Got back from a week at a major US banking conglomeration - a bank formed from lots of little banks eating each other. Somewhere in 'upper management' it was decided to have an e-commerce/Internet security type come in and look over the planned move of one online application from one major US city's data center to another, and my name came up. (Not sure of my exact reputation among the marketing types; I'm told it's 'real no nonsense cut to the chase problem solver' but I think that's just more because I am not a marketing type, although I have played such in the past - anyway I seem to get called in on a lot of problem accounts.)

- No written plan of attack. Made them all sit down in a conference room with all four walls being whiteboard and the remote site on VideoConference/Speakerphone (very nice facilities actually) and diagram out the testing phase, QA, and the final move in as much detail as they could, along with stars next to unanswered questions (minor details like what is the process for each ISP in each city to switch the DNS entries to point to the new physical/IP location).

- System Admin types at the new location were being blocked by the corporate web proxy server from visiting 'bad' sites, such as most all the Internet security sites. I suggested that since they control the firewalls at the new site, they set up a private proxy server behind it for their own use and bypass the general corporate one.

- Despite the private banking security group's warning about the 'DOS' attack potential last year (August '99), it wasn't until the recent well publicized attacks that they scanned their own systems. (Over lunch with the worker-bees I found out that they found a number of 'zombies' but were adopting a 'mushroom' approach to their 1st line management on account they weren't sure that the recently fired en masse staff of the data center that the application is being moved from might have had something to do with it. Or even that it might have been them looking at the technology with no bad intent.)

- Internally, with the exception of WINS and Novell workstations, there is no centralized Name Service (DNS). While this is not necessarily a bad thing from a security standpoint, the hand editing of files on lots and lots of systems is inefficient and has the potential for mistakes. I suggested they look at 'supper', a public domain solution to the problem.

- A recently chartered 'Internet Bank' that was started up offering higher rates on CDs and other savings accounts along with no fees found that some 70% to over 90% of the 'new' customers, depending on the brief studies, were 'cannibalized' from their own existing 'brick and mortar' customers - they were eating themselves.

- Little understanding of the way SSL works. The concept of becoming their own certificate granting authority never occurred to them.

And that's just one institution. Now maybe I only see the 'problem children', so I overgeneralize to assume things about the overall population, but Whats-Her-Name's experience with the merger of BunkoOne and First Chicago, where after using Quicken for years it suddenly stopped working and nobody at the 'new' bank could tell her why (I can, but they haven't called me to pay me money to do so...), leads me to believe that this whole e-commerce thingy is a lot more fragile than most institutions would want you to believe. (Whats-her-name is switching to CitiBank where at least it's totally free and can't be any worse.)
(Oh, and the BunkoOne problem? Simple. You distribute a new version of the software which, unless you read the documentation about saving old settings (who reads windoze doc? it's all plug-and-play, right?), results in your revoking your ID on the front end server. You call support and have the password reset, and on your first attempt to use it, it forces you to change the password (good security for sure; now the tech support person doesn't know your password). Now of course your new password doesn't match your old password on the backend processor where all the sexy data is secured that you want to get to, and you try three times and your ID is once again revoked. You call support, who can only reset your ID with a new password... yadda yadda yadda.) (I watched the whole thing on the proxy server logs that whats-her-name uses from the house network, and even tried to explain to the tech support person, who hasn't a clue what I am talking about as it's not in her 'play book'...)
Revoking passwords after N failed attempts is just asking for DOS attacks.
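The point of the reply above (revoke on N failures and anyone who knows your user ID can lock you out) is easy to show side by side with the alternative. The following is an added example, not code from this thread or from any bank's system; the user name, password, source addresses, and the two policy classes are all made up for the demonstration. It simulates an attacker sending three junk passwords at a victim's ID, then the victim logging in with the right password: a lockout policy denies the victim, while a per-source backoff policy does not.

```python
"""Account lockout vs. per-source throttling: a demonstration (constructed example)."""
import hashlib
import hmac
from collections import defaultdict

# Constructed credential store for the demo: one user, one salted PBKDF2 hash.
# Nothing here is real; the salt, user name and password are invented.
_SALT = b"example-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)


USERS = {"whatshername": _hash("correct horse")}


def password_ok(user: str, pw: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _hash(pw)  # hash anyway so unknown and known users take the same time
        return False
    return hmac.compare_digest(stored, _hash(pw))


class LockoutPolicy:
    """Revoke the account after max_failures consecutive failures, from any source.

    This is the policy the post describes. The counter is keyed on the user ID
    alone, so whoever knows the ID can drive it to the limit and lock the owner out."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.revoked = set()

    def attempt(self, user: str, pw: str, source: str) -> str:
        if user in self.revoked:
            return "revoked"
        if password_ok(user, pw):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.revoked.add(user)
            return "revoked"
        return "bad_password"


class ThrottlePolicy:
    """Slow down, never revoke.

    Failures are counted per (source, user). After free_failures misses, that
    source must wait base_wait seconds before trying that user again, and the
    wait doubles on each further miss. A different source (the real user at
    home) is untouched, and even the offending source recovers without a call
    to support. Uses a simulated clock so the demo runs instantly."""

    def __init__(self, free_failures: int = 3, base_wait: int = 1):
        self.free_failures = free_failures
        self.base_wait = base_wait
        self.failures = defaultdict(int)   # (source, user) -> failures
        self.blocked_until = {}            # (source, user) -> simulated time
        self.now = 0                       # simulated clock, seconds

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def attempt(self, user: str, pw: str, source: str) -> str:
        key = (source, user)
        if self.blocked_until.get(key, -1) > self.now:
            return "throttled"
        if password_ok(user, pw):
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        excess = self.failures[key] - self.free_failures
        if excess >= 0:
            self.blocked_until[key] = self.now + self.base_wait * 2 ** excess
            return "throttled"
        return "bad_password"


def simulate(policy) -> dict:
    """Attacker at 10.0.0.66 fires three guesses at the victim's ID, then the
    victim logs in from 192.0.2.10 with the correct password."""
    attacker = [policy.attempt("whatshername", guess, "10.0.0.66")
                for guess in ("password", "123456", "letmein")]
    victim = policy.attempt("whatshername", "correct horse", "192.0.2.10")
    return {"attacker": attacker, "victim": victim}


def same_source_recovery() -> tuple:
    """Under ThrottlePolicy, the throttled source itself recovers once the wait passes."""
    p = ThrottlePolicy()
    for guess in ("a", "b", "c"):
        p.attempt("whatshername", guess, "10.0.0.66")
    blocked = p.attempt("whatshername", "correct horse", "10.0.0.66")   # inside the 1 s wait
    p.tick(1)
    recovered = p.attempt("whatshername", "correct horse", "10.0.0.66")
    return blocked, recovered


if __name__ == "__main__":
    print("lockout :", simulate(LockoutPolicy()))
    print("throttle:", simulate(ThrottlePolicy()))
    print("recovery:", same_source_recovery())
```

Keying the counter on the source as well as the account is what removes the lockout lever; a botnet that rotates sources (the 'zombies' mentioned in the first post) erodes that, which is why the usual complement is a per-account delay that grows but never becomes a hard revoke.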
(hmm... it sounds like that old .plan [is it still around?] that would show how many cans were left in the machine if you fingered it. I assume you wouldn't have much control over what goes into the oven, but it's still pretty cool to see things like temperature and all.)
Now linked to cyberpunk, your conf to discuss security & computers and society.
So, what's all this mean in re online banking? I use online banking with only minor (but aggravating) problems or errors. I probably like least that questions and suggestions sent to them on their e-mail page don't go to a bank person but rather the techie guru, who is otherwise semi-illiterate and takes his conduct lessons from Dilbert.
What it means is that in general the people making decisions about your 'online banking' applications haven't a clue. For example, the 'management' of the online banking application I allude to in #0 are a week away from 'go live' with its move from one major midwestern city to another major midwestern city without understanding and resolving the fact that its network access to the 'Internet' is in fact going from a 700K T1 to about a 56K T1 or less as measured - so its users are going to experience greater than 10 times slower access (both are full T1 circuits which should be 1000K or so). They think they are going to meet their target date. I get lots of money to yell at them that they are not.
What, someone's overprovisioning internet connections in the corporate sector? Never!
I opened an account with Net.B@nk, reachable at www.netbank.com. I'm not really sure this qualifies as on-line banking, since all I use the net link for is monitoring the clearing of checks and ordering refills when I run out of deposit envelopes or checks. (No check printing charge; for that I can live with green safety paper.) I make deposits by endorsing checks with a rubber stamp I made from a DIY kit, stuffing them in a business reply envelope, and dropping said envelope in the first handy mail box. The interest rate, while seemingly not so hot, works out to much better than I've ever gotten at any other bank. I investigated their on-line payment system, and left it to gather dust when it turned out I had to get more information about my various payees than I already had. The only place I routinely send a check to at a street address is the local paper carrier, and the payment system requires street addresses.
I pay almost all recurring bills online. It does save time. Some bills are the same amount every month, so I never have to think about those. Most require entering a new amount each month, which is pretty quick. No checks, envelopes, stamps, etc required. I do not use it with Quicken, however. I don't keep track of my finances on a computer, at all. I used to also balance my checkbook to the penny, but don't anymore, though I do check the online transactions, and the few written check records, with the monthly (paper) statement. Every once in a long while there is a transaction error, which I can catch this way. The online program, by the way, is called Allegro. It is more like Adagio, however.