Tuesday, October 24, 2006

Well, I had been mulling over what to start this with and every time I turned around, HSBC were getting a kicking. Today, they got another one, which I have, of course, lost the link to, accusing them of being so secure that some of their far eastern users (resident there, anyway; the guy is actually a Canadian) have problems logging in. (Why? Just who have HSBC irritated?)

Heise have also been pushing their latest comment on frameset issues, which, as they quite rightly point out, have been public for some time. (And, you can engineer their exploit to work on the HSBC site, at least with IE6. Sorry, my error, Firefox 1.5)

Well, bank security is a complicated thing. Part of the problem is that technical solutions often aren't possible and lots of this is not visible to the users. This, of course, causes other problems when the invisible stuff goes wrong, 'cause the bank can lie about it, but just read Ross's stuff on this. A lot of the fundamental security is built into fraud monitoring processes and back-office systems and the sort of inter-bank co-operation that would scare the conspiracy theorists.

The core processes are not technological, therefore they are driven by people, and people make errors (deliberate or otherwise). And, irritatingly, banks tend to be large organisations and the customer-facing people (suffering in the call centre) will not have the detailed knowledge of how or why the risk management decisions were taken, or of the compensating controls already or now in place.

Oh, and now please explain this to your on-call media relations person, without using any technical terms, so that they can sound suitably convincing in front of the MSM.

HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2013.