by staunch 4416 days ago
The bank you use is in actual control of your money. They let you access your money on their terms. They reserve the right to revoke access to your money in many circumstances. You don't get to opt out of having a bank account in modern society. You get to choose from multiple banks that act almost identically. All of them record everything you pay for. All of them store your data and make it available to thousands of employees and any two-bit hacker that ever breaches their security.

A massive increase in personal freedom and personal privacy is all it took to convince me. I doubt it's an American thing, but maybe it's an easier sell here.


> All of them record everything you pay for

Unlike bitcoin, which records all of your transactions in a globally readable log?

Bitcoin pseudonymity is weak unless you're very careful, and if people work out your wallet address(es) then you actually lose a lot of privacy.

> any two-bit hacker that ever breaches their security

The personal data is somewhat vulnerable, but the actual money is more secure. For almost everyone, the bank computer is going to be more secure than their home PC.

> The personal data is somewhat vulnerable, but the actual money is more secure.

This is very important. It is nice that a purely distributed system can essentially achieve non-reversible transaction, but that's not something that most people need. Most people need reversible transactions, where the reversibility is controlled by adaptable laws and regulations that are ultimately interpreted by other people.

Exactly.

Distance selling is very hard, as money and purchase change hands asynchronously at a distance and the purchaser can't inspect beforehand. The potential for error and fraud (on both sides!) is high, and realistically this requires the intervention of third parties to investigate and arbitrate disputes.

> Bitcoin pseudonymity is weak unless you're very careful...

Compared with banks logging it all?

> The personal data is somewhat vulnerable...

That's the valuable thing! Money is a commodity that can be replaced. You can't undo a breach of privacy.

You might get a massive increase in personal freedom and privacy from using bitcoin. But there is a difference between Pure Bitcoin, so-to-speak -- everyone is their own bank -- and a bitcoin-based service.

On Circle's website, it states: "Keeping your money safe is our top priority." That suggests Circle, too, is in actual control of your money -- like the retail bank service they aim to improve.

So how do you know the things you write -- recording transactions, storing your data, restricting access, hacker susceptibility -- won't apply here?

My point is that faced between two choices where a consumer gives someone else control of their money, the traditional system in many places is so far ahead in terms of reach, convenience and regulation compliance that a startup has a lot of work to do.

I am not aware of many "two-bit hackers" compromising bank security.

Bank security systems are designed and administered by people of the same calibre who design and administer many startups, including crypto-currency products.

Do you think that an elite hacker cadre exists and those working in corporate environments suddenly are less effective?

Nonsense.

http://articles.latimes.com/2013/jun/13/business/la-fi-mo-ba...

"Hackers allegedly targeted 15 financial institutions, including JPMorgan Chase & Co., Citigroup Inc. and E-Trade...The other compromised banks and financial services providers were Aon Hewitt, Automated Data Processing Inc., Electronic Payments Inc., Fundtech Holdings, iPayment Inc., Nordstrom Bank, PayPal, TD Ameritrade Corp., the U.S. Defense Department’s Defense Finance and Accounting Service, TIAA-CREF, USAA and Veracity Payment Solutions Inc."

They're absolute shit at security and any suggestion to the contrary is pure ignorance.

I think you need to learn to read. None of these banks were hacked as the editorial misleads. The victims were actually part of a huge phishing and identity theft campaign.

>> In a criminal complaint, authorities allege that the defendants transferred money from victims' bank accounts to pre-paid debit cards. They took the debit cards to ATMs to cash them out or used them to make purchases across the country. Much of the money that was cashed out was wired to the two leaders.

>> Some of those debit cards were secured in the names of individuals who had their identities stolen by the defendants, the complaint says. That allowed the group to file fraudulent tax returns in an attempt to obtain undeserved refunds.

Can you direct me to the part of the incident whereby the financial institution had its integrity compromised due to superior penetration techniques circumventing internal bank security measures?

The compromise came about through bank customers disclosing personal information.

This is Hacker News - not Reddit. Claiming that banking institutions, who are in direct compliance with worldwide security standards are "absolute shit at security" is just juvenile ranting.

Post genuine case studies and security insights if you have them.

> This is Hacker News - not Reddit.

In the past on HN (I've been here slightly longer than you) I doubt anyone would even consider challenging the idea that banks can't secure their users' data. It used to be a bunch of very technical people who have seen inside the various sausage factories.

The fact that you think banks being "...in direct compliance with worldwide security standards" means they are able to secure their customers' data is truly laughable. I mean that literally; if you said it to any credible security expert they would probably think it was sarcasm and laugh with you.

If you want to set a standard of proof we can actually debate this. What would it take to convince you that banks don't do a good job of protecting the privacy of their customers' data? I can generate like 3 links every 10 seconds on Google.

http://www.computerweekly.com/news/2240208933/More-than-half...

http://www.huffingtonpost.com/2013/09/20/barclays-bank-cyber...

http://www.nytimes.com/2011/06/14/technology/14security.html...

Well if you can find links to content on Google your hypothesis must be sound. Your comment is exactly the kind of elitist, generalised nonsense that should have no place on HN.

A few clarifications to help you out and keep you from ranting -

[1] Your current username has been here slightly longer than my current username. Whether one or the other of us has been here longer is unknown.

[2] If being compliant with ISO 27001 is laughable to you then I await your superior system for the baseline of Information technology; Security techniques; Information security management systems and their Requirements, accredited by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

[3] If you have empirical data to back up your assertions post it. Huffington Post articles and LA Times articles which are technically illiterate are not empirical evidence.

[4] The majority of all technical accreditation and training programs including SANS, EC-Council, CISSP, CISA et al all utilise the ISO suite as a baseline.

[5] Your entire post reads as if you hate banks, you hate 27001 and you know of better established security practices than are currently in use by the worldwide banking industry.

A few facts for consideration -

[a] Assets of the largest 1,000 banks in 2008/2009 financial year were US$96.4 trillion. 96 Trillion.

[b] The United States alone has an estimated 82,000 banking branches spread across 7085 institutions.

[c] As of Nov 2009, China's top 4 banks have in excess of 67,000 branches (ICBC:18000+, BOC:12000+, CCB:13000+, ABC:24000+) with an additional 140 smaller banks with an undetermined number of branches.

[d] Japan had 129 banks and 12,000 branches.

[e] In 2004, Germany, France, and Italy each had more than 30,000 branches—more than double the 15,000 branches in the UK.

Is your hypothesis really that banks have laughable security? Not a specific bank or a specific department of a specific bank but banks?

An industry worth 96 thousand billion dollars (96,000,000,000,000) does not know how to secure customer data?

Interesting viewpoint you have and ludicrous. It is right up there with the sort of people that say things like "I hate all wines from California" or "All Microsoft products suck."

I.e., juvenile comments submitted to HN with no regard for accuracy, clarity or discernment.

Virtually every major bank has let hackers steal their customers' data. You lose, chump, now fuck off.

> Bank security systems are designed and administered by people of the same calibre who design and administer many startups, including crypto-currency products.

Then why is it that I have frequently run across banks requiring a maximum 6- or 8-character password, and have never run across a startup -- Bitcoin or not -- with such poor security requirements?

Which banks specifically secure online data only using a 6 character password?

Most banks, if not all, have BSI ISO27001 security certification and are accredited and administered by the pinnacle companies of the security industry.

For comparison; HN has a multitude of threads listing the outrageous security practices of many crypto-currency related companies, some beyond start-up.

You seem to think banking security is simply a bunch of guys in suits having a crack with a copy of ZoneAlarm and Kaspersky. Classic them v us ideas with a touch of Dunning-Kruger thrown in.

Yes and no; while the banks have avoided widespread compromise they often have weird password requirements or ham-fisted attempts to secure users' PCs with crapware like Trusteer Rapport: http://www.pcpro.co.uk/realworld/359617/is-hsbcs-security-so...

For a while Santander's login system redirected my wife's account to a page with an expired HTTPS certificate.

Then there's fun things like playing tetris or MITM attacks on the Chip and Pin terminals: http://www.saardrimer.com/sd410/pres/showandtell08.pdf

(Obviously mtgox is worse, but my point is that banks tend to a proceduralist cargo-culty approach to security).

That is a nice link to the chip and pin compromise, although APACS did cover it.

>> We believe that the risk remains very low. [This attack] is significantly difficult to industrialise to the numbers of devices that would gain criminals the return they would expect and, therefore, not economically viable to criminals.

I am not saying banks are perfect, no organisation is, but they are certainly not just old men in conference rooms wondering what the little 1's and 0's mean. Some bank security consultants are the best penetration testers in the world.

Where did I say anything about bankers sitting around with a copy of Zone Alarm? That comes entirely from your own imagination, as did your ad hominem attack.

The only thing I mentioned was the verifiable fact that some banks limit passwords to 6-8 characters, also detailed in a multitude of HN threads.

Often the problem is legacy systems. Startups usually don't have big and old mainframes dealing with huge volumes of transactions, they can just build the authentication system from scratch or use a modern library.

A 6-character password is only insecure if you have unlimited attempts to guess it. If an attacker is blocked after something like 10 attempts, a 6-character password really provides all the security you need.
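A worked calculation of the numbers behind the last few comments (the 6- or 8-character maximums and the "blocked after 10 attempts" argument), added here as an example; it is not part of the thread and not any bank's code. The character-set sizes, the 10^9 hashes/second offline rate, and the `LoginThrottle` lockout are assumptions chosen for illustration. It shows the keyspace of each password shape, the hit probability of an online guesser who only gets ten tries per lockout, and how long the same keyspace lasts once a hash database has leaked and guesses are no longer throttled.

```python
"""Password keyspace vs. online lockout vs. offline cracking (illustrative example)."""
import hmac
import itertools
import math

# Assumed character-set sizes for illustration (not taken from the thread).
CHARSETS = {"digits": 10, "lowercase": 26, "alnum": 62, "printable": 94}


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def bits_of_entropy(length, charset_size):
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def online_success_probability(length, charset_size, attempts_per_lockout, lockouts=1):
    """Chance an online guesser hits a uniformly random password when each
    lockout window allows `attempts_per_lockout` guesses and the attacker
    survives `lockouts` such windows (e.g. a lockout that resets daily)."""
    guesses = attempts_per_lockout * lockouts
    return min(1.0, guesses / keyspace(length, charset_size))


def offline_seconds_to_exhaust(length, charset_size, hashes_per_second):
    """Worst-case time to try every password once a hash database has leaked.
    `hashes_per_second` is an assumed attacker rate (1e9 is plausible for a
    fast unsalted hash on a GPU rig; a slow KDF such as bcrypt is far lower)."""
    return keyspace(length, charset_size) / hashes_per_second


class LoginThrottle:
    """Per-account lockout: after `max_attempts` consecutive failures the
    account refuses further logins until an out-of-band reset (assumed policy)."""

    def __init__(self, max_attempts=10):
        self.max_attempts = max_attempts
        self._failures = {}

    def attempt(self, user, password, stored_password):
        if self._failures.get(user, 0) >= self.max_attempts:
            return "locked"  # refused before any comparison is made
        # compare_digest avoids a timing side channel; a real system compares a
        # salted hash rather than the plaintext, but the lockout logic is the same.
        if hmac.compare_digest(password.encode(), stored_password.encode()):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "denied"


def simulate_online_bruteforce(throttle, user, stored_password, length=6, alphabet="0123456789"):
    """Enumerate candidates in order until the throttle answers ok or locked.
    Returns (final_status, number_of_attempts_made)."""
    attempts = 0
    for candidate in itertools.product(alphabet, repeat=length):
        attempts += 1
        status = throttle.attempt(user, "".join(candidate), stored_password)
        if status in ("ok", "locked"):
            return status, attempts
    return "exhausted", attempts


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for n in (6, 8):
            print(f"{name:>9} len={n}: keyspace={keyspace(n, size):.3e} "
                  f"({bits_of_entropy(n, size):.1f} bits), "
                  f"p(online hit, 10 tries)={online_success_probability(n, size, 10):.2e}, "
                  f"offline exhaust @1e9/s={offline_seconds_to_exhaust(n, size, 1e9) / 3600:.2f} h")
    status, tries = simulate_online_bruteforce(LoginThrottle(10), "alice", "123456")
    print(f"online brute force against a 10-attempt lockout: {status} after {tries} tries")
```

Running it shows the two regimes side by side: against the throttle the digit-only brute force is refused on its eleventh call, and a 6-character alphanumeric password gives an online guesser roughly a one-in-five-billion chance per lockout window, while the same keyspace is exhausted in under a minute at the assumed offline rate and the 8-character one in a few days. The throttle is keyed per account, so the same attacker can still spend ten guesses against each of many accounts; that is why lockouts are normally paired with per-source rate limits and with slow salted hashing that makes the offline case expensive.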