What a load of crap.  That’s like saying people die wearing seat belts, thus it must be the seat belt’s fault so you shouldn’t wear your seat belt.  The reason there are so many viruses and malware for Windows is because it is such a big “prize” for hackers.  MS owns the desktop OS market, thus making them the biggest target.  If you were going to rob a bank, wouldn’t you pick the branch that had the most money in it?  It doesn’t make much sense to write a virus for Linux because it owns such a small portion of the market that the payoff would be nothing.

The FFIEC guidelines for multi-factor authentication are a pain.  But the concept behind MFA is a must.  There are three ways to identify someone online: something they know (Q&A), something they are (bio-metrics or computer ID), and something they have (cell phone or email).  If an FI really, truly applies 2 of those factors, it will make it nearly impossible to directly hack a person’s account.  The article speaks of the proverbial “man in the middle” attack in which a hacker somehow manages to gain access to the user’s password, either through a keylogger or a fictitious webpage made to look like the real thing.  Both of these are easy to stop:

1. Don’t download anything from anyone you don’t know.
2. Don’t install anything from anyone you don’t know.
3. Don’t follow a link to an FI website, type it in or bookmark it yourself.
4. Look at the url of the webpage you are on and make sure it says mycu.com.

Now some will argue that most people aren’t smart enough to figure that out on their own.  True, it is possible to build such a great phishing site that even an employee couldn’t tell the difference, but it is highly unlikely.  This is where the FI has to step in.  Companies like Trusteer have built a glorified browser add-on, but it works.  It prevents any type of keylogging software from detecting what is being typed into the webpages that the browser is serving up.  They’ve done the right thing and they count on the users machine already being infected.  Additionally, FI’s could help with 3 and 4 by offering other security measures like RSA keys.  Make it optional for users if they want it or if a member has had fraud on their account, make it mandatory.

However FI’s and online banking companies handle their security, two things need to happen: The users have to take some responsibility for their actions (don’t log into phishing sites or download shady applications) and FI’s have to offer appropriate security measures to make unauthorized access to someone’s account extremely difficult.

“Since no OpenID provider makes public its practices around vetting and protecting identities, there’s effectively no way of assessing liability for faulty initial identification.”

Who is bound by law to verify ID’s stringently?  Oh, that’s right.  Financial institutions.  So why don’t banks and credit unions jump on board and offer OpenID?  (I’d love to see a start-up virtual credit union do this.)

One potential issue I see with this is there will still need to be a verificaiton step involved to verify that the OpenID was really issued by a bank or CU.  I could go get robbiewrightbank.com, issue “verified” OpenID’s that could be used to log into sites requiring stricter control over the content they are offering on their site.  So the question becomes how can you create a secure OpenID that is provided by numerous companies?  I think the answer may lay in an uber-secure TLD for banks and credit unions. Literally, have .bank or .creditunion or the like.  The registrar for the TLD would verify that the FI buying the domain is legit, using government verified documents like call reports.  This concept has been kicked around before but many it just doesn’t have any legs.

So what do you think?  Is there a need for a secure TLD for only financial institutions?  Do banks or CU’s really need to offer an OpenID service?

“As of January 22, 2008, it will be prohibited to offer interest or any direct return on an investment (whether in L$ or other currency) from any object, such as an ATM, located in Second Life, without proof of an applicable government registration statement or financial institution charter. We’re implementing this policy after reviewing Resident complaints, banking activities, and the law, and we’re doing it to protect our Residents and the integrity of our economy.”

After the collapse of Ginko Financial last year, many residents of Second Life began raising concerns about legalities of in-world banking.  It’s a shame that Second Life couldn’t come up with a way to make this work.  They do make provisions for organizations that have valid financial institutions charters or the applicable governmental registration, but as their last paragraph says, “We will not apply this policy to companies who submit a registration statement, charter, or other applicable license from a governing regulatory authority, or who are merely conducting marketing or education, but not accepting payments.”

So what is there left for FI’s to do in Second Life that could actually have a real world impact?

Banktastic is, "A community helping bankers quickly find relevant, industry specific information and share it with others".  While I can pick on Mark about the name, the work they (he) has done to aggregate RSS feeds is awesome.  The page that lists all of the feeds is here.  This is the Credit Union Feed and this is the Master Feed.  I can’t wait to share this with my peers!

As of late, I’ve been seeing flash websites pop up everywhere.  The latest FI-related one is called Lose Your Lunch Hour.  We’ve seen Dump Your Bank and the Coop Crusader this year.  It seems that lots of FI’s and organizations are spending money on these great looking flash sites, but what exactly is it they do?  How are they getting monetized? (I doubt they are)

Two more examples outside of the FI industry: The Simpson’s Movie and Honda F1 Racing.  These are clearly great marketing tools, but how can CU’s best take advantage of this new trend?  Picking on bankers forever isn’t going to make any money, so how we incorporate great flash with a functional website?  Coast Capital has some cool use of flash, but again, it is not a key component of their functional website.  Maybe VanCity’s We All Profit?  Another great example of a flash marketing website, but how can we use these?

So what I want to be able to do is provide one, or maybe two, feeds to c-level employees, or anyone else interested, to simplify their consumption of feeds as well as the management.  I’ve been looking everywhere for a community-like tool in which a group of people (myself, Trabian, Garland Group, Gene, Ron, etc) would be able to contribute and manage a list of RSS feeds that simply aggregate into one massive feed.  That way instead of trying to subscribe to the 50 CU-related feeds or 50 FI-related feeds the new user to RSS could simply pick one or two feeds and have their finger on the pulse of the whole industry.

So to sum it up, I’m first looking to see if there is a tool to aggregate RSS feeds into one simply syndication and if it can be setup to have a group of people manage it…