From the Open-Publishing Calendar
From the Open-Publishing Newswire
Indybay Feature
Related Categories: South Bay | Global Justice and Anti-Capitalism
Inherently Secure Online Banking: The Time Has Come For This. The Time Is Now!
by John Thielking
Tuesday Apr 15th, 2014 7:33 AM
The following is an open letter that I have sent to local Congressional Reps Mike Honda and Zoe Lofgren following up on my comments that I made at the SEIU Retired Labor BBQ on 4-12-14 regarding the Heartbleed bug and what steps can be taken by consumers and lawmakers to make their online banking experiences "inherently secure" instead of continuing to be "inherently insecure" as things are now.
Inherently Secure Online Banking: The Time Has Come For This. The Time Is Now!

I attended a retired union worker's BBQ on Saturday 4-12-14 where reps from various legislators' offices were available to answer questions. I mentioned the Heartbleed bug a couple of times in my comments (once before and once after the legislators' assistants and some legislators themselves showed up late). I mentioned that the Heartbleed bug affects the security of credit card numbers and PINs as well as the passwords to your favorite web sites. I mentioned that to find out if your favorite web site has been patched to fix the Heartbleed bug, you can simply Google for “Heartbleed” and find an article that has a link to one of the sites that allows you to test the web sites that you use to see if they have fixed the bug. I also urged the legislators to come up with rules requiring banks to take various additional security measures and to allow online account feature choices that would tend to thwart any similar future bug. Such security features and selections include: Any two factor security for transferring funds online should include an offline component such as mailing the customer a new debit card upon their request with new card numbers and a new security code on the back. The new security code should only need to be used if the customer transfers money online or uses the online bill pay features, so that if the customer does not use those features, the new security code would not be entered into the user interface of the bank's web site by the customer. Another user selection would include the ability to let the customer select (through a secure method) to either disable the online money transfer features such as bank account money transfers and online bill pay at some point after the creation of the account or to sign up for a secure online account at the start that has those online features permanently disabled. The “secure method” for changing (enabling or disabling) these features could include, in the case of Direct Express where there are not always Comerica bank branches available in every town, a network of banks such as Chase and Wells Fargo, who do tend to have branches in more places, who could securely transfer such requests to Comerica upon the customer visiting the local branch and presenting a photo ID. It is possible to implement part of these features without making any changes to existing procedures by simply using an online bank account that requires you to enter your current 3 or 4 digit security code on the back of your debit card before making any online money transfers or before using online bill pay features. Then if you want to be secure in this way, order a new debit or credit card with all new numbers and simply never use those online money transfer features so that you never enter the new security code into your bank's web site user interface. If you really want to be secure, you can tell your bank to disable online access to your account(s). That way if someone hacks your security code when you use it on a third party web site, they won't be able to use your bank's web site to steal any funds from you (especially from your other accounts such as your savings accounts), at least not through the front door anyhow. As for legislation or not, it may be best to simply present these ideas to the experts and legislators and have them lobby the banks, rather than casting new sections of law into stone, as the banks may need to adapt quickly to future security threats that may circumvent these new ideas and because of that they should not have their hands tied by legislation. The next opportunity to do this type of lobbying in the San Jose area will be at the Senior Scam Stopper Seminar, Friday, April 18th, 2014 from 2PM-4PM at the Campbell Community Center Orchard City Banquet Hall, 1 W Campbell Avenue, Campbell, CA 95008. CA State Assembly member Paul Fong is putting on this event in conjunction with the Contractors State License Board. The event will include a panel of experts on preventing seniors from being scammed. It is recommended to RSVP for this event as seating will be limited. To RSVP, call 408-371-2802 or visit Thanks.


John Thielking

I followed up on this discussion by posting this notice to the Santa Clara County Green Party e-mail list and by having related discussions with Green Party members about this and related topics such as moving your money from major banks to credit unions. From this discussion and my searches of various bank and credit union web sites online, I found out that there is basically one and only one credit union that offers what I would refer to as an “inherently secure” online banking option that would allow people to have their funds remain secure in the face of a repeat of the Heartbleed bug if that bug compromises people's log ins and passwords on banking sites. That credit union is Meriwest (, which has branches in San Jose, CA. They have 4 options for their customers' accounts: 1) Disable all online access for all of that customer's accounts and send them a paper statement in the mail. 2) Enable access only to a special e-statement log in for all of that customer's accounts. 3) Enable access to full online account access for a full set of features that include money transfer and online bill pay for all of that customer's accounts. 4) There is also an option to enable or disable telephone banking for all of a customer's accounts. I signed up for a checking account with Meriwest, and requested that only option 2 be enabled, but I have not yet been able to first create a log in to the e-statement section of the web site while simultaneously verifying that I am unable to create a valid log in to the full featured online account access (option 3) even with valid information entered in the online registration form for option 3. My goal is to verify that option 3 has in fact been securely and completely disabled through my conversation with customer service and is unable to be activated by any of my efforts accessing only the web site.

