funsec mailing list archives
Re: bankone/chase non-scam
From: "Brian Loe" <knobdy () gmail com>
Date: Mon, 11 Dec 2006 08:27:00 -0600
On 12/10/06, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Larry Seltzer to Drsolly:
> >> I would tell Aunty Gi, not to access her accounts online.
> >
> > Really, you think it's that bad? I think the benefits of online banking
> > are so enormous that it's hard to blow it off like that.
>
> For myself, I agree -- but then, unlike your Aunty Gi, I am well-suited to accurately and reliably make the critically important calls that affect _my_ online safety (and yes, unlike some other high-profile techies on this list, I _do_ use online banking because my judgement of the risks is that those I take are acceptable for the convenience pay-off, BUT I doubt I'd ever use an "online only" bank or take some deal like lower bank fees for using only online services).
I use Quicken myself, but I'm far from a high-profile techie (just an annoying and loud one). The convenience level of this method of banking is so high that it is virtually the only way I process transactions. It's also a security tool, of sorts, because it allows me to see when something is amiss quite quickly. Thus far I've only busted the bank for making mistakes, but I'm confident I would recognize fraud just as quickly. I've also been in charge of the OFX servers that Quicken talks through to get its data from a mainframe (or whatnot) and understand its vulnerabilities pretty well. Those that I was charged with the support of handled billions of dollars a day and were never compromised, at least not on my watch (and I'm fairly sure we would have heard about it if they had been since).
> Sadly however, because most online banking users (perhaps those like your Aunty Gi?) are _not_ as well equipped as me to make those critical decisions, for the last several years my bank fees have continued to soar past the rate of general inflation _despite_ all of the bank's modernization, computerization, automation, reduction in face-to-face and voice-to-voice bank staff/customer interaction. Why? Because losses to fraud have gone up, reaching perilously close to (or surpassing) the "comfort level" already factored into the service fees, transaction margins and so on...
That to me is amazing. I pay virtually nothing at my bank. It is "free banking"... the only charges I can recall even are those I pay for the use of BillPay through Quicken - which is ten bucks and well worth it.
> If you were to tell Aunty Gi to ignore *all* mail purportedly from the
> bank, without exception, I doubt she would be in trouble with respect to
> online banking. The only real e-mails I've ever gotten from Bank of
> America have been informative, not critical.
Another blessing of Quicken - e-mails from my bank go through it at the same time I download my transactions. I know they're my bank's e-mails because that's the only place Quicken talks to. Further, they've never sent me an e-mail asking me to edit/verify my account... since, after all, if there were an issue with something like my password I would have never received their e-mail in the first place!
> Placing the onus on the user in an information-poor, technology-poor frame to make the "right" decision, there will always be too many "ooopsies"...
I have to agree with this 100%. Whether you're in support or security you need only know one thing: the end user's job is not to know what you do, only to know what they do. "Dumb End User" jokes are dumb for this reason - if they were all smart computer users, lots of folks would be out of work. That is not to say they can't be trained, just that there is a limit to what we can expect them to know and understand outside of their own job requirements. I believe Marcus Ranum has another, different take on user education that I semi-agree with (when I'm feeling contradictory at least) but I can't find that link right now...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.