UPDATE 3/7/12: So hitting the banks up on twitter went no where, they didn’t even approve my comments. I have a good disscussion going on in the “Internet Banking” group on LinkedIn if you want to join. Next step might be a reddit post or possible emailing some of the bank CSOs directly. Wish me luck.
5/5/12 I reached out to BofA’s CISO Patrick Gorman and was ignored. Don’t see much point in banging my head against the wall anymore.
Online banking and bill pay are two of the conveniences of the information age. I have memories of seeing my mom paying the monthly bills late at night filling out checks, opening and addressing envelopes, putting on stamps etc. She then of course had to manually balance her checkbook with a calculator. I cringe at the thought of having to spend several hours a month in such a manner, with online banking and bill pay it usually takes me 30 mins to send out the money with little or no writing or mailing. As with many conveniences, however it comes with a risk of potential abuse. Individuals certainly aren’t the only ones being victimized, especially vulnerable are small to medium-sized business who have relatively a lot of money compared to the average Joe Schomo like me and unfortunately for them they are not covered by the FDIC or the bank’s policy. Here’s a Bloomberg article from August last year that goes into several examples of theft and how the banks don’t always reimburse those companies like they do you when your CC is stolen. Bloomberg article
So without further ado here is what I humbly ask from my bank, 3 fairly quick wins that should be implemented as soon as possible. I’ll let you know if I hear anything back from them. I plan on hitting some of the bigger ones up on Twitter and LinkedIn to see if any of that social media mumbo jumbo works for me and my little blog.
1. Never include links in any email you send to a customer
In my opinion it is enviable that banks will stop sending their customers emails full of links. And I mean ALL LINKS, including the ones in your logo, the pretty banner pictures of middle-class people enjoying their lives, the legalese footer that no one reads, and especially in the message you are sending to the customer. Do not even include your domain as a non-clickable link. Keep the HTML format though I think this adds defensive capabilities that you are currently not using but that’s for another blog post. These extreme measures are needed because the average computer user is essentially helpless to see the danger as obvious it may be in hind-sight. This is because they need to click on links on a day-to-day basis to interact with friends, co-workers, and websites, and indeed do so with no negative repercussions. Then all of a sudden they get a call from someone like me who says you shouldn’t have clicked that one link in that one convincing looking email. My point is training and retraining users to recognize the signs of a Phish or trying to explain SMTP headers to them just won’t work if banks continue to send them an email talking about the dangers of clicking on links by asking them to click on links! Instead the bank should simply tell someone to go to their bank’s site. Get all your separate departments that send email at their every whim and tell them to redesign all their templates they use and send to 3rd party emailers to use. This is not a panacea to stop phishing but it will go a long way to condition customers to not to click on anything in emails representing your bank. Limiting the current most common social engineering infection vectors as well as forcing current Phishers to change their tactics drastically.
So Mr. bank executive you can be a leader with this policy, get all the positive press for not only protecting your customers but proving to shareholders you are trying to limit the increasing levels of fraud robbing value from “their” banks bottom line or you can be forced to do it as an also-ran follower when your competitor beats you to the punch. After all each email is a permanent voicemail to your customer representing your brand, why would you continue to encourage risky behavior?
2. Default to Read Only account for all online banking, and for budgeting services
This is another inevitable must-do, why do I have to use my administrator level credentials every time I log into my bank to do anything? How can I take advantage of cool services like Mint.com when to use it I must give my full account permissions to anyone working at Intuit? Admin credentials should only be needed for dangerous activities (i.e. potential for losing my money) for online banking such as transferring/withdrawing money, adding a bill payee, opening an account, etc. Once set up such dangerous activities are infrequently needed so I purpose you allow me to mark my current account read-only with all my desired “dangerous activities” requiring some sort of out-of-band authentication like SMS or Token verification, or if necessary (i.e. user can’t do SMS) separate pwd authentication. Using an account with reduced permissions is a fundamental security principal and would greatly reduce the attack surface from compromised customer computers. As it stands now you are making the decision for me, by not giving me the option to use an account with lesser privileges.
3. Let me configure email/SMS alerts when someone successfully authenticates
Even with all the above prevention techniques above you should still give me the option for getting an alert when someone auth’s successfully to either read-only or admin level access. Similar to the alerts I can configure now for large ATM or Check withdrawals. The information should include IP/User-Agent/Geo-location combined with time/date. Yes I’m well aware that information can be spoofed and/or misrepresented but it should be given to me none the less. You could easily massage the source information to make it more user-friendly, I mean if Facebook can do it for 840+ million users you really have no excuse.
So by your company’s own estimates you are losing millions a year because of this, I’d help you implement these for a million or so, sounds like an amazing deal to me. Pay the man. 🙂
PS. Disclaimer: I realize others may have put forth some or all of these ideas in the past, the following are just my thoughts and not meant to be some attempt to gain fame and fortune by plagiarizing others. If these ideas have been submitted to the internets before please consider me in agreement with them, and put the flame thrower down. Also some banks might even already employ one or more of these suggestions, all I know is the big national bank’s I’ve used don’t do any of these unfortunately.