Monday, February 16, 2009

Small Banks Online – An Example

Here’s an example of the online presence for a small credit union (bank). It’s so advanced it’s featured on thedailywtf.com. My guess is that maintaining a robust, secure online presence is difficult for small credit unions and banks. They might be as small as a single branch office and a few dozen employees. Outsourcing to service providers is pretty much the only option, and it is unlikely that they have the resources to perform a technical evaluation of their service providers. The service provider that this credit union (bank) uses seems to be used by many small credit unions, so there is no reason to name the specific credit union.

The initial login requires a captcha that they call a ‘Security Code’. I’m not sure what the purpose of the captcha might be, other than slowing down bots a bit.

Captcha 

They care enough about their clients to recommend a current browser.

Browser-2

Wait – isn’t one of those browsers dead? Let me check.

Netscape-EOL

That must be a mistake. Look around a bit. There is another link with browser requirements:

Browser-3

Which clarifies things just a bit.

Browser-Req

Mozilla 1.0, IE 5.0 or Netscape 6.2. The official recommendation is not one, not two, but THREE end-of-life browsers. Interesting. Perhaps they believe in security by obscurity? The good news is that unlike many popular sites, they don’t balk at too new a browser. IE 8 betas and the various daily builds of Minefield seem to work just fine.

Authentication is by user id, password and security questions. They let customers create their own questions. This is a step up from forcing fixed questions. They still allow selection of pre-determined questions, though.

Security-Questions

I prefer being allowed to create my own questions, but only because it annoys me less, not because I think that it adds significantly to the security of the system. I can’t imagine ordinary people creating challenging question/response pairs.

When you get logged in, you see:

Bank-UI

Classic frame-based HTML, the kind of old-fashioned goodness that is rarely seen today. I’d be worried if they let the code go stale. The threats from the Internet change so rapidly that code can go stale pretty quickly. The good news is that each year they update the copyright notice at the bottom of the page.

This is the 90’s 21st century, so we should be able to get statements electronically. The credit union (bank) outsources online statements to a different third-party provider, accessible from the credit union’s site. But only if you have a decent, state-of-the-art browser:

Browser-req-Stmts

The statement provider raises the bar significantly, requiring any of IE 5.5, AOL 5, Netscape 7.

When you change your password, your new password is effective immediately. The password change function uses postal mail to notify the user of the change. The new password also gets mailed to you a couple of days after you’ve changed it. It is not possible to change a home address online, so postal mail is a reasonably effective out-of-band notification. There is no e-mail-based notification of any online transaction activity.

The user-facing parts of the system appear to be minimally maintained and rarely upgraded. I have no way of knowing whether the back end of the system is well designed and reasonably secure or not.

I really, really hate banking with large mega-banks. I did that once a couple of decades ago. It was such a bad experience that I’m loath to repeat it. For loans and major transactions, I much prefer dealing in person with a small bank or credit union, and if there ever is a problem with an account or a loan, having the ability to talk to real people in person is invaluable. Unfortunately, when using the small players, you probably are giving up a certain amount of online security.
