Some banks demonstrate behaviour that I find very odd. These are peculiar security measures that some creative security bright sparks must have thought of.
I think there is an important role for information security professionals to play, but sometimes they overdo it, or don’t seem to think through the practical consequences thoroughly.
It’s when banks do unique things in their process that common sense alarm bells should probably go off. Here are some examples.
1. Standard Chartered PH requires a mobile PIN (which they call an eTAC code) even for internal transfers. And it’s a very long code: 10 digits.
2. Metrobank PH – on most pages, copy-pasting is disallowed. Even for enrolling credit card numbers for payments.
3. HSBC US blocks online internet transactions on debit cards and requires the customer to call back customer service/security department.
– customer service is only available to receive calls 9am to 5pm
– if you happen to be elsewhere around the world at the time, calling customer service may require an international call.
– HSBC US claim they have a collect call service but it doesn’t work 99% of the time
– the combination of having to call during working hours of customer service, and having to make an international call probably should have set off usability/practicality alarm bells
4. Citibank’s internet banking messaging system disallows most symbols and punctuation.
– the reply function includes the original text, but the system will complain if you hit send, because the original text portion that the system itself crafted contains characters that it does not like
– the message is limited to only a certain number of characters, so often a message trail cannot be maintained
– the system does not store sent messages
– the system does not help the user with an indication of what the invalid character(s) are
PDF passwords on bank emails are in use by Citibank and BDO.
These are just some fails I have encountered in bank security policy/processes. Have you had similar experiences?