Kuro5hin.org: technology and culture, from the trenches

My Bank: Secure or Stupid?

By Blarney in Op-Ed
Wed Jul 25, 2001 at 01:39:23 PM EST
Tags: Security

After dealing with my bank's bargain-basement customer service today, I decided that I would like to try their online services. However, now I'm afraid of the consequences of the online signup. Somewhere in the US Post there is a letter containing my name, a user ID, a password, and perhaps some useful instructions, which would enable the holder of the document to drain my bank account. Is this really the safest way to handle signup for online banking? Or is it completely clueless and stupid?


My employer and I are currently engaged in a discussion of whether or not I was overpaid by $1300 during the year 2000. As the employer's record-keeping system is a total shambles, and I'm a disorganized slob who always loses his paystubs and bank statements, it seemed that the most reasonable thing to do here was for me to get a second opinion about the Direct Deposit payments from my bank.

My bank demanded $100 for photocopies of my records from Jan 2000 until now, and insisted that this was a reasonable fee, totally unwaivable, that I had agreed to pay in some Account Holders Agreement. I marveled at the excellent wages that they must be paying their clerical staff, and at the incredible quality of their photocopier. I was grateful to them for their excellent Account Holders Agreement that I had somehow magically agreed to when they'd bought the bank I formerly had used, and implored them to show me a copy of this miraculous document with my signature thereupon. I explained to them how a wonderful modern invention known as the "printer" allowed data to be sent directly from a computer system to paper, without the need for expensive copier toner or a worker's constant attention, and offered to instruct them on the use of this device. They were not amused, and it was strongly suggested that my continued presence in their building might be a problem, and that future dealings in this matter should be directed at my employer. D'oh!

Anyhow, I gotta get these records before I close my account, but I don't want to be extorted. Fortunately, the bank has an online system which I found while web surfing, with a 30 day free trial period which should adequately cover my remaining time as a customer of this bank. The employees that I spoke with were not aware of this system - perhaps they simply wanted $100 to cover the inconvenience of having to tolerate my presence. So I signed up for the system.

I put in my checking account number and name, gave them an email address, and agreed to have my information used for marketing purposes by any company willing to buy it. The system informed me that my login and password would be sent to me by postal mail within the next 5 business days or so, unless something went wrong or the bank decided that they didn't want to. It's perfectly reasonable that it would require days of work to add an account to a sophisticated system such as theirs, but now I'm hoping that somebody doesn't snarf the darn thing out of the mail and transfer all the money away - something similar happened to an acquaintance of mine when her mail was burgled for credit card cash advance checks.

Their website's FAQ claims that this is very good security, as at least they don't give this information out by email where some hacker could steal it. However, I rather wish that the signup process - which at least uses SSL security - had generated and granted me some sort of verification code on the spot for me to keep until such time as I need to login to my online banking account. Kind of like putting a deadbolt on the door, or wearing suspenders and a belt simultaneously. Does this seem like a reasonable alternative to trusting the US Postal Service for all the security? Can anybody inform me how their bank handles this issue?
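The signup design asked for above (a code granted on the spot over the SSL session, plus a second secret by post, both required to activate the account) can be written down concretely. What follows is an added illustration, not the bank's system and not code from the original post; the names, the 30-day lifetime, the five-attempt limit, the code alphabet and the in-memory "outbox" standing in for the print-and-mail channel are all assumptions. The point it shows is that a thief who takes the letter holds only half of what is needed, that neither half is stored in clear, and that the activation is single-use, expiring and rate-limited.

```python
# Added example: split-channel enrollment for online banking. This is not the
# bank's system and not code from the original post; the names, the 30-day
# lifetime, the five-attempt limit and the code alphabet are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I to misread
CODE_LENGTH = 10
MAX_ATTEMPTS = 5
CODE_LIFETIME = 30 * 24 * 3600  # seconds; the letter must arrive and be used within 30 days


def new_code():
    """Random code for one channel: 32^10, about 50 bits, so guessing online is hopeless."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))


def code_digest(account, code, salt):
    """Slow, salted hash of a code. The account id is mixed in so a code
    found in one customer's letter cannot be replayed against another."""
    return hashlib.pbkdf2_hmac("sha256", f"{account}:{code}".encode(), salt, 50_000)


@dataclass
class Enrollment:
    salt: bytes
    online_hash: bytes   # half shown over the SSL signup session
    postal_hash: bytes   # half that goes in the letter
    created: float
    attempts: int = 0


class EnrollmentService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # account -> Enrollment awaiting activation
        self._active = set()  # accounts already activated
        self.outbox = []      # constructed stand-in for the print-and-mail channel

    def begin(self, account):
        """Run inside the SSL signup session. Returns the online half for the
        customer to keep now and queues the postal half for the letter. The two
        halves never travel over the same channel and neither is stored in clear."""
        online, postal = new_code(), new_code()
        salt = secrets.token_bytes(16)
        self._pending[account] = Enrollment(
            salt, code_digest(account, online, salt),
            code_digest(account, postal, salt), self._clock())
        self.outbox.append({"account": account, "postal_code": postal})
        return online

    def activate(self, account, online_code, postal_code):
        """First login: both halves must match, within the lifetime and the
        attempt budget. Returns True exactly once per successful enrollment."""
        e = self._pending.get(account)
        if e is None:
            return False
        if self._clock() - e.created > CODE_LIFETIME:
            del self._pending[account]          # stale letter: start over at the branch
            return False
        e.attempts += 1
        if e.attempts > MAX_ATTEMPTS:
            del self._pending[account]          # lock out guessing; re-enrol out of band
            return False
        ok_online = hmac.compare_digest(e.online_hash, code_digest(account, online_code, e.salt))
        ok_postal = hmac.compare_digest(e.postal_hash, code_digest(account, postal_code, e.salt))
        # Both digests are always computed, so a failure does not reveal which half was wrong.
        if ok_online and ok_postal:
            del self._pending[account]
            self._active.add(account)
            return True
        return False

    def is_active(self, account):
        return account in self._active


def demo():
    """A signup, a mail thief trying the letter alone, then the real customer."""
    svc = EnrollmentService()
    kept_online = svc.begin("checking-0001")       # customer writes this down at signup
    letter = svc.outbox[0]["postal_code"]          # what arrives (or is stolen) by post
    return {
        "thief_with_letter_only": svc.activate("checking-0001", "GUESSGUESS", letter),
        "customer_with_both": svc.activate("checking-0001", kept_online, letter),
        "replay_after_activation": svc.activate("checking-0001", kept_online, letter),
    }


if __name__ == "__main__":
    print(demo())
```

The same shape covers the arrangements described in the comments below, where one half is set at the branch or mailed under separate cover: what matters is that no single channel, and no single stolen envelope, carries everything needed to log in.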


Poll
Do you like your bank?
o Yes! They always smile when they see me, and even pay me interest! 12%
o Sure. They're very nice to me, so long as I pay all my fees. 13%
o Dunno. I bank electronically, nothing ever goes wrong, and I haven't been to the office in years. 29%
o No. We have a mutual codependant abuse type thing going. 30%
o What bank? I pay my bills with money orders, cash my paychecks at the grocery store, and keep my money in a coffee can under my bed. 3%
o Ask my mom! She handles all that stuff for me. 9%

Votes: 81



My Bank: Secure or Stupid? | 26 comments (22 topical, 4 editorial, 0 hidden)
I like my bank. (4.00 / 4) (#4)
by Jin Wicked on Wed Jul 25, 2001 at 03:46:39 AM EST

I never used to go to tellers until I got an account with my current bank... ever since I had a deposit "adjusted" in an ATM, I'm paranoid of putting cash in those envelopes that won't be counted in front of me. Since I usually have big wads of $1s and such from the restaurant, and cheques from other places, I make a lot of little, frequent deposits. I also recently drove the personal bankers nuts about trying to get a form notarized. They're always pleasant, and I've never had any problems with this account, deposits, or anything. My bank was recently bought by Washington Mutual, and they dropped the one fee that they were charging me -- $1/month for my cheque card.

Usually when someone sends a notice like that in the mail to me, though, every time I've gotten one the password or PIN has come separately from the other details to prevent anyone making much use of it, should one of the two pieces of mail get stolen. Did you actually get it yet or not? I'd be really surprised if they actually mailed the password and everything in one envelope.


This post was probably not written by the real Jin Wicked. Please see user "butter pie" for Jin's actual posts.


That's reassuring (2.50 / 2) (#5)
by Blarney on Wed Jul 25, 2001 at 04:09:59 AM EST

I'm glad to hear that they take some sort of precautions. I hope that's how my bank does it. Is one of the mailings usually delayed?




Yes... (none / 0) (#25)
by Jin Wicked on Fri Jul 27, 2001 at 01:45:35 AM EST

If I recall correctly, I think they sent everything else first, then I got the PIN #s a day or two later.


This post was probably not written by the real Jin Wicked. Please see user "butter pie" for Jin's actual posts.


I blame the masons. (2.33 / 3) (#8)
by Holloway on Wed Jul 25, 2001 at 05:26:28 AM EST

jinwicked.com/portfolio is a 404.


== Humans wear pants; if they don't wear pants they stand out in a crowd. But if a monkey didn't wear pants it would be anonymous

Ick. Washington Mutual (none / 0) (#21)
by yankeehack on Wed Jul 25, 2001 at 01:16:29 PM EST

I had a totally different experience dealing with those morons: not their consumer banking division, but their mortgage people. For a mortgage, I wouldn't recommend them to anyone.

Perhaps what we really need is a new feminism...It will focus on something that liberal feminism has failed to do--instill a sense of dignity, honor and s

A Caveat... (4.60 / 5) (#6)
by ti dave on Wed Jul 25, 2001 at 04:46:23 AM EST

Beware my friend,

As I understand your story, you signed up for the on-line banking so that you could access and then print out your deposit activity. I assume you'd be doing this from Home.

My personal experience with this method is, that no authority who requires the banking information from me, will accept a copy from my computer as being legitimate.

Only copies provided by the bank, on their crappy bank paper, with their crappy little bank stamp, will do.

This, my friend, I find *lame*.

Apparently, I might be capable of "hacking" the printout, thereby defrauding the agencies.

So, in a nutshell, find out in advance if your Employer's Lawyers will disregard your "proof".

Cheers,

ti dave

"If you dial," Iran said, eyes open and watching, "for greater venom, then I'll dial the same."

a second caveat (3.33 / 3) (#18)
by garlic on Wed Jul 25, 2001 at 10:41:18 AM EST

My bank (bankone) does not give me access to more than about 1.5 to 2 months of records online. So even if your boss will accept that as proof, you may not have access to far enough back in the records.

HUSI challenge: post 4 troll diaries on husi without being outed as a Kuron, or having the diaries deleted or moved by admins.

bank one (4.00 / 2) (#19)
by jayfoo2 on Wed Jul 25, 2001 at 12:37:24 PM EST

<vent>

BankOne is going to create a black hole that will swallow the earth it sucks so bad.

I signed up for their online banking about 2 years ago (after they bought my bank). The original username? My SSN. The default password? My mother's maiden name.

Let me say that I briefly contemplated a life of crime.

On top of that the site is down constantly.

</vent>

No real surprise (3.00 / 1) (#7)
by loaf on Wed Jul 25, 2001 at 05:05:09 AM EST

Banks are in it to make money.

If you're in credit, they can use your money to make more money elsewhere.

If you're not in credit they need to screw you somewhere to obey point one.

My bank's online system isn't bad and, from what I remember of the hoop-jumping process I had to go through in order to get a log-on, it is fairly secure. (They gave me a username face-to-face in the branch and sent the password in an unmarked envelope with no reference to my account on the enclosed slip, assuming that I'd know what it meant.)

If you try to bear in mind that all banks are money-grabbing con artists whose only aim is to make money and only tolerate you if you are helpful to those aims, then you won't go far wrong.

Party line (2.85 / 7) (#9)
by Ludwig on Wed Jul 25, 2001 at 05:38:29 AM EST

Since at the time of posting this I've yet to see the logical and perfectly reasonable Objectivist viewpoint presented, please allow me:

"If you don't like your bank's policies, you are perfectly free to take your business to any of the myriad other major banking institutions that offer less onerous conditions at no cost of time or effort to yourself. If you happen not to be able to find any banks that aren't trying to screw you over at every turn, and furthermore aren't immediately bought out by larger, less well-meaning organizations... well then, you of course have the freedom to start your own bank, and market forces will naturally favor those institutions that offer the best balance between the interests of their customers and profitability, so you should do very well. So whatever could you possibly be complaining about?"

How's that?

Heheh (none / 0) (#15)
by ajf on Wed Jul 25, 2001 at 08:02:49 AM EST

You missed the point that the information he wants is the history of his account, so going to another bank - which he implies he is going to do anyway - won't help.

So, that was spot on.



"I have no idea if it is true or not, but given what you read on the Web, it seems to be a valid concern." -jjayson
Security (5.00 / 3) (#10)
by sventhatcher on Wed Jul 25, 2001 at 05:40:12 AM EST

It would seem to be a much better idea to use multiple pathways for identity confirmation. In fact, that would be a hard system for anyone not specifically casing you or the bank to break.

If one portion of the account information was snail mailed and the other given upon creation, it's unlikely that one individual would randomly end up with both.

Does anyone know of any place that already does this?

--Sven (Now with bonus vanity weblog! (MLP Sold Separately))

Uk (5.00 / 1) (#16)
by pallex on Wed Jul 25, 2001 at 08:49:23 AM EST

Banks send out credit cards separately from the PIN numbers. I think they send the numbers out before the cards, so people don't spot that it's a card and then wait for the number.
I guess they could do that with passwords etc. if they were bothered.

Who are they? (4.66 / 3) (#11)
by benzilla on Wed Jul 25, 2001 at 05:50:23 AM EST

Assuming the factual accuracy of the story, would it not have been a service to the K5 community to name the bank involved? One of the things the internet is great for is the rapid dissemination of information regarding companies who cannot even be bothered to appear to give a toss about their customers.

__________

*BenZilla*


HSBC (in the UK) and First Union (in the US) (5.00 / 1) (#12)
by Ticino on Wed Jul 25, 2001 at 05:51:36 AM EST

First, for the technical question that you asked (how to get your online banking details to you without relying on the US Postal Service): this is how my banks (HSBC and First Union) handled it.

HSBC asks you to provide a six to ten digit security code when you open your account. I don't think you can open the account over the phone, so you are at the branch office when you are doing this. This security code is maintained and handled by the bank and is used by their telephone banking service and to register and use their Online Banking service. When you elect to use online banking, you register by providing your bank details (account number, branch sort code etc.) via SSL on their website as well as your security code. Then voilà, a login is created for you and your password is your security code. It's all seamless and quick once your account is up and running.

First Union pretty much does this the same way: I provided both a 4 digit security code and a security word. When I registered for online banking at First Union, I provided these details along with my account number and then voilà, instant online banking.

Lloyds in the UK (with which I banked for only thirty days, evil bank) pretty much had the same setup that you are talking about. Furthermore, even after I had closed my account with Lloyds (which took a month for them to get around to because of staff shortages), I still had access to my online banking account. But then again, like I said, Lloyds is evil.

Lastly, no matter how bad your bank is in the US, it can't be nearly as bad as banks here in the UK.

why it costs so much (3.50 / 2) (#13)
by streetlawyer on Wed Jul 25, 2001 at 07:00:17 AM EST

You have a lot of my sympathy, but where's the fun in saying that? So ...

I marveled at the excellent wages that they must be paying their clerical staff, and at the incredible quality of their photocopier [...]

I explained to them how a wonderful modern invention known as the "printer" allowed data to be sent directly from a computer system to paper, without the need for expensive copier toner or a worker's constant attention, and offered to instruct them on the use of this device.

Heh. Funny. In actual fact, of course, the actual action of photocopying, or emailing your statements costs very little indeed. On the other hand ....

Suppose I wanted my Vaio made with a red "JSM" painted on the main PCB. All I have to do is call up Sony and ask them to do it for me, right? All it takes is one of their employees for a minute, a paintbrush and a few cents worth of paint. Should cost a dollar, tops.

Of course it wouldn't, and for the same reason that the basis you're using is wrong for the bank. The main cost here is that of "raising an exception" -- interrupting a process which is designed to be continuous. Furthermore, you're paying for a lot of idle "overhead" time for the skilled employees who can manage interrupts to the process -- employees who the bank wouldn't have to employ at all if everything ran to standard. They make you bear the fully allocated cost of the exception, rather than the marginal cost, to discourage you from raising a whole load more exceptions in future. Transactions which they can automate are usually much cheaper -- but expecting to have instant access to eighteen months' worth of transactions for every customer is a bit much.

On the other hand, most banks also see someone who *needs* a non-standard service and can't do without it, as a chance to do something for the stockholders once in a while, so it's not at all impossible that you've just been gouged.

--
Just because things have been nonergodic so far, doesn't mean that they'll be nonergodic forever

Keep your records. (4.00 / 1) (#14)
by iGrrrl on Wed Jul 25, 2001 at 07:27:51 AM EST

This article is basically a whinge disguised as a question about security. I'll answer both.

My husband and I bank in two different fashions. For our household accounts, we bank with one of the largest Northeast banks, and he does almost all our bill-paying on line. We've never had trouble with it, and they've never claimed they "don't support Linux." This bank has ATMs everywhere, and since we do most banking via direct deposit, etc., and keep our statements, we've rarely had any issues with them. As another comment noted (Jin Wicked?), all login names and passwords were handled via the US Postal Service, and the pieces were sent under separate cover. Someone would have had to look at all our outgoing and incoming mail for a week or so to get our login.

OTOH, the estate accounts I had to open were done at a smaller bank with branches in the area where my folks lived. I do almost everything in person or by the mail. The tellers know me by sight, and they have more than the proverbial clue. Plymouth Savings Bank has been very, very good to me.

My guess is that if we needed the statements Blarney needed from the Big Corporate Bank, they would charge us similar large amounts. The smaller bank I use for estate work charges me only three dollars per monthly statement for additional printouts. Like Blarney, our Big bank is the product of a merger or two and a couple of changes in policy have surely come in under our radar. So far we've barely noticed them.

Basically, though, the banks send you statements so you have a record of your account activity. If you choose not to keep those records, it isn't their problem. If you do get on line access and your boss doesn't accept your home printouts, log in from work and show him/her the same information on line. If the on line information backs you up and the boss still questions your integrity, you might want to consider changing jobs.

--
You cannot have a reasonable conversation with someone who regards other people as toys to be played with. localroger
remove apostrophe for email.

Find a credit union (3.50 / 2) (#20)
by yosemite on Wed Jul 25, 2001 at 01:16:06 PM EST

A couple of recommendations:

First, switch to a credit union. It may take you a while to find one that's competent and fits your needs (and that you're allowed to join), but you'll be amazed what a difference it makes.

Second, keep all your financial documents (monthly account reports, paycheck stubs, 401(K) reports, copies of tax returns, etc.) forever. Yes, forever. It doesn't actually take that much space, and if you're ever in a dispute/audit/whatever, the documentation is invaluable. (I realize it's too late for Blarney, but today is the first day of yadda, yadda)

--
[Signature redacted]

Interesting topic... (4.00 / 1) (#22)
by jd on Wed Jul 25, 2001 at 01:40:13 PM EST

Really, the two -fundamental- issues raised are:

  • How much is information worth?
  • How secure should information be?

I'll answer the second one, first. IMHO, all information should be as secure as possible. If you "differentiate", by using different degrees of security, you immediately tell any interested party what to focus on, and what to ignore. Since social reverse-engineering often allows a person to deduce elements of that "secure" information, you essentially have no security at all.

IMHO, banks and other financial organizations should use secure identification methods, ALWAYS. For a computer, this would mean using SSL (128-bits), an IPSEC tunnel (using 3DES), or PGP/GPG, depending on the type of information being transferred.

For personal access, be it an ATM or via a bank teller, the same level of security should apply. Public key encryption of information on bank cards and credit cards would seriously reduce the risks involved. Checks should ONLY be usable by the person they are made out to. Using them as an alternative to cash makes them VERY high-risk.

Now, on to how much information is worth. If it's kept so secure, it must be worth a lot, right? Yes. But only in the context of the person and their bank. If it's kept safe, it should be worthLESS to everyone else.

Ok, so that information has dual ownership. How much can one owner charge the other, for transfer?

Since the information, in and of itself, has no value, the answer would presumably be "nothing". It only has value in a specific context, and that context doesn't apply in simple exchanges like this.

HOWEVER, it is entirely right and proper for one owner to charge the other for any exceptional or unusual exchanges, where said exchange places a burden on the owner who is delivering.

The problem with banks, though, is that these charges are all one-way. The bank never has to pay, when the burden is on the customer. Sorry, but if you are valuing & charging for one set of burdens, you should really value and charge for all of them.

This applies to company computers, too. If a company computer generates or records erroneous data, and this places a burden on an employee, the employee should have a perfect right to bill the payroll department for that burden.

Often, computer payroll software is written and maintained by cheap student labour. Very often, it is flawed and buggy. Faulty software has consequences, and those consequences should not be transferrable. Those who cause them should cure them, and pay for them. The rest of the world shouldn't have to play nanny to Accounts.

This leads me neatly into a final, generic point: ALL Software Should Be Free Of Defects! You can write programs which meet all the usual Consumer Protection laws and regulations. By making software magically "exempt" from any kind of mandatory quality control, all that has happened is that there is NO quality control at all. And, yes, I include the protection of personal information and identity in that.

What about your company.... (4.50 / 2) (#23)
by Belatu-Cadros on Wed Jul 25, 2001 at 02:43:43 PM EST

and their bank? Even if your company is disorganised, I'll assume that they pay you from a bank account. Couldn't they get their bank's records on how much was transferred to your account? The other option is to get your company to pay your fee for you. If it really is a concern to them, they'll pay the $100.

If your company is so disorganised that they can't prove they did overpay you, why should you have to prove they didn't? Personally, I believe it should be up to the company to prove that they overpaid you first. Then it would be up to you to prove that they didn't.

Please forgive my poor grammar and speeling, English is my first language.

Mailing PINs (5.00 / 2) (#24)
by lucidvein on Wed Jul 25, 2001 at 10:25:56 PM EST

I recently got a shudder of fear a few weeks ago when pulling some cash out of a machine during lunch. I slipped in a credit card by mistake and keyed my account number. Didn't work, card spit out... oh, wrong card. Three days later I receive a letter in the mail from my credit company. "We noticed you recently experienced difficulty using your card at an ATM, so we're taking the opportunity to remind you of your PIN.

Your current PIN is: XXXX
for your account ending in XXXX"

Now while that may be helpful for some people, I find it a bit invasive and unsafe. How hard would it be for someone with a stolen wallet w/ID to use a card, arbitrarily punch in numbers, and then swipe the mail of the victim to get the correct PIN? For a few years mail theft in my part of town has gotten so bad, whole mail boxes were being stolen. The big blue ones. It was reported that the culprits were raking in about $3000 a week in stolen checks. Don't know if they were upscale enough to be draining bank accounts.

cost of learning (none / 0) (#26)
by bodnath on Mon Jul 30, 2001 at 08:59:20 AM EST

I would agree that US$100 seems high to produce a statement which is just a printout of computer files. However it has been noted from other posts that an exception case is always charged highly by banks.
Most banks do not make profits from the day to day banking of folk, but from the charges they apply when people go overdrawn without agreement or they want exception services.
Our original author here is in a pickle because he or she has lost all documented record of monies paid in and has a dispute from some time in the previous 12 months.
I would suggest that since the amount is for $1300, then pay the $100 to clarify the situation. If you win then you have made $1200. If you are wrong then you have only lost $100.
It is a small small cost for a great opportunity to learn. Money is a complete pain in the arse if you let it control you. If you keep on top of it, then even if you have very little, you can manage it and you are the one in control.
Save those payslips and statements. Check they are right. If they are wrong then do something about it right away - it's much easier to fix now than in 6 months' time.
Best of luck !

