> Most of the online banks are pretty secure for non-oblivious person.
Ok, granted, I spent the last 23 years of my life working in IT security across consulting, government, finance, and tech companies, but this is just garbage. Banks only invest in security to the degree that:
- they are legally required to
- they have contractual obligations to
- that the risk of loss for a specific class of incident exceeds their self-insurance threshold
That's not a hypothetical comment, that is something that was explained to me as an AppSec lead when running into walls trying to get some issues fixed at one of the largest banks in the world. For the record, the issues that I was trying to have remediated would have had to exceed an annualized loss expectancy for the region I was operating in of 10 million dollars per year to be considered risky.
Your definition of a bank being pretty secure and mine are probably radically different.
> Combination of user & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts is the industry minimum standard.
Sure, users should choose strong passwords. Banks should also require multi-factor authentication (real 2FA, not the SMS-based weaksauce that a bunch use). But, that increases support and transaction costs. So, instead, blame the user! Beyond password selection, there is also the issue of how passwords are hashed, salted, stored, and brokered into a more reliable back-end credential that can be used, absolutely none of which the user has input into or control over, but sure, blame the user.
> User is the weakest link always, you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.
Sigh, you really like banging that drum.
> These people need life lesson to learn how to operate technology safely.
> Although I agree that online banking could be made more secure, but the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.
There is absolutely no way to train average users to operate modern internet technologies safely because the average user has no effective control over the software and hardware they use (yes, Linux is a thing, and so is open source hardware, but users of those OS and hardware are not average users).
The primary reason the incidence of fraud is so high in the finance sector is because business has chosen to optimize for high transaction volume, and has accepted the risks of doing so. Stop trying to blame end users.
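As an added illustration (not part of the post above), here is the remediation-funding rule the commenter describes, written out in Python: a finding gets fixed only if it is legally required, contractually obligated, or its annualized loss expectancy (ALE = single loss expectancy x annualized rate of occurrence) exceeds the region's self-insurance threshold. The findings, dollar figures and the threshold value are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class Finding:
    """One AppSec finding as it would sit in a bank's risk register (constructed shape)."""
    name: str
    sle: float                     # single loss expectancy, dollars per incident
    aro: float                     # annualized rate of occurrence, incidents per year
    legally_required: bool = False  # regulator mandates a fix regardless of ALE
    contractual: bool = False       # e.g. a card-scheme or customer contract requires it

    def ale(self) -> float:
        """Annualized loss expectancy: the standard quantitative-risk formula SLE x ARO."""
        return self.sle * self.aro


def funds_remediation(finding: Finding, self_insurance_threshold: float) -> bool:
    """The three-way rule from the post: legal OR contractual OR ALE above the threshold.

    Anything that fails all three is, in effect, self-insured and left unfixed.
    """
    return (
        finding.legally_required
        or finding.contractual
        or finding.ale() > self_insurance_threshold
    )


def triage(findings: Iterable[Finding], self_insurance_threshold: float) -> Dict[str, bool]:
    """Map each finding name to whether it would be funded under the rule above."""
    return {f.name: funds_remediation(f, self_insurance_threshold) for f in findings}


# Constructed sample register. The 10M threshold mirrors the figure quoted in the post;
# everything else is invented to show how a "real" bug can still fall below the line.
REGION_THRESHOLD = 10_000_000.0
SAMPLE_REGISTER = [
    Finding("session fixation in web login", sle=250_000, aro=4),              # ALE 1M: unfunded
    Finding("card-data exposure in logs", sle=50_000, aro=1, contractual=True),  # funded by contract
    Finding("wire-transfer authz bypass", sle=2_000_000, aro=6),               # ALE 12M: funded
]

if __name__ == "__main__":
    for name, funded in triage(SAMPLE_REGISTER, REGION_THRESHOLD).items():
        print(f"{name}: {'fund' if funded else 'self-insure'}")
```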