Throughout the history of banking, it has been a matter of utmost confidentiality and privacy, a matter between customer and bank.
Online banking changed this setup to let the customer handle many tasks originally performed by the bank. In the old operational model, a trusted person in a clerical function handled transactions and other activities in a carefully controlled environment and in a disciplined manner. Now many of these very simple activities are carried out by the authorized customer or user in a non-secure environment, in whatever manner the web browser introduces.
Going through the operational security built around the trusted clerical function and comparing it to online banking security principles, one must admit there is a lack of security in the personal computing environment. People tend to say ‘there is nothing secret here’. Right. Just before someone steals their identity or takes over their banking transactions.
Basically, people trust banks with their lives, handing over their most personal secrets and allowing their assets to be managed through personal banking accounts. This trust must be taken seriously, and that includes financial institutions maintaining their trusted posture.
Banks are willing to tell customers that they should keep their computing environment secure, thus washing their hands of the operational security aspects originally established in the controlled environment. I am not saying here that banks should buy every customer a bank-managed laptop or tablet. Banks are saying, “Data is encrypted with SSL, so no one is able to touch it.” Do you buy it?
Online banking and the privacy and security issues that came with it have made me think about this again. How come banks are telling people to maintain their security better, without putting their OWN reputation and capabilities on the line for the DIRECT consequences of the paradigm shift towards the ‘webalized’ approach we have witnessed for years, a shift that has now left poor operational security resting on customers’ shoulders?
Faults will exist as long as there is poorly written code in browsers, applications and the accessories of personal computers, and as long as people are, let us say, lazy about continuously updating them. Not that they are to blame: even diligent updating is not enough. Serious criminals use 0-day vulnerabilities to make the big money.
But could securing the end-user environment be the act that (re)gains TRUST for online banking? How? Is it even possible?
There are only a few initiatives ongoing to secure such an environment, while malicious, highly offensive actions keep pushing the lack of security further and further. It is not possible to require countless individuals to secure their environments against software vulnerabilities that evolve every day and may in turn allow criminals to empty their banking accounts. Banks have been reluctant, merely watching the situation get worse day by day.
However, I believe there are ways to deliver the TRUST that banks were so proud of before. So yes, it is possible to rethink what the weakest points in user-centric banking are and how the vulnerabilities should be avoided. Importantly, this does not require patching each and every workstation; it requires implementing online banking with a set of techniques, technologies and procedures that defeat malicious man-in-the-middle attacks, code injection, and data capture both in transit and while the data sits in the user’s browser. This should not require touching any user-side components of the equation, which makes it transparent to the user.
Eliminating online financial damage by establishing defense in depth, including the areas that have so far been unreachable and indefensible, is the only way to neutralize the local threats found in customers’ personal computing environments.
It is not a matter of possibility; it is a matter of whether banks are willing to establish such a trusted model, providing the same operational security principles as before and extending them from the bank, which is now online, towards the customer. It should be easier to know where fraud originated if you can really tell that it could not have come from the trusted environment, or can accurately tell that it was the clerical function. The same applies here.
Who wants to be the provider of the most secure online banking in the world?