Network Security Web-App-Sec

Re: limits of end-user "testing"

Subject: Re: limits of end-user "testing"
Date: Thu, 17 Nov 2005 05:35:34 -0700
> People occasionally ask me if I can help them figure out if the online
> banking site they use is secure. I tell them not unless the bank hires me to
> do so.

Agreed.

> Is there *anything* that an end user can do in the way of checking for the
> Top 10 type of problems, that would be considered "fair use" (I know..
> copyright law term, not really applicable here) or "self-defense" rather
> than malicious?

That depends on what the judge/jury says. I wouldn't chance it. The good news is that banks want online transactions to take off, so they'll continue to eat the losses for a while (until it becomes a bigger problem or they figure out a way to shift the cost to customers without causing too much bad publicity).


This isn't really self-defense either since the bank's servers have not attacked you. This is more along the lines of due diligence, i.e. I'm entrusting you with X, I want to make sure you are actually capable of handling X properly and safely. The one method that comes to mind is legal, for example http://www.computerworld.com/printthis/2005/0,4814,105638,00.html

This is a fundamentally economic problem. Banks could design systems and processes that would result in the customer having a near 100% secure experience with online banking, but it would be very, very costly. Like Schneier says, shift the cost of phishing to financial institutions and they'll find a way to address it pretty quickly; leave the cost with consumers and.. well.. we'll have the situation we're currently in.

> For purposes of simplicity and relevance to my current location, let's assume
> that the user, the website, and the company that owns the site are all
> in the U.S.

I would especially not even think about it in that case.

-Kurt
