Trying to get my head around this 'logic'. A owns some property. B steals it. A & B get to an understanding that it's ok for B to keep the stolen property. B in turn sells part of the property to X, Y & Z. A sues X, Y & Z because he can't sue B. Fantastic 'logic'!
08 Nov 2019 04:30
Fully agree with the views in the article. In the rush to develop technological solutions to solve different problems, many banks have not taken care of end-to-end solutions but build solutions in silos. If it's a simple transaction, technology handles it smoothly. Bring in a bit of complexity and the cracks in the whole system start showing up. If the people in the branches can't solve problems of their customers when they do visit the branches - something that's getting less frequent - they are sure to be turned off, not just from the branches but from the banks themselves! Here is my own experience from a recent branch visit:
03 Apr 2017 05:13
Wondering why they assume that what went wrong with the pepper spray "solution" will not happen in this case?
09 May 2014 13:42
Ketharaman,
We certainly need innovation but not at the cost of basic security. How many people really appreciate the risk involved in being "always logged in" to their bank accounts?
A system that does not provide the feature of automatic logoff will never get through system security audit. All major banks recommend that their customers logoff once they are through with what they want to do in their mobile banking application. They also log you out automatically if you don’t use the application for more than a few minutes.
It is not just what the security professionals recommend. Let me quote two specific regulations.
The FFIEC guidelines clearly say that “. . . an institution’s layered security program will contain the following two elements at a minimum (emphasis mine) . . . . Initial login and authentication of customers requesting access to the institution’s electronic banking system and initiation of electronic transactions involving transfer of funds to other parties”
Information Security Guidelines of RBI says “An online session would need to be automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained”
HIPAA, ISACA and Sarbanes-Oxley all recommend automatic logoff as an essential security policy.
If you think all this is an overreaction by regulators and security professionals, I would merely say that you are entitled to your views. But when something is regulatory, one's views don't really count in the courtroom.
And you make a curious comment on "innocuous information". Volumes have been written about what a social engineer can do with seemingly trivial information and so I don't want to say much here. But I recommend that you read The Art of Deception by Kevin Mitnick, an excellent book on the ways of social engineers. There is even a chapter titled "When Innocuous Information Isn't".
A better innovation in my view is to make login much easier and safer than typing one’s password rather than ask people to be logged in all the time.
I would rather spend a few seconds to open the lock rather than keep the front door open all the time and allow a stranger to walk in and take a look, even if there is nothing much that he can steal. Ditto for my bank account.
11 Apr 2013 06:12
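The session rule quoted above from the RBI guidelines (a fixed window, terminated unless the customer re-authenticates) can be shown as server-side logic. This is an added illustration, not code from the commenter or from any bank; the timeout values and the store API are constructed assumptions.

```python
"""Session lifetime enforcement: a session lives for a fixed window and is
terminated unless the customer re-authenticates before the window ends.
Assumed policy values below are constructed for the example."""
import secrets

SESSION_TTL_S = 10 * 60       # assumed: fixed window of 10 minutes
ABSOLUTE_MAX_S = 8 * 60 * 60  # assumed: hard cap that re-authentication cannot exceed


class SessionStore:
    """Server-side store keyed by an opaque id. The clock is passed in
    by the caller so the logic can be exercised without sleeping."""

    def __init__(self, ttl=SESSION_TTL_S, absolute_max=ABSOLUTE_MAX_S):
        self.ttl = ttl
        self.absolute_max = absolute_max
        self._sessions = {}

    def login(self, user, now):
        # Expiry is fixed at login; only re-authentication moves it later.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "expires": now + self.ttl}
        return sid

    def authorize(self, sid, now):
        """Check on every request. Returns (allowed, reason). Ordinary activity
        does NOT extend the session; an expired session is purged, not merely flagged."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "no such session"
        if now >= s["expires"] or now - s["created"] >= self.absolute_max:
            del self._sessions[sid]  # automatic logoff happens server-side
            return False, "session terminated"
        return True, "ok"

    def reauthenticate(self, sid, now, credential_ok):
        """Extend the window only if the session is still live AND the customer
        proved identity again; the absolute cap still bounds the extension."""
        allowed, _ = self.authorize(sid, now)
        if not allowed or not credential_ok:
            return False  # an already-terminated session needs a fresh login
        s = self._sessions[sid]
        s["expires"] = min(now + self.ttl, s["created"] + self.absolute_max)
        return True

    def logout(self, sid):
        return self._sessions.pop(sid, None) is not None
```

An "always logged in" design is exactly the case where `expires` never advances the way this store requires: requests keep succeeding without any re-authentication, so the window has effectively no end.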