A recent editorial in “Computing” weekly called “Online security is a duty for us all” discussed new measures that banks are implementing against fraud:
The banks are taking a carrot approach, carefully avoiding the stick. But if new measures fail to halt the problem, the onus might shift to the consumer. Banks may one day only indemnify customers against fraud if they have the necessary precautions in place – from suitably secured home PCs to two- or even three-factor authentication tools such as biometrics.
That could lead us down a rocky road – a banking community divided by technical ability and personal security. Would the days of better interest rates for more secure customers be far behind?
This is not an option that anybody – banks or their customers – would want to consider.
Why on earth not? It sounds like an excellent idea to me. One reason people don’t pay too much attention to the security of their PCs at the moment is that they don’t have that much obvious incentive to do so. If their bank said “turn on a firewall, use a secure browser and run regular spyware scans, and we’ll give you an extra 2% on your savings”, we might see quite a few more secure PCs.
How would your bank know whether you perform the security measures or not without some sort of spyware?
They could automatically give the savings, but deduct it if the user reports any security problems. This is unlikely to happen, though, since the banks would probably lose a lot of money, and it would give their customers a disincentive to report security problems. It is probably more likely that banks will start charging security fees for people who fall for phishing scams and the like.
1) it’s based on honor and we know that many people have no sense of honor when it comes to money or
2) we have to allow the bank to somehow access our computer to see if the necessary precautions are being taken. Well, I for one, welcome our new PC-controlling banking overlords.
Also, I don’t have a software firewall (I have a router), and I don’t have a spyware scanner (I’m running Linux). Does the bank consider me a security threat?
Better Interest Rates For Secure Customers
What if banks offered customers with more secure computers better interest rates on online accounts? Sounds like an interesting proposal to me….
Banks, eh? These same institutions which _still_ are often only supporting IE?
I wouldn’t have much trust in them being capable of drafting any kind of reasonable guidelines for security which wouldn’t severely limit progress.
“You MUST use Firefox 1.0.2 (higher versions not allowed) or MSIE 6.0 SP 2, a virus scanner by one of these three big (expensive) companies, and have Windows Update enabled,” sounds about right.
After that, it’ll be absolutely impossible to get regular users to ever switch to anything else, because it’ll _cost them money_.
Bonuses for those that have security precautions in place might be nice, but that’s “carrot” again, and as other comments point out, pretty much impossible to check on effectively, especially without invading privacy.
It’d have to work the other way around – 2% interest bonus for people using online banking, and you’d lose the bonus if you made a mistake with your security in whatever way. Same kind of thing as giving people interest free credit and then whacking them with penalties if they miss a deadline by a day or whatever, or giving insurance cheap to people that don’t make claims – the result is an unfair system that ends up encouraging people to do things wrong to whatever extent they can get away with it.
The idea sounds good in principle, but I can’t imagine any way that banks would implement it fairly.
Pah, why put the onus on the consumer when perfectly well suitable challenge/response systems are available? See: http://www.ubs.com/1/e/ebanking/internet/internet_security/requirements.html
And it works perfectly well with all modern browsers on all operating systems.
The problem with their first requirement is that it requires users to go out and buy extra hardware – hardware that is only useful for that one thing, which costs extra money. And as far as I can tell there’s nothing new in the rest of the page.
What a nice idea. Everyone has a smart card that uniquely identifies them and they must use this card to access their bank accounts. You could put biometric data on it and personal details, next of kin etc. Of course you would always need to carry it if you ever wanted money – online or cashpoint….
Wait a minute.
You normally get the card and the reader for free with your account. If not it costs together with the reader something like 30$. And no, there’s no biometrics in there and it only identifies yourself towards one bank. You know, for once I *want* my bank to have the possibility to identify me, no privacy concerns here.
You identify yourself with something you’ve got (the smartcard) and something you know (your pin) and the thing you’ve got can’t just be copied like a sheet with numbers on it. It’s a smart card with its own processor, RSA/DSA unit, protection against physical attacks etc. It’s pretty damn secure.