Now I was trained by the finest minds in the Fed.Gov to be paranoid, but this case doesn't need anything so extreme. What you need is the Internet equivalent of "drive defensively." If someone steals one of your credit card numbers, this is seen as a cost of doing business by the card issuers, and you're likely not exposed to a lot of liability (operative word is "likely"). If someone can get into your bank account, then there's much, much more ripple effect; since most of us have more than one credit card, you have options if one suddenly hits its limit because of fraudsters. If your bank account is cleaned out at 9:00 on Friday evening, it's going to be interesting for you, and not in a good way.
Here chez Borepatch we simply won't do online banking, because I'm not convinced that banks have sufficient security in their online systems to stop massive fraud, or have processes in place to identify and react to it. In short, I'm quite unwilling to be a guinea pig for their new Web 2.0 e-Portal.
You shouldn't, either. The reasons include:
The Internet applications that banks are putting online are rushed into production, and therefore are probably not well tested. The Executive VP of online banking is in a hurry to "take the company 'e'", so time's a-wasting. It's hard enough to do basic functionality testing (do all the widgets work?), let alone figure out if security is well implemented. At the extreme, security isn't an afterthought; it isn't thought of at all.
The web 2.0 technologies that techies love so much (and which provide such a cool user experience) are brand new. People really don't know what the security implications of these technologies are. But everyone uses them anyway. How secure is the app? How would someone find out? How would you find out? Unfortunately, the answers are [sound of crickets chirping].
Credit card companies have been dealing with card fraud for decades. They understand how to find patterns much, much better than banks do. If you include telephone credit card ordering, the card issuers have been dealing with fraudulent orders for 30 or 40 years. Some of the most sophisticated data mining applications are in use at Visa and MasterCard. Banks are new to this - if someone figures out how to transfer cash from online accounts, do they know how to identify this? Not clear at all.
It's getting worse, not better. Jeremiah Grossman is one of the smartest web security guys around, and he's done some very interesting analysis. If you're still hot to bank online, you should follow the link and watch his presentation on how the Bad Guys are making tons of money from exploiting the lousy security here.
We designed a presentation meant to be a lot of fun, that taught things anyone could do, and perhaps by the end might have people questioning their ethics. Judging from much of the feedback I think we might have succeeded on the last point. :)
The common theme? Lousy security in the web applications. Slide 39 is simply unbelievable, about an actual online banking service that they were hired to test:
How to hack 600 banks ...
- We changed acct_id to an arbitrary but valid account #, and the error said Account #X belongs to Bank #Y
- We then changed the bank_id to #Y, and the error said Bank #Y belongs to client #Z
- We changed the client_id to #Z, and you could drop into anyone else's bank account, on any bank, on any client
The banking service's response? Comment out some of the HTML, "until someone can get around to fix things." Yikes. Some things you really really can't fix with duct tape.
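The chain of errors in those three bullets, as an added example that is not from the post or from Grossman's slides: a hypothetical account lookup written the way the slide describes, beside a hardened version that authorizes against the logged-in session instead of the request, answers every failure the same way, and records denied lookups so a fraud team can notice an identifier being walked. The account data, bank/client mapping and function names are constructed for illustration.

```python
# Constructed sample data (hypothetical): each account knows its bank, its
# client, and the one user who is allowed to see it.
ACCOUNTS = {
    "1001": {"bank_id": "7", "client_id": "42", "owner": "alice", "balance": 250.00},
    "1002": {"bank_id": "7", "client_id": "42", "owner": "bob", "balance": 9100.00},
    "2001": {"bank_id": "9", "client_id": "55", "owner": "carol", "balance": 37.50},
}
BANK_CLIENT = {"7": "42", "9": "55"}  # which client each bank belongs to


def lookup_vulnerable(user, acct_id, bank_id, client_id):
    """The slide 39 pattern: every identifier is taken from the request, the
    logged-in user is never consulted, and each error message hands the caller
    the next identifier it needs."""
    acct = ACCOUNTS.get(acct_id)
    if acct is None:
        return {"error": f"Account #{acct_id} does not exist"}
    if acct["bank_id"] != bank_id:
        return {"error": f"Account #{acct_id} belongs to Bank #{acct['bank_id']}"}
    if BANK_CLIENT[bank_id] != client_id:
        return {"error": f"Bank #{bank_id} belongs to client #{BANK_CLIENT[bank_id]}"}
    return {"balance": acct["balance"]}


def lookup_hardened(user, acct_id, audit):
    """Authorization comes from the session: the account must be owned by the
    logged-in user. bank_id and client_id are resolved server-side, never taken
    from the client, and a missing account and someone else's account get the
    identical answer so nothing about other accounts leaks. Every denial is
    appended to `audit` (a plain list) for the fraud team."""
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != user:
        audit.append({"user": user, "acct_id": acct_id, "result": "denied"})
        return {"error": "Account not found"}
    return {"balance": acct["balance"], "bank_id": acct["bank_id"],
            "client_id": acct["client_id"]}


def denied_lookups(audit, user):
    """Number of accounts a user asked for and was refused. A legitimate
    customer produces roughly zero of these per session; a run of them is the
    signature of someone tampering with acct_id."""
    return sum(1 for e in audit if e["user"] == user and e["result"] == "denied")
```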
So, what should you do? Well, if you don't bank online, well done! You don't need to do anything. If you do bank online, then drive defensively. Meaning stop. Really. The system security is simply not ready for prime time, and the technology is moving much faster than anyone's understanding of how to secure it. Epic security fail.
But maybe you can help your girlfriend win the "cutest dog in Austin" poll.
UPDATE 14 November 2008 10:53: Chris Byrne has some interesting comments. I'll post more this evening, but if you're interested in the topic, you should read the comments.