Rational, but unrealistic in today's threatscape. According to the Times:
"Customers using their credit or debit cards online have been advised that high street banks are likely to become increasingly reluctant to help victims of internet fraud as new rules added to the Banking Code signal less willingness to cover losses. The updated code, which covers the banks' treatment of customers, came into effect last month and states that victims of online fraud must have up-to-date antivirus and antispyware software installed, plus a personal firewall, to claim redress from their banks. If you fail to have the correct protection in place, the banks are increasingly likely to refuse any claim for a refund."
E-banking users are advised to run a firewall, antivirus software and spam and phishing protection, to visit their software vendors' sites for updates, and to check for security certificates on the E-banking pages. There's also a realistic case study describing the real-life situation: having a perimeter defense in place only decreases the risk, it doesn't eliminate it the way it's being marketed:
"Andrew Omoshebi, a design engineer from North London, had £1,500 of fraudulent transactions on his credit card recently. The 43-year-old uses his credit card only for online purchases and has all the necessary antivirus, antispyware and firewall protection installed on his computer. Even so, he was alarmed to discover three consecutive transactions on his statement that were not his."
Surprisingly, Apacs, the UK payments association, says nothing about blocking vulnerable browsers from taking part in any form of transaction at all, which is perhaps PayPal's most strategic move, far more so than its marketable but, in real-life situations, bypassed Security Key. Why doesn't having antivirus software and a firewall mean anything from a malicious attacker's perspective?
- Cross-site scripting vulnerabilities in banking sites are nothing new; in the past there were initiatives tracking such vulnerabilities and how long it took the bank to fix them. Barclays is an example, with XSS vulnerabilities left unfixed for over a year despite notification. Why aren't they taking XSS seriously in the first place? Because the people responsible for their anti-fraud activities aren't aware of how the vulnerabilities can be abused: to use the bank's own site as a redirector to malicious software, or to serve a phishing page under the bank's domain, with a legitimate SSL certificate in place. Phishers are indeed using XSS vulnerabilities to scam a bank's customers, thanks to the bank's vulnerable web applications; here's the most recent incident.
- A lot of spam and phishing emails make through antispam and antiphishing filters. What many customers aren't taught is that spam and phishing emails can become a blended threat and carry drive-by downloads that install automatically on a vulnerable machine as soon as the page is visited. Psychologically, many users are naturally curious about the return on their antispam/antiphishing product and may visit a scam page just to see whether their solution picks it up, a practice that leaves plenty of opportunities for the bad guys to take advantage of.
- In 2007 and early 2008, client-side vulnerabilities continued to dominate as the infection vector of choice, not only because of their integration into popular web malware exploitation kits, but because diversifying the set of exploits increases an attacker's chances of a successful compromise. Whereas the article suggests that users update their Microsoft software, it ignores the fact that the software on an average PC is far more diverse than IE and Microsoft Office alone; consequently, the rest of the software in use would remain unpatched.
- Keylogging for E-banking data is long dead; I cannot believe customers are still being warned about the trojan horse that would record their random number valid for a single session only. In reality, there's a specific segment of malware, banker malware, whose features, sophistication and targeted nature (in the sense of having researched the web applications of all the major banks) go way beyond simple keylogging.
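To make the first point concrete, here is an added example (not from the original post, and not code from any bank or from Apacs) showing the two abuses described above in miniature: a reflected XSS sink that echoes a search parameter straight into the page, its hardened form with output encoding, and an allow-list check for the kind of redirect parameter that turns a trusted domain into a redirector. The hostnames `evil.example` and `www.bank.example`, the payload, and the function names are constructed for illustration.

```python
import html
from typing import Optional
from urllib.parse import urlparse

# Constructed sample input: a "search" parameter as an attacker would send it.
# On a bank's domain this script would run with the bank's origin and a valid
# certificate, then bounce the victim to a phishing page.
PAYLOAD = '<script>location="http://evil.example/login"</script>'

# Assumption for the example: the bank's own host; anything else is untrusted.
ALLOWED_REDIRECT_HOSTS = {"www.bank.example"}


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: untrusted input is concatenated straight into the HTML."""
    return f"<h1>Results for: {query}</h1>"


def render_search_fixed(query: str) -> str:
    """Hardened form: HTML-encode untrusted input before it reaches the markup,
    so '<', '>', '&' and quotes become entities rather than tags/attributes."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def contains_active_content(page: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does a live <script> tag survive in the output?"""
    return "<script" in page.lower()


def safe_redirect_target(target: str) -> Optional[str]:
    """Open-redirect guard: accept only same-site relative paths or an HTTPS URL
    on an allow-listed host. Protocol-relative '//evil.example/' is rejected
    because urlparse puts 'evil.example' in netloc, not in path."""
    parsed = urlparse(target)
    is_relative_path = (
        not parsed.scheme
        and not parsed.netloc
        and target.startswith("/")
        and not target.startswith("//")
    )
    if is_relative_path:
        return target
    if parsed.scheme == "https" and parsed.netloc in ALLOWED_REDIRECT_HOSTS:
        return target
    return None  # caller should fall back to a fixed landing page


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(PAYLOAD))
    print("fixed:     ", render_search_fixed(PAYLOAD))
    for candidate in ("/accounts/summary", "//evil.example/", "http://evil.example/login"):
        print(candidate, "->", safe_redirect_target(candidate))
```

The point of the check is the one the post makes about trust: a browser, and a customer, will trust anything that arrives under the bank's hostname and certificate, so the bank has to refuse to echo or forward anything it did not generate itself, regardless of what the customer runs on the desktop.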
Perimeter defense is marketable, yet irrelevant from the perspective of an attacker who, for instance, makes sure his malware gets past the most popular firewalls before releasing it. Would you be so naive as to do E-banking from the local Internet cafe? Just as you wouldn't do that, you also wouldn't want your PC to turn into an Internet cafe machine, where everyone does pretty much whatever they want and then leaves. Emphasize protecting against client-side vulnerabilities by using handy tools such as Secunia's Personal Software Inspector, and sacrifice some of your E-banking mobility by not doing it on every PC with an Internet connection you come across; otherwise you'll end up crying while claiming fraudulent activity on your bank account.