US banks that can send PGP/MIME e-mail

Mark H. Wood mwood at IUPUI.Edu
Tue Feb 26 15:29:43 CET 2013


On Mon, Feb 25, 2013 at 05:10:01PM -0500, Anonymous wrote:
[snip]
> In the states, the trend of banks offering proprietary apps for
> smartphones is snowballing.  Banks want users to take their software
> so bad they're offering free miles and contests to get customers to
> take the bait.  Such an app could embed an email client that does
> everything the advanced users would do, and hide everything possible.
> Such an app could even hide the email address, and hide the fact that
> email is used at all, if they wanted.

Heh, exactly why I won't take those app.s.

[snip]
> > Security doesn't directly generate revenue -- at best it indirectly
> > facilitates it, but that's difficult to quantify and plug into a
> > spreadsheet.  That means security gets viewed as an overhead expense:
> > something to be minimized at all costs.
> 
> The cost of securing their webserver and all the flashy shit that they
> compulsively upgrade on a regular basis cannot be cheap.
> 
> A bank forward-thinking enough to cater to nerds with ssh for
> transactions and openpgp for statements would spend the least amount
> on security, and simultaneously achieve a more secure infrastructure
> than the other banks who try to keep up with the latest web animation
> tricks, and all the holes that this emerging junkware continues to
> open.

I imagine that there is another class of security at work here which,
at some point, is still cheaper:  buy insurance and just pay off the
affected customers when something occasionally goes wrong.  I can't
point to any evidence, but it would seem to be the way that
businesspeople think about security.  Remember, from their viewpoint,
they are securing *their business*, not ours.

[snip]
> > OpenPGP users account for probably less than a thousandth of all
> > computer users.  99.9% of all banking users have no real desire to see
> > OpenPGP used for their statement delivery.
> 
> The average American has ~14 bank/credit card accounts.  I shit you
> not.  So it's not just one account they must "go pickup" their
> statement from.  You could not make a convincing claim that only 0.01%
> of Americans would appreciate their statements *delivered*
> automatically.

Careful:  "would like their statements delivered automatically" vs. "have
a desire to see OpenPGP used for statement delivery".

> Many customers cannot cope with the manual effort of downloading all
> their statements, so they simply don't.  They see their balance and
> send a payment, and let the statements rot online, and ultimately get
> archived and cleaned off the server.

That sounds like human nature, but I would be interested to see
measurements if there are any.

> Others resort to giving all their bank usernames and passwords to a
> 3rd party whom they must trust, which downloads the statements for
> them, and then offers yet another "pickup" service (yes, these users
> must still login to a website, but at least it's 1 site and not 14).

As above.

We also have to consider the question of what the banks' lawyers will
let them do, once they pick their jaws up off the floor.  This is
probably the origin of the closed, private email system locked away
inside each bank's site.  That is, perhaps, where one should work on
acceptance of suitable encryption and signing.  ("Suitable" including
what will actually be used more or less correctly by a sufficient
percentage of customers.)

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
There's an app for that:  your browser