[patio11]

Banks losing $1 million to hackers are not exactly science fiction. Typical outcomes including authorities not catching the thief, insurance paying out or the bank self-insuring, reiterating NDAs to employees who became aware of the theft, and absolutely no media coverage.

[Edit to add: For avoidance of ambiguity, I'm really, really, REALLY not suggesting that "Since banks are equally insecure, bitcoins are a great idea." Of greatest interest to HN readers, if your bank has a security fumble and your account is debited $25,000 as a result of this, you will almost certainly be reimbursed for every penny of that post-haste.]

[rodgerd]

> I'm really, really, REALLY not suggesting that "Since banks are equally insecure

That's just as well, because otherwise I'd have to mock you. Banks are not equally insecure. I work for one, and we typically spend 10-20% of the cost of development for apps on security reviews and testing, and not from numptys from accounting firms, but actual, well-known, well-respected white hats who review our designs and run hacks against us.

We aren't perfect, of course. But these monkeys are barely on the same planet, never mind in the ballpark.

[lmm]

Serious question, not trying to be rude.

If banks are full of competent programmers, why are their customer-facing online banking websites so utterly, utterly terrible?

[wikwocket]

I suspect this because, every time there is competition between innovative features that are nice for users, and ensuring security/limiting exposure and attack surface, the latter concern wins with little discussion.

What I mean is, if they implement a new whiz-bang feature, the best case is that people complain a bit less. But if their new feature opens up an attack vector or social engineering opportunity, they may suffer serious financial loss and very bad press.

[lmm]

I'm not asking for whizz-bang features, just a lack of the busy, overengineered sort we tend to see.

Heck, First Direct is one of the better banks in this country, but their website popups deliberately hide browser chrome including the address bar, which is just obviously terrible for security. But that's something that must have been deliberately added.

[rodgerd]

I have had poo-flinging contests (in banking) with external "security experts" (i.e. grads with a 3 ring binder from accountancy firms) who think ripping out the chrome is a todo on the required security checklist.

[rodgerd]

Programmers don't decide the UX. And any decent-sized bank will be pulled in different directions by:

1. The standard "enterprise problems": strategic partnerships dictating toolsets and so on.

2. The standard "big company problems": many business units acting as fiefdoms who will be arguing over how much real estate they need on customer-facing channels.

3. Tensions between customers who are scared of "money" and "online" and want everything locked down vs customers who want the latest whizz-bang everything.

4. Regulations.

5. Customers spanning a range from high-value rural farmers with vast sums of agribusiness who are stranded on dialup (yes, they exist), customers who do their banking on whatever their work PC is (XP and IE6 is still a thing - out biggest surge of the day is the 9 am rush when people log in from work to do their banking), through to customers who want the latest and greatest HTML5 webbery.

Saying, "fuck it we only support WebKit and high speed internet" is not really an option.

[VengefulCynic]

http://www.codinghorror.com/blog/2006/11/this-is-what-happen...

[TimJRobinson]

Usually because they have to support IE6