Jul 10, 2006

Online Banking Security Liability

I just read through the “Web Safety Guarantee” of EverBank. The guarantee covers 100% of any losses due to “A computer crime that EverBank security system fails to prevent”.

That seems awfully generous, given the poor web safety standards of US banks in general and EverBank in particular compared, for example, to their German counterparts.

I have used online bank accounts in Germany for years. To ensure security, those banks use two layers of authentication: a password to gain access to the account in the first place, and a one-time transaction authorization number (TAN) for each transaction. Those TANs come in a long list by mail and are worthless once used. In a newer twist, banks are going one step further and sending the transaction number by SMS at the moment it is needed, which further increases security against stolen TANs and certain man-in-the-middle attacks.
In case anyone obtains my password (e.g. through a security breach in Microsoft Windows), a hacker would still not be able to transfer any money out of my German bank account without valid TANs. In most US banks the hacker would gain access to the account and be able to transfer money. It seems pretty clear to me: EverBank's and other US banks' security systems would fail to prevent an attack that every German bank would have stopped, hence the liability for such an attack should rest with EverBank.
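To make the comparison concrete, here is a small toy model, added to this post and not taken from any bank's code, of the three authorization schemes discussed: password only, password plus a paper TAN list, and password plus an SMS TAN. It runs the attacks mentioned on this page against each scheme: a stolen password, a replayed TAN, a TAN phished off a fake site (the point raised in the first comment below), and a man-in-the-middle that alters the transfer after the customer has typed a valid TAN. The account names, amounts, password and TAN derivation are all constructed for the example. One assumption is worth flagging: the SMS TAN is modelled as being bound to the details of the transaction the customer requested (target account and amount), which is what lets it defeat the altered-transfer attack; the post only says that SMS delivery helps against certain man-in-the-middle attacks without stating how.

```python
"""Toy model of the three schemes the post contrasts: password only,
password + paper TAN list, password + SMS (mobile) TAN.
Constructed example, not any bank's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Transaction:
    source: str
    target: str
    amount_cents: int

    def canonical(self) -> bytes:
        # The bytes an SMS TAN is bound to (assumed binding, see lead-in).
        return f"{self.source}|{self.target}|{self.amount_cents}".encode()


class PasswordOnlyAccount:
    """First layer only: whoever knows the password can move money."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.ledger: List[Transaction] = []

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def transfer(self, password: str, tx: Transaction, tan: Optional[str] = None) -> bool:
        if not self.login(password):
            return False
        self.ledger.append(tx)
        return True


class PaperTanAccount(PasswordOnlyAccount):
    """Second layer: a mailed list of one-time codes, each worthless once used."""

    def __init__(self, password: str, list_size: int = 5):
        super().__init__(password)
        # The bank prints and mails these; generated inline for the example.
        self.tan_list = [f"{secrets.randbelow(10**6):06d}" for _ in range(list_size)]
        self._unused = set(self.tan_list)

    def transfer(self, password: str, tx: Transaction, tan: Optional[str] = None) -> bool:
        if not self.login(password) or tan not in self._unused:
            return False                  # wrong password, TAN never issued, or already spent
        self._unused.discard(tan)         # burn the TAN before applying the transfer
        self.ledger.append(tx)
        return True


class MobileTanAccount(PasswordOnlyAccount):
    """SMS TAN: issued on demand and bound to the requested transaction (assumption),
    so an intercepted TAN cannot authorize a transfer with altered details."""

    def __init__(self, password: str):
        super().__init__(password)
        self._bank_key = secrets.token_bytes(32)
        self._pending: Dict[str, bytes] = {}  # tan -> transaction it was issued for
        self._counter = 0

    def request_tan(self, tx: Transaction) -> str:
        # Bank side: fresh code over the transaction details plus a counter, "sent" by
        # SMS together with target and amount so the customer can check them on the phone.
        self._counter += 1
        msg = tx.canonical() + self._counter.to_bytes(8, "big")
        mac = hmac.new(self._bank_key, msg, "sha256").digest()
        tan = f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"
        self._pending[tan] = tx.canonical()
        return tan

    def transfer(self, password: str, tx: Transaction, tan: Optional[str] = None) -> bool:
        bound = self._pending.get(tan)
        if not self.login(password) or bound is None:
            return False                  # wrong password, unknown or already used TAN
        if not hmac.compare_digest(bound, tx.canonical()):
            return False                  # details differ from what the customer confirmed
        del self._pending[tan]            # single use
        self.ledger.append(tx)
        return True


def demo() -> Dict[str, bool]:
    """Replay the attacks discussed on the page against each scheme."""
    pw = "correct-horse"                  # password the attacker is assumed to have stolen
    wanted = Transaction("DE-ALICE", "DE-BOB", 5_000)
    hijack = Transaction("DE-ALICE", "XX-MULE", 999_900)
    out: Dict[str, bool] = {}

    us = PasswordOnlyAccount(pw)
    out["password_only_hijack"] = us.transfer(pw, hijack)          # stolen password suffices

    de = PaperTanAccount(pw)
    out["paper_no_tan"] = de.transfer(pw, hijack)                  # no TAN, no money
    out["paper_legit"] = de.transfer(pw, wanted, de.tan_list[0])
    out["paper_replay"] = de.transfer(pw, hijack, de.tan_list[0])  # used TAN is dead
    out["paper_mitm"] = de.transfer(pw, hijack, de.tan_list[1])    # fresh TAN phished: works

    m = MobileTanAccount(pw)
    tan = m.request_tan(wanted)                                    # customer asks for 'wanted'
    out["mobile_mitm"] = m.transfer(pw, hijack, tan)               # altered in transit: rejected
    out["mobile_legit"] = m.transfer(pw, wanted, tan)
    out["mobile_replay"] = m.transfer(pw, wanted, tan)             # second use rejected
    return out
```

Running `demo()` shows the split the post is arguing about: with a password alone the hijacked transfer succeeds; the paper list blocks the password-only attacker and any replay of a spent code, but a freshly phished TAN still authorizes whatever transaction the attacker submits with it; only the transaction-bound SMS TAN rejects the altered transfer while still accepting the one the customer actually confirmed.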

One question I have never been able to answer, though: why is it that US banks just don't care? Are US customers really so lazy that typing in a TAN to increase the security of their bank account is too much? Or do US banks believe their customers can't handle the complexity of password plus TAN?

2 Responses to “Online Banking Security Liability”

  1. I think that the TAN list is just not an attractive step for US users. It was pretty difficult, and still is, to get US users to even try banking online because of the security risks.

    Online banking in the US was made so simple so that they could attract users. Adding a paper list that you need to carry with you everywhere you go, in case you need to conduct a transaction, kind of makes it a hassle. Why not just call the bank up and speak to a customer rep and do it that way?

    If someone breaks into your home and steals your “secret” TAN list… which most moron users would have their username and password on it or nearby, it would be lost anyway. I mean we cannot even get people to remember the PIN for their ATM cards, let alone get them to stop writing the PIN on the card or the card’s sleeve.

    Every person knows that banks do not send messages like this. Everyone knows that there is no foreign national in Africa that cannot collect a settlement without your help and startup money. Why do they keep falling victim to these moronic scams?

    Bottom line, having a TAN would not stop this kind of attack. Because the fake site can just impersonate the real site long enough to get your TAN and use it from there. People just need to stop being stupid. Not that the people taken by these cheap scams are stupid, they are just complacent and don’t want to be bothered with it. They fall victim to an obvious scam and cry about it.

  2. I don't know how the TAN list use can be so difficult. In Finland where I live, the Nordea Bank plc uses a TAN list and, on the same piece of paper, a code to confirm your payment. That means they need to know your customer number (5-7 digits), TAN code and confirmation code. The paper is as big as three credit cards in one piece. And there is a note on the code list that Nordea never contacts customers by mail or phone asking about the codes. I have been using Nordea (previously Merita Bank) first using phone, later the Internet, since 1992-93.