by rodgerd 4606 days ago
> I'm really, really, REALLY not suggesting that "Since banks are equally insecure

That's just as well, because otherwise I'd have to mock you. Banks are not equally insecure. I work for one, and we typically spend 10-20% of the cost of development for apps on security reviews and testing, and not from numptys from accounting firms, but actual, well-known, well-respected white hats who review our designs and run hacks against us.

We aren't perfect, of course. But these monkeys are barely on the same planet, never mind in the ballpark.


Serious question, not trying to be rude.

If banks are full of competent programmers, why are their customer-facing online banking websites so utterly, utterly terrible?

I suspect this because, every time there is competition between innovative features that are nice for users, and ensuring security/limiting exposure and attack surface, the latter concern wins with little discussion.

What I mean is, if they implement a new whiz-bang feature, the best case is that people complain a bit less. But if their new feature opens up an attack vector or social engineering opportunity, they may suffer serious financial loss and very bad press.

I'm not asking for whizz-bang features, just a lack of the busy, overengineered sort we tend to see.

Heck, First Direct is one of the better banks in this country, but their website popups deliberately hide browser chrome including the address bar, which is just obviously terrible for security. But that's something that must have been deliberately added.

I have had poo-flinging contests (in banking) with external "security experts" (i.e. grads with a 3 ring binder from accountancy firms) who think ripping out the chrome is a to-do on the required security checklist.

Programmers don't decide the UX. And any decent-sized bank will be pulled in different directions by:

1. The standard "enterprise problems": strategic partnerships dictating toolsets and so on.

2. The standard "big company problems": many business units acting as fiefdoms who will be arguing over how much real estate they need on customer-facing channels.

3. Tensions between customers who are scared of "money" and "online" and want everything locked down vs customers who want the latest whizz-bang everything.

4. Regulations.

5. Customers spanning a range from high-value rural farmers with vast sums of agribusiness who are stranded on dialup (yes, they exist), customers who do their banking on whatever their work PC is (XP and IE6 is still a thing - our biggest surge of the day is the 9 am rush when people log in from work to do their banking), through to customers who want the latest and greatest HTML5 webbery.

Saying, "fuck it we only support WebKit and high speed internet" is not really an option.

Usually because they have to support IE6