Peter Gutmann wrote:
Banks like Bank of America have taken some flak in the past for their awful
online banking security practices.  [...]

For an example of how you can do it well and still have a well-designed user interface, consider SaarLB (http://www.saarlb.de). The homepage is unencrypted. In the lower right-hand corner there is a box "Online-Banking" that even has a demo account so that you can try online banking before getting an account with them (I consider this a great idea). That leads to an encrypted page containing the login text boxes.

The banking pages have an online glossary where you can enter words that you don't understand, such as "Zertifikat", "Schlüssel" (key) etc. and get them explained to you.

The login page also has this hint:

"Derzeit sind betrügerische Mails im Umlauf! Folgen Sie nicht dem Link. Geben Sie dort keine Daten ein. Bitte beachten Sie unsere Sicherheitshinweise und wenden sich im Zweifelsfall persönlich an Ihren Kundenberater."

(Translation: "We know of fraudulent emails being sent! Do not follow the link. Don't enter any data. Please follow our security notices; when in doubt, contact your customer consultant personally.")

The security notice has well-written sections on how PIN/TAN authentication/authorization works (including how to set a limit on remittances in order to limit any damage), how to configure your browser (including how to turn off Java and JavaScript, a recommendation not to let the browser save your password, how to clear the cache, and how, why, and when to enable cookies), how to check the certificate fingerprint(!), how to recognize phishing, why traffic analysis is still possible, even with encryption, etc. In particular, it contains the following hint:

"Sollte Ihr Browser bei einem Verbindungsaufbau mit dem Online-Banking-Server in einer Warnmeldung darauf hinweisen, dass ein Schlüssel nicht erfolgreich überprüft werden konnte, wählen Sie unbedingt "Abbrechen", denn ein sicherer Verbindungsaufbau zu dem Rechner unseres Institutes ist in diesem Fall nicht mehr gewährleistet. Nehmen Sie in diesem Fall bitte Kontakt mit uns auf."

(Translation: "Should your browser warn you that the key couldn't be certified, always choose "Cancel", because in this case, a secure connection to one of our servers couldn't be established. In this case, please contact us.")

This has a picture of a security warning with the mouse on "Abbrechen" ("Cancel").

Once you log out, you get a window containing this message:

"Sicherheitshinweis:
Aus Sicherheitsgründen empfehlen wir Ihnen, das Browserfenster zum Ende der Nutzung unserer Internetseiten zu schließen und nicht für den Besuch weiterer Seiten im Internet zu verwenden. Dieser Hinweis gilt insbesondere dann, wenn Sie das Online-Banking nicht von zu Hause, sondern von einem öffentlichen Ort aus nutzen (z.B. Arbeitsplatz, Internet-Café)."

(Translation: "Security Notice: For security reasons, we recommend that you close your browser window once you have finished using our internet pages. Please don't re-use this browser window for further browsing. This hint is applicable especially if you use our online banking not from your home, but from a public place, such as your workplace or an internet cafe.")

All in all, I think this is just about as good as you can do it. Technically, customers are as secure as they can be using https, PIN/TAN, and current browser technology, while still having a reasonably hassle-free UI. And the bank at least makes an attempt to educate its customers as to best security practices.

Fun,

Stephan

PS: Since I'm usually bitching about things, you might legitimately wonder if I had something to do with the bank's web site. The answer is no, I had nothing to do with it. I don't even know who did it. But perhaps I should find out.

Stephan Neuhaus
Researcher, Department of Informatics, Universität des Saarlandes
Postfach 15 11 50, 66041 Saarbrücken, Germany
Tel: +49-681/302-64018, Fax: +49-681/302-64012
http://www.st.cs.uni-sb.de/~neuhaus
