Fri, 05 Sep 2008
My wife and I got our tax done today. We went to a branch of one of the many well known firms specialising in tax, just like we have for the past several years. The consultant who handled our affairs was the same one who did our tax last year. He's a really nice fellow and we even got around to talking about free audio codecs like Ogg/Vorbis and FLAC.
During the consultation we were talking about an account for our daughter that is currently in my wife's name. We were not sure of the interest that had accrued in the account and the consultant suggested that we log onto our internet banking account using the consultant's computer.
Despite huge alarm bells going off in my head, neither my wife nor the tax accountant thought anything of it. I hesitated for a moment and then said "Sorry, I don't think that's a good idea. I simply don't trust a Windows machine." As an alternative, my wife used a telephone in another office to retrieve the information using the telephone banking system, and that was the end of it.
Thinking about this further I came to the conclusion that this is potentially really dangerous. If some BadPerson was able to install a keystroke logger on all the computers of all the consultants in a company like this and if accessing client internet banking accounts was common in this company, the BadPerson could potentially retrieve the user name and passwords of a huge number of the company's clients. The BadPerson would then be able to either skim or even empty all the accounts at will.
Just to be clear, the BadPerson in the above scenario would not be the tax accountant. It could possibly be a technical person within that company, or, thanks to the woeful security inadequacies of Windows, organised criminals somewhere outside Australia who are able to install the key logger via a vulnerability in Internet Explorer.
After leaving the tax accountant I explained the dangers to my wife. I strongly suggested that she never access internet banking other than from our computers at home or, when travelling together, from my computer. In particular I suggested that she stop accessing internet banking from her work machine (a managed and supposedly locked down Windows machine) and that she change the passwords on her account.
Rule number one for internet banking: never access your account from a machine you don't trust unless you immediately change the password via some other, separate, secure method. I'm actually rather surprised that the tax consultants for companies like this don't have at least a little computer security awareness training.