Online banking not as safe as we’ve been led to believe


Friday, April 11th, 2008

Devil is in the fine print, experts warn

Sarah Schmidt
Province

OTTAWA — Canadian banks mislead their customers about the safety of online banking in their marketing materials and give users a false sense of security with a refund guarantee if hackers raid their accounts, a leading software-security expert concludes in a new study.

Paul Van Oorschot, Canada Research Chair in Network and Software Security at Carleton University, and Ph.D student Mohammad Mannan, a specialist in Internet security, tested the standard banking claim of a “100-per-cent online-security guarantee” against the fine print that makes it conditional on fulfilling complicated security requirements.

The researchers opened up bank accounts at Canada’s five major banks and one online bank, and surveyed 123 technically advanced users, mainly computer-science students and security researchers.

Most in the survey are more security-aware than average customers, and still failed to satisfy common security requirements. Expecting average people to meet them is “extremely naive,” they write.

“We conclude that most average users are ineligible for the 100-per-cent reimbursement guarantee banks assert, and doing online banking with ‘confidence’ and ‘peace of mind’ is no more than a marketing slogan which misleads users.”

They found that despite strong recommendations about password uniqueness, in one case, RBC listed “iwthyh,” an acronym for the Beatles’ song I Want to Hold Your Hand, as an example of a “rock-solid” password.

Meanwhile, most banks’ customer agreements require users to maintain up-to-date copies of anti-virus, firewall and anti-spyware programs. The survey of 123 tech-savvy users found fewer than half reported using anti-spyware on computers used for banking, and more than a quarter do not use anti-virus software. Ten per cent do not use any firewall.

© The Vancouver Province 2008

