer used solely for banking, and nothing else.)

4. A thought just crossed my mind. Will they deny a claim if someone just happens to have an unsecured computer, even if the computer never was used for banking?

Re:My two cents (1)

jonbryce (703250) | more than 6 years ago | (#22981452)

Windows Defender (formerly Giant Antispyware) is pretty popular, as it is from Microsoft, and it is free.

Most of the AV programs these days check for spyware as well.

Bullcrap. Don't need that stuff. (5, Insightful)

mboverload (657893) | more than 6 years ago | (#22981348)

I'm pretty freaking tired of all this "advice" that you need this protection for Windows machines.

Why should I have a firewall? I have a NAT router (hardware firewall).
Why should I have antispyware? I know what I'm downloading.
Why should I have antivirus?
- I don't download cracks. When I DO need to use a crack I upload it to virustotal and then run it in a virtual machine.
- I run IE7 and Firefox. Although neither are perfectly secure I don't make it a habit to go to Russian warez sites.

Dear god, SOMEONE explain to me why any reasonable user should need this resource-hogging crap?

Re:Bullcrap. Don't need that stuff. (5, Insightful)

jonbryce (703250) | more than 6 years ago | (#22981472)

Someone finds a security hole in IE7 or Firefox. At the same time, they find a security hole in IIS or Apache. Using both these holes, they attack some well known and trusted site, maybe a newspaper, and use it to do drive-by attacks on visitors.

Yes, this does happen.

Re:Bullcrap. Don't need that stuff. (1)

Lennie (16154) | more than 6 years ago | (#22981706)

Or they just pay an ad-network 50 bucks and infect thousands of networks that way.

Re:Bullcrap. Don't need that stuff. (1)

Lennie (16154) | more than 6 years ago | (#22981716)

Just to be clear, in that case you still need the browser-security-bug, but no server-bugs.

Re:Bullcrap. Don't need that stuff. (1)

jez9999 (618189) | more than 6 years ago | (#22981506)

Fair enough, so if you don't need it, you won't be needing to make a claim to the bank for your stolen money back, presumably.

Re:Bullcrap. Don't need that stuff. (1)

eclectic4 (665330) | more than 6 years ago | (#22981614)

"SOMEONE explain to me why any reasonable user should need this resource-hogging crap?"

Because you seem to not realize the difference between "reasonable" and "average user". They are completely different I'm afraid... to be reasonable is one thing, to be a gullible newbie (90% of the computer using base) is another. Why do the intelligent /. readers/posters still not realize that they are not a representative of the average user? Oh wait...

Easy answer (1)

WindBourne (631190) | more than 6 years ago | (#22981660)

the very fact that you are not running anti-virus/spyware on your MS box, AND are asking how you can get infected, says that you have absolutely no clue about this.

It is as the saying goes, it is not who you screwed, but who that person screwed or shot up with. This is just like HIV. When you KNOW the other party and KNOW that they are not screwing around, then you do not need a condom. But otherwise, you do. This is the same.

If you connect to a site that is running an older version of a web site, they could be quietly infected. To be honest, it is actually true on cutting edge installs as well. In addition, it is easily possible for the company to decide to push an infection. Perhaps a spy was hired and they were in there. The simple fact is, if you run a system that is well known for a large number of openings, then you are crazy to NOT run this protective software. It is just the cost of using that software.

Re:Bullcrap. Don't need that stuff. (0)

Anonymous Coward | more than 6 years ago | (#22981662)

Why should I have a firewall? I have a NAT router (hardware firewall).
Because a firewall not only alerts you to "interesting" incoming connections, but also to undesirable outgoing connections. Say you get a perfectly nice utility off the promotional CD, which just happens to hide a trojan. This trojan starts to log your every keystroke and sends it out to the master. Without a proper firewall, how will you ever know?

Why should I have antispyware? I know what I'm downloading.
Because it's not about what you know you are downloading, but rather what you don't know gets uploaded from your computer. Before you say you only visit safe web sites, think about the reality: even Ubuntu servers got hacked, Fortune 500 companies get hacked with frightening regularity. Antispyware is at least there to warn you about "interesting" things happening on your computer, so you at least have a chance to react to an incident.

Why should I have antivirus?
Oh, I see now. You have lived under a rock for the last 10 years. You will be happy to know that today you can get viruses and trojans from downloading BIOS updates, visiting your favourite news site, checking that freebies DVD added to your favourite magazine, auto-started from that nifty U3 USB key your S.O. just gave you for a birthday, together with motherboard drivers on a product support CD, ...

Overall you can generally avoid such junk by:
a) not having your computer connected to internet
b) using something unpopular enough that probability of incident is significantly lower than it is for a mainstream OS

Yes and no (1)

IBBoard (1128019) | more than 6 years ago | (#22981378)

Should end users be ultimately responsible for the state of their systems?

Yes and no, really. The bank should have safeguards to protect against fraud (e.g. my bank has halted a purchase and phoned me because it was a reasonable sized computer purchase that I didn't normally make) but at the same time then if the user has been phished/keylogged because they haven't been paying attention and taking the correct precautions then why should the banks shell out?

It's a bit like expecting your car insurance to cover an accident when you've had dodgy brakes and a windscreen covered in crap - you could have avoided it if you had cleaned up and made sure it was safe, and there's nothing the insurers can do to do it for you.

It's about time (1)

jlarocco (851450) | more than 6 years ago | (#22981380)

I'm glad someone's finally doing this. People can't keep using the internet and keep being ignorant of computer/internet technology at the same time. Wise up or GTFO. You can't have your cake and eat it too.

That being said, insecure OS or not, if the user will download and install any random program, they're going to "get hacked" no matter the OS they're running.

This is bull. (2, Insightful)

Jane Q. Public (1010737) | more than 6 years ago | (#22981382)

Someone who obtains a bank account number via spyware is ethically (and should be legally) no different than someone who obtains a credit card number by picking someone's pocket.

People can be so negligent that they are practically asking for their wallet to be stolen... in which case they should share some of the responsibility for the theft. But the criminal is still guilty of a crime.

Banks can also be negligent, by not keeping tabs on account activity, or not taking several other measures that can reduce theft and fraud. If they do not do those things, then they should share some responsibility, too.

I see nothing new here, unless the banks are trying to weasel out of their share.

But... (3, Informative)

blind biker (1066130) | more than 6 years ago | (#22981388)

even if a user's computer has a keylogger installed, the bad guys would only be able to steal the access code, not the password of the user - because the passwords are from a list and are unique for each session. At least that's how they do it in all banks in Finland. Once the user is logged on, to start a new (parallel) session, a new password would be required, even if the bad guys would manage to steal the one-time password just when the user is logged on.
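A sketch of the server side of the per-session password list described in the comment above; this is an added example, not part of the original post and not any bank's actual code. The class name `OtpList`, the six-digit code format, the three-failure lockout and the sample codes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _digest(salt, code):
    # Printed codes are short, so store a salted, slow hash instead of the code itself.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def generate_codes(count, digits=6):
    """Codes for the printed list handed to the customer (hypothetical format)."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


class OtpList:
    """Server-side state for one customer's one-time password list."""

    MAX_FAILURES = 3  # assumed lockout threshold

    def __init__(self, codes):
        self._entries = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._entries.append((salt, _digest(salt, code)))
        self._next = 0       # index of the first code that has not been used
        self._failures = 0   # consecutive wrong entries

    def challenge(self):
        """Index of the code the customer must enter next, or None if unusable."""
        if self._failures >= self.MAX_FAILURES or self._next >= len(self._entries):
            return None
        return self._next

    def verify(self, code):
        """Accept a code only if it is the next unused one, then retire it."""
        index = self.challenge()
        if index is None:
            return False
        salt, expected = self._entries[index]
        if hmac.compare_digest(_digest(salt, code), expected):
            self._next += 1      # each code opens exactly one session
            self._failures = 0
            return True
        self._failures += 1
        return False


def replay_demo():
    """First login, a replay of the logged code, then a second session."""
    codes = ["493817", "205566", "871320"]  # constructed sample list
    account = OtpList(codes)
    first = account.verify(codes[0])    # legitimate login
    replay = account.verify(codes[0])   # same code captured by a keylogger
    second = account.verify(codes[1])   # parallel session needs the next code
    return first, replay, second


if __name__ == "__main__":
    print(replay_demo())
```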

What if it is Linux or OSX (0)

Anonymous Coward | more than 6 years ago | (#22981394)

with no need for antivirus, I have read in the past some banks consider that an insecure OS because they don't understand it (much less support it on their Windows driven sites).

Think about it for a second ... (2)

daveime (1253762) | more than 6 years ago | (#22981398)

No "sensible" person leaves their cheque book open, with 25 presigned cheques ... because the bank could hardly be held responsible if someone stole that chequebook and emptied your account.

No "sensible" person leaves their car wide open, with the engine running ... because no insurer would ever pay out for the theft of that car.

So why is it okay to leave your PC "wide open" and the banks have to pick up the tab ?

Your security is your own personal responsibility ... this culture of "what the hell, someone else can be the scapegoat" make us all too lax ...

I like this proposal ... maybe if you knew that YOU were going to have to pick up the tab for your losses, you'd take a bit more care about what you do online.

Okay, so the banks are two faced for talking about secure browsing, and then only accepting Internet Explorer ... but MSIE, Firefox, any other solution is really academic ... ANY solution is only as secure as the PC you are running on, and a keylogger logs keystrokes from ANY application ... so be 110% sure you DON'T have a keylogger before using online services ... and don't expect someone else to pick up the tab when you screw up. Because let's face it, it ISN'T the bank picking up the tab anyway, it's the rest of us.

Re:Think about it for a second ... (1)

Sperbels (1008585) | more than 6 years ago | (#22981512)

No "sensible" person leaves their car wide open, with the engine running ... because no insurer would ever pay out for the theft of that car

This analogy is flawed. Just as car manufacturers give us the ability to lock our cars, Microsoft does provide some ability to lock your computer. But that security is easily undermined. Should car owners be responsible for someone slim-jiming their car to break in? That is a better analogy. Or what if they just break a window and you didn't buy the *optional* security system. And what if you did, but the thief knew how to disable the security system. How many countermeasures is the automotive layman expected to take?

electronic banking is not my style (1)

FudRucker (866063) | more than 6 years ago | (#22981410)

if i had a substantial sum of money to keep in to a checking or savings account (many thousands or millions) i would insist that no electronic transfers of cash are allowed on my accounts from any PC no matter what OS & web browser is used or i go elsewhere, this sounds like a good way for corrupt bank managers to wipe people's accounts clean = "hmm, you must have been using an insecure OS" (makes a good excuse)...

Measuring health (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22981422)

Measuring security by the number of AV programs is like rating the health of a person by the number of medicines they take and the number of band-aids on them. The more medication and the more patches over the cuts and sores must mean that they are healthier ?

This is the banks' position now... (1)

idiotnot (302133) | more than 6 years ago | (#22981444)

I seriously doubt many juries, comprised of fellow bank customers, would agree after someone files a lawsuit against those banks who say it's the customer's fault.

MS advertising ... (1)

Alain Williams (2972) | more than 6 years ago | (#22981446)

does this mean that their TV ads, etc, are going to have to stop showing people doing on line banking ?

NO! (0)

Anonymous Coward | more than 6 years ago | (#22981460)

Banks shouldn't be allowed to push security issues onto their customers. If a major portion of home PC's have too many security issues for secure banking to be implemented then it's unethical for a bank to implement the feature: Regardless of demand!

The banks should take the fall on this one.

A finance company gave me antivirus software. (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22981482)

One of the financial companies that I have an account with (Scottrade) gives all their customers a free license to McAfee antivirus.

I know that several ISPs do the same thing for their customers.

This seems to be a *far better* preemptive solution to the problem - trying to make sure the customer never gets infected in the first place.

Oversimplification is the politician's lip service (1)

wickerprints (1094741) | more than 6 years ago | (#22981490)

The blame lies with everyone involved: (1) The banks who do not strive to achieve adequate protection against fraud or identity theft because there is a point at which the amount of effort needed to further reduce the risk exceeds the financial benefit to do so. (2) Law enforcement and government, whose primary concern is punishment, employ an antiquated bureaucracy that is ill-suited to correct issues arising from identity theft, and are too reliant on numbers, databases, and records when taking action. (3) The systems designers, who share little if any accountability for their product, because users of such systems (be it government, corporations, or the people) only seem to care when those systems break. (4) The criminals--you know, the ones who perpetrate the actual theft or fraud. (5) The consumer, who, through ignorance and blind faith, does not educate and protect themselves.

But you know what? As long as everyone keeps pointing fingers at everyone else, the real loser here is (5). That's why (1-4) do what they do--at the end of the day, none of them lose through their action or inaction, because (5) does not hold them accountable. And that, my friends, is the only crime they are ultimately guilty of.

Soitenly! Nyuk Nyuk Nyuk (4, Insightful)

EdIII (1114411) | more than 6 years ago | (#22981504)

I wholeheartedly agree. It's only logical. Banks are responsible for the security within their own networks and their web servers which are on the edges. That is Just Fine.

I (The Bank Customer) am 100% responsible for the security of my own systems that I use to access the banking website. How could I POSSIBLY expect the bank to be liable for rootkits, malware, spyware, etc. I can't. That's just not reasonable.

The only thing I can think of that might go either way would be DNS type hacks since that would depend on how it was done and just exactly what point in the communication it was affecting.

Now with that being said.........

It would be the BANK'S RESPONSIBILITY to TELL the consumer THE BAD NEWS. I can't wait. That's a "shitstorm" waiting to happen.

So basically, the vast majority of PC's are hopelessly insecure. We could talk forever about Microsoft this and Microsoft that, and "what about Safari?", blah blah blah blah. The situation is still the same. The Bank Customer's computer is just not secure enough in most cases and it could only be a matter of time before you are the "lucky" one and get nailed. Kind of like a lottery, except you get bent over.

In the end the only thing that will happen is that people will stop using online banking. I know plenty of people now that outright refuse to use it for the perceived security risks NOW. If the banks outright say that they will not be responsible for the security on your computer, that will only make the situation worse (for them).

I'm pretty good at securing my systems, but even I know it would only take one determined person to get me. If the bank will not at least insure my losses, I can't take the risk of online banking. That simple.

If this really does go down, that will be a pretty big statement about PC security in general. Regardless of who is responsible, if a bank says it will no longer trust the end user's security that is a bad omen for the rest of e-commerce. What about the credit card companies? How will they react to the bank's position?

How do you define secure? (2, Insightful)

LordOfYourPants (145342) | more than 6 years ago | (#22981514)

This may sound facetious, but is any system really secure from keylogging?

I dual boot Ubuntu and Windows. If I type:

sudo apt-get install lokkit (as an example, not an accusation) how do I know I'm not getting a free keysniffer as an added bonus?

I run windows with a firewall, have a firewalled router with minimal ports forwarded, use ad-aware/the windows spyware program/spybot search and destroy as well as AVG. How do I know that none of these pieces of software are, in themselves, spyware/keylogging software? How do I know that my browser hasn't been attacked by some 0-day hack embedded in an ad banner despite rigorous/consistent upgrading of both of my OSes?

Are people really diligent to that point that every time they're about to do their banking, they close all active programs, update and run their suites of virus scanners and anti-spyware software, and *then* do their banking once the all-clear is given by all programs?

Honestly, I just see it as a game of probabilities. *Most likely* I don't have a key logger installed on my system, and *most likely* my banking experience is going to be a sane one, but if the shit ever hits the fan, I'm willing to bet that there are people hired to specifically poke holes in my system and say "Linux is an unapproved OS. We can't cover your banking losses."

I look forward to a better solution.

Re:How do you define secure? (2, Insightful)

WindBourne (631190) | more than 6 years ago | (#22981574)

sudo apt-get install lokkit (as an example, not an accusation) how do I know I'm not getting a free keysniffer as an added bonus?

Unless you personally check the code yourself, AND know what to look for, then no, you do not really know (even then, you may make a mistake). But based on past history, I would trust k?ubuntu over MS.

This is crap (4, Informative)

Mwongozi (176765) | more than 6 years ago | (#22981520)

My old bank [barclays.com] closed my online banking account without warning, and without bothering to tell me they had. I called them and they said it was because "I had a virus". This, despite the fact that I run a secure operating system [apple.com] (with no known viruses) and have an up-to-date virus scanner [sophos.com] . Couldn't they just suspend my account until I "fixed" the problem? No, I had to open a whole new one.

I did. At another bank [firstdirect.com] .

End users will not know which way to turn (0)

Anonymous Coward | more than 6 years ago | (#22981530)

OTOH, you have sites that REQUIRE Windows. Yet, OTOH, you have sites like this that will require a secure OS. That means by all legitimate definition of secured, that Windows is out. This will drive them batty.

It's not just customers (1)

theurge14 (820596) | more than 6 years ago | (#22981532)

There's many, many companies out there running important financial machines on a certain large software vendor's OS without proper group policies or even passwords. Still! Whole networks with unpatched NT machines with blank superuser passwords. These companies will be struggling to become Sarbanes-Oxley compliant for years to come.

Mac and Linux users beware? (1)

fyleow (1098657) | more than 6 years ago | (#22981536)

Some financial institutes in the US have this policy as well. Vanguard will reimburse any losses made through fraudulent activity if you've taken some precautions they've outlined which includes the need to "Make certain that any computer you use to access Vanguard.com has up-to-date security and anti-spyware, antivirus, and firewall software."

https://personal.vanguard.com/us/help/SecurityOnlineFraudPledgeContent.jsp [vanguard.com]

So what happens if you're a Mac or Linux user and those security programs don't exist for your platform or they are unneeded? Can they just deny your claim and you lose all your assets for using an OS with a higher track record of security?

I guess that's better than TreasuryDirect's policy on the issue which states that they're not responsible if someone cleans out your account as long as it was done with your password.

Regulations Governing New TreasuryDirect System 31 CFR Part 363 363.21 Who is liable if someone else accesses my New Treasury Direct account using my password? You are solely responsible for the confidentiality and use of your password. We will treat any transactions conducted using your password as having been authorized by you. We are not liable for any loss, liability, cost or expense that you may incur as a result of transactions made using your password.

Why should on-line banking be any different... (4, Insightful)

Copley (726927) | more than 6 years ago | (#22981552)

... from physical cheque books and credit cards. If I leave my wallet in a place where cards, etc. might be stolen, I'm responsible for any losses that occur - shouldn't the same be true if I leave my electronic 'wallet' open? I really think that, within limits, people need to be held responsible for their actions/inactions - too much 'I never realised/knew/expected/thought that might happen' in the world. The banks should have similar guidelines to those used for stolen physical banking paraphernalia - if you suspect your PC might have been compromised, report it to the bank within a given time frame and they thereafter accept responsibility for subsequent losses.

unsupported browsers (1)

matpod (1156965) | more than 6 years ago | (#22981554)

are these the same banks that don't support anything but IE, i have to fake it with my browser of choice (opera) with my bank (abbey) or read and digest their unsupported browser legalese.... so, we can't use basic standards, but we are responsible for when we're shoehorned, nice.

smelling class-action (0)

Anonymous Coward | more than 6 years ago | (#22981570)

A few questions...

If banks with probably one of the industries with the most extensive resources to provide security can not protect their own online applications, how are customers, with much less resources supposed to do it?

If Microsoft - with all their resources, including their engineers, who wrote the software - can not guarantee their operating system - how are customers (brick layers, hair dressers, teachers, bank clerks) supposed to protect it?

If Microsoft keeps hiding the source code of their software - how is anybody else supposed to be able to guarantee the security of their software?

Laws like this will put out of business e-commerce and possibly Microsoft once customers world-wide will start to sue their banks and Microsoft.

We can just return to the happy era of cash and bank branches with lots of tellers and long business hours.

Ha Ha Ha!!! (0)

no-body (127863) | more than 6 years ago | (#22981578)

Every time I log onto this bank (US Bank) with my favorite Opera, I get a popup bitching about my browser - I contacted them they replied:

-----
The technical issues you are experiencing can be caused by the use of an unsupported browser or
incompatible browser settings. Please check to make sure you are using a supported browser. If you
are, please check the browser settings for your browser type by following the procedures listed below.

Operating System: Microsoft Windows 2000
Microsoft Windows XP
MacIntosh OS X

-----

And, they claim this on their site:

Browsers
The following browsers are compatible with U.S. Bank hosted web pages and web-based applications:

Microsoft® Internet Explorer 6.0 or higher
Firefox
Safari

Upgrade Your Browser
It's quick, easy, and free! Even if you already have the required minimum browser version, you may want to consider upgrading. Just follow one of these links...

Microsoft Internet Explorer Downloads *
Firefox Product Downloads *
Safari Downloads *

Find Your Current Software Information
To find your current software information, choose "Help" located on your top browser toolbar. Then choose the "About..." option.

Operating Systems
The following operating systems are compatible with U.S. Bank hosted web pages and web-based applications:

Microsoft® Windows 2000 or newer, XP, and Vista
Mac OS X

SecureID and Ilk (1)

JimCDiver (1217114) | more than 6 years ago | (#22981638)

Banks should hand out token card that combines with a username and password/pin. You need all 3 to login. So now you need to have a physical object of the users to break in. Something people are much more familiar with protecting. Username and password authentication is a poor lock. Double especially when you let the user pick the password.

Law?? (1)

shabble (90296) | more than 6 years ago | (#22981652)

The 'Banking Code' is a voluntary code of conduct between banks and their customers. It has nothing to do with 'Law.'

Banking is basically a Ponzi scam (0, Troll)

Colin Smith (2679) | more than 6 years ago | (#22981664)

As the US in particular is finding out (yet again) right now. Why on earth would you do more than the absolute minimum business with these people?

Caveat Emptor...

 

ATTN Banks (0)

Anonymous Coward | more than 6 years ago | (#22981672)

Unfortunately the users aren't criminally responsible and banks themselves should be a little more pro-active...

  • Make sure banking sites are functional without the web's number one security liability [mozilla.org] (javascript).
  • Publish -all SPF records to help stop phishing emails.
  • Check the HTTP referer before serving web content linked by a third party page.
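For the "-all" SPF suggestion in the list above, an added sketch (not part of the original comment) that audits TXT records and reports which domains do not end their SPF policy in a hard fail. It works offline on constructed records; the domain names, the `default_result` and `weak_domains` helpers and the result labels are assumptions for illustration, and `redirect=` targets are reported rather than followed.

```python
# Qualifiers that may prefix an SPF mechanism; "+" is the default when omitted.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(txt_records):
    """Return the term lists of every TXT record that is an SPF record."""
    found = []
    for txt in txt_records:
        terms = txt.split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(terms[1:])
    return found


def default_result(txt_records):
    """What the domain's SPF policy says about senders matching no other term."""
    records = spf_records(txt_records)
    if not records:
        return "none"        # no SPF published at all
    if len(records) > 1:
        return "permerror"   # more than one SPF record is an error
    has_redirect = False
    for term in records[0]:
        term = term.lower()
        if term.startswith("redirect="):
            has_redirect = True   # only used when no "all" is present
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            # Terms after "all" are never evaluated, so stop here.
            return QUALIFIERS[qualifier]
    return "redirect" if has_redirect else "neutral"


def weak_domains(zone):
    """Domains whose policy does not tell receivers to reject unlisted senders."""
    return sorted(name for name, txt in zone.items()
                  if default_result(txt) != "fail")


# Constructed sample data: TXT records as a resolver would return them.
SAMPLE_ZONE = {
    "bank.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "open.example": ["v=spf1 mx +all"],
    "bare.example": ["site-verification=constructed-token"],
    "twin.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    "chain.example": ["v=spf1 redirect=_spf.bank.example"],
}

if __name__ == "__main__":
    for name in sorted(SAMPLE_ZONE):
        print(f"{name:15} {default_result(SAMPLE_ZONE[name])}")
    print("not hard-fail:", ", ".join(weak_domains(SAMPLE_ZONE)))
```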

The Banking Code produced by the British Bankers' (0)

Anonymous Coward | more than 6 years ago | (#22981676)

The Banking Code produced by the British Bankers' Association...

Has anyone checked if it contradicts The Banking Code produced by the British Bank Customer's Association?

Wait a minute...
The British Bankers' Association as a legislative body?!

Really? Since when?
When have they been elected to do legislation applicable for British subjects?
How about the Parliament? What has happened to them?

Can someone tell me please that I am just dreaming...
