Working with Weboob has confirmed my suspicions that banks’ IT departments are clueless (at least the French ones).
It’s not only that they have terrible websites with snake-oil security (e.g. on-screen keypads that are easily logged, so they only inconvenience regular users).
It’s that their approach to security is from another world. When I was working for a bank client a few years ago, they forced a lot of stupid things on us in the name of security, but the solutions chosen to make things work were worse from every point of view, including actual security.
This is not a technical problem; the problem is a lack of technical people where they should be.
The cherry on the cake is BNP Paribas. They have historically been terrible at configuring their DNS server (with a tendency to return a different IP depending on the client’s, and of course those two IPs served two different versions of the site… unless one of them was out of commission).
And now, for over a year, they have been forcing SSL connections to 128-bit RC4, a known weak cipher. If you try to negotiate something stronger, the server rejects the connection!
Banks try hard to be taken seriously, and they usually are. I just can’t help laughing at them.