I just read this Information Week article (found via Help Net Security), and I’m shocked.
At a time where banks and other institutions whom we trust with our personal and financial data should be doing all they can to ensure said information stays safe, they’re more worried about convenience and commercialism. In this case, they’re going for easy domain names and faster page response times and are dropping the encrypted/secure login pages. As the article mentions, this runs counter to what security folks keep telling the average user: look for https:// in the address bar and the little locked padlock in the status bar.
Security consultant Bruce Schneier often discusses the tradeoffs in security: convenience and cost versus the actual security gained. In this case, I think a few milliseconds of response time is tolerable in exchange for encryption. The remainder of the customer’s transactions following login is encrypted anyway, so they’re going to have the same response time issues throughout the rest of the process regardless.
Now, the next gripe from the company may be that the extra processing costs them more in terms of CPU cycles. Boo fucking hoo. Weigh that cost against the costs of identity theft, fraud, and loss of customer trust and get back to me.
Do it right, train users. That’s the only way any of these problems will ever be managed. Shortcuts don’t help anyone.
0 Comments on “Stupidity Over Security”