WebApp Sec mailing list archives

Re: limits of end-user "testing"


From: "Kurt Seifried" <bt () seifried org>
Date: Thu, 17 Nov 2005 05:35:34 -0700

People occasionally ask me if I can help them figure out if the online
banking site they use is secure. I tell them not unless the bank hires me to
do so.

Agreed.

Is there *anything* that an end user can do in the way of checking for the
Top 10 type of problems, that would be considered "fair use" (I know..
copyright law term, not really applicable here) or "self-defense" rather
than malicious?

That depends on what the Judge/Jury says. I wouldn't chance it. The good news is that banks want online transactions to take off so they'll continue to eat the losses for a while (until it becomes a bigger problem or they figure out a way to shift the cost to customers without causing too much bad publicity).

This isn't really self-defense either since the bank's servers have not attacked you. This is more along the lines of due diligence, i.e. I'm entrusting you with X, I want to make sure you are actually capable of handling X properly and safely. The one method that comes to mind is legal, for example http://www.computerworld.com/printthis/2005/0,4814,105638,00.html

This is a fundamentally economic problem, banks could design systems and processes that would result in the customer having a near 100% secure experience with online banking, but it would be very very costly. Like Schneier says, shift the cost of phishing to financial institutions and they'll find a way to address it pretty quickly, leave the cost with consumers and.. well.. we'll have the situation we're currently in.

For purposes of simplicity and relevance to my current location, let's assume that the user, the website, and the company that owns the site are all
in the U.S.

I would especially not even think about it in that case.

-Kurt
