undefined | Better HN

0 pointsseryoiupfurds4y ago0 comments

Interac E-Transfers are great, except that I wish they didn't train people to click a link from their email and type in their bank password. Sure, it redirects to a login page on your own bank's web site, but how does a non-technical user know it's not a phishing lookalike?

Really, the existing autodeposit feature would be perfect if it let you log in to your online banking and confirm pending transactions before autodepositing them. For that matter it would be nice if the email gave me a string I could paste into my online banking to get to the existing confirmation page.

It's all much better than having to link your bank account to some third party or give away your credentials though.

0 comments

lstamour4y ago

I suggested to a big bank back in 2011 that they should have an iPhone app that sends a push notification to alert me to debit or point-of-sale transactions so I could approve them as they happened, and they only recently did so. But in their defense, security can be cumbersome and hardware-integrated tokens like Apple Pay are just as good and simpler to explain, assuming we can get rid of legacy plastic at some date in the future.

Similarly, we won't be able to get rid of email but if clicking a link in an email opened an app instead of a webpage, it would be a lot harder for phishing websites to pretend to be my bank. (Assuming I'm expecting a mobile app, of course. A second line of defense is that my password manager might not prompt me to fill in the password because the URL doesn't match. But even that's not foolproof.) Even better would be if Interac E-Transfer itself was an app I could sign up for, then it could send me a push notification and I could skip my inbox entirely for these sort of transactions.

Of course, the only reason I trust apps more than websites is that I went to download them previously, rather than clicking a link that just showed up in my inbox. To that end, Gmail and other email providers have immense power if they created a design which could highlight emails from senders I've seen before as "trusted" and those from unknown senders as unknown.

Things get more gray-area though when the system itself fails: You can request money from anyone using Interac E-Transfers, and that means spammers could hijack a bank account and request money from friends and relatives you've recently sent e-transfers to, for example. Those emails would then appear as "trusted" and there's not much you can do to stop that, it's the cost of making money transfer "easy".

tialaramex4y ago

Yeah, the technical security in all these systems is a bit half-hearted†. However, in my opinion the key is to legislate that the banks (who built or in some cases purchased said half-hearted system) eat the cost of that. Maybe they're comfortable with say $10Mpa of fraud in the system, if they really can't build a safer one for less than $10M you can see they'd have a point.

The problem comes when banks are able to argue that their half-hearted security means they aren't liable to pay for the consequences. Consumers need protecting against that.

† In the UK we have a lot of 3-D Secure, developed by Arcot. But of course the average consumer has no idea who "Arcot" are, and so no reason why they should distinguish an arcot.com site (legitimate, you're supposed to give them credentials if necessary to authenticate you) versus say badguy.example (a hypothetical phishing fraud). Both of them can show you branded imagery from your bank, both have a padlock, both claim they're keeping you safe. How should an ordinary person know?

j / k navigate · click thread line to collapse