by xoa 3533 days ago
Thanks for being here and your responsiveness in this thread. A small team is actually itself something of a concern for a core life financial product, but the flexibility and responsiveness is a much appreciated strength as well.

Regarding mapgrep's post, I also have one of my accounts with Bank of America, and I have used the virtual card generation feature (in BoA branding it's "SafeShop") constantly for years (and regretted it wasn't more widespread). Nevertheless your implementation looks significantly superior, and I think implementation improvements are usually far more significant in the context of a product like a credit card than "genuinely new". BoA's feature is clunky, available only through a tiny (and I mean that literally, it's a 467x300 fixed size window) Flash-based tool with a mediocre UI and poor virtual CC management. It has zero presence on mobile (despite that being the obvious way to use it, particularly combined with Touch ID), no notifications, etc. Despite that, the advantages of a fixed limit virtual CC are great enough to make it worth it, but you doing a better job (and one that folks less paranoid than me might be willing to use more often) is a very strong feature for your product in my opinion.

One thing I may have missed on your site that I'd like to see for financial interactions in general: do you cryptographically sign your email communications (or at least allow customers to have that be a preference in their accounts)? I do see you list PGP keys for people to communicate with your security team specifically as is good practice, but I'd love to see more general use of at least signing email, which could dramatically reduce the ability of spammers, phishers and other malevolent actors to spoof legitimate sources. S/MIME at least has widespread native support without anyone needing to do anything else. PGP would probably need to be a selected option as it requires the installation of additional tools, but would be a nice bonus. You could even allow the customer to supply/request you fetch their own PGP key, thus allowing email to be encrypted as well as signed. While PGP support on mobile unfortunately looks to remain poor, since you have your own app for securely communicating in that area it shouldn't be as much of a problem.

Someday hardware mediated schemes like Apple Pay or Google Wallet or whatever will hopefully make some of this redundant, but I suspect the old CC system will stick around as legacy for a long, long time, and better ways to securely make use of it will remain valuable. Best of luck to you!