funsec mailing list archives

Re: bankone/chase non-scam


From: "Brian Loe" <knobdy () gmail com>
Date: Mon, 11 Dec 2006 08:27:00 -0600

On 12/10/06, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Larry Seltzer to Drsolly:
>
> > >>I would tell Aunty Gi, not to access her accounts online.
> >
> > Really, you think it's that bad? I think the benefits of online banking
> > are so enormous that it's hard to blow it off like that.
>
> For myself, I agree -- but then, unlike your Aunty Gi, I am well-suited
> to accurately and reliably make the critically important calls that
> affect _my_ online safety (and yes, unlike some other high-profile
> techies on this list, I _do_ use online banking because my judgement of
> the risks is that those I take are acceptable for the convenience
> pay-off, BUT I doubt I'd ever use an "online only" bank or take some
> deal like lower bank fees for using only online services).

I use Quicken myself, but I'm far from a high-profile techie (just an
annoying and loud one). The convenience level of this method of
banking is so high that it is virtually the only way I process
transactions. It's also a security tool, of sorts, because it allows
me to see when something is amiss quite quickly. Thus far I've only
busted the bank for making mistakes but I'm confident I would
recognize fraud just as quickly.

I've also been in charge of the OFX servers that Quicken talks through
to get its data from a mainframe (or whatnot) and understand its
vulnerabilities pretty well. Those that I was charged with the support
of handled billions of dollars a day and were never compromised, at
least not on my watch (and I'm fairly sure we would have heard about
it if they had been since).


> Sadly however, because most online banking users (perhaps those like
> your Aunty Gi?) are _not_ as well equipped as me to make those critical
> decisions, for the last several years my bank fees have continued to
> soar past the rate of general inflation _despite_ all of the bank's
> modernization, computerization, automation, reduction in face-to-face
> and voice-to-voice bank staff/customer interaction. Why? Because
> losses to fraud have gone up, reaching perilously close to (or
> surpassing) the "comfort level" already factored into the service fees,
> transaction margins and so on...

That to me is amazing. I pay virtually nothing at my bank. It is "free
banking"...the only charges I can recall even are those I pay for the
use of BillPay through Quicken - which is ten bucks and well worth it.


> > If you were to tell Aunty Gi to ignore *all* mail purportedly from the
> > bank, without exception, I doubt she would be in trouble with respect to
> > online banking. The only real e-mails I've ever gotten from Bank of
> > America have been informative, not critical.

Another blessing of Quicken - e-mails from my bank go through it at
the same time I download my transactions. I know they're my bank's
e-mails because that's the only place Quicken talks to. Further,
they've never sent me an e-mail asking me to edit/verify my
account...since, after all, if there were an issue with something like
my password I would have never received their e-mail in the first
place!


> Placing the onus on the user in an information-poor, technology-poor
> frame to make the "right" decision, there will always be too many
> "ooopsies"...

I have to agree with this 100%. Whether you're in support or security
you need only know one thing, the end user's job is not to know what
you do, only to know what they do. "Dumb End User" jokes are dumb for
this reason - if they were all smart computer users lots of folks
would be out of work. That is not to say they can't be trained, just
that there is a limit to what we can expect them to know and
understand outside of their own job requirements.

I believe Marcus Ranum has another, different take on user education
that I semi-agree with (when I'm feeling contradictory at least) but I
can't find that link right now...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
