[jacquesm]

That always was a stupid strategy. Trusting stuff on one side of the firewall just because it is on the other side is not good enough, that means that after any breach at all your whole network is wide open.

Security should be applied at the lowest possible level, just like you would in a physical installation.

It's not like when you work in a bank once you are allowed 'backstage' that that automatically gives you the right to visit the tellers cage or the vault.

[jhancock]

My bank takes a different approach, an old one, to security. Here are three things that happened to me at their main bank office over the last 6 months.

1 - I sat down with a mid-level manager asking about a debit card in my wife's name for one of my accounts. The manager pulled up my account and says "I see you were in Wilmington last week. My family is from there." And we chatted about Wilmington for a bit.

2 - I walked up to the teller desk and said "Please move $500 from account A to account B." I filled out no forms, showed no id, didn't even know the account numbers. The teller said "No problem Mr. Hancock, have a nice day."

3 - I needed to change my phone number linked to all my accounts. I walked into the teller and told her I have 5 accounts and wanted to change the phone number on all of them but didn't have my account numbers at hand. She handed me a post-it note and asked me to write down the new phone number: "No problem Mr. Hancock, we'll see it gets done."

The approach this bank takes is oriented around trust and liability, not IT security. Some may be upset that a bank manager would/could scan my transactions and openly acknowledge they see where I was last week. But I see this as openness in acknowledging that they can see the data. All banks can see this data and many credit data warehouses have this data. My bank simply doesn't pretend they can't see it.

In response to your post, jacquesm, I completely agree with your point of view from an IT perspective. However, I do not expect a bank, large or small, to get things perfect internally. So I choose to do business with one I trust to uphold their end of liability. I take this approach with most business partners, as I'm sure many do. When I buy a $50 item on ebay, I expect less of the supplier and pay accordingly.

[jacquesm]

Yes, but that works at your branch.

If you were to walk in to say the New York city branch of a major bank that you have an account with in the countryside then you'd be looking at a completely different situation.

I once borrowed E100K from my bank just on my promise that I would pay it back within 7 days. That would have been a lot harder if I had not been a very good customer of theirs for more than a decade.

But I still doubt they'd let me past the 'no customers beyond this sign', simply because they have a duty to safeguard the privacy of their other customers, even if we'd have a higher than normal level of trust between ourselves as people.

[jhancock]

Your right; that's why I don't do much business with large banks ;).

I have one account with a large bank. I have not had any problems, but I limit my transactions with them to well documented transfers and have standing orders to not allow any other type of transactions.

I have no expectation that a large bank will cover my liability better than they cover theirs. I engage with them accordingly.

[jacquesm]

The best way to spread your risk with banks is to make sure you never have more than your federally insured cap with any one bank. (that's a luxury problem though). Over that and you're up the creek without a paddle if anything should happen to that bank.

The funny thing here is that the people that the bank owes money over that amount are ruthlessly culled, but the people that owe the bank are not.

I think that should cut both ways, in other words if a bank folds then both the debts and the deposits should be capped or none. But it seems to be completely asymmetrical to keep the people that owe the bank on the hook while capping those with whom the bank is in debt.