March 23, 2005
Online banking: a door without a vault
It's at least 25 years since our banking industry established the EFTPOS system on the principle that a stand-alone keypad device was necessary to ensure security. The fact that those devices are still being used in retail transactions indicates what a good decision they made, way back in the 70s.
But when the Internet offered the opportunity to save hundreds of millions of dollars on counter staff, the banks didn't hesitate to tip their customers into an environment that is inherently insecure - and shift the responsibility for that on to the customer. As our foremost network security expert, Professor Bill Caelli puts it: "When you go to a bank, and they access your account, you don't see them entering the information on a home PC over the Internet. But that's what they provide for their customers."
Professor Caelli puts it this way: "It's not the Net that's the problem. It's the nodes. The question is really one of what's happening at each end. The problem is the whole of these systems being talked about today critically depend upon the security of a PC."
The banks' security experts - unless they're completely incompetent - must be aware that most PC operating systems do not have Access Control Lists, and are therefore not designed for use in secure environments. They've ignored their responsibilities to their customers, and our governments have allowed them to get away with it.
Caelli has been saying this for years, and he isn't the only one saying it. Over here, Robin Good quotes eminent cryptographer Taher Elgamal, who is responsible for the SSL security protocol, on the topic. Asked “What’s the biggest mistake people are making with their security architectures?” Elgamal responded: “The biggest mistake is that there are no security architectures!”
Good describes the second-level security devices that are now being touted by the banks as "trinkets", and suggests our best hope lies in Public Key Infrastructure. Unfortunately, the deployment of PKI has proved beyond the capabilities of the industry. Good suggests that you should start demanding it.
Oh, and by the way, attacks on online accounts have more than trebled in the past three months.
Posted by cw at March 23, 2005 08:54 AM
Comments
Don't banks have insurance against criminal activity anyhow? Why should we as consumers be so worried when, if someone hacked into our bank account, the bank would cover it anyway?
Posted by: Alister at March 23, 2005 12:41 PM
You think the bank will cover it? They seem to be taking the view that the only way someone could get hold of a password is if the customer was negligent.
Bill Caelli tells me that he's regularly appealed to by people who've had large sums of money removed from their accounts, and have been shattered by the absolute refusal of their bank to believe them.
Posted by: cw at March 23, 2005 01:03 PM