06 August 2005

Australian banks and half-hearted security advice

Scorecard for 5 major Australian banks:






























































BankPhishingKeyloggersViruses
& Worms
Instant
Solution
Free Perm
Solutions
BrowsersW3C’s
Validator
AlternativesNotes
AGoodAverageGoodNoneNoneRecommends MSIE only, supports NS4.7Error cityNoneHad to lie about browser ID to even read security info, info itself was very clear, with pictures and examples
CPoorAverageGoodNoneAdAwareRecommends MSIE, NS4.7; supports Mozilla, Firefox, SafariClaims to be XHTML 1.0 but is not, 16 errorsNoneFAQ was detailed and informative in general, but blipped over some important issues
MAveragePoorAverageNoneNoneDiscusses MSIE, NS; does not say what it supportsError cityNoneFAQ was very short
NAveragePoorAverageNoneNoneRecommends MSIE, NS; works with Mozilla but gives a monthly nag pageError city despite a valid DOCTYPENoneSecurity instructions very vague
WAveragePoorAverageSymantecNoneStrongly recommends MSIE, NS; works with Mozilla20 errors, mostly carelessness, few seriousNoneSecurity instructions very brief and not glossaried

It’s notable that none of these banks recommend the very simple step of not using software that has regular security issues and that none of these large, monied corporations could be bothered making their website standards-compliant.

I’ve had a go at asking two of them about other browsers and about standards, the response in one case was ”maybe one day” and “we have our own validator”; in the other it was “yes, thanks for your suggestion” followed by silence and inaction.

If you’re a bank reading this and wish to improve your online IQ, here are some free tips:

  • Make all of your HTML standard; the tests above were run on your home page and it is doubtful that your internet banking pages would do better. Standard is simple and with very few exceptions works everywhere (thus eliminating 99% of browser compatibility issues).

  • Go and visit Bank A’s site to see clear explanations and pretty pictures in bite-sized pieces (but be sure to tell the site you’re using MSIE; they failed their browser support check there) and Bank C’s site to see a generous quantity of information. Then ask some grandparents (at least four) to make head or tail of it. Take careful notes, write careful explanations for every single word or concept that they fail to comprehend, and link these words to popups with the explanations and mouseovers (title="text", not complicated scripts) with one-liner hints.

  • Recommend at least two free online virus scanner sites for your MS-Windows-using visitors.

  • Recommend at least AdAware and SpyBot spyware scanners for the same people.

  • Recommend avoiding software which is scam-prone. Specifically, it is very simple to link to Firefox and Thunderbird, which are far safer than their most popular commercial competition and run on almost anything. Bonus points for offering some choices there. Of course, standard HTML is a prerequisite for this.

  • Bite the bullet. Recommend that they use something other than MS-Windows (Macintosh and Linux being the obvious places to start) even though the vast majority will not take this advice. Likewise, the absence of ActiveX and other unportable nonsense in your banking applications is a prerequisite for this, too.

  • Recommend the ClamAV virus scanner, which is not only genuinely free but also picks out many phishing scams. Bonus points again for offering choices rather than just one “option”.

No comments: