Considerations if using Institute equipment to conduct your personal financial affairs

Here are a few points that should make you think twice before considering using Institute computing equipment as a medium over which to conduct your personal financial affairs. Many of these points are equally applicable to using public computing locations such as Internet cafés or public libraries.

System uptime

We make every effort to maintain a 24x7 working system. However, in a time of crisis this may not be possible. If your sole means of access to your bank account is through the use of Institute facilities you may suffer financial loss or legal liability if we are unable to provide service at a time when you need to make essential transactions.

Endpoint security

Banks make a big show of requiring encrypted access to their servers. This does not automatically make banking services 'secure'. The security of the endpoints is a critical factor in determining the overall security of an encrypted transaction. For example, if I can read the keystrokes of your (reusable) password as you type them, it matters not one jot how large the encryption key subsequently used to encrypt it is.

Similarly, the endpoint security of the bank servers is critical in preserving the secrecy of your financial details. Unfortunately, banks and commerce sites have been demonstrated not to be entirely competent; the Barclays incident is one example. It has been reported that poor server endpoint security at some commerce sites has allowed wholesale harvesting of customer credit card details. This sort of concern is independent of the strength of the encryption used merely to transfer those details to the intended recipient.

Bank's model of a private customer

The bank will have based its Internet banking service around a particular model of a typical private customer. It is highly probable that the model assumes that, for the most part, the customer will be using a home PC, modem and private residential phone line to access their services. You can be almost certain that the model did not assume the customer would be using public machines connected to a building-wide Ethernet network connected to a University WAN. This discrepancy makes it all the more likely that the security model used by the bank may not be completely appropriate. Cf. Endpoint security.

Compromise of your account

If your computer account is compromised, say because you accidentally left yourself logged in, then your bank account may also be compromised as a matter of course. The bank may store information (most likely in the form of browser cookies) in your computer account that would make it easier for someone else to gain access to your bank account. Cf. Endpoint security and public NT machines.

System compromise

If the system is compromised, say via an unpatched bug in a network service, then your computer account is automatically compromised. See above.

Admin privilege

The system administrators have access to everything on the system. For this reason the University has a statement of IT security privacy policy. You may not, however, be comfortable with the simple possibility that a system admin could obtain access to your personal financial details. Such activity would of course be highly unethical.

Internet Bank contract

You should check the details of any internet banking contract. Such a contract may explicitly disallow using the account from unsecured or unsecurable facilities. The Institute facilities may fall under such a definition.