Yet Another Cycling Forum

General Category => The Knowledge => Ctrl-Alt-Del => Topic started by: Dez on June 01, 2012, 12:52:41 am

Title: Why is it that banks are so bloody clueless about Internet security?
Post by: Dez on June 01, 2012, 12:52:41 am
Dear Sir/Madam, [Santander Business Banking]

You have failed in most regards to help me to protect my identity with this email.


While I'm on the subject of security, please stop advertising that ridiculous Trusteer Rapport software every time I log into the online banking website. I am not going to install it. If it can insert itself into a web browser and make claims about the security of websites, then so can malicious software. The way to tell if you are on the right site is to verify the SSL certificate and who owns the IP you are connecting to, not rely on whether some dodgy security company's middleware has turned an icon green.

Regards,

--
Denis Walker
Big Red Design
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: barakta on June 01, 2012, 01:10:45 am
Please tell me you sent this? :)

My friend who is blind installed Rapport and it ate his JAWS screenreader. That was fun uninstalling that lot for him and removing its claws from his system so his screenreader would work again.
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Valiant on June 01, 2012, 03:00:42 am
Please tell me you sent this? :)

+1
Title: Why is it that banks are so bloody clueless about Internet security?
Post by: Aidan on June 01, 2012, 06:25:53 am
What? A bank with the veneer of caring for its customers, not actually doing that, I'm shocked! :-)

That's great Dez, I also really hope you sent it! 
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Jaded on June 01, 2012, 06:59:05 am
Emails purporting to be from Santander represent about 75% of the banking spam that my customers get. You'd think they'd know this and act accordingly to make their own emails stand out.
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Dez on June 01, 2012, 09:25:23 am
Please tell me you sent this? :)

+1
Yup :D
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: mrcharly-YHT on June 01, 2012, 09:33:30 am
excellent stuff.

Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: barakta on June 01, 2012, 01:17:47 pm
 :thumbsup:

Goodo, I look forward to hearing what their response is!   
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Jacomus on June 01, 2012, 02:26:44 pm
:thumbsup:

Goodo, I look forward to hearing what their response is!

I reckon it'll look something like this...

Quote
Dear Denis,

Thank you for your letter about Santander Business Banking online security. We take your security online seriously and have a number of measures in place to protect you and your business.

Here are some easy steps you can take to keep your financial information safe online:

1) Download our Trusteer Rapport software to help keep your financial details safe, it will alert you to the danger of malicious software that wants to steal your bank details, all from within your browser.
2) Make sure your anti-virus program is up to date.
3) Never give your bank details to someone via e-mail. We will never ask you for them.

If you have any questions, need help or want to learn more about keeping your money safe online, phone our premium rate line and talk to one of our call centre representatives.

Regards,
Santander Business Banking Team

 ;D
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Kim on June 01, 2012, 03:53:18 pm
Or you'll get a visit from the ossifers because you've been hacking their SSL certificate :)
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Cudzoziemiec on June 02, 2012, 11:10:23 am
While I'm on the subject of security, please stop advertising that ridiculous Trusteer Rapport software every time I log into the online banking website. I am not going to install it. If it can insert itself into a web browser and make claims about the security of websites, then so can malicious software. The way to tell if you are on the right site is to verify the SSL certificate and who owns the IP you are connecting to, not rely on whether some dodgy security company's middleware has turned an icon green.
Doubtless true, but as most people (including me) probably don't know anything about SSL certificates and how to verify them, this Rapport software might perhaps be better than nothing. Having said that, several other banks are pushing it too and I downloaded it a couple of years ago, found that it wanted me to remove my firewall (or something - can't remember exactly) so I deleted it.
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: rogerzilla on June 02, 2012, 08:12:36 pm
What's Spanish for "we don't care, nanana"?

Anyway, it's all your fault for dealing with such a shower in the first place.  As one of our non-exec directors observes, Santander is the Ryanair of banking.
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Cudzoziemiec on June 02, 2012, 09:07:54 pm
Also - businesses which cover themselves in a bright red colourscheme are the equivalent of the redtop press. There is, I'm told, psychological reasoning behind this in the way we perceive and react to certain shades.
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Kim on June 03, 2012, 12:27:45 am
And their logo looks like a steaming turd (or it did on the Euston Road in the dark through wet glasses one time, and I haven't been able to un-see it).
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: ian on June 03, 2012, 12:52:41 pm
To be fair, the problem for real people is that email isn't secure. We're conditioned to receiving letters and believing them. They have the company's letterhead etc. Obviously, that wasn't secure either, but it took effort to mess with, so it's a safe bet that if a letter landed on your door mat claiming to be from Company X, it came from Company X. Online that breaks because it's trivial for anyone smarter than a nematode to generate authentic-looking email from whomever (though I'll admit it helps to have fingers). Solutions like PGP signing fail because they're too complicated. Once you are forced to use acronyms like SSL and HTTPS and PGP, you might as well impale yourself on the giant stick of FAIL and make sucky-sucky dying noises as your remaining clue dribbles out and soaks into the ground. Can anyone normal deal with SSL certificates? Sure, click the padlock, navigate a labyrinth of nested dialogues, and then what am I supposed to do? It doesn't help that about the certificates on the net seem to be wrong (my own beloved ISP does the same, I was Pipex, it's now TalkTalk - who's the certificate still for? Tiscali, after their brief dalliance). Should I stop sending email?

Email is HTTP these days and people will put their responses at the top. Other than sullenly insisting on repositioning my cursor at the bottom of messages (thus ensuring that most of the planet think I suffer from premature email despatch, and are thus receiving blank messages), I'm rolling with it. Stupid shit like munging domain names and setting their clocks, welcome to the world of marketing emails. The people who press the SEND button just assume it's set-up. If you dealt with our IT people, you'd know why that's a dangerous assumption.

I'm not sure what the solution is, other than like all solutions, it should be at least 50% commonsense, and whatever portion is technological should be friction free.

Santander are shit though. They have our mortgage (since that swallowed up Alliance & Leicester) and never manage anything right. I think it took about eight letters and 72 hours on the phone to get them to reverse the inclusion of our last rearrangement fee from the loan. We clearly stated several times that we wanted to simply pay the fee. Even ticked a box to that effect.
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Pickled Onion on June 03, 2012, 01:04:46 pm
They don't help the situation by doing stuff like sending out genuine emails that ask you to click on a link ... when the other arm is trying to tell you how to avoid getting phished. It's about as brain-dead as phoning you up then asking to "take you through security".

The issue with emails is not that they're easy to fake - anyone with a colour printer or access to a copy shop could run off a convincing letterhead - the difference is being able to send a million copies for nothing. If somehow email was charged per item, even 0.1p, this would stop overnight.
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: rogerzilla on June 03, 2012, 01:54:34 pm
Email is HTTP these days and people will put their responses at the top. Other than sullenly insisting on repositioning my cursor at the bottom of messages (thus ensuring that most of the planet think I suffer from premature email despatch, and are thus receiving blank messages), I'm rolling with it.
To be fair, the top posting thing was Microshaft's arrogance/error in the first place.  Netscape Communicator, Mozilla and Thunderbird have always bottom-posted.  This, of course, leads to an unreadable mess when a person using one e-mail package communicates with someone using the other.
Title: Re: Why is it that banks are so bloody clueless about Internet security?
Post by: Dez on June 07, 2012, 08:15:21 pm
I reckon it'll look something like this...

So far, it's absolutely nothing. Them not even being competent enough to bother responding is strangely reassuring somehow.