Banking on the Internet has been around for quite some time now, with many new security features available that help protect the consumer. Although I do not agree with the ‘multiple instances of the same factor’ approach as opposed to what the FFIEC requires (multi-factor/two-factor authentication), they are moving in the right direction for the most part in this country. As an aside to this blog, the second instance of something you know and the additional data about yourself that is needed to perform an online password reset can easily be mined by enterprising young minds from your Facebook, LinkedIn and other such sites.

Volksbank CZ has been around the Czech market since 1993 and is largely owned by an Austrian banking group, with German and French concerns owning the remaining 24.5% of the company. Volksbank CZ has grown from 122 branches in 2003 to 609 as of 2008. Quite a rapid level of growth, matched by the growth from €2.5B in 2003 to €14.7B in 2008. They also employ nearly 6,000 people. At first blush, everything looks pretty solid for a full service bank.

Volksbank CZ also offers Internet banking that is ‘not just innovated look and handling … but advanced functionality and expanded setting options…’ Everything still looks good up to this point! Until we get to the technical specifications of the Internet Banking application. Many home users may not even pay attention to this page, much less go to it. But there are many telling things here that should instill significant fear, without a doubt.

First of all, the required software includes MS Windows 98 and ME (all the way up to XP) and Internet Explorer 6 or higher. Okay, so we are allowing some very obsolete software on the user side, but this is not the worst. There are configuration settings that the user must allow for within the IE browser.
These are instructions directly from the bank, and since it is the bank and they maintain my money in all their standard, conservative ways, all should be well. So here are some of the required IE configuration settings:

Download unsigned ActiveX components

In Internet Explorer, go to the Tools menu. Select: Internet options > Security. Choose the Internet icon and then click the Custom Level button. Under “Download unsigned control ActiveX controls” tick either “Enable” or “Prompt.” Click the OK button to confirm.

Is accepting an unsigned ActiveX control like taking a wooden nickel that also has a keystroke logger hidden within it?

File download

In Internet Explorer, go to the Tools menu. Select: Internet options > Security. Choose the Internet icon and then click the Custom Level button. Under “File download” tick “Enable.” Click the OK button to confirm.

What was it that Alfred E. Neuman said? What, me worry?

Java permissions

In Internet Explorer, go to the Tools menu. Select: Internet options > Security. Choose the Internet icon and then click the Custom Level button. Under “Java Permissions” select any safety level that you can see (Low Safety, Medium Safety, High Safety, or Custom).

If you select “Custom,” then you must additionally set up the following: When the “Custom” option under Java Permissions is ticked, click on the button “Java Custom Settings” that appears. Choose Edit Permissions. Under “Run Unsigned Content” select either “Run in sandbox” or “Enable.” Click the OK button to confirm.

Not much different than the ActiveX issue.

Enable Java Plug-In in Internet Explorer

In Internet Explorer, go to the Tools menu. Select: Internet options > Advanced. The item “Use Java 2 v1.3.x for ” must be marked. Click the OK button to confirm.

Another old version from 2005. All right, you get the picture.

Enable active scripting

In Internet Explorer, go to the Tools menu. Select: Internet options > Security. Choose the Internet icon and then click the Custom Level button.
Under “Active scripting” tick “Enable.” Click the OK button to confirm.

Enable scripting of Java applets

In Internet Explorer, go to the Tools menu. Select: Internet options > Security. Choose the Internet icon and then click the Custom Level button. Under “Scripting of Java applet” tick “Enable.” Click the OK button to confirm.

I don’t know ‘bout you, but I won’t be moving my dollars to this bank. The revenues at this bank should be enough to drive information security to an acceptable level of compliance. They also should have enough money to fund technology updates that keep the software from becoming obsolete. And if they want their customers’ data to be secure when stored at home, they should not allow Windows 98 or ME amongst other assorted Swiss cheese. Makes me want to check the tech specs on the banks I do use, though.

The final piece is in the area of liability. Volksbank CZ is clear in the ‘Terms of Use’ that:

The visitors to the Website understand that the Website may become partly or entirely nonfunctional. Volksbank is not liable for any damage that may be incurred in connection with using this Website.

So even if their software causes you harm, loss of identity, money to be stolen, etc., they are not liable. Sign me up now!!

Thanks to Skeptikal for the tip.
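As an added example (not part of the original post, and not the bank's code): Internet Explorer stores the five Internet-zone settings listed above as URL-action values under the `Internet Settings\Zones\3` registry key, so an exported copy of that key can be checked to see which of them a machine currently allows. The function name and the sample export are constructed for illustration.

```python
import re

# URL-action codes behind the settings named in the post (Internet zone = Zones\3).
ACTIONS = {"1004": "Download unsigned ActiveX controls", "1803": "File download",
           "1400": "Active scripting", "1402": "Scripting of Java applets",
           "1C00": "Java permissions"}
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
JAVA = {0x0: "Disable Java", 0x10000: "High safety", 0x20000: "Medium safety",
        0x30000: "Low safety", 0x800000: "Custom"}
ZONE3 = re.compile(r"^\[.*\\Internet Settings\\Zones\\3\]$", re.I)
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit_internet_zone(reg_text):
    """Return {code: (setting, state, allowed)} read from the Zones\\3 key only."""
    findings, in_zone3 = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):          # new key: track whether it is Zones\3
            in_zone3 = bool(ZONE3.match(line))
            continue
        m = DWORD.match(line)
        if not (in_zone3 and m) or m.group(1).upper() not in ACTIONS:
            continue
        code, value = m.group(1).upper(), int(m.group(2), 16)
        if code == "1C00":                # Java permissions use their own value set
            state, allowed = JAVA.get(value, hex(value)), value != 0
        else:                             # 0 = Enable, 1 = Prompt, 3 = Disable
            state, allowed = POLICY.get(value, hex(value)), value != 3
        findings[code] = (ACTIONS[code], state, allowed)
    return findings

# Constructed sample export: a browser set up the way the bank's page asks.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000001
"1803"=dword:00000000
"1400"=dword:00000000
"1402"=dword:00000000
"1C00"=dword:00030000
"1001"=dword:00000001
'''

if __name__ == "__main__":
    for code, (name, state, allowed) in sorted(audit_internet_zone(SAMPLE).items()):
        print(f"{code}  {name:36} {state:14} {'ALLOWED' if allowed else 'blocked'}")
```

Real `.reg` exports are UTF-16 encoded, so decode the file before passing its text to the function.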