Online Banking - Everybody's a #&(%!@ expert
By John Tan - 10/23/1999
Internet Banking
Today, marketing has figured out how to address the issue of the "Internet" not being secure enough. They’ve put up firewalls and locked down their servers and (hopefully) done a good job protecting the bank’s computers. Using SSL, an encrypted "tunnel" is established from the bank’s computers out across the Internet right up to the computer being used by the customer (or criminal) on the other end. Authentication occurs through what would be considered a "single-faceted" mechanism (just a string of letters and numbers), no different from a single password.
That single password may be covertly harvested through a variety of means, and doing so is not beyond the capability of a high-school student, let alone a terrorist organization, a nation-state, organized crime, or even just that person you cut off in traffic this morning. Once harvested, it may be retained and used in the future from any computer connected to the Internet, because the bank's check accepts the same static string every time, from anywhere.
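To make the "harvest once, use from anywhere" point concrete, here is an added example (written for this page, not code from the article or from any bank): a simulated login that compares a static PIN, beside a nonce-based challenge-response check in which a recorded exchange cannot be presented a second time. The PIN, the shared secret and the HMAC construction are constructed placeholders for illustration.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample customer record; both values are placeholders, not real credentials.
SHARED_SECRET = b"customer-shared-secret-placeholder"
STATIC_PIN = "4821"


def static_login(pin_presented: str) -> bool:
    """Single-factor check: whoever knows the string is accepted, from any machine, indefinitely."""
    return hmac.compare_digest(pin_presented, STATIC_PIN)


class ChallengeServer:
    """Issues one-time nonces; a response is valid only for its own nonce, only once, and only briefly."""

    def __init__(self, ttl_seconds: int = 60):
        self.outstanding = {}  # nonce -> expiry timestamp
        self.ttl = ttl_seconds

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = time.time() + self.ttl
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        expiry = self.outstanding.pop(nonce, None)  # consumed whether or not it verifies
        if expiry is None or time.time() > expiry:
            return False
        expected = hmac.new(SHARED_SECRET, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_respond(nonce: str) -> str:
    """What the customer's device computes; the shared secret itself never crosses the wire."""
    return hmac.new(SHARED_SECRET, nonce.encode(), hashlib.sha256).hexdigest()


def replay_outcomes():
    """Model an eavesdropper who recorded one session and presents the same data again later."""
    captured_pin = STATIC_PIN                        # a static PIN seen once is reusable forever
    static_replay_accepted = static_login(captured_pin)
    server = ChallengeServer()
    nonce = server.issue_challenge()
    response = client_respond(nonce)                 # legitimate session, recorded by the eavesdropper
    first_use = server.verify(nonce, response)
    replay_accepted = server.verify(nonce, response) # same recorded pair presented a second time
    return static_replay_accepted, first_use, replay_accepted
```

The function returns `(True, True, False)`: the recorded static PIN is accepted again, while the recorded challenge response is rejected on its second use.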
Under this model, not only does the consumer have to worry about their home computer, they have to worry about the security of any computer they use to do their online banking. When the consumer asks, "Is it secure?", they’re not expecting the answer to assume that they have secured their home computer. A consumer who thinks online banking is "secure" thinks, "It's secure, the bank is handling the security and they know about security 'cause they’re a bank". When the consumer becomes a victim of fraud, the bank will call this an "education problem," and I would agree: marketing people should not be driving systems architecture, or should not be advertising their systems as secure.
I'm not suggesting that the consumer ever thinks that the bank will secure their home PC. I am suggesting that the customer is not being led to understand that the security of their home PC is a serious matter, and that just because they don't know they have been hacked doesn't mean they haven't been hacked. The banks haven't educated the consumer to understand that there are issues surrounding the harvesting of their passwords and PINs, and that each time they use their online banking credentials, they are putting those credentials at risk.
This flaw is found in the model used by all traditional banks expanding their channels to include the Internet. First Union Bank, for instance, has suggested eliminating cached pages before leaving a shared or public computer, not sharing your PIN and codeword, selecting a PIN and codeword that are hard to guess, and not leaving your computer in the middle of a session. There are no requirements for use of a secure operating system on the client or for the consumer to maintain a certain level of system integrity. The home PC is simply ignored.
Fleet Bank is even worse, stating that "With Fleet Web Banking you can bank with the same confidence you have when using Fleet Telephone Banking, our branches, and our ATMs."; yet these are relatively single-purpose, limited-functionality devices, as opposed to your home PC, which is an open system with no security model. Citibank makes a very similarly stupid statement, which is surprising for a bank that really has done more right in security than any other bank. Only BankOne makes a reasonable statement, which is: "THE BANK DOES NOT MAKE ANY WARRANTIES CONCERNING THE HARDWARE, THE SOFTWARE OR ANY PART THEREOF, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OF FITNESS FOR A PARTICULAR PURPOSE."