If all of the statements in the last paragraph above are true, then Meriwest has an online banking system that we can hold up as a model for other banks and credit unions to follow. There are a few improvements that need to be made to Meriwest's system to make it be ideal: 1)E-statements should be updated daily instead of monthly (or an equivalent set of features should be the only ones allowed in special set ups of full account access, such as by disabling online bill pay and money transfers in full account access log ins) 2) Meriwest should have 2-factor security for online money transfers and bill pay under option 3 (an example of adequate security is the Direct Express debit card for Social Security recipients that requires entering the 3 digit code on the back of the card before money transfers or online bill payments will go through) and 3) Meriwest should offer various account activity alerts to customers who have not signed up for full online account access (Chase does this for people who don't necessarily have online banking set up).

Two factor security for online money transfers and bill pay could probably be legislated as a new requirement without running a risk of insurmountable security flaws that could only be fixed by undoing the legislation. Other fixes to the User Interfaces of online banking could be more problematic if you get too specific in the requirements mentioned in the legislation. Please work with other legislators and industry experts to help improve the security of online banking. I've heard that major portions of the population continue to use the phrases “PASSWORD” and/or “123456789” as their passwords. I'm not sure that this will be changing anytime soon. Plus, many Seniors may remember a password that they created 20 years ago, but not a new one created for them by a relative last week. And Seniors also have special vulnerabilities in that they may write down their passwords and leave them where ill-intentioned caregivers may have access to them. If a Senior only has online access to their accounts in the form of the Meriwest e-statement (option 2 mentioned above), then they can be alerted immediately by e-mail if their account(s) get(s) attacked by some other means while remaining completely secure online. I have found that there really is no need for online bill pay or money transfer through a log in interface that exposes all of your money to thieves. Keeping track of your daily account activity is not currently possible at most banks and credit unions without exposing all your money to this needless risk. All bills can be paid by credit or debit card on individual creditors' web sites instead of transferring money from your bank or credit union and it is not necessary for those creditors' web site log ins to be secure to keep your money safe. It is necessary for the https and SSL programs used on creditors' sites to be secure to keep your credit card numbers used on creditors' sites from being stolen, but the passwords and log in names for those sites are not as important. The log in and password for your bank or credit union site, however, must be guarded with your life under the present system. That is what I call “inherently insecure.” Please let the people have the option of keeping the front doors permanently locked on their bank accounts. Please allow them, and if practical, mandate that they be allowed to, bank in a way that is “inherently secure”.Thank you.


John Thielking
San Jose, CA, USA

PS Another issue is overdrafts. All banks and credit unions should be required to offer (and to CLEARLY STATE that such an option is available) an option to have your account reject ALL overdrafts. Chase does not currently offer this and Meriwest may offer this but failed miserably to explain this option.
by John Thielking
Sunday Apr 20th, 2014 4:40 PM
I can complain all I want about how online banking could be more secure if it didn't matter so much if someone got a hold of your online banking log in info. All of that stuff won't stop the real problem which is that too often seniors fall victim to con artists and scammers. Sometimes you pay a contractor the maximum $1000 down payment to redo your driveway and they either never show up or they abandon the project halfway through. If that happens, call the State Contractors License Board and have them take the $1000 out of the contractor's $12000 bond.

Another bit of advice that was given at the Senior Scam Stoppers event is that you should always get a minimum of 3 bids on a project and verify that the contractors are actually licensed by calling the State Contractors Licensing Board. In one case a lady got 13 bids and only a few of the bidders turned out to be actually licensed. Be sure to check the license status of any sub contractors too. These names and contractor license numbers are required to be listed on your contract. Be sure that each contractor and sub contractor carries workman's comp. If they don't and someone gets hurt on your property, you could be liable. Also, the maximum down payment in CA is $1000 or 10% of the total contract amount, whichever is less. Also, you have 3 days to cancel after signing a contract.

That isn't so bad compared to some of the other scams such as that nice gentleman you met on an online dating site who seems to have endless money problems. Being sympathetic and possibly head over heals in love, you end up giving him all of your money. Probably not all at once, but before you know it you are borrowing money from family and friends to cover your new boyfriends alleged needs. Then he dumps you and you could end up homeless if you are unable to pay your bills.

