On Nov 22, 2006, at 3:55 AM, Christian Stimming wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
> on gnucash-devel someone posted a link to some disturbing news:
>
>> Btw, I heard that US banks are soon going to drop OFX
>> because of new federal regulations that require
>> stronger authentication.
>>
>> http://www.mcse.ms/message2309357.html
>
> Quote from there:
>
>> Case in point: HSBC just notified customers that Direct Connect will
>> not be supported after December 10. When I called customer service
>> for Online Banking they said they have no plans to reinstate the
>> feature, it is suspended indefinitely. MBNA also recently suspended
>> Direct Connect.
MBNA is now part of Bank of America. I think their information systems switchover happened this fall. I don't think BofA turned off DirectConnect. I think they just turned off all the old MBNA servers.

> *cough*. What are these banks thinking? Are these banks thinking at
> all?

These banks are thinking that federal regulators may be knocking at their door soon. (As an aside, I claim that US banks have a long history of not caring about their customers' convenience. The bigger the bank, the less they care. Citibank has repeatedly proven that they really don't want my business. Astonishing.)

In October 2005 the FFIEC issued "Guidance" on security in authentication for online banking:

http://www.ffiec.gov/pdf/authentication_guidance.pdf

In August 2006, they issued a FAQ on the "Guidance":

http://www.ffiec.gov/pdf/authentication_faq.pdf

The deadline for compliance appears to be 31 December 2006.

Basically, what the board of governors said was "Hey! Banks! You idiots are making it easy for criminals to engage in identity theft and bank fraud. Stop it!"

While the FAQ specifically states that the board is NOT requiring multifactor authentication, they also state that single-factor authentication alone is clearly inadequate for high-risk situations. High-risk situations are: access to nonpublic customer information (can you say "account balance" and "transaction list"? I knew you could.) and transfer of funds to outside parties (bill pay, anyone?). Interestingly, the FAQ also specifically states that a second password entered at a different time during the interaction does not count as more than single-factor.

What HSBC has done is institute a second password that must be entered by clicking with a mouse on an on-screen keypad. The only way this strategy will pass the board's scrutiny is if HSBC's risk analysis identified keystroke loggers as the most important near-term security risk.
In any event, HSBC's solution is also clearly incompatible with ofxdirectconnect as implemented by Intuit. I also find it curious that they haven't instituted the second password for general account access (their online docs mention the second security key only for bill pay, not general account access. But the general access demo is down today, so who knows...).

Clearly, almost any online transaction that does anything useful for customers will be classified as high-risk by the regulators.

> I just *hope* the German banks still know about their advantages with
> HBCI and won't drop this in the near future...

I think the German banks have been way ahead of US banks with respect to security. At least several of them have secondary authentication tokens that are partially or fully accessible from open source software.

I have been hoping for some event to motivate the banks to pursue better security, but it looks like the banks are responding by telling customers that "the feds changed the regulations, and that service is no longer available" (or..., "Yippee, we get to blame the regulators for saving us money on customer systems...").

My biggest fear is that Intuit will use the new guidance as leverage to create a closed two-factor authentication system that they'll bolt onto the front end of the existing ofxdc process, locking everybody else out without changing the data stream at all. And for this favor, they'll only double the banks' current bills from Intuit.

So far, I haven't found any documentation at Intuit's site that they have changed anything with respect to authentication in Quicken 2007. I see babbling about multilayer security (another 'good thing' mentioned in the FFIEC guidance), but that's all protecting the transport, not the authentication.
If Intuit/Quicken isn't ready (capable) of complying by the beginning of 2007, an extension for the banks might happen, even when the FAQ (issued a couple of months ago) says the board of governors has no intention of offering a general extension.

Maybe I should be optimistic instead of cynical... Ha.

> Christian

Dave
--
David Reiser
[EMAIL PROTECTED]

_______________________________________________
Aqbanking-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/aqbanking-devel
