Recently, I have been thinking about security systems in general. My bank counselor tried to sell me online banking. Something, I have been reluctant to use for years since I have a deep mistrust in internet security. As far as this blog post is concerned, the counseling interview produced two interesting points:
- I was told that online banking is secure unless you do something extremely stupid. As an example for "something extremely stupid", I was told the story of another bank customer who had answered a phishing mail by entering 20 TANs into a form on an obscure website. Naturally, the bank refused to make up for the resulting damage.
- My counselor was using the internet explorer (from the looks of it, an older version) to demonstrate online banking and had trouble explaining half of the security concepts on the bank's website (captcha, onscreen keypad,...), let alone the underlying technology. Fun fact: did you know that HTTPS does not offer any real protection? The point of HTTPS is mistrusting is your network operator. Curiously, the larger Telcos are also certificate authorities, your browser trusts. This allows them to hand you fake certificates as well as redirect traffic. Your session will be encrypted, all right, but encryption alone does not help at all if you are talking to an impostor.
Both points are reason for concern. In regard to the "stupid customer", the system was obviously over engineered. TANs offer a great deal of security, but the person in question was either not properly briefed or unable to fully understand the mechanism. Hence, a meta security hole was created.
The bank counselor, on the other hand, praised online banking as safe, but did not fully understanding the underlying technology either. He can't be blamed for this, though. IT was/is not his line of business and he merely relayed what the experts told him:
- Log out after finishing
- Use a firewall
- Use a virus scanner
And this brings me to my point about security: we have become too fearful. Ever since 9/11, we have been afraid of something bad happening to us. Mainstream media, as well as cunning snake oil salesman have been catering to our fear and making tons of money from it over the last decade. Nowadays, everything is expected to be at least 100% percent safe and ironically this is exactly what produces the next generation of security holes.
Trying to come up with an airtight security concept inevitably means implementing complex systems. Increased system complexity results in people not understanding them any longer and therefore makes them prone to human error and unforeseen side effects.
I am still skeptical about online banking...