Answer is simple: if you can't use technology safely - don't use it! The problem is nobody is teaching effective fraud defense for consumers at scale.
Disable online banking, use a checkbook and write checks everywhere, or carry cash. I still see older people use checkbooks from time to time, even when shopping for groceries.
Problem solved.
We require a driver's license to operate a vehicle; it is time we should require infosec101 training before handing over credit cards and/or online banking accounts.
So that you cannot blame the bank for your own fault.
Or migrate to something like Apple Pay, but that also does not guarantee 100% fraud prevention.
Oh if the world could just be so simple. Can't protect yourself from getting mugged, stop going outside. Problem solved.
The reality of any non-trivial issue is that we have to consider potential improvements from all angles. I want to improve tech for grandma and for the bank, doesn't that seem like a goal worth working towards? And let's please not pretend that banks are infallible in all of this, they also have opportunities to improve.
The actual protection from getting mugged is moving to a safe neighbourhood.
People must adapt, because it is unreasonable to expect the world to adapt to the most naive user. You either will get mugged every day, or you learn your lesson and move out to a safe neighborhood, or you buy a gun and solve the mugging problem for everybody else one shot at a time.
Same with fraud: the user will continue getting defrauded and scammed until the user learns the lesson and either abandons tech he/she is unable to use securely, or adapts and learns how to use it.
> The actual protection from getting mugged is moving to a safe neighbourhood. People must adapt, because it is unreasonable to expect the world to adapt to the most naive user. You either will get mugged every day, or you learn your lesson and move out to a safe neighborhood, or you buy a gun and solve the mugging problem for everybody else one shot at a time.
It's almost cute how you think people living in places with high crime rates wouldn't jump at the chance to move to a nicer neighborhood with lower crime rates, and that the reason they don't is because they haven't "learned their lesson".
Everyone buying guns and then going around shooting criminals is not a solution to crime, but if you're convinced it's a good idea, why not try it for yourself and "learn your lesson".
So you are advocating for the vast majority of the internet population to stop using online banking.
Let's flip the omelette: no one forces banks to do business online; if a bank can't build secure online banking, they can default to checkbooks and cash. They have the means and motive to build solutions that are actually secure and usable, so they should bear the burden of dealing with fraud when their solutions fail to be secure.
Most of the online banks are pretty secure for a non-oblivious person.
I have always used online banking and never got scammed. It is pretty secure for me.
A combination of user & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts, is the industry minimum standard.
The user is always the weakest link; you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.
These people need a life lesson to learn how to operate technology safely.
Although I agree that online banking could be made more secure, the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.
> Most of the online banks are pretty secure for a non-oblivious person.
Ok, granted, I spent the last 23 years of my life working in IT security across consulting, government, finance, and tech companies, but this is just garbage. Banks only invest in security to the degree that:
- they are legally required to
- they have contractual obligations to
- that the risk of loss for a specific class of incident exceeds their self-insurance threshold
That's not a hypothetical comment, that is something that was explained to me as an AppSec lead when running into walls trying to get some issues fixed at one of the largest banks in the world. For the record, the issues that I was trying to have remediated would have had to exceed an annualized loss expectancy for the region I was operating in of 10 million dollars per year to be considered risky.
Your definition of a bank being pretty secure and mine are probably radically different.
> A combination of user & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts, is the industry minimum standard.
Sure, users should choose strong passwords. Banks should also require multi-factor authentication (real 2FA, not the SMS-based weaksauce that a bunch use). But that increases support and transaction costs. So, instead, blame the user! Beyond password selection, there is also the issue of how passwords are hashed, salted, stored, and brokered into a more reliable back-end credential that can be used, absolutely none of which the user has input into or control over, but sure, blame the user.
> The user is always the weakest link; you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.
Sigh, you really like banging that drum.
> These people need a life lesson to learn how to operate technology safely.
> Although I agree that online banking could be made more secure, the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.
There is absolutely no way to train average users to operate modern internet technologies safely, because the average user has no effective control over the software and hardware they use (yes, Linux is a thing, and so is open source hardware, but users of those OSes and that hardware are not average users).
The primary reason the incidence of fraud is so high in the finance sector is because business has chosen to optimize for high transaction volume, and has accepted the risks of doing so. Stop trying to blame end users.
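The two comments above argue over what "industry minimum standard" password handling actually involves: the first names an entropy requirement and a lockout after a few failed attempts, the reply points out that salting, hashing and constant-time verification are entirely the bank's job. The following is an added example written for this thread, not code posted by any commenter or taken from any bank: it shows a per-user salted scrypt hash, a constant-time compare, a dummy hash run for unknown usernames so login timing does not reveal whether an account exists, and a consecutive-failure lockout. The thresholds (4 failures, 15 minutes), the scrypt parameters and the `AccountStore` class are assumptions chosen for illustration, not any institution's policy.

```python
"""Salted password hashing plus per-account lockout (constructed example)."""
import hashlib
import hmac
import os
import time
from typing import Optional

SALT_LEN = 16
# Assumed cost parameters: ~16 MiB of memory per hash, tens of ms of CPU.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
MAX_FAILED = 4              # assumed: lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed: lock duration


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password, salt).

    A fresh random salt per user means two users with the same password
    get different stored values, so a leaked table cannot be attacked with
    one precomputed dictionary for everybody.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, expected)


# Hash verified for unknown usernames so a probe costs the same time either way.
_DUMMY_HASH = hash_password("dummy-password-never-accepted")


class AccountStore:
    """In-memory account table: username -> hash, failure count, lock expiry."""

    def __init__(self) -> None:
        self._accounts = {}

    def register(self, username: str, password: str) -> None:
        self._accounts[username] = {
            "hash": hash_password(password),
            "failed": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "locked" or "bad_credentials".

        Unknown users get the same answer and the same scrypt cost as a wrong
        password, so the response does not enumerate valid usernames.
        """
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            verify_password(password, _DUMMY_HASH)  # burn equivalent CPU time
            return "bad_credentials"
        if now < acct["locked_until"]:
            return "locked"                          # even a correct password is refused
        if verify_password(password, acct["hash"]):
            acct["failed"] = 0                       # success resets the counter
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
        return "bad_credentials"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    for _ in range(MAX_FAILED):
        print(store.login("alice", "guess", now=0.0))          # bad_credentials x4
    print(store.login("alice", "correct horse battery staple", now=1.0))     # locked
    print(store.login("alice", "correct horse battery staple", now=901.0))   # ok
```

Note the trade-off the reply hints at: a lockout like this stops online guessing, but it also lets anyone who knows a username lock its owner out, which is one of the support-cost reasons institutions are reluctant to tighten it. It does nothing against an offline attack on a leaked table; that is what the salt and the scrypt cost are for, and neither is anything the end user can influence.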
> We require a driver's license to operate a vehicle; it is time we should require infosec101 training before handing over credit cards and/or online banking accounts.
Sure. Why not start with an outline for what infosec101 should look like. Include estimates for how long the training should take, what the cadence for testing should be, and which agency should be responsible for validating that training. Do be sure to accurately communicate the degree to which an end user with a chip enabled bank or credit card has the ability to distinguish and disambiguate what constitutes a 'safe' or 'legitimate' online business. Also, include some details about how individuals who have been certified as completing this class and/or licensing scheme should procure insurance to protect themselves in case of an accidental data breach (for example, they leak their card info), and outline the process by which that same licensee can file an insurance claim against the insured party downstream of the physical point of payment or online payment portal that allowed a breach to happen. After all - if we are going to require online safety training, and licensing, then we should create another insurance scheme to facilitate resolution of those claims and resolve the costs.
It is really easy to point the fingers at a customer and say "problem exists between chair and keyboard", but the reality is that in the modern economy, the end user has almost no control over the security of their transactions, and little ability to influence how their purchase is handled beyond the question of "cash or card".
The only incentive that retailers, online stores, payment processors, and financial institutions have to resolve this is the simple fact that they own the liability for this, and it's only through the myth of the idiot user that they have been able to shift that liability, to varying degrees, back to the consumer.
Sure all of us can learn to be more careful with tech, but the way banks frame fraud against them as identity theft against you is slimy doublespeak.