Loud ramblings of a Software Artisan

Monday 21 March 2005

Are bank stupid with IT security ?

I'm really scared, but bank are stupid with IT security.

Example 1: they build paper walls to tighten security, for the customer inconveniance. Let's explain. My French bank has an online banking system. Pretty much convenient as I can do everything from there: wiring money, buy stocks, etc. But recently, in order to improve security, to record a bank account number to wire money, you have to call a phone number. The gets annoying because that phone number does not work from outside france and it cost money off course, because this is the french mentality. I finally went thru to get a regular phone number I can call from Canada. I called them, and all the information they ask is public, or easy to obtain; the hardest part is just the login for the banking system, but as an attacker, it is likely you already have it. So the security improvement is just pure decoy. Thank you for hiring competent people.

Example 2: still with the same bank. Last time I went to my branch in France, the teller had a brand new client software to access account information and perform all the operations. It is based on the biggest security treat, the software with which most spyware, virii and trojan horses gets installed on Windows: Internet Explorer. Yes, you read. They replaced all the terminal emulation software with a highly dangerous treat to security. And they manage your money with that. At least their web server seems to be Apache.

Example 3: there are still lot of online banking service that require Internet Explorer. How do you want to protect yourself if your bank ask you to use that security hole ? At least all the banks I use the banking service works with Mozilla / FireFox.

Sunday 13 March 2005

IM and privacy

This has been already the case for MSN Messenger, which I never used for some reasons, including this one. But now AOL is raising privacy issues on AIM as the new term of service: they reserve the right to eavesdrop your conversation, hence use any information that goes thru their IM network for the purpose they want. This come at the same time as they start offering commercial service to other companies.

That remind me when I had that discussion with some people. They were saying how awesome product XYZ interface to MSN Messenger. Then another came and said that company ACME (not the real name), specilizing in games, did disallow all IM but MSN Messenger, for internal use beetween the employees (sic). I then raised the point of privacy for the MSN Messenger term of service that basically allow Microsoft to pretend they own all the information the goes thru their service, and said that ACME's lawyers should have a look at that. Then another person said that Microsoft would never use it... Does people really believe that and trust them ? I personnally don't. Even more when that company is know to not respect competition rules.

Looks like I'll stop using AIM then (that include Apple .Mac since it is just that Apple is a early customer of AOL commercial service). That probably include ICQ that use the same network (at least when using GAIM. I wonder if Yahoo! has the same term of service.... If they do, then I'll only have Jabber left, no regrets.