Showing posts with label banks.

10 February 2013

Banking Equipment Vendor Tries To Censor Security Research With DMCA Notice -- Then Backs Down When Called Out For It

Abuse of the DMCA takedown process to remove material that is awkward or embarrassing for a company is a common enough topic on Techdirt. But here's one with a slight twist. It concerns hardware security modules (HSMs), which manage the cryptographic keys and PINs used to authenticate bank card transactions. These were generally regarded as pretty secure -- until researchers started analyzing them, as Ross Anderson, head of the Security Research Laboratory at Cambridge University, explains: 

On Techdirt.

05 October 2011

New UK Banknote Celebrates James Watt, Patent Bully and Monopolist

As do many nations, England likes to put images of its great and good on banknotes. In a somewhat quixotic attempt to stem the decline of what little manufacturing remains in the country, the governor of the Bank of England has come up with the following idea

On Techdirt.

28 March 2009

Phished by Visa

This is utterly scandalous:

Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders - by training them to expect a process in which there’s absolutely no way to know whether you are being phished or not. Even more astonishing is that this is seen as a benefit!

...

Craziness. But it gets better - obviously not everyone is pre-enrolled in this stupid scheme, so they also allow for enrolment using the same inline scheme. Now the phishers have the opportunity to also get information that will allow them to identify themselves to the bank as you. Yes, Visa have provided a very nicely tailored and packaged identity theft scheme. But, best of all, rather like Chip and PIN, they push all blame for their failures on to the customer

I've instinctively hated these "Verified by Visa" ever since they came out, and tried not to use them. The fact that they are not just inherently insecure, but encouraging merchants to use this in the most insecure way possible, is astonishing even for an industry as rank and rotten as banking.

The one consolation has to be that Verified by Visa is so demonstrably insecure that it should be easy to challenge in court any attempts to make customers pay for the banks' own stupidity.

Follow me on Twitter @glynmoody

22 March 2009

Why Barclays Are Barking

The little brouhaha concerning the Guardian and Barclays Bank is a wonderful object lesson in how the Internet changes everything. Once those super-secret documents were put up for even a few seconds, the game was over: taking them down from the Guardian afterwards really is the proverbial closing of the stable door after the horse has bolted.

Inevitably, a copy has made its way to Wikileaks; inevitably that link is being exposed all over the place, which has led to the site being overloaded (do make a donation if you can: I've given my widow's mite). Barclays Bank can apply for as many injunctions as they like, the judge can - and probably will - huff and puff as much as he/she likes, but the game's over: this stuff is out.

And quite right too: these documents either show the bank engaged in something dodgy, in which case they should be published, or they don't, in which case there's no problem in them being public anyway, since the bank is asking for serious scads of public dosh, and is effectively being part-nationalised.

But even if it weren't, it would be folly to try to keep them secret now: it would only ensure that even more people write about them, and point to them, and maybe even read them. The rules have changed.

04 November 2008

Banking on Imaginary Assets

Haven't banks learned *anything*?

In 2006, the Bank of Communications Beijing Branch began offering loans to Chinese SMEs secured against IP assets. Since then 37 companies have borrowed a total of over 400 million yuan (around $58.5 million) in 44 separate deals. And not one has defaulted.

Yet.

When banks start lending money against IP assets, it has to be a pretty positive sign. I know that banks have a pretty poor reputation these days, but they are not going to make cash available to companies if they do not think that they have a very good chance of getting it back; or, if they do not, that they can recover the money in other ways.

Er, because banks never make mistakes, and are never motivated by blind greed? "A pretty positive sign"? I don't think so....

24 October 2008

Verified by Visa - As Valueless

I, too, have noticed the insidious spread of Verified by Visa (VbyV), and thought it looked well dodgy, but I couldn't quite put my finger on it. Here's the problem:

Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction.

The easiest way will be for a compromised site to push you to a false login and obtain your magic password. You won't be able to prove it, of course, and so the danger is that you will end up with the bill for fraud.

This is a disaster waiting to happen, and lots of people are going to get burned if we don't manage to get some sense into the banks soon. The only way to do that is to get the story out - please pass it on.... (Via Kim Cameron's Identity Weblog.)

07 October 2008

You Can Bank on It

Interesting:

The ease with which technology allows customers to move their money around by internet or phone has introduced a new financial phenomenon – the "silent run" on a bank.

Within hours, telephone and internet banking customers can remove huge amounts of money from a bank rumoured to be in trouble, without telltale queues, or any other outward sign of the flood of cash.

The shape of things to come.

25 February 2008

Madness: ATMs Running Windows XP?

How stupid can banks get?

A white paper by security services company Network Box has said ATMs are less secure because of changes to the way they operate. It said that 70 per cent of current ATMs are essentially PCs running PC operating systems like Windows XP. This makes them more susceptible than when ATMs were mainly built with proprietary software and communication protocols.

...

"If [the banks] have got Windows XP-based ATMs then this is obviously something which is a concern. We don't want our details sent in plain text. The current firewall protection is not sufficient and they need to look seriously in how to rectify this so there isn't a breach," said Heron.

So *that's* why the collective noun for bankers is a wunch.

17 May 2006

P2P Pence

A clever idea: using P2P networks to connect borrowers and lenders, spreading the costs and risks across a distributed, people-based banking pool. What's interesting, of course, is that if this ever took off it would reduce the power of established banks - and the financial system based on them - considerably. There are, though, clearly lots of risks and uncertainties in the approach which may stifle its growth.

Two companies are mentioned in the article: Zopa, which is British, and Prosper, which is American. (Via Slashdot.)