Chris Byrne stopped by, and since he's the technical architect for this sort of thing, he brings a lot to the discussion. I wanted to sleep on this before replying, because it's an important topic, and my first post was wrong in presenting this as a technical problem. It's not - it's a risk management problem.
Now most of us are pretty good at risk management for some things - wear your seatbelt, change the batteries in the smoke detectors, stay out of bad neighborhoods at night. Concealed Carry is really another form of risk management, too.
Risk Management isn't about eliminating risk; it's about managing risk. All the actions that I take to mitigate my risk could fail. I could get killed in a car crash even if I'm wearing my seatbelt. So I make sure that I have life insurance so that the family is taken care of should I shuffle off this Mortal Coil. I can't eliminate the risk, but I can to some extent control how much it will affect me.
Online activities are a lot harder for most folks. They typically don't understand the ins and outs of the technology (most don't want to). Even if they did, they don't own the server or the application that they're visiting, so there's not a whole lot they can do, in a technical sense. However, the most important problem people have with online security is in estimating risk and estimating consequence.
And this brings things to why I'm still leery of online banking: I'm not at all sure what would happen if something were to go BUMP in the net. Chris left a great comment that cuts to the heart of this, in a reply to a question about whether someone should use a debit card for online transactions:
Very definitely. Never let your debit card out of your sight, or use the number online.
Now as I've said, I was professionally trained at Three Letter Intelligence Agency to be paranoid, so I'm not quite normal here. However, I'm moderately well versed in how the banking system works, and I'm pretty well versed in Internet Security, and I'm still not at all sure what would happen if someone emptied my bank account. At the same time, I am sure what would happen if someone started using my credit card for fraudulent transactions, because I've gotten calls from them asking me if I had just bought something from Russia.
Your liability for fraud executed against your credit card is strictly limited by law, and in practice the card issuer absorbs the loss.
Unfortunately, electronic funds transfers and debit card transactions are not nearly as well protected. How much, if anything, the issuing bank recovers for you on a fraudulent transaction is largely at its discretion.
Now I think that my bank would cover me. I quite like my bank, although a lot of this is Heather at the local branch. But I'm not sure, and if I weren't dealing with Heather, I'm a lot more unsure.
So the issue here isn't technical, really at all. The issue is that I find it terribly difficult to estimate the risk in online banking, or the consequences if something goes south.
And this is pretty unfair to guys like Chris. While all of the stuff he and his team do is important (careful design, code reviews, 3rd party review, penetration test, etc), we're now in the realm of bank policy. If my bank would offer the same guarantees that my credit card company does, my objections would pretty much disappear. I'd still be less than entirely happy, because I am paranoid, but the risk would be manageable.
Maybe the bank already offers this, and I just don't know. In this case, the problem is a disconnect in the marketing department.
UPDATE 15 November 2008 20:18: Very informative comment by Chris Byrne on the regulatory situation for banks. IANAL (not sure if Chris is, either), but this gives really important context. I'd excerpt, but it's long and very informative. If you're interested in the subject, RTWT.
So bottom line (summarizing my two posts and Chris' three comments), you will greatly reduce your risk if you:
- Don't ever use your debit card online. Use a credit card instead.
- If you do bank online, do it directly at your bank, and not a third party.
- If you really have to bank online (sigh), then you should really, really follow the suggestions in the Two Simple Rules of Safer Browsing.