[IP] bank privacy policy vs reality

Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Thu, 22 Jan 2004 18:41:12 -0800
From: mis@xxxxxxxxxx
Subject: bank privacy policy vs reality
To: rburnett@xxxxxxxxxxxxxxxxxxx

(dave, you can use this for IP if you consider it suitable)

your piece reporting on the crg survey was interesting but didn't go
at all far enough.

from my perspective as an information security assessor and auditor,
the problem is often that the financial services companies don't
practice quite what they preach, and leak customer private information
because of poor implementation and reliance on third parties
(outsourcers) who have implementation untested by the banks themselves.

luckily there are legal protections in the US for consumers against
fraudulent funds transfers and charges, but this means the cost of
fraud is hidden in the cost of every banking and retail credit
activity (the money has to come from somewhere...), creating a corrupt
system which hides the costs of poor security from consumers.

moreover, these days banking seems to be mostly a business that brands
a bunch of services, assumes and manages some financial risk (laying
off as much as possible on third parties), and then outsources
operations to fourth parties as much as possible.

i agree with the citibank guy that the real problem with some of these
surveys is it's unclear what they measure, but doubtless they measure
different things.  makes me wonder: do they pay to be surveyed, are the
surveys blind or with their knowledge and cooperation, is there actual
testing of whether they walk the walk or just talk the talk, or are
the surveys based mostly on representations from web browsing, etc.?

looking at the CRG survey, i don't think there's a "consumer reports"
here:

for example, looking at the CRG web site (customerrespect.com), under
products/services, then methodology, i see that what they appear to have
done is a checklist-based usability test of the web site according to five
core elements of usability, plus a close reading of the privacy policy (but
not of how well it's actually implemented). two of the core elements
(responsiveness and attitude) seem to include testing of actual
performance by sending email asking a question (i wonder what question
they asked).  CRG say they include 50+ attributes in the Customer
Respect Index, the CRI, so we know the size of the checklist.

what they don't seem to say is whether they actually opened accounts
at the banks, online or otherwise.  they don't say what personal
information was requested or collected by the bank *prior* to opening
an account or due to the US Patriot Act, which seems to have had the
main effect of giving the banks a blank check to collect way more
information than they need to identify a customer.

there is a big focus on whether the site uses cookies, which is a
tip-off that they're a bit confused.  (if you don't understand the issue,
this would be superficially like making a big deal about whether a
supermarket simply *has* an affinity card, rather than *how they use
it*.  for banks this is particularly nonsensical, since banks MUST
know their customers, or at least that customer X is the same as the
person who opened (or logged into) account Y, and that's what cookies
are used for.)

also, as a factual error, it appears from this page that the CRI does
*not* include the privacy evaluation as a component, but only the
other 5 "core elements".  you say it includes "all of the criteria".
it would be interesting to know how they weight the components,
i suspect 2 points for each element adds up to 10.

i applaud their desire to assess usability, but there is a big
question whether it's possible to compare usability across different
industries where the functional and compliance requirements (hence the
privacy requirements) are much different.  (at least they recognize
the privacy component differs, so exclude it from the CRI.)

i use a couple dozen online banking and financial services, among all
the banks, credit cards, brokerage, insurance, and retirement accounts
i've ended up with over the years due to mergers and acquisitions,
changes of employment, etc.  they have quite different qualities of
technical service, functionality, and customer service.  some of them
are so bad they're cryable, and it's almost impossible to find the
right person to talk to at the institution through the gardol shield
of customer "service" (who always asks "have you rebooted your
machine?").

for example, there was the bank where i noticed that by simply typing
a URL at a web browser you could retrieve someone else's partially
completed credit application...  i'll bet that wasn't covered in their
privacy policy! but it was like pulling teeth to get them to fix it,
until i finally faxed the bank chief counsel and president about it.

then there was the financial services company that retained your tax
returns ONLINE FOREVER, "just in case" they were needed by the IRS.
retention is also often not covered in the privacy policy.

etc. etc.

--
mark seiden, cissp, cisa
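The credit-application anecdote above describes a record that is selected by nothing but the id in the URL, with no check that the requester is the customer who started it. The following is an added illustration, not code from the post or from any bank: a constructed in-memory store of applications and sessions, the unchecked lookup beside one that binds the record to the authenticated session, and a small audit trail so a run of refused cross-customer reads is visible to whoever monitors the site. All names, ids, cookie values and records are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Application:
    app_id: str
    owner_id: str            # customer who started this application
    status: str
    fields: dict = field(default_factory=dict)


# Constructed sample data: two customers' partially completed credit applications.
APPLICATIONS = {
    "1001": Application("1001", "cust-alice", "partial", {"ssn_last4": "1234"}),
    "1002": Application("1002", "cust-bob", "partial", {"ssn_last4": "9876"}),
}

# Constructed session table: session cookie value -> authenticated customer id.
SESSIONS = {"sess-alice": "cust-alice", "sess-bob": "cust-bob"}

# Audit trail of reads refused because the record belongs to another customer.
DENIALS: list[tuple[str, str]] = []


class NotFound(Exception):
    pass


class Unauthenticated(Exception):
    pass


def get_application_vulnerable(app_id: str) -> Application:
    """The flaw: the id from the URL is the only thing that selects the record,
    so whoever requests /applications/1002 reads Bob's application."""
    try:
        return APPLICATIONS[app_id]
    except KeyError:
        raise NotFound(app_id) from None


def get_application_checked(session_cookie: Optional[str], app_id: str) -> Application:
    """The fix: identify the caller from the session first, then require that
    the record belongs to that caller.  A non-owner gets the same NotFound as
    a missing id, so the response does not reveal which ids exist."""
    customer = SESSIONS.get(session_cookie or "")
    if customer is None:
        raise Unauthenticated()
    app = APPLICATIONS.get(app_id)
    if app is None:
        raise NotFound(app_id)
    if app.owner_id != customer:
        DENIALS.append((session_cookie, app_id))   # keep a record for detection
        raise NotFound(app_id)
    return app


def read_outcome(session_cookie: Optional[str], app_id: str) -> str:
    """Outcome of a checked read as a short string, convenient for logs/tests."""
    try:
        return "ok:" + get_application_checked(session_cookie, app_id).owner_id
    except Unauthenticated:
        return "unauthenticated"
    except NotFound:
        return "not_found"


def enumeration_suspects(threshold: int = 3) -> set[str]:
    """Sessions refused other customers' records at least `threshold` times.
    A run of such denials from one session is what walking through ids looks
    like on the server side, and is worth an alert."""
    counts: dict[str, int] = {}
    for cookie, _ in DENIALS:
        counts[cookie] = counts.get(cookie, 0) + 1
    return {cookie for cookie, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(get_application_vulnerable("1002").owner_id)   # cust-bob, readable by anyone
    print(read_outcome("sess-alice", "1001"))            # ok:cust-alice
    print(read_outcome("sess-alice", "1002"))            # not_found
```

The ownership test belongs in the data-access layer rather than in each page handler, so a new screen that shows the same record cannot forget it; the audit trail is what turns a silent 404 into something an assessor can count.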
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/