We are a bit puzzled at why our online banking services are not as secure, at least in our opinion, as we think they should be.
We just finished configuring a new online account at Scotiabank, which is based here in Canada.
This is their suggested online password recommendation:
And, once we have finished our sign-up process we see:
But, Scotiabank, if security is important then why are we not allowed to use a pass phrase _with_ special characters?
Not only that, why are the number fields already populated in the online sign-in page?
The “Online Security Guarantee” is kind of cute. :)
“We will fully reimburse you . . . provided that you have met your security responsibilities.”
Okay, so we click the Safe Computing Practices link to find out what our responsibilities are and:
We pretty much follow all of the above with the exception of number 2. We have encountered enough problems with Trusteer’s Rapport Security Software (one example we have blogged) that we will not be trusting any of our systems to their software.
Now, one plus on Scotiabank’s side is that their online portal’s password request actually _is_ case sensitive. We work with other banks that do not pay attention to case in the password field.
Now, obviously the above critique is based on _our_ experience working in I.T. and all of the good, bad, and ugly that we encounter in the way of security situations.
The reality is that the banks have a business decision to make when it comes to reaching the average user.
Thus, in the end we have a good understanding of _why_ the banks are closer to the lowest common denominator when it comes to online “security”.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book