The bank is as secure as the user

Posted in Technology on 2006-12-20 20:43

In the post office today I learned something unexpected about how people use their internet bank accounts. I was going to post some cards and letters, and this being just before Christmas there was quite a queue. I spotted a computer in the office that was obviously set up for customers to use, and started fiddling around with it.

The computer was running Internet Explorer in some kind of kiosk mode, so the only thing you could do was open links from a start menu defined by the Norwegian Post. Being the sort of person I am I just had to explore a bit. You can't type in URLs, there is no toolbar and no menu, you can't right-click, and you can't access the Windows start menu (not even with keyboard shortcuts). In other words, you can pretty much only follow links and fill in forms online. There's a menu page that gives you access to various services related to the Post, including the internet bank of the Post Bank. And this is where it starts to get interesting.

I tried the alt+tab keyboard shortcut to see what happened, and it turned out there were something like 20 windows open, all of them Internet Explorer windows. I flicked through 6-7 of them. Two or three were information pages about services offered by the Post Bank. The remaining four showed people logged into the internet bank service of the Post Bank. All four showed the start page of the internet bank, which listed their names, the account number of their main account, and the amount of money in that account.

What's really bad is that all of these were live. That is, they'd done what they wanted in the internet bank, and then just walked away from the computer, still logged in. Of course, their sessions time out after a given interval (as far as I can tell, somewhere between 5 and 30 minutes). Still, it means that if you try it a few times you should be able to find one that's live, and dig into the account log, and even transfer some money to yourself (if you remember your own account number).

Of course, if you did this you'd leave a pretty clear trail in the account log, but it would be up to the owner of the account to prove that it wasn't them who did the transfer. Judging by recent news stories about a Norwegian woman who transferred NOK 550,000 to the wrong account (mistyped account number with one digit too many, which was ignored by the internet bank service) and received nothing back from the bank, I think they might find this an uphill battle.

I guess what really shocks me about this is the idea that someone would log into their internet bank from a public-use computer in a post office, and then just walk away from it. There were about 20 windows there, so if the ones I checked were representative about 13 people did that today, in a single post office.

I tried telling the woman who eventually sold me some stamps that this was a problem. To judge by her reaction she was more worried that I thought this was the bank's fault than really interested in doing anything about it. Ah well...

Anyway, the conclusion is that a theoretically theft-proof car isn't really that difficult to steal if you leave the car keys on the ground next to the car. And it seems that a lot of internet bank users do the electronic equivalent without hesitation. Protecting users against themselves is hard.

Quintin Siebers - 2006-12-21 08:57:37

Security, not only with banks, always seems to be user dependent. One can never know for sure if the person using an application is the person who he says he is. Furthermore, I think most people using such a public PC are completely ignorant of the fact that there is an open connection to some server. And even more to the fact that this connection will remain open until they close it or it times out. Fortunately for those that do care and do understand the risks, banks aren't completely stupid. They usually have some protection on transfers requiring the user's bankcard and code.

PS: I tried to post this comment straight from my RSS reader, and got an error along with a peek into your Python script...

Lars Marius - 2006-12-21 09:32:02

I don't think there's any stupidity from the bank here, but the Post Bank only requires a code when you log in. Once you are logged in you can freely pay bills and make other money transfers without having to go through any further authentication. So I'm certain I could transfer money to myself if I made, say, 4-5 visits to post offices that have a similar computer station.

Arnoud Haak - 2006-12-21 09:56:42

A chain is only as strong as its weakest link. Most people just don't know what they are doing. In the Netherlands banks use a two-way verification. You have to confirm your transactions with a code that you obtain from a device or an SMS message on your mobile phone (I don't like the last solution). I wonder why the Post Bank in Norway doesn't use a similar system. It would make the risk a lot smaller.

Lars Marius - 2006-12-21 10:01:56

I agree that having to confirm each transaction would remove this particular problem. It would definitely offer naive users better protection against themselves, and it seems the number of naive users is very large.

None of the Norwegian internet banking services do this, as far as I am aware. I guess they judged the added security against the extra complexity for themselves and the hassle for the users, and decided against it. Or, quite possibly, it was just never considered.

Svein - 2006-12-30 21:31:55

In fact, there are banks in Norway demanding confirmation of each transaction. I'm the proud owner of no less than 4 net banks (!) and one of them is built like this. But of course, it feels like a hassle. There's always a trade-off between usability and security.

The interesting point in your story, at least to me, is that when it comes to security and Internet we are too much occupied with digital signatures, PKI, strong encryption and forgetting, as Arnoud is pointing out, the weakest link in the chain - the human factor. In view of this it really is bad that the Post Bank/the post offices don't realise this potentially huge security problem.

