Thursday, January 28, 2010

Bank secure software

Not naming names for obvious security reasons, but with our old bank we used to be able to transfer funds, get statements etc. via a standard internet connection, passwords and a random number generator. Now with our new bank we have to use their piece of software, obviously designed back in the Win95 days, via a VPN.

Sure it's more secure, but boy does the VPN foul up the network connection. Try sending something through close to the cut-off point when everyone else does it, and not only will it throw back an error but it will disconnect that computer's LAN connection for about 5 seconds until clever old Windows finds it again.

So having dealt with the previous bank's failure to use standard HTML, every credit card company's inability to use the internet to deal with fraud, and now this, I'm rapidly coming to the same conclusion as my father: that all those in charge of these things have difficulty finding contacts on their mobile phones.


Orphi said...

Yeah, the banks in general do seem to take a pretty relaxed attitude to security, and a rather backwards attitude to technology in general.

Your bank card, for example, is protected by a mere 4-digit PIN number. Not 6 digits or 8 digits, just 4. I mean, like nobody could possibly see you type that! (Sure, some people can't remember that many digits. But most people remember their phone number, right?)

Most of the time, the bank's security question is your mother's maiden name. I mean, because nobody else could possibly know that, right? It's not as if your misfit brother might steal your card and try to pretend to be you or anything like that…

And then, as you point out, there's the software.

We had a program at work that allows our accountant's computer to talk to the bank. But to do this, your PC must have a modem and a connection to an analogue telephone line. In an office using all-digital telephone systems, this is non-trivial. Also, do you know how fast modems are?

It's good that they cater to people using ancient systems like Windows 95, but seriously, WTF? Welcome to 2010, mother****ers!

And you claim that other banks use random number security tokens or custom VPN software?

Interesting fact: The technology already exists to establish a secure connection between two parties using only a standard web browser. It's called HTTPS. Now usually it only authenticates the server to the client, but it is possible for the client to have a certificate too, and to authenticate in both directions.

This way, you can connect to the bank completely securely without needing any passwords at all, just the certificate file. (Although that does mean that anybody with access to your computer can impersonate you, so it's probably best to password-protect the file.)

Trouble is, setting up certificates is completely different depending on which web browser you have. They all support it, but you'd have to write a huge long document explaining how to do it for every browser and browser version on the market.

Way to design a feature which nobody will ever be using…

Alternatively, you can use SSH tunnelling — but again, there are several SSH products, and each of them has different controls.

I guess that's why they use the custom VPN solution [which is probably just SSH tunnelling or using TLS or something; I doubt it's actually using IPsec just to tunnel one application]. But of course, companies that don't specialise in software are generally pretty crap at doing software. I should know; the number of ISP setup CDs which utterly screw your PC…

FlipC said...

It took them long enough to work out you could even use the internet for things like that and not just as a marketing tool. Now I'm stuck with crappy Win16-type software with its 32x32 16-colour icons.

Orphi said...

Could be worse… You could work for my company, where we have mission-critical applications with potential impact on human health written in QBASIC.

To quote Zero Punctuation, OH DEARS!