Small Banks Online – An Example

Here’s an example of the online presence for a small credit union (bank). It’s so advanced it’s featured on thedailywtf.com. My guess is that maintaining a robust, secure online presence is difficult for small credit unions and banks. They might be as small as a single branch office and a few dozen employees. Outsourcing to service providers is pretty much the only option, and it is unlikely that they have the resources to perform a technical evaluation of their service providers. The service provider that this credit union (bank) uses seems to be used by many small credit unions, so there is no reason to name the specific credit union.

The initial login requires a captcha that they call a ‘Security Code’. I’m not sure what the purpose of the captcha might be, other than slowing down bots a bit.

Captcha 

They care enough about their clients to recommend a current browser.

Browser-2

Wait – isn’t one of those browsers dead? Let me check.

Netscape-EOL

That must be a mistake. Look around a bit. There is another link with browser requirements:

Browser-3

Which clarifies things just a bit.

Browser-Req

Mozilla 1.0, IE 5.0 or Netscape 6.2. The official recommendation is not one, not two, but THREE end-of-life browsers. Interesting. Perhaps they believe in security by obscurity? The good news is that unlike many popular sites, they don’t balk at too new a browser. IE 8 betas and the various daily builds of Minefield seem to work just fine.

Authentication is by user ID, password and security questions. They let customers create their own questions. This is a step up from forcing fixed questions. They still allow selection of pre-determined questions though.

Security-Questions

I prefer being allowed to create my own questions, but only because it annoys me less, not because I think that it adds significantly to the security of the system. I can’t imagine ordinary people creating challenging question/response pairs.

When you get logged in, you see:

Bank-UI

Classic frame based HTML, the kind of old fashioned goodness that rarely is seen today. I’d be worried if they let the code go stale. The threats from the Internet change so rapidly that code can go stale pretty quickly. The good news is that each year they update the copyright notice at the bottom of the page.

This is the 21st century, not the 90’s, so we should be able to get statements electronically. The credit union (bank) outsources online statements to a different third-party provider, accessible from the credit union’s site. But only if you have a decent, state-of-the-art browser:

Browser-req-Stmts

The statement provider raises the bar significantly, requiring any of IE 5.5, AOL 5, Netscape 7.

When you change your password, your new password is effective immediately. The password change function uses postal mail to notify the user of the change. The new password also gets mailed to you a couple of days after you’ve changed it. It is not possible to change a home address online, so postal mail is reasonably effective out-of-band notification. There is no e-mail based notification of any online transaction activity.

The user facing parts of the system appear to be minimally maintained and rarely upgraded. I have no way of knowing if the back end of the system is well designed and reasonably secure or not.

I really, really hate banking with large mega-banks. I did that once a couple of decades ago. It was such a bad experience that I’m loath to repeat it. For loans and major transactions, I much prefer dealing in person with a small bank or credit union, and if there ever is a problem with an account or a loan, having the ability to talk to real people in person is invaluable. Unfortunately, when using the small players, you probably are giving up a certain amount of online security.
