More Evidence:  Keep Your Banking and Finances Away From The Internet!

December 12, 1995, from Clifford L. Brody, in Washington, D.C...

Less than two months ago, I posted a short advisory notice on CompuServe, questioning whether
consumers and businesses could safely use the Internet for banking.  I said at the time that if they
did do their banking on the Internet, they would run a major risk that their account information --
and money -- could fall into the wrong hands.  

I then advised bank customers to avoid the Internet entirely for home banking, and instead use on-
line banking services that bypassed the Internet completely, which most home banking systems
already do.

Almost a thousand people have pulled down that notice to read it.  Over 100,000 more received
the more thorough analysis about Internet home banking that I authored for the November 1
"American Banker", the daily banking industry newspaper.  I pulled no punches there, either,
reiterating instead that the Internet was neither safe for home banking nor cost effective for
servicing bank customers.

Several Internet security experts and the few banks actually planning or offering Internet home
banking disagreed strongly.  They held out despite the growing number of newspaper, TV, and
National Public Radio reports in November and early December about the breakdown of Internet
security systems, and the growing potential for terrible new computer viruses following Internet-
based data right into your home computer.

Now, there is more evidence -- ominous evidence -- that I am correct, and that you must keep
your banking off the Internet.

On December 11, 1995, citing careful research by industry experts, the New York Times
confirmed in a front page article that the highly-touted "public key encryption" system, the most
widely advertised security system supposedly making the Internet safe for banking, is really not
very safe at all.  It apparently can be broken open by anyone bright and motivated enough to do it,
with just one personal computer.

For that matter, the new JAVA programming language, widely heralded for making it easier to
use the Internet for superb research, impressive on-line window shopping, and other genuinely
worthwhile personal reasons, could also make Internet-based home banking even more
dangerous.  On-line muggers might use this special Internet programming to plant a small "applet"
right inside your personal computer, gather up your private financial data, and use it later on to
invade any supposedly secure Interent site -- including your Internet bank account.  

The result? If someone does what the New York Times now says is indeed possible, the same
public-key encryption now used by Internet-based banks will allow any on-line thief to clone your
computer, raid your bank account, and hide the fact until it is too late for you to do much about it. 

There will be no trail for you or the authorities to follow.  There will be no electronic, paper or
voice evidence showing that anyone other than you yourself signed on to your own bank account
from your own computer and spent your own money.   Even though you didn't.

You would not have access to any of your money.  Your credit rating could suffer dramatically --
and very swiftly.  You would not even have much protection under federal or state law.  Instead
of the federally-mandated rules that limit credit card losses to $50 in most cases, you would be
totally on your own to prove to the bank and to law enforcement agencies alike that a thief from
you-don't-know-where used a computer from a place you don't know, mimicked you at your
computer keyboard, and took your money.

Can you protect yourself against this?  Yes indeed, and it is very easy to do.  

As I said last October, if you want to do your banking on-line, you can and you should.  For your
own protection and peace-of-mind, though, find out BEFORE you sign on whether the home
banking service you plan to use offers a secure dial-up connection, or whether any part of it is
Internet based.  

Just by asking, you can get the answers you need from the very bank offering the service.  If you
are not sure what the answer means, you can send it to me via email (on the Internet:
73513.2625@compuserve.com, or on CompuServe itself: 73513,2625) and I'll tell you what I
believe.

Whatever else you do, choose a home banking service only from banks wise enough to stay away
from the Internet and offer their home banking through secure "dial-up" access.  

Major banks, like Citibank and several of its regional competitors, are already offering secure,
dial-up home banking with reduced monthly service charges and lower "per check" fees for using
electronic payment instead of paper checks.  

Yet other banks offer secure dial-up home banking through Intuit's Quicken and Checkfree,
through the Microsoft Network, soon through America Online, and -- hopefully some day --
through CompuServe itself.  

You will pay no more, and perhaps much less, in bank service charges.  A few even offer a
complete home banking package for free.  Check the fees carefully, though, since they vary
greatly from bank to bank and service to service.

What should you do about Internet-based banking and transactions if you are a business that
wants the consumer to make "on-line" purchases from your "on-line" store?

Perhaps some people will indeed make the occasional one-time purchase through the Internet,
despite the risks.  However, I believe it is a fundamental strategic mistake to gear your company's
Internet-based marketing or on-line selling either to Internet banking or even to Internet
cybercash.  

Why?  As sure as the sun rises in the morning, more and more instances of on-line diversion of
cybercash and on-line bank theft will become public.  Equally as certain, the very upscale
consumers attracted to on-line banking in the first place will become very smart, very fast about
whether your on-line store is handling their credit cards, bank information, or cybercash carefully.  

They'll avoid like the plague any on-line shopping that forces them to put their finances onto a
public system.  Instead, they will opt for on-line stores explicitly confirming that transaction
information furnished by the customer at the moment of purchase is being handled securely -- off
the Internet. 

Can this be done?  We are no more than a year away from technology that will allow it, in ways
that will appear transparent and seamless to the customer.  Even now, if you want to sell on-line
through the Internet and still give your customer complete security, you can use discreet
(separate) payment methods that consumers already like and use every day, and that still offer
your company complete flexibility to shift more and more commerce to the Internet.  

Better still, they offer your company an exceptional marketing boost, by confirming to your
upscale, Internet-oriented customers how much you care about the security and privacy of their
cash, credit cards and bank accounts.

Demographics show that nothing less will do -- or do more to cement customer loyalty.  

-------

Copyright 1995, Clifford Brody, with attribution, may be copied and distributed freely. 
tel: 202-337-4006; fax: 202-337-4010
Internet: 73513.2625@compuserve.com
CompuServe: 73513,2625
