Windows unsafe for online banking

Take a look for yourself here.

What a load of crap.  That’s like saying that because people die while wearing seat belts, seat belts must be at fault and you shouldn’t wear one.  The reason there are so many viruses and so much malware for Windows is that it is such a big “prize” for hackers.  MS owns the desktop OS market, which makes it the biggest target.  If you were going to rob a bank, wouldn’t you pick the branch that had the most money in it?  It doesn’t make much sense to write a virus for Linux because it has such a small portion of the market that the payoff would be nothing.

The FFIEC guidelines for multi-factor authentication are a pain, but the concept behind MFA is a must.  There are three ways to identify someone online: something they know (a password or challenge questions), something they are (biometrics), and something they have (a cell phone, an e-mail account, a hardware token, or a registered computer).  If a financial institution (FI) really, truly applies two of those factors, a stolen password alone is no longer enough to get into a person’s account.  The article speaks of the proverbial “man in the middle” attack in which a hacker somehow gains the user’s password, either through a keylogger or a fictitious web page made to look like the real thing (strictly, that is credential theft rather than interception of the session, but the result is the same).  Both of these are easy to stop:

  1. Don’t download anything from anyone you don’t know.
  2. Don’t install anything from anyone you don’t know.
  3. Don’t follow a link to an FI website; type the address in or use a bookmark you created yourself.
  4. Look at the URL of the web page you are on and make sure it says

Now some will argue that most people aren’t smart enough to figure that out on their own.  True, it is possible to build a phishing site so good that even an employee couldn’t tell the difference, but it is highly unlikely.  This is where the FI has to step in.  Companies like Trusteer have built a glorified browser add-on, but it works: it is designed to keep keylogging software from capturing what is typed into the pages the browser serves up.  They’ve done the right thing by assuming the user’s machine may already be infected.  Additionally, FIs could limit the damage when 3 and 4 fail by offering other security measures such as one-time-password tokens (RSA keys).  Make it optional for users who want it, and if a member has had fraud on their account, make it mandatory.

However FIs and online banking companies handle their security, two things need to happen: the users have to take some responsibility for their actions (don’t log into phishing sites or download shady applications) and FIs have to offer appropriate security measures to make unauthorized access to someone’s account extremely difficult.

More on OpenID

I was just reading an article in Information Week about OpenID, how it has been starting to catch on, and how it is being implemented on mainstream sites like MySpace.  As quickly as they praise it, the article turns around to point out that many sites enable the use of their own OpenIDs but don’t accept IDs issued by other providers because of “inherent risks”.  This sentence got my brain thinking:

“Since no OpenID provider makes public its practices around vetting and protecting identities, there’s effectively no way of assessing liability for faulty initial identification.”

Who is bound by law to verify IDs stringently?  Oh, that’s right: financial institutions.  So why don’t banks and credit unions jump on board and offer OpenID?  (I’d love to see a start-up virtual credit union do this.)

One potential issue I see with this is that there will still need to be a verification step to confirm that the OpenID was really issued by a bank or CU.  I could set myself up as a provider and issue “verified” OpenIDs that could be used to log into sites requiring stricter control over the content they offer.  So the question becomes: how can you create a secure OpenID that is provided by numerous companies?  I think the answer may lie in an uber-secure TLD for banks and credit unions.  Literally, have .bank or .creditunion or the like.  The registrar for the TLD would verify that the FI buying the domain is legitimate, using government-verified documents like call reports.  This concept has been kicked around before, but so far it just doesn’t seem to have any legs.

So what do you think?  Is there a need for a secure TLD for only financial institutions?  Do banks or CU’s really need to offer an OpenID service?

Big banking news from Second Life

Second Life issued a statement today effectively banning in-world banking.

“As of January 22, 2008, it will be prohibited to offer interest or any direct return on an investment (whether in L$ or other currency) from any object, such as an ATM, located in Second Life, without proof of an applicable government registration statement or financial institution charter. We’re implementing this policy after reviewing Resident complaints, banking activities, and the law, and we’re doing it to protect our Residents and the integrity of our economy.”

After the collapse of Ginko Financial last year, many residents of Second Life began raising concerns about legalities of in-world banking.  It’s a shame that Second Life couldn’t come up with a way to make this work.  They do make provisions for organizations that have valid financial institutions charters or the applicable governmental registration, but as their last paragraph says, “We will not apply this policy to companies who submit a registration statement, charter, or other applicable license from a governing regulatory authority, or who are merely conducting marketing or education, but not accepting payments.”

So what is there left for FI’s to do in Second Life that could actually have a real world impact?

I’m not sure about the name, but Banktastic looks cool!

My earlier post this week,  Making RSS Easy, stirred up a great pot.  Mark over at the Garland Group has been working on exactly what I was talking about.

Banktastic is, "A community helping bankers quickly find relevant, industry specific information and share it with others".  While I can pick on Mark about the name, the work they (he) has done to aggregate RSS feeds is awesome.  The page that lists all of the feeds is here.  This is the Credit Union Feed and this is the Master Feed.  I can’t wait to share this with my peers!

Flash, Flash, everywhere!

As of late, I’ve been seeing Flash websites pop up everywhere.  The latest FI-related one is called Lose Your Lunch Hour.  We’ve seen Dump Your Bank and the Coop Crusader this year.  It seems that lots of FIs and organizations are spending money on these great-looking Flash sites, but what exactly is it they do?  How are they being monetized? (I doubt they are.)

Two more examples outside of the FI industry: The Simpsons Movie and Honda F1 Racing.  These are clearly great marketing tools, but how can CUs best take advantage of this new trend?  Picking on bankers forever isn’t going to make any money, so how do we incorporate great Flash with a functional website?  Coast Capital has some cool use of Flash, but again, it is not a key component of their functional website.  Maybe VanCity’s We All Profit?  Another great example of a Flash marketing website, but how can we use these?

Making RSS easy

I’m continually finding myself talking to more executive-level employees about ideas generated from the blogosphere (like Doug’s funeral plot lending) and the sources of those ideas.  Most of them are now familiar with the term blog and kinda have a grasp of it, but now we need to make the information easy to consume.  Subscribing to RSS feeds is fairly easy to do with the appropriate tools (Google Reader, Outlook 2007, etc.); however, keeping tabs on all of the sources of information is challenging.  Open Source CU has a great blogroll that’s pretty inclusive, but doesn’t catch everything CU-related, try as they might.

So what I want to be able to do is provide one, or maybe two, feeds to C-level employees, or anyone else interested, to simplify both their consumption of feeds and the management of them.  I’ve been looking everywhere for a community-like tool in which a group of people (myself, Trabian, Garland Group, Gene, Ron, etc.) would be able to contribute to and manage a list of RSS feeds that simply aggregate into one massive feed.  That way, instead of trying to subscribe to the 50 CU-related feeds or 50 FI-related feeds, the new RSS user could simply pick one or two feeds and have their finger on the pulse of the whole industry.

So to sum it up, I’m first looking to see if there is a tool to aggregate RSS feeds into one simple syndication and whether it can be set up to have a group of people manage it…
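One way to do the aggregation without waiting for a hosted tool, as an added example written for this page (not Banktastic’s, the Garland Group’s or any existing product’s code): merge several RSS 2.0 feeds into one, newest first, dropping items that appear in more than one feed and tagging each item with the feed it came from.  The two feeds below are constructed samples; in practice the strings would come from fetching each member’s feed URL.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample feeds for the example; real input would be fetched from each feed URL.
FEED_A = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>CU Blog A</title><link>http://a.example/</link>
<item><title>Funeral plot lending</title><link>http://a.example/plots</link>
<pubDate>Mon, 14 Jan 2008 09:00:00 +0000</pubDate>
<description>Idea &amp; discussion</description></item>
<item><title>Older post</title><link>http://a.example/old</link>
<pubDate>Wed, 02 Jan 2008 12:00:00 +0000</pubDate></item>
</channel></rss>"""

FEED_B = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>CU Blog B</title><link>http://b.example/</link>
<item><title>Blogroll update</title><link>http://b.example/blogroll</link>
<pubDate>Tue, 15 Jan 2008 18:30:00 -0000</pubDate></item>
<item><title>Funeral plot lending (repost)</title><link>http://a.example/plots</link>
<pubDate>Tue, 15 Jan 2008 08:00:00 +0000</pubDate>
<description>Tips &amp; &lt;b&gt;markup&lt;/b&gt;</description></item>
</channel></rss>"""


def parse_feed(xml_text: str) -> list:
    """Pull the items out of one RSS 2.0 feed, remembering which feed they came from."""
    channel = ET.fromstring(xml_text).find("channel")
    feed_title = channel.findtext("title", default="unknown feed")
    feed_link = channel.findtext("link", default="")
    items = []
    for node in channel.iter("item"):
        try:
            when = parsedate_to_datetime(node.findtext("pubDate", default=""))
        except (TypeError, ValueError):
            when = EPOCH  # undated or unparsable: sort it to the bottom
        if when.tzinfo is None:  # "-0000" dates come back naive; treat them as UTC
            when = when.replace(tzinfo=timezone.utc)
        items.append({
            "title": node.findtext("title", default=""),
            "link": node.findtext("link", default="").strip(),
            "description": node.findtext("description", default=""),
            "when": when,
            "source": feed_title,
            "source_url": feed_link,
        })
    return items


def merge_feeds(feed_texts, limit: int = 50) -> list:
    """Newest first across all feeds; an item linked from several feeds appears once
    (the newest copy wins, since the list is sorted before de-duplication)."""
    everything = [item for text in feed_texts for item in parse_feed(text)]
    everything.sort(key=lambda item: item["when"], reverse=True)
    merged, seen_links = [], set()
    for item in everything:
        key = item["link"].lower()
        if key in seen_links:
            continue
        seen_links.add(key)
        merged.append(item)
    return merged[:limit]


def render_rss(items, title: str = "Master Feed", link: str = "http://example.invalid/master") -> str:
    """Serialize the merged list as a new RSS 2.0 document.  ElementTree escapes the
    text, so HTML in an upstream description is carried as data, never as live markup
    of the master feed itself."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "link").text = link
    ET.SubElement(channel, "lastBuildDate").text = format_datetime(datetime.now(timezone.utc))
    for item in items:
        node = ET.SubElement(channel, "item")
        ET.SubElement(node, "title").text = item["title"]
        ET.SubElement(node, "link").text = item["link"]
        ET.SubElement(node, "pubDate").text = format_datetime(item["when"])
        ET.SubElement(node, "description").text = item["description"]
        ET.SubElement(node, "source", url=item["source_url"]).text = item["source"]
    return ET.tostring(rss, encoding="unicode")


if __name__ == "__main__":
    print(render_rss(merge_feeds([FEED_A, FEED_B])))
```

Two things to keep in mind before pointing executives at such a feed: the merged document republishes text from dozens of third-party feeds, so the parser should be one hardened against entity-expansion tricks (defusedxml in place of plain xml.etree) and the description HTML should be sanitized before it goes out, because the escaping above only preserves upstream HTML as data; whether a reader renders it is the reader’s decision.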

The .Bank Debate Part II

In my previous post, I commented on the proposed “.Bank” TLD. Since then, F-Secure has defended their proposal on their blog, addressing many of the key issues I raised.

Here is what they had to say about users still being fooled by the new addresses:

The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users’ software to work better. Security software and browser tool bars would essentially have a “white list” to work with.

Yes, .bank would help browsers know whether a site is legitimate, but users would still have to look for something in their browsers.  If the EV-SSL certificate message below isn’t clear enough, what could web browsers possibly say that would be?
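The difficulty with item 4 in “Windows unsafe for online banking” above (look at the URL) and with F-Secure’s point here that a .bank TLD gives software a whitelist to work with is the same: the check has to look at the host the browser will actually connect to, not at whether the bank’s name appears somewhere in the address.  As an added example written for this page (not F-Secure’s, any browser vendor’s or any FI’s code), here is a naive substring check beside a host-based allowlist, run over constructed phishing-style addresses.  The hostnames and attacker.example are made up, and the .bank rule assumes the TLD exists and that its registrar vets registrants as the proposal describes (it eventually did: .bank was delegated in 2015 and is run by fTLD Registry Services with eligibility checks).

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the hosts a user bookmarked for their FIs
# (hypothetical names) and the restricted TLD F-Secure proposed.  A real client would
# load these from the FI or from a registry-published list.
TRUSTED_HOSTS = {"www.examplecu.com", "online.examplebank.com"}
TRUSTED_TLDS = {"bank"}


def naive_check(url: str) -> bool:
    """What a user glancing at the address bar (or a sloppy toolbar) does:
    look for the bank's name anywhere in the address."""
    return any(host in url.lower() for host in TRUSTED_HOSTS)


def connected_host(url: str):
    """The host the browser really talks to: userinfo and port stripped, lowercased,
    trailing dot removed, Unicode labels converted to their ASCII (punycode) form.
    Returns None for anything that is not an http(s) URL with a host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        return parts.hostname.encode("idna").decode("ascii").rstrip(".")
    except UnicodeError:
        return None


def is_trusted(url: str) -> bool:
    """Allowlist check: an exact bookmarked host or a registrant-vetted TLD, and only
    over TLS, because the name says who registered it, not whether the session is
    protected."""
    host = connected_host(url)
    if host is None or urlsplit(url).scheme != "https":
        return False
    if host in TRUSTED_HOSTS:
        return True
    return host.rsplit(".", 1)[-1] in TRUSTED_TLDS


# Constructed phishing-style URLs; attacker.example is a reserved example name, not a real site.
SAMPLES = [
    "https://www.examplecu.com/login",                      # the real thing
    "https://www.examplecu.com./login",                     # same host, trailing dot
    "http://www.examplecu.com/login",                       # right host, no TLS
    "https://www.examplecu.com.attacker.example/login",     # bank name as a subdomain
    "https://attacker.example/www.examplecu.com/login",     # bank name in the path
    "https://www.examplecu.com@attacker.example/login",     # bank name as userinfo
    "https://www.\u0435xamplecu.com/login",                 # Cyrillic 'е' homograph
    "https://online.examplebank.bank/",                     # vetted TLD
    "https://online.examplebank.bank.attacker.example/",    # vetted TLD as a subdomain
]


def audit(urls=SAMPLES) -> dict:
    """Map each URL to (naive verdict, allowlist verdict) so the two checks can be compared."""
    return {u: (naive_check(u), is_trusted(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in audit().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The naive check passes four of the forged addresses and misses the vetted .bank site entirely; the host-based check keys on the last label, which is why a subdomain trick like examplebank.bank.attacker.example fails it.  Neither verdict says anything about the site’s behaviour, only that the name was vetted and, for the strict check, that the session is encrypted.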

(Image: EV SSL certificate message as shown in the browser)

F-Secure addressed the issue of EV-SSL certificates as well:

We’re not against these new high-security web certificates. However, a secure top-level domain would still be a good idea: it would authenticate the domain as trusted by the name alone. There’s no way to know if a site has a high-security certificate without visiting it.

True, but EV-SSL certificates identify the organization behind a web site while also securing the connection the transaction runs over; a domain name on its own does nothing for the second part.

What about a compromise: a variant of EV-SSL certificates just for financial institutions, an FI-EV-SSL certificate? This wouldn’t give much additional benefit, since one must already prove they are a legitimate business to get an EV-SSL certificate.

I’m still not convinced “.bank” is worthwhile, what do you think?

The World’s Best Presentation

Tired of boring PowerPoint presentations?  Looking for some inspiration?

Shift Happens recently won the World’s Best Presentation Contest hosted by SlideShare.  It’s a pretty amazing presentation and there is a host of other resources on the site as well.  If you’re looking for some pizazz to spice up those really entertaining credit union presentations, look no further.