$83.00 donated in past month
Inherently Secure Online Banking: The Time Has Come For This. The Time Is Now!
The following is an open letter that I have sent to local Congressional Reps Mike Honda and Zoe Lofgren following up on my comments that I made at the SEIU Retired Labor BBQ on 4-12-14 regarding the Heartbleed bug and what steps can be taken by consumers and lawmakers to make their online banking experiences "inherently secure" instead of continuing to be "inherently insecure" as things are now.
Inherently Secure Online Banking: The Time Has Come For This. The Time Is Now!
I attended a retired union worker's BBQ on Saturday 4-12-14 where reps from various legislators' offices were available to answer questions. I mentioned the Heartbleed bug a couple of times in my comments (once before and once after the legislators' assistants and some legislators themselves showed up late). I mentioned that the Heartbleed bug affects the security of credit card numbers and PINs as well as the passwords to your favorite web sites. I mentioned that to find out if your favorite web site has been patched to fix the Heartbleed bug, you can simply Google for “Heartbleed” and find an article that has a link to one of the sites that allows you to test the web sites that you use to see if they have fixed the bug. I also urged the legislators to come up with rules requiring banks to take various additional security measures and to allow online account feature choices that would tend to thwart any similar future bug. Such security features and selections include: Any two factor security for transferring funds online should include an offline component such as mailing the customer a new debit card upon their request with new card numbers and a new security code on the back. The new security code should only need to be used if the customer transfers money online or uses the online bill pay features, so that if the customer does not use those features, the new security code would not be entered into the user interface of the bank's web site by the customer. Another user selection would include the ability to let the customer select (through a secure method) to either disable the online money transfer features such as bank account money transfers and online bill pay at some point after the creation of the account or to sign up for a secure online account at the start that has those online features permanently disabled. The “secure method” for changing (enabling or disabling) these features could include, in the case of Direct Express where there are not always Comerica bank branches available in every town, a network of banks such as Chase and Wells Fargo, who do tend to have branches in more places, who could securely transfer such requests to Comerica upon the customer visiting the local branch and presenting a photo ID. It is possible to implement part of these features without making any changes to existing procedures by simply using an online bank account that requires you to enter your current 3 or 4 digit security code on the back of your debit card before making any online money transfers or before using online bill pay features. Then if you want to be secure in this way, order a new debit or credit card with all new numbers and simply never use those online money transfer features so that you never enter the new security code into your bank's web site user interface. If you really want to be secure, you can tell your bank to disable online access to your account(s). That way if someone hacks your security code when you use it on a third party web site, they won't be able to use your bank's web site to steal any funds from you (especially from your other accounts such as your savings accounts), at least not through the front door anyhow. As for legislation or not, it may be best to simply present these ideas to the experts and legislators and have them lobby the banks, rather than casting new sections of law into stone, as the banks may need to adapt quickly to future security threats that may circumvent these new ideas and because of that they should not have their hands tied by legislation. The next opportunity to do this type of lobbying in the San Jose area will be at the Senior Scam Stopper Seminar, Friday, April 18th, 2014 from 2PM-4PM at the Campbell Community Center Orchard City Banquet Hall, 1 W Campbell Avenue, Campbell, CA 95008. CA State Assembly member Paul Fong is putting on this event in conjunction with the Contractors State License Board. The event will include a panel of experts on preventing seniors from being scammed. It is recommended to RSVP for this event as seating will be limited. To RSVP, call 408-371-2802 or visit http://www.asmdc.org/yh. Thanks.
I followed up on this discussion by posting this notice to the Santa Clara County Green Party e-mail list and by having related discussions with Green Party members about this and related topics such as moving your money from major banks to credit unions. From this discussion and my searches of various bank and credit union web sites online, I found out that there is basically one and only one credit union that offers what I would refer to as an “inherently secure” online banking option that would allow people to have their funds remain secure in the face of a repeat of the Heartbleed bug if that bug compromises people's log ins and passwords on banking sites. That credit union is Meriwest (http://www.meriwest.com), which has branches in San Jose, CA. They have 4 options for their customers' accounts: 1) Disable all online access for all of that customer's accounts and send them a paper statement in the mail. 2) Enable access only to a special e-statement log in for all of that customer's accounts. 3) Enable access to full online account access for a full set of features that include money transfer and online bill pay for all of that customer's accounts. 4) There is also an option to enable or disable telephone banking for all of a customer's accounts. I signed up for a checking account with Meriwest, and requested that only option 2 be enabled, but I have not yet been able to first create a log in to the e-statement section of the web site while simultaneously verifying that I am unable to create a valid log in to the full featured online account access (option 3) even with valid information entered in the online registration form for option 3. My goal is to verify that option 3 has in fact been securely and completely disabled through my conversation with customer service and is unable to be activated by any of my efforts accessing only the web site.
If all of the statements in the last paragraph above are true, then Meriwest has an online banking system that we can hold up as a model for other banks and credit unions to follow. There are a few improvements that need to be made to Meriwest's system to make it be ideal: 1)E-statements should be updated daily instead of monthly (or an equivalent set of features should be the only ones allowed in special set ups of full account access, such as by disabling online bill pay and money transfers in full account access log ins) 2) Meriwest should have 2-factor security for online money transfers and bill pay under option 3 (an example of adequate security is the Direct Express debit card for Social Security recipients that requires entering the 3 digit code on the back of the card before money transfers or online bill payments will go through) and 3) Meriwest should offer various account activity alerts to customers who have not signed up for full online account access (Chase does this for people who don't necessarily have online banking set up).
Two factor security for online money transfers and bill pay could probably be legislated as a new requirement without running a risk of insurmountable security flaws that could only be fixed by undoing the legislation. Other fixes to the User Interfaces of online banking could be more problematic if you get too specific in the requirements mentioned in the legislation. Please work with other legislators and industry experts to help improve the security of online banking. I've heard that major portions of the population continue to use the phrases “PASSWORD” and/or “123456789” as their passwords. I'm not sure that this will be changing anytime soon. Plus, many Seniors may remember a password that they created 20 years ago, but not a new one created for them by a relative last week. And Seniors also have special vulnerabilities in that they may write down their passwords and leave them where ill-intentioned caregivers may have access to them. If a Senior only has online access to their accounts in the form of the Meriwest e-statement (option 2 mentioned above), then they can be alerted immediately by e-mail if their account(s) get(s) attacked by some other means while remaining completely secure online. I have found that there really is no need for online bill pay or money transfer through a log in interface that exposes all of your money to thieves. Keeping track of your daily account activity is not currently possible at most banks and credit unions without exposing all your money to this needless risk. All bills can be paid by credit or debit card on individual creditors' web sites instead of transferring money from your bank or credit union and it is not necessary for those creditors' web site log ins to be secure to keep your money safe. It is necessary for the https and SSL programs used on creditors' sites to be secure to keep your credit card numbers used on creditors' sites from being stolen, but the passwords and log in names for those sites are not as important. The log in and password for your bank or credit union site, however, must be guarded with your life under the present system. That is what I call “inherently insecure.” Please let the people have the option of keeping the front doors permanently locked on their bank accounts. Please allow them, and if practical, mandate that they be allowed to, bank in a way that is “inherently secure”.Thank you.
San Jose, CA, USA
PS Another issue is overdrafts. All banks and credit unions should be required to offer (and to CLEARLY STATE that such an option is available) an option to have your account reject ALL overdrafts. Chase does not currently offer this and Meriwest may offer this but failed miserably to explain this option.