Thursday, May 18, 2006

Showing up for war in your pajamas

A friend of mine had a terrible experience recently. Her Windows computer was compromised, and a lot of her financial information was stolen. She got to know of it only when the system administrator at the Computer Science department asked her about suspicious activity on her university account. Then she found out that her machine had been compromised.

She had a lot of financial information on the computer, and with the threat of identity fraud, she was forced to cancel all her credit cards and change all her passwords. Even though no financial damage has been done so far, she now doesn't know whether her SSN is out there or not. Even if she used Firefox for financial transactions, her browser cache could still have held sensitive data.
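The cache exposure mentioned above is something the financial site itself can prevent: a response carrying account data should tell the browser not to store it at all. The check below is an added example, not code from the original post; it inspects a response's headers for the directives that keep a page out of the disk cache, and the two header sets it runs against are constructed, hypothetical examples rather than captures from any real site.

```python
"""Check whether an HTTP response carrying sensitive data may be kept
in a browser or proxy cache.  Added example; the header values at the
bottom are constructed, not captured from any real website."""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the problems that would let a cache keep a copy of a
    sensitive response on disk.  An empty list means the response is
    marked non-storable, which is what a banking or brokerage page wants."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store; response may be written to disk cache")
    if "public" in cc:
        findings.append("Cache-Control: public allows shared caches to keep the response")
    if "max-age" in cc and cc["max-age"] not in ("", "0"):
        findings.append(f"max-age={cc['max-age']} keeps the response fresh in cache")
    if "expires" in lowered and "no-store" not in cc:
        findings.append("Expires header set without no-store")
    # HTTP/1.0 caches ignore Cache-Control; Pragma: no-cache is the fallback for them
    if "no-store" not in cc and lowered.get("pragma", "").lower() != "no-cache":
        findings.append("No Pragma: no-cache fallback for HTTP/1.0 caches")
    return findings


# Constructed sample headers (hypothetical) for a page showing an account statement
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "public, max-age=3600",
    "Expires": "Thu, 18 May 2006 13:00:00 GMT",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, cache_findings(hdrs) or ["ok: response will not be stored"])
```

`no-store` is the directive that matters for a page containing account numbers or statements; `no-cache` on its own only forces revalidation and still lets the browser write the body to disk, which is exactly what leaves sensitive data behind after the session ends.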

Fraud prevention websites always say, "Keep your computer secure." This person was a Computer Science grad student, and quite smart. Despite her best efforts to keep her machine secure, it was compromised.

Contrast this with silly, stupid financial websites that only work in Internet Explorer. In essence, HDFC Securities and Geojit are saying: we want you to run a browser that only works on software whose security is a joke. Oh, and by the way, do large transactions with this insecure browser, OK? Every time I have to interact with their support staff, I have to search for words that will express my level of frustration with this stupid requirement.

Microsoft's Internet Explorer 6 is a five-year-old browser (released in 2001) with a known track record of abysmal security. Any financial company recommending it is seriously demented. Firefox also has its problems, but they are far smaller than Internet Explorer's, even though the raw bug counts might be the same. The issue is not the quantity of bugs but their severity. Combine that with financial websites requiring Internet Explorer. Using Internet Explorer for financial websites is like showing up for war in your pajamas. (I coined that, so give me credit when you say this, OK?)

If your bank, mutual fund, or stock broker requires you to use Internet Explorer, you should complain. Internet Explorer has holes severe enough for security experts to scream and shout about. The financial companies (HDFC, Geojit, and many others) are deliberately forcing their customers to use an inferior and unsafe product. It is our financial security that is at risk, not theirs.

Within hours of using the Geojit online trading system, my girlfriend and I found a gaping hole in their security. I have been told it has been fixed, but the relative ease with which we found one makes me jittery about using their website. (Both my girlfriend and I are relative nobodies, not security experts.) In any case, their website is nearly unusable, even in Microsoft Internet Explorer.

Security by unusability.