Or maybe you get a phone message asking you to call area code 809. If you call that number you will be billed some $300 per minute. Always enter the area code into a search engine and see if there are any warnings about it or at least verify that it is going to a specific city in the US before calling an unfamiliar area code. You may be able to disable such possible calls on your phone if you have a fixed rate plan with unlimited minutes that likely won't let you complete such toll calls. That would be good to have if there are minors in the house who make calls. Also, scammers can rig caller ID to read anything they want. You might think that you are getting a phone call from your local police dept because "SJ PD" shows on the caller ID. They might be calling you for real if you previously filed a police report. But if you want to be safe, just screen the call on your answering machine and if you think it is for real, just call the non emergency number later when you have time.

Sometimes you may get an emergency call or e-mail saying that a relative is in trouble and needs you to send them money right away or bail them out of jail. You may be able to independently verify such claims. Don't take the caller's word for it.

Even younger people with sound judgement fall for this next scam. A guy I was renting a room from fell for it twice. I bailed him out with a year's worth of free rent for myself the first time. But not the second time. He fell for the scam where someone sent him a money order for $5000. He was supposed to deposit the money order in his bank account and then wire the scammer $4500. He was supposed to keep $500 for doing the transaction. Of course the money order turned out to be fraudulent. The scam went undiscovered by his bank long enough for him to send the $4500. But when the bank discovered the fraud, he ended up with a big overdraft on his account. The second time this happened there was no way to get bailed out. Even loan sharks such as payday advance people who can do high interest loans for $5000 wouldn't help him because his credit file was locked. He ended up defaulting on the money that he owed to the bank and after that the only way he could get a bank account was to share an account with someone with a good Chex Systems report. This situation of not being able to have his own bank account was supposed to last for 7 years. My advice is don't give people "change" for money orders, even if you are renting out a room to them and they owe you money for rent. Also, don't participate in schemes involving trans-shipping items or money. Often the items or money are "hot" and if the police catch you participating in such schemes you could be in big trouble.

Door to door solicitors: San Jose does not require any permit other than a business license before a salesperson can go soliciting door to door. I was considering doing door to door sales to sell my 2011 and 2012 booklets and also to sell solar power for a formerly legit company called Citizenre. Note that Citizenre is as far as I know is not paying their door to door salespeople the commissions they are owed so effectively they are out of business. Not every door to door salesman who asks you for your PG&E bill so they can start an energy audit for a solar installation is a scammer. Citizenre asked for this. But they also required their door to door people to go through training to insure they knew their stuff and then after the training they required them to wear a photo ID badge with the company name on it, in addition to wearing any ID badge that may be required by the city that you live in. Santa Clara City for example requires that all door to door salespeople go through a background check with the police dept which includes getting fingerprinted and having the company they are doing business for verified. Then the door to door salesperson is required to wear the photo ID badge they are issued while they are soliciting.

Because door to door soliciting scammers can often be doing a set up for a home invasion, either right then or sometime later after they have "cased" the interior of your house, the best procedure is to get an intercom at the door or just talk to the solicitor through the door without opening the door. If the person is from a utility company, ask them to identify themselves and then call the utility company to verify their identity before letting them in.

Even legit utility companies may try to sell you products that you don't need. Check with your homeowners' insurance company before agreeing to sign up for water service insurance in San Jose, for example. Your homeowners' insurance may cover your water main, so buying the extra insurance from the city of San Jose may be unnecessary.

Then there are the scams which are just inconvenient. You get a spam e-mail with a file attachment with the subject heading "Notice To Appear in Court" or "Eviction Notice". Whatever you do, do not open or download the attachment. If you really want to penalize these types of scammers, call your local police dept non-emergency line and find out the procedure for printing out the entire e-mail. There is a way to view the complete header information which can tell the police where the e-mail came from. Print that out and give it to the police. Forwarding the e-mail to them will erase this header information. The other option is to be sure the e-mail is marked as spam and then delete it. Your e-mail provider often keeps track of spam and may report that spam to the authorities.

Another thing which is a common scam that I have seen a few times is that the Better Business Bureau does not allow their ratings of a business or their BBB accredited logo to be used in any advertising. So if you see an envelope in the mail with the BBB name and rating on it or you see a TV commercial saying that XYZ business has such and such BBB rating, just ignore the pitch and move on. Or if you remember the business name you can even file a complaint with the BBB. The exception to this rule is that if you have a place of business you can display the plaque that the BBB may give you stating that you are a BBB accredited business.

Good luck and stay safe. And keep your relatives safe too. Sometimes the only sign that there is serious trouble is that the relative is acting differently or asking you for money. Pay attention.

There are supposed to be additional Senior Scam Stopper events happening soon. Google for Paul Fong to see if there are any scheduled yet.