Online Banking. Be afraid, be very afraid.

Feb 19 07:52 UTC 2000

Got back from a week at a major US banking conglomeratation - bank
formed from lots of little banks eating each other.  Somewhere in 'upper
management' it was decided to have an e-commerce/Internet security type
come in and look over the planned move of one online application from
one major US city's data center to another and my name came up.  (Not
sure of my exact reputation among the marketing types, I'm told its
'real no nonsense cut to the chase problem solver' but I think thats
just more because I am not a marketing type although I have played such
in the past - anyway I seem to get called in on a lot of problem
accounts.)

-No written plan of attack.  Made them all sit down in a conference room
with all four walls being whiteboard and remote site via
VideoConference/Speakerphone (very nice facilities actually) and diagram
out the testing phase, QA, and the final move in as much detail as they
could along with stars next to unanswered questions (minor details like
what is the process for each ISP in each city to switch the DNS entries
to point to the new physical/IP location).

-System Admin types at the new location were being blocked by the
corporate web proxy server from visiting 'bad' sites, such as most all
the Internet security sites.  I suggested that since they controll the
firewalls at the new site, they set up a private proxy server behind it
for their own use and bypass the general corporate one.

-Despite the private banking security group's warning about the 'DOS'
attack potential last year (August '99) it wasn't until the recent well
publicized attacks that they scanned their own systems.  (Over lunch
with the worker-bees I found out that they found a number of 'zombies'
but were adopting a 'mushroom' approach to their 1st line management on
acount they weren't sure that the recently fired en masse staff of the
data center that the application is being moved from might have had
something to do with it.  Or even that it might have been them looking
at the technology with no bad intent.)

-Internally, with the exception of WINS and Novell workstations there is
no centralized Name Service (DNS).  While this is not necessarily a bad
thing from a security standpoint, the hand editing of files on lots and
lots of systems is inefficient and has the potential for mistakes.  I
suggested they look at 'supper' a public domain solution to the problem.

-A recent chartered 'Internet Bank' that was started up offering higher
rates on CDs and other savings accounts along with no fees found that
some 70% to over 90% of the 'new' customers depending on the brief
studies were 'cannibalized' from their own existing 'brick and mortar'
customers - they were eating themselves.

-little understanding of the way SSL works.  The concept of becoming
their own certificate granting authority never occured to them.



And thats just one institution.  Now maybe I only see the 'problem
children' to I overgeneralize to assume things about the overall
population, but Whats-Her-Name's experience with the merger of BunkoOne
and First Chicago where after using Quicken for years it suddenly
stopped working and nobody at the 'new' bank could tell her why (I can,
but they haven't called me to pay me money to do so...) leads me to
belive that this whole e-commerce thingy is a lot more fragile than most
institutions would want you to believe.  (Whats-her-name is switching to
CitiBank where at least its totally free and can't be any worse.)

response 2 of 9:

Feb 19 11:10 UTC 2000

Revoking passwords after N failed attempts is just asking for DOS
attacks.

response 4 of 9:

Feb 19 18:52 UTC 2000

Now linked to cyberpunk, your conf to discuss security & computers and
society..

response 6 of 9:

Feb 25 10:55 UTC 2000

What it means is that in general the people making decisions about your
'online banking' applications haven't a clue.  For example, the
'mamagment' of the online banking appication I alude to in #0 are a week
away from 'go live' with its move from one major midwestern city to
another major midwestern city without understanding and resolving the
fact that its network access to the 'Internet' is in fact going from a
700K T1 to about a 56K T1 or less as measured- so its users are going to
experience greater than 10 times slower access (both are full T1
circuits which should be 1000K or so).  They think they are going to
meet their target date.  I get lots of money to yell at them that they
are not.

response 8 of 9:

Feb 25 17:01 UTC 2000

I opened an account with Net.B@nk, reachable at www.netbank.com, I'm not
really sure this qualifies as on-line banking, since all I use the net
link for is monitoring the clearing of checks and ordering refills when I
run out of deposit envelopes or checks.  (No check printing charge, for
that I can live with green safety paper.)  I make deposits by endorsing
checks with a rubber stamp I made from a DIY kit, stuffing them in a
business reply envelope, and dropping said envelope in the first handy
mail box.  THe interest rate, while seemingly not so hot, works out to
much better than I've ever gotten at any other bank.

I investigated thier on-line payment system, and left it to gather dust
when it turned out I had to get more information about my various payees
than I already had.  The only place I routinely send a check to at a
street address is the local paper carrier, and the payment system requires
street addresses.