

How could online banking stop sucking - michokest
http://micho.biz/online-banking-sucks/

======
URSpider94
Sorry, but I have to disagree with many of your suggestions.

1. Log in from the home page: This would require the bank to serve its home
page from https, including a redirect from http for every visitor, in case he
or she wants to log in.

2. 4-digit passcodes: You're missing the key point about your ATM login --
it's only secure because it combines something you have (your ATM card) with
something you know (your PIN). If everyone's login is a 4-digit number, then
if I have a list of 10,000 users of your system, it would be trivial for me to
compromise at least one account (not of my choosing) without even resorting to
multiple login attempts.

3. Setting all login ID's to users' email addresses: This just removes more
entropy from the login security process, since I now know that logins come
from the set of valid email addresses. For any individual user, I now know
their login with a high degree of certainty.

4. API: Do you think that banks really want to circumvent their security
measures by allowing third parties to hold keys to the front door, even if the
proverbial vault is locked?

All that said, I do agree that there are things that could be improved: making
the login button front-and-center, so I don't have to guess where to find it;
giving better choices for exporting financial data. But, you've got to realize
that banks (online and offline) are prime targets for criminals, and that in
some ways user experience has to take a back seat to protecting assets.

~~~
fragsworth
1. All email providers do the HTTPS thing. Have you noticed any problem with
them? Almost every user who visits the bank's website will want to log in.

3. You might get some tiny fraction of additional security (through
obscurity) by obfuscating people's logins, but this is ridiculous,
unnecessary, and at great expense to the user experience when a decent
password provides all the security you need.

~~~
URSpider94
On 1, I doubt that "almost every user who visits the bank's website will want
to log in," at least not on every visit. I'm guessing that it's not even the
majority -- many others will be looking for branch addresses, seeking info on
loan or credit card terms, etc.

Yes, email providers allow you to log in from their front page, but even then
only from their gateway page. As a good example, www.yahoo.com does NOT have a
login for their webmail client -- you have to click through to a separate
screen. You only see the login if you go directly to mail.yahoo.com.

------
zwischenzug
They have far more to lose through bad publicity, and even punitive damages
levied by governments, than to gain from making things easier for customers.

The idea of a weak password so you can more easily have a nose around someone
else's private details is frankly laughable. This is personal financial
information, not Facebook, FFS.

A moment's reflection, and you can imagine the headlines.

~~~
georgefox
Agreed. While some of the opinions are valid and useful, the idea of
intentionally setting up weak authentication for an online bank account seems
absurd. (Did he really suggest accepting an e-mail address in lieu of a
password?)

Banks often have you confirm recent transactions on your account to verify
your identity (over the phone, for example), making this data pretty
sensitive. But even setting that aside, I think most people would like their
balances and transaction histories to be pretty private. It only seems
reasonable to me.

~~~
michokest
It's not "intentionally weak authentication" – it's optionally weak
authentication, so users can choose how hard it is to see their data.

Something completely different is securing sending out money.

~~~
zwischenzug
I think you've missed the point.

It's not sufficient to let the user decide how much security they should have.
It won't protect the banks from the expectations of security placed on them by
others, however unreasonable that might seem.

------
zdw
Give me a freaking API and all the other issues go away.

Also, stop restricting the data I can download to the most recent 30-90 days.

Paypal and Amazon both let me download my entire purchase history (>5 years
for both) with a ton more detail than the bank.

If security is an issue give me a client SSL cert and force me to do 2 factor
login (SSL cert + password) to grab a feed of data. This isn't rocket science
- it's me wanting a simple "select * from checkingaccount" from your database
on the other end of a HTTP request.

------
jdietrich
Most British banks require two-factor authentication. My bank (Barclays)
allows me to log in without sending a password over the wire. I insert my debit
card into a reader and enter my normal PIN, which generates a one-time
password. The scheme is remarkably well-designed and defeats all of the usual
attacks[1].

Crucially, I must generate a different one-time password using a different
procedure if I wish to transfer money to someone I haven't previously paid.
This essentially puts paid to phishing and man-in-the-middle, as an
authenticated session isn't enough to do anything malicious. To steal my
money, you would have to either completely break the cryptosystem, or convince
me to enter your account number into my card reader to generate the necessary
one-time password.

[1]
[http://www.barclays.co.uk/Helpsupport/IntroducingPINsentryfo...](http://www.barclays.co.uk/Helpsupport/IntroducingPINsentryforOnlineBanking/P1242559314766)
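
The property described in the comment above, a payment code that only verifies for the payee the customer typed into the reader, shown as an added example. This is not Barclays' protocol (PINsentry is EMV-CAP based) and not code from the original page: the HMAC construction, the message layout, the 8-digit truncation, the counter window and the shared key are assumptions made for illustration.

```python
"""Simplified model of a card-reader one-time-password scheme in which the
code for a payment to a new payee is bound to the payee's account number.

Added example, not the bank's real protocol. The card and the bank share a
secret key (constructed here); the reader is offline and keeps a counter.
A "login" code and a "sign" code are computed over different inputs, and the
sign code includes the account number the user keyed into the reader, so a
man-in-the-middle who swaps the payee gets a code that no longer verifies.
"""
import hmac
import hashlib

CARD_KEY = bytes.fromhex("0f" * 32)   # constructed secret shared by card and bank
OTP_DIGITS = 8                        # assumed display width of the reader
COUNTER_WINDOW = 10                   # assumed tolerance for unused codes


def _otp(key, mode, counter, challenge):
    """HMAC-SHA256 over (mode, counter, challenge), truncated to decimal digits."""
    msg = (mode.encode() + b"\x00" + counter.to_bytes(4, "big")
           + b"\x00" + challenge.encode())
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


class CardReader:
    """What the customer holds: the card key and a monotonic counter."""

    def __init__(self, key):
        self._key = key
        self._counter = 0

    def identify(self):
        """Code for logging in; bound to nothing but the counter."""
        self._counter += 1
        return _otp(self._key, "IDENTIFY", self._counter, "")

    def sign(self, payee_account):
        """Code for paying a new payee; the user types the account number in."""
        self._counter += 1
        return _otp(self._key, "SIGN", self._counter, payee_account)


class Bank:
    """Verifier: same key, searches a small window above the last used counter."""

    def __init__(self, key):
        self._key = key
        self._last_counter = 0   # highest counter accepted so far; blocks replay

    def _verify(self, mode, challenge, code):
        start = self._last_counter + 1
        for c in range(start, start + COUNTER_WINDOW):
            if hmac.compare_digest(_otp(self._key, mode, c, challenge), code):
                self._last_counter = c
                return True
        return False

    def login(self, code):
        return self._verify("IDENTIFY", "", code)

    def transfer_to_new_payee(self, payee_account, code):
        return self._verify("SIGN", payee_account, code)


def demo():
    """Returns (redirected, genuine, replay): whether each attempt was accepted."""
    reader, bank = CardReader(CARD_KEY), Bank(CARD_KEY)
    assert bank.login(reader.identify())
    code = reader.sign("12345678")                               # user intends 12345678
    redirected = bank.transfer_to_new_payee("87654321", code)   # MITM swaps the payee
    genuine = bank.transfer_to_new_payee("12345678", code)      # honest submission
    replay = bank.transfer_to_new_payee("12345678", code)       # same code again
    return redirected, genuine, replay


if __name__ == "__main__":
    print(demo())
```

The two things worth noticing are that the payee is part of the MAC input (so the code is useless for any other destination) and that the bank never re-accepts a counter it has already consumed (so a captured code is useless a second time). A login code cannot be turned into a payment code either, because the mode string differs.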

~~~
squirrel
Sorry to tell you that there are valid attacks against the PINSentry used by
Barclays - see
[http://www.theregister.co.uk/2009/02/26/bank_reader_insecuri...](http://www.theregister.co.uk/2009/02/26/bank_reader_insecurity/print.html).
I don't know of any actual breaches though.

------
furyg3
Systems exist (just not in the US).

My provider (ABN Amro in Holland) works like this:

1. Login is your account number and card number (1234567 + 004, located on
card)

2. Password is generated by putting your 'smart' card into a little device,
typing a PIN in, and typing in the resulting one-time pass. Other banks do
this by sending the code via SMS, which is also good (though a bit less
secure).

3. Interface is not mind-blowingly web 2.0, but works pretty well.

4. Transfers to other bank accounts are free, happen within one business day,
and are confirmed by performing step 2 for each batch of transfers.

5. There is an iPhone app, which you do a one-time authorization with step 2,
and create a 6 digit pin code. This code lets you check your balance.
Performing transactions requires step 2 again, unless you are transferring to
someone in your address book (there is a limit which you can set).

To be honest, it's pretty good. Its first priority is clearly security, and
given that it's pretty damn usable.

US banks should take note.

~~~
henrikschroder
I've used the same bank since 1999, and their internet bank has always been
stellar. In the beginning you logged in with your id and a PIN and you had to
have a personal browser certificate. Since then they've added an additional
one-time code, and you can also log in with something called BankID which is a
national electronic id system.

So it's secure, works in all browsers, and gives you choice in how you want to
log on. And on top of that, the actual service is great, paying bills is easy
and free, opening accounts and moving money between accounts is instant and
free, transferring to other banks or other people is free (but takes time),
automatic bill payment is easy and free.

And the other banks in my country aren't bad either, competition forces all of
them to be secure, free to use, and easy to use.

------
spacemanaki
I don't mind the crappy web interfaces because I have bigger complaints about
modern consumer banking. I really don't understand how loose and sloppy a lot
of it feels to me, and how old school other parts feel. Here are a few
examples from my very recent past:

1) I had a check stolen. The thief was able to write themselves (or someone
they know) a check for $100, sign it with my name, and deposit or cash it. I
only discovered this after seeing the transaction in my history and notifying
the bank. The forged signature looked completely different from my own.
What's the point of a signature if it's not used for authentication?

2) Because of the above, during the fraud claim process I had to close my
account. This disrupted my direct deposit and my employer attempted to deposit
my paycheck into a closed account. I didn't realize this until the payment was
being returned. I was told that I would have to wait 5 business days for the
payment to be resolved. Why isn't this instantaneous? Why do high frequency
firms enjoy millisecond trading while consumers have to wait what is basically
the equivalent of postal mail delays for electronic transactions? I'm sure
this is vastly simplified (HFT firms colocate with exchanges, consumer banks
must have to comply with regulations that necessitate these delays) but it
does seem that the ordinary consumer is being screwed out of some innovation
here.

3) Finally, just this past week, someone accidentally deposited over $1000
into my account. They must have made a mistake with the account number. I told
the bank about it, and it still hasn't been resolved. How is this even
possible? From what I understand, all you need to withdraw and deposit money
from an account is the combination of routing number and account number, and
this seems so crazy in the way it opens up for mistakes or abuse.

Of course, I'm likely underestimating the complexities and histories here so I
would be very happy to have my naivete corrected.

------
marquis
I really disagree about making it 'easier' to login to your online banking.
Those who are savvy enough know what they are doing and can handle complex
password / authorization combos. Until we have better solutions leave it
complex and let customer service handle the cases where the odd person can't
manage their login info. With banking, security is a far better requirement
than usability. Having said that, my online bank has what I perceive to be a
fairly secure 3-step auth system and if I don't have my info physically in
front of me I can't get access. Emergency and can't login? I'll call them.

~~~
rkudeshi
3-step authentication? Which bank offers that?

~~~
marquis
my bank uses:

1. 12 digit pin / complex password

2. Physical reference card (like a puzzle game to answer on login)

3. Must reply to SMS to transfer funds / configure payments

~~~
rkudeshi
Which bank?

------
rmcclellan
This article has several ideas that are fundamentally flawed - but here's the
most easily falsifiable one:

"What’s worse, a weak password, or a password that sits on your desk?"

Contrary to what is said in the article, a weak password is worse - no
question. A password that sits on my desk is only available to people who
break into my home. If they do that, they probably have access to other
documents of some importance.

A password that is weak can allow anyone access to my account, from anywhere.

~~~
blakefrost
He mentioned login attempts in the article. Someone tries the wrong password
more than a few times and the account gets locked. That should thwart any and
all dictionary/brute force/you name it attacks. So which is more secure, an
impossible to accomplish remote attack, or a password sitting on your desk?

Bank password policies are retarded. I currently have one that requires 6
characters. No more, no less. This may be the worst offense I've seen but it
doesn't excuse the other bullshit that passes as secure or acceptable in the
banking arena. These guys need help.

~~~
rmcclellan
I'm not trying to say that bank password policies make sense. They do need
help.

"Allow weaker passwords and limit login attempts" is not the solution either,
because it gives an attacker who has discovered my user id but not my password
the ability to lock my account.
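
Two claims in this thread can be checked with a small model: URSpider94's point above that 4-digit logins plus a list of 10,000 user IDs let an attacker open at least one account without repeated attempts against any of them, and rmcclellan's point here that a per-account lockout gives anyone who knows a user ID a way to lock that user out. The following is an added example, not code from the original post or from any bank; the user IDs, PINs, population size and the 5-attempt lockout threshold are constructed for illustration.

```python
"""Login endpoint with 4-digit passcodes and a per-account lockout.

Added example, not code from the original post or from any bank. It models
password spraying (one guess per account across a user list, which never
accumulates enough failures on any one account to trip a lockout), sequential
brute force against one account (which the lockout stops almost at once),
and lockout abuse (junk guesses against a known user ID deny the owner
service). User IDs, PINs and policy numbers are constructed.
"""
import random

PIN_SPACE = 10_000        # "0000".."9999"
LOCKOUT_THRESHOLD = 5     # failed attempts before the account locks (assumed policy)


class LoginService:
    def __init__(self, pins):
        self._pins = dict(pins)               # user_id -> PIN (constructed)
        self._failures = {u: 0 for u in pins}
        self.locked = set()

    def login(self, user_id, pin):
        """Return 'ok', 'bad' or 'locked'. Unknown IDs look like a bad PIN."""
        if user_id not in self._pins:
            return "bad"
        if user_id in self.locked:
            return "locked"
        if self._pins[user_id] == pin:
            self._failures[user_id] = 0
            return "ok"
        self._failures[user_id] += 1
        if self._failures[user_id] >= LOCKOUT_THRESHOLD:
            self.locked.add(user_id)
        return "bad"


def make_population(n_users, seed=1):
    """Constructed user base: every user gets a uniformly random 4-digit PIN."""
    rng = random.Random(seed)
    return {f"user{i:05d}": f"{rng.randrange(PIN_SPACE):04d}" for i in range(n_users)}


def expected_spray_hits(n_users):
    """Expected number of accounts opened by one guess per account."""
    return n_users / PIN_SPACE


def p_at_least_one_hit(n_users):
    """Probability that one guess per account opens at least one account."""
    return 1 - (1 - 1 / PIN_SPACE) ** n_users


def spray(service, user_ids, guess="1234"):
    """One guess against every account; no account sees a second failure."""
    return [u for u in user_ids if service.login(u, guess) == "ok"]


def brute_force(service, user_id):
    """Sequential guessing against a single account. The lockout ends it after
    LOCKOUT_THRESHOLD tries, so only PINs below that value are ever found."""
    for candidate in range(PIN_SPACE):
        result = service.login(user_id, f"{candidate:04d}")
        if result == "ok":
            return candidate
        if result == "locked":
            return None
    return None


def lock_out_victim(service, user_id):
    """Denial of service: the attacker knows only the user ID and submits junk
    until the lockout trips; the legitimate owner is then refused as well."""
    for _ in range(LOCKOUT_THRESHOLD):
        service.login(user_id, "not-a-pin")
    return user_id in service.locked


if __name__ == "__main__":
    users = make_population(10_000)
    svc = LoginService(users)
    hits = spray(svc, users)
    print(f"spray opened {len(hits)} account(s); accounts locked: {len(svc.locked)}")
    print(f"expected {expected_spray_hits(10_000):.1f}, "
          f"P(at least one) = {p_at_least_one_hit(10_000):.3f}")
```

With 10,000 users and 10,000 possible PINs the spray is expected to open one account and opens at least one about 63% of the time, while the lockout counter on every account stays at one. The lockout does defeat the sequential attack on a chosen account, but the same counter is what `lock_out_victim` abuses: five junk submissions against a known ID and the real customer is refused. That is the trade-off rmcclellan is describing; per-account lockout needs to be paired with something the attacker cannot spray across (a second factor, rate limits keyed on source, or a larger secret space) rather than used on its own.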

------
richardburton
How many times do people talk about their bank in glowing terms? How many
people _love_ their bank? How many people rave about their bank? I have never
met anyone that would meet those descriptions. I think those are telltale
signs that there is room for a Zappos of banks. I hope www.simple.com can be
it. I wish www.mint.com had gone for it.

~~~
viraptor
I feel pretty good with Lloyds (UK). While they're not perfect, they:

- don't have silly password restrictions (login is username + password 1 + 3*
n'th letter from password 2, transfers need password 1 again, large transfers
to unknown destination need phone confirmation (automatic service))

- have website working well in pretty much any browser

- provide instant SMS notification about low balance and an account summary
every week

- have pretty low waiting times (whenever I call, it's rarely more than a
minute before my call is picked up)

- process my statement and split known records into groups showing me money
spent/earned from various sources (car, house, food expenses, etc.); they find
recurring payments and put them into a calendar which gives a good idea of how
much money I need and when; effectively they killed the need to use a local
app for keeping track of my account

- they provide exports into csv and other formats (although they've got a
"known issue" for years where the export range is approximate - it can add or
miss a couple of days randomly)

- they do watch my account - when my employer missed the payday by 1 day, I
got a call to check if that's expected; when I got a larger incoming transfer,
I also got a call to notify me about it and check if it's expected (did not
request that before)

I do recommend them to other people, because they're better than other banks I
had to deal with.

~~~
richardburton
Great to know. Thanks! I will check them out :)

------
droithomme
I do all my banking from home by physically mailing stamped envelopes with
checks, deposit slips, and signed letters ordering transfers. These envelopes
are then opened by a teller who processes the transaction and mails a receipt
of the transaction back.

It's considerably faster than trying to use their web site.

------
asto
This is a space that will likely never be "disrupted" because the people
capable of doing it don't have the huge capital required and the people who do
have the capital don't really give a shit.

~~~
yason
However, there are companies who care.

Two of the banks I use share the same web engine. They've both bought it from
some company that I don't know. Both banks are of the smaller ones so they
don't do internal development, hence outsourcing: big banks would probably
exhibit a loud NIH syndrome.

Now, one of the banks I use has had it for at least over ten years, having
been a customer there, and the user interface hasn't essentially changed much.
I remember a couple of cosmetic updates but the pages still look pretty
minimal and clean. This is a sign of caring about users because web user
interfaces tend to get replaced every few years for the sake of getting
renewed. Somebody has clearly had an opinion on how an online banking
interface should work, and that somebody has stuck to it. For years.

The login, as is typical in Finland, is a username + password, plus an ever-
changing PIN code from a printed table. You need one PIN code for login and
another if you issue wire transfers. I've had the same username since the '90s
and I've changed the password maybe twice. I don't have them on paper. I get a
new PIN code table by mail a couple of times a year as soon as the old one is
about to run out of codes. Pretty secure and convenient: set of credentials
that don't change and another set of simpler credentials that change every
time.

Too bad their demo logins are in Finnish and Swedish only, not English. From
what I read, this company has awaiting sales in the U.S. :)

------
jrom
Maybe <https://simple.com/> is the best chance to start pushing the banks to
improve their online interfaces.

------
fasouto
It's a stupid situation: the interface is so unclear and messy that you're
afraid to do something wrong (and nobody wants mistakes with the money), so you
just use the online banking for small amounts of money.

Also in my bank the password needs to be shorter than 15 characters, I will
never understand this.

<https://simple.com/> is the way to go.

------
polyfractal
ING has a pretty great banking interface. Simple, easy to use, powerful enough
to do anything I've needed so far.

------
FigBug
Mint.com is a good dashboard to watch your finances. I check my balances and
trends etc from Mint and only log into my bank when I need to do a
transaction. They are probably stealing all my personal information however.

------
lenka-penka
tnx, michokest, fully understand your pain

------
justaguest
Great!

