Online Banking - Everybody's a #&(%!@ expert
By John Tan - 10/23/1999
Why Pick on Banking?
One of the beauties of the less discussed, "consumer" side of capitalism is the existence of the consumer advocate. Consumer advocates are one of the few barriers between healthy commerce and parasitic fraud. The ugly side of capitalism is when doing it now is more important than doing it responsibly. The potential for secure online transactions is definitely there, but what is being offered today is a whole lot of marketing and a disgusting lack of respect for the individual consumer. It is my belief that consumers are being misled in both subtle and obvious ways about the extent of the "security" in online banking. In fact, I argue that there is NO security in online banking as it exists today.
The impact on the individual customer is another good reason to pick on banking. Nobody doubts that the bank will straighten out whatever mess arises from fraud against online banking, and nobody thinks that they will be held liable for fraudulent charges against their account. Of these things we can be fairly certain. If one looks, however, at a more traditional banking product, the checking account, one may be able to ascertain what the experience of a fraud victim could be.
A story run on Dateline NBC, Sunday, October 3, 1999, called most banks (all but Citibank) on their poor level of control over the way they handled check processing. One consumer was interviewed and related her experience of having her checking account emptied by someone who had captured her account information. She got all of her money back, but it took a month. Unless you’re rich and have a couple of bank accounts or a bunch of dough tucked under the mattress, that means a month of borrowing money (from friends and family, not the bank) for food, gas, parking and whatever other financial obligations you may need to meet.
Dateline says that the banks are positioning online banking as "more secure" than checks, and this is where things get interesting. The premise of this essay is that online banking is "not secure". The banks will tell you "it’s more secure", "it’s secure" or "the bank is secure", but these are carefully chosen words. They are carefully chosen because the banks are very interested in expanding the number of ways they offer the customer to do business, and feel that they need to be either the leader or in the top 10 when it comes to online banking. Therefore, they actively encourage people to use their online banking application, and will go so far as to admit that the Internet shouldn’t be trusted, so they use some really whiz-bang encryption like SSL.
The questions the customer needs to ask are "Is the transaction secure?" and "Is my account secure if I use online banking?". Chances are that the sales representative won’t realize what you’re asking because they’re just working off a script, but the real answer is definitely no. When they say "the bank is secure" that may or may not be correct. The basic problem is a design issue shared by ALL the online banking applications; it doesn’t affect the bank as a whole, but rather the individual transactions and the accounts associated with those transactions. That’s not to say that the bank’s computers aren’t vulnerable to a number of attacks, but the financial industry does tend to make a relatively good effort at hardening the security of its central computers.
The problem is the way trust is extended in the new online design, which leaves a wide gap between it and the established and relatively secure model of using Financial Transaction Cards (FTCs) in Automated Teller Machines (ATMs). This essay will argue that the current move to "Internet" based systems is a step down from a system with security to a system with no security.
The same could be said for email, online trading, and online filing (of taxes, claims, and other personally sensitive information). When it comes down to it, Internet based transactions will be cheaper than the systems of the past. Online transactions are 4, 5, even 10 times cheaper than traditional transactions - quite possibly because proper controls have not been implemented in the system. Why pay for these controls when you can write off the losses? All the problems will occur to one individual at a time, which means that your customer base will have to face you individually. Damage control on the bad press from fraud is subsequently easy enough; that is, if fraud is the only motive your threat model addresses.
Any part of this nation’s "critical infrastructure" must also consider itself a target for online terrorism against the citizens, commerce and government of the United States. If an attack were coordinated such that masses of customers were "defrauded" simultaneously, the system itself would definitely be impacted. Since this is "online" banking, this type of coordinated attack could be automated. Those offering financial transactions would not be able to rely on their books as to the business that occurred from the time of the attack until the bank or the brokerage implemented a system with proper controls.
To think that the customer’s PC would in any way be secure is surely negligence or even fraud in itself. Yet the banks will never be so bold as to tell the customer that the security of their account is tied to the customer’s PC, which is almost without exception running an operating system with no security model. Windows 9x has no security and Mac is no better. One reason the bank won’t go into this when they’re selling online banking to you is that they assume you won’t understand about PCs, operating systems and Windows 9x; so if you don’t understand computers, how exactly is your home computer going to provide a platform for secure online transactions? And how secure was that terminal at the trade show you just checked your email on?
The irony of the situation is that when your account is defrauded via online banking, the banks will call it a "user education problem" and say it’s the consumer’s fault. I guess you’ll still get your balance back; in a month or so.
Trust, Control and Security and How They Relate to Banking
There are two components to banking as a business: assets and trust. Trust leads to customers, which lead to assets. To grow assets under management, you must establish and maintain a level of trust with the customer. Trust is based on the ethics and rules of those who run the bank and their ability to enforce those ethics and rules. The ability to enforce ethics and rules comes from security, whether it be locking up assets in a vault, providing video surveillance in branch offices and at ATMs, doing background checks on employees or putting other controls in place. Without control of a system, the system cannot be said to be secure and does not deserve trust.
In accounting, controls are used to provide reliable data. In marketing, words like "acceptable risk" are used when "everybody else is doing it" and "we’re going to miss the boat on this one if we don’t do it". Is it an acceptable risk, however, not only to incur the cost of fraud, put the consumer at risk, and risk your customers’ trust in you, but also to deploy systems without adequate controls from an accounting perspective?