How could online banking stop sucking (micho.biz)
29 points by michokest on Jan 2, 2012 | hide | past | favorite | 37 comments



Sorry, but I have to disagree with many of your suggestions.

1. Log in from the home page: This would require the bank to serve its home page from https, including a redirect from http for every visitor, in case he or she wants to log in.

2. 4-digit passcodes: You're missing the key point about your ATM login -- it's only secure because it combines something you have (your ATM card) with something you know (your PIN). If everyone's login is a 4-digit number, then if I have a list of 10,000 users of your system, it would be trivial for me to compromise at least one account (not of my choosing) without even resorting to multiple login attempts.

3. Setting all login ID's to users' email addresses: This just removes more entropy from the login security process, since I now know that logins come from the set of valid email addresses. For any individual user, I now know their login with a high degree of certainty.

4. API: Do you think that banks really want to circumvent their security measures by allowing third parties to hold keys to the front door, even if the proverbial vault is locked?

All that said, I do agree that there are things that could be improved: making the login button front-and-center, so I don't have to guess where to find it; giving better choices for exporting financial data. But, you've got to realize that banks (online and offline) are prime targets for criminals, and that in some ways user experience has to take a back seat to protecting assets.


> This would require the bank to serve its home page from https, including a redirect from http for every visitor

And that's a bad idea why exactly?...

> Setting all login ID's to users' email addresses: This just removes more entropy from the login security process, since I now know that logins come from the set of valid email addresses.

Currently the username in my bank is a 9-digit number and they've got "over 30 million customers". I'm pretty sure I can guess a valid username in under 10 tries ;) Meanwhile, emails are almost an unlimited search space. The only thing that changes is that you're more likely to know who the email belongs to.


1. All email providers do the HTTPS thing. Have you noticed any problem with them? Almost every user who visits the bank's website will want to log in.

3. You might get some tiny fraction of additional security (through obscurity) by obfuscating people's logins, but this is ridiculous, unnecessary, and at great expense to the user experience when a decent password provides all the security you need.


On 1, I doubt that "almost every user who visits the bank's website will want to log in," at least not on every visit. I'm guessing that it's not even the majority -- many others will be looking for branch addresses, seeking info on loan or credit card terms, etc.

Yes, email providers allow you to log in from their front page, but even then only from their gateway page. As a good example, www.yahoo.com does NOT have a login for their webmail client -- you have to click through to a separate screen. You only see the login if you go directly to mail.yahoo.com.


Forced SSL isn't a bad idea, nor is it hard. Many banks already do this.

Most banks already offer an API, in the form of OFX. The security measures (like challenge questions) are already circumvented, and I've seen some really bad security flaws in OFX implementations when I last played around. e.g., inter-customer money transfers without requiring anything but the password, no auth lockout making brute-forcing possible, ability to crash the OFX gateway, &c.

(Yes, the newer OFX standards support multi-factor authentication, but I don't know of a single bank that uses the newer version.)

Also, most FIs hate the idea of financial aggregation, being worried about other companies cross-selling to their customers.

A sane REST API would be a wonderful step in the right direction, but I doubt it'll happen in the next ten years on a large scale. Getting OFX to where it stands now took the combined market forces of Intuit and Microsoft many years, and didn't turn out well.


They have far more to lose through bad publicity, and even punitive damages levied by governments, than to gain from making things easier for customers.

The idea of a weak password so you can have more easily a nose around someone else's private details is frankly laughable. This is personal financial information, not Facebook, FFS.

A moment's reflection, and you can imagine the headlines.


Agreed. While some of the opinions are valid and useful, the idea of intentionally setting up weak authentication for an online bank account seems absurd. (Did he really suggest accepting an e-mail address in lieu of a password?)

Banks often have you confirm recent transactions on your account to verify your identity (over the phone, for example), making this data pretty sensitive. But even setting that aside, I think most people would like their balances and transaction histories to be pretty private. It only seems reasonable to me.


It's not "intentionally weak authentication" – it's optionally weak authentication, so users can choose how hard it is to see their data.

Something completely different is securing sending out money.


I think you've missed the point.

It's not sufficient to let the user decide how much security they should have. It won't protect the banks from the expectations of security placed on them by others, however unreasonable that might seem.


Give me a freaking API and all the other issues go away.

Also, stop restricting the data I can download to the most recent 30-90 days.

Paypal and Amazon both let me download my entire purchase history (>5 years for both) with a ton more detail than the bank.

If security is an issue give me a client SSL cert and force me to do 2 factor login (SSL cert + password) to grab a feed of data. This isn't rocket science - it's me wanting a simple "select * from checkingaccount" from your database on the other end of a HTTP request.


Most British banks require two-factor authentication. My bank (Barclays) allows me to login without sending a password over the wire. I insert my debit card into a reader and enter my normal PIN, which generates a one-time password. The scheme is remarkably well-designed and defeats all of the usual attacks[1].

Crucially, I must generate a different one-time password using a different procedure if I wish to transfer money to someone I haven't previously paid. This essentially puts paid to phishing and man-in-the-middle, as an authenticated session isn't enough to do anything malicious; to steal my money, you would have to either completely break the cryptosystem, or convince me to enter your account number into my card reader to generate the necessary one-time password.

[1] http://www.barclays.co.uk/Helpsupport/IntroducingPINsentryfo...


Sorry to tell you that there are valid attacks against the PINSentry used by Barclays - see http://www.theregister.co.uk/2009/02/26/bank_reader_insecuri.... I don't know of any actual breaches though.


Rabobank has a similar system.

Account access requires a keypad widget, an account number, the widget's serial number, a pin and the generated one-time pass.

Any transactions require a second one-time pass derived from a different algo.


Systems exist (just not in the US).

My provider (ABN Amro in Holland) works like this:

1. Login is your account number and card number (1234567 + 004, located on card)

2. Password is generated by putting your 'smart' card into a little device, typing a PIN in, and typing in the resulting one-time pass. Other banks do this by sending the code via SMS, which is also good (though a bit less secure).

3. Interface is not mind-blowingly web 2.0, but works pretty well.

4. Transfers to other bank accounts are free, happen within one business day, and are confirmed by performing step 2 for each batch of transfers.

5. There is an iPhone app, which you do a one-time authorization with step 2, and create a 6 digit pin code. This code lets you check your balance. Performing transactions requires step 2 again, unless you are transferring to someone in your address book (there is a limit which you can set).

To be honest, it's pretty good. Its first priority is clearly security, and given that it's pretty damn usable.

US banks should take note.


I've used the same bank since 1999, and their internet bank has always been stellar. In the beginning you logged in with your id and a PIN and you had to have a personal browser certificate. Since then they've added an additional one-time code, and you can also log in with something called BankID which is a national electronic id system.

So it's secure, works in all browsers, and gives you choice in how you want to log on. And on top of that, the actual service is great, paying bills is easy and free, opening accounts and moving money between accounts is instant and free, transferring to other banks or other people is free (but takes time), automatic bill payment is easy and free.

And the other banks in my country aren't bad either, competition forces all of them to be secure, free to use, and easy to use.


I really disagree about making it 'easier' to login to your online banking. Those who are savvy enough know what they are doing and can handle complex password / authorization combos. Until we have better solutions leave it complex and let customer service handle the cases where the odd person can't manage their login info. With banking, security is a far better requirement than usability. Having said that, my online bank has what I perceive to be a fairly secure 3-step auth system and if I don't have my info physically in front of me I can't get access. Emergency and can't login? I'll call them.


3-step authentication? Which bank offers that?


my bank uses:

1. 12 digit pin / complex password

2. Physical reference card (like a puzzle game to answer on login)

3. Must reply to SMS to transfer funds / configure payments


Which bank?


This article has several ideas that are fundamentally flawed - but here's the most easily falsifiable one:

"What’s worse, a weak password, or a password that sits on your desk?"

Contrary to what is said in the article, a weak password is worse - no question. A password that sits on my desk is only available to people who break into my home. If they do that, they probably have access to other documents of some importance.

A password that is weak can allow anyone access to my account, from anywhere.


He mentioned login attempts in the article. Someone tries the wrong password more than a few times and the account gets locked. That should thwart any and all dictionary/brute force/you name it attacks. So which is more secure, an impossible to accomplish remote attack, or a password sitting on your desk?

Bank password policies are retarded. I currently have one that requires 6 characters. No more, no less. This may be the worst offense I've seen but it doesn't excuse the other bullshit that passes as secure or acceptable in the banking arena. These guys need help.


I'm not trying to say that bank password policies make sense. They do need help.

"Allow weaker passwords and limit login attempts" is not the solution either, because it gives an attacker who has discovered my user id but not my password the ability to lock my account.
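
An added illustration of the lockout trade-off argued over in the comments above (not part of the original thread): a per-account lockout catches repeated failures on one account, and locks that user out, but never sees a source that fails once each against many accounts. The thresholds, log format and sample records are assumptions constructed for this example, and `p_any_hit` assumes 4-digit codes chosen uniformly at random.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # assumed: failed logins on one account before it locks
SPRAY_THRESHOLD = 5    # assumed: distinct accounts failed from one source

def p_any_hit(accounts, keyspace=10_000, guesses_each=1):
    """Chance at least one account falls when every account gets a few
    guesses, assuming secrets are uniform over the keyspace."""
    return 1 - (1 - guesses_each / keyspace) ** accounts

def analyse(events):
    """events: iterable of (source, username, success) login records.
    Returns (accounts a per-account lockout would lock,
             sources failing against many distinct accounts)."""
    fails_per_account = defaultdict(int)
    accounts_per_source = defaultdict(set)
    for source, user, ok in events:
        if ok:
            continue
        fails_per_account[user] += 1
        accounts_per_source[source].add(user)
    locked = {u for u, n in fails_per_account.items()
              if n >= LOCKOUT_THRESHOLD}
    spraying = {s for s, users in accounts_per_source.items()
                if len(users) >= SPRAY_THRESHOLD}
    return locked, spraying

# Constructed sample log (documentation-range addresses, made-up usernames).
SAMPLE = (
    [("203.0.113.7", f"user{i}", False) for i in range(6)]  # one try each
    + [("198.51.100.4", "alice", False)] * 3                # three on one
    + [("192.0.2.10", "bob", True)]                         # normal login
)

if __name__ == "__main__":
    locked, spraying = analyse(SAMPLE)
    print("locked by per-account rule:", sorted(locked))
    print("flagged by per-source rule:", sorted(spraying))
    print("P(any hit), 10,000 accounts, one guess each: "
          f"{p_any_hit(10_000):.3f}")
```

The per-account rule locks only `alice`, while the source that touched six accounts once each is visible only to the per-source count, so the two checks complement each other rather than substitute for one another.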


How many times do people talk about their bank in glowing terms? How many people love their bank? How many people rave about their bank? I have never met anyone that would meet those descriptions. I think those are telltale signs that there is room for a Zappos of banks. I hope www.simple.com can be it. I wish www.mint.com had gone for it.


I feel pretty good with Lloyds (UK). While they're not perfect, they:

- don't have silly password restrictions (login is username + password 1 + 3* n'th letter from password 2, transfers need password 1 again, large transfers to unknown destination needs phone confirmation (automatic service))

- have website working well in pretty much any browser

- provide instant SMS notification about low balance and an account summary every week

- have pretty low waiting times (whenever I call, it's rarely more than a minute before my call is picked up)

- process my statement and split known records into groups showing me money spent/earned from various sources (car, house, food expenses, etc.); they find recurring payments and put them into a calendar which gives a good idea of how much money I need and when; effectively they killed the need of using local app for keeping track of my account

- they provide exports into csv and other formats (although they've got a "known issue" for years where the export range is approximate - it can add or miss a couple of days randomly)

- they do watch my account - when my employer missed the payday by 1 day, I got a call to check if that's expected; when I got a larger incoming transfer, I also got a call to notify me about it and check if it's expected (did not request that before)

I do recommend them to other people, because they're better than other banks I had to deal with.


Great to know. Thanks! I will check them out :)


I love USAA. Great customer service, great web access, and I can always get someone on the phone no matter the time.


I don't mind the crappy web interfaces because I have bigger complaints about modern consumer banking. I really don't understand how loose and sloppy a lot of it feels to me, and how old school other parts feel. Here are a few examples from my very recent past:

1) I had a check stolen. The thief was able to write themselves (or someone they know) a check for $100, sign it with my name, and deposit or cash it. I only discovered this after seeing the transaction in my history and notifying the bank. The forged signature looked completely different from my own. What's the point of a signature if it's not used for authentication?

2) Because of the above, during the fraud claim process I had to close my account. This disrupted my direct deposit and my employer attempted to deposit my paycheck into a closed account. I didn't realize this until the payment was being returned. I was told that I would have to wait 5 business days for the payment to be resolved. Why isn't this instantaneous? Why do high frequency firms enjoy millisecond trading while consumers have to wait what is basically the equivalent of postal mail delays for electronic transactions? I'm sure this is vastly simplified (HFT firms colocate with exchanges, consumer banks must have to comply with regulations that necessitate these delays) but it does seem that the ordinary consumer is being screwed out of some innovation here.

3) Finally, just this past week, someone accidentally deposited over $1000 into my account. They must have made a mistake with the account number. I told the bank about it, and it still hasn't been resolved. How is this even possible? From what I understand, all you need to withdraw and deposit money from an account is the combination of routing number and account number, and this seems so crazy in the way it opens up for mistakes or abuse.

Of course, I'm likely underestimating the complexities and histories here so I would be very happy to have my naivete corrected.


I do all my banking from home by physically mailing stamped envelopes with checks, deposit slips, and signed letters ordering transfers. These envelopes are then opened by a teller who processes the transaction and mails a receipt of the transaction back.

It's considerably faster than trying to use their web site.


This is a space that will likely never be "disrupted" because the people capable of doing it don't have the huge capital required and the people who do have the capital don't really give a shit.


However, there are companies who care.

Two of the banks I use share the same web engine. They've both bought it from some company that I don't know. Both banks are of the smaller ones so they don't do internal development, hence outsourcing: big banks would probably exhibit a loud NIH syndrome.

Now, one of the banks I use has had it for at least over ten years, having been a customer there, and the user interface hasn't essentially changed much. I remember a couple of cosmetic updates but the pages still look pretty minimal and clean. This is a sign of caring about users because web user interfaces tend to get replaced every few years for the sake of getting renewed. Somebody has clearly had an opinion on how an online banking interface should work, and that somebody has stuck to it. For years.

The login, as is typical in Finland, is a username + password, plus an ever-changing PIN code from a printed table. You need one PIN code for login and another if you issue wire transfers. I've had the same username since the 90's and I've changed the password maybe twice. I don't have them on paper. I get a new PIN code table by mail a couple of times a year as soon as the old one is about to run out of codes. Pretty secure and convenient: set of credentials that don't change and another set of simpler credentials that change every time.

Too bad their demo logins are in Finnish and Swedish only, not English. From what I read, this company has awaiting sales in the U.S. :)


I agree. The hard part is starting the actual bank. That's 99.9% of it. Creating a usable website is .1% of the work. Let's see an entrepreneur do both rather than go after the low hanging fruit.


Maybe https://simple.com/ is the best chance to start pushing the banks to improve their online interfaces.


It's a stupid situation: the interface is so unclear and messy that you're afraid to do something wrong (and nobody wants mistakes with the money), so you just use the online banking for small amounts of money.

Also in my bank the password needs to be shorter than 15 characters, I will never understand this.

https://simple.com/ is the way to go.


ING has a pretty great banking interface. Simple, easy to use, powerful enough to do anything I've needed so far.


Mint.com is a good dashboard to watch your finances. I check my balances and trends etc from Mint and only log into my bank when I need to do a transaction. They are probably stealing all my personal information however.


tnx, michokest, fully understand your pain


Great!



