posted by martyb on Thursday September 29 2016, @03:26AM
from the is-it-okay-if-they-pay-me? dept.

While waiting for ten minutes on "hold" to make an appointment with my local branch of Scotiabank, I had time to read through the new "Digital Services Agreement". Most of the eighteen pages were unremarkable, but a couple of things stood out.

When you click "Accept", you are agreeing to not give your password to police if they ask!

You are responsible for maintaining the confidentiality and safekeeping of your Card, Card Number, Username, and Electronic Signature. ... These responsibilities include:

  - not voluntarily disclosing your Electronic Signature to anyone else at any time, including any family member, friend, law enforcement agency, or financial institution employee;

You're also agreeing to not use "public" wifi:

(These responsibilities include:) using your own private wireless data connection, and avoiding use of public Wi-Fi services, when you are using the Digital Services;

This of course is from a bank that still refuses to allow Uppercase letters or Special characters in a password.



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @03:34AM (#407729)

    I, Robot and Asimov's Three Laws of Robotics

  • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @04:05AM (#407734)

    If only all services carried this as a legal obligation.

    Sorry, officer, I am legally required to not unlock my phone as you have demanded.

    • (Score: 4, Insightful) by frojack (1554) on Thursday September 29 2016, @04:20AM (#407741)

      The word voluntarily was used.

      You make the cops get a warrant. Then it's no longer voluntary.

      I think everyone needs to calm down. And maybe read the whole quote before getting all excited.

      And maybe understand that upper case and special characters in a password mean diddly squat if your connection isn't secure because you logged into your bank from a coffee shop WiFi.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 5, Insightful) by pkrasimirov (3358) on Thursday September 29 2016, @07:38AM (#407776)

        What's wrong with coffee shop WiFi and SSL?

        • (Score: 2) by frojack (1554) on Thursday September 29 2016, @07:14PM (#408075)

          Ask the pimply faced kid lurking behind his laptop screen in the corner.
          He probably already knows what level of SSL your bank is using and may have already tried a downgrade attack on your phone. (How sure are you that your phone isn't still using SSL 3?)

          VPNs are actually WORSE [infosecurity-magazine.com] than most new browsers.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2) by pkrasimirov (3358) on Thursday September 29 2016, @09:21PM (#408125)

            But that is 1) bank's fault at cyber security, 2) user's fault for using the bank and 3) unrelated to the coffee shop wifi. With compromised SSL I am at risk even at home.

      • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @03:35PM (#407957)

        If you're logging into any site without TLS you're a jackass.

        • (Score: 2) by bob_super (1357) on Thursday September 29 2016, @04:53PM (#408009)

          And yet banks keep pushing people to use phone apps to do all their banking ... Who's the most irresponsible ?

          • (Score: 2) by frojack (1554) on Thursday September 29 2016, @06:45PM (#408061)

            Phone apps can be quite secure. Most of them do use TLS/SSL. Very rarely do you hear of one that is being dragged through the mud in the press for not using secure communications.

            And (contrary to popular opinion) the connection between joe user and the tower is a WHOLE LOT harder to hack than a wifi connection.

            Further, even a Stingray does not break TLS/SSL as long as the app is using it. (Which is why it was such a big deal to remove all the downgrade attacks from all the SSL libraries.)

            --
            No, you are mistaken. I've always had this sig.
            • (Score: 2) by bob_super (1357) on Thursday September 29 2016, @07:03PM (#408067)

              Sure, but it doesn't matter how good your connection is, when most phones can be completely owned, with little work, by someone using any hack published a few weeks prior, because patching is slow at best, and typically non-existent.

              The other reason I really like my BB phone is that it gets security updates. Even then, I don't consider it a safe platform for banking.

              • (Score: 2) by frojack (1554) on Thursday September 29 2016, @07:26PM (#408081)

                The actual incidents of someone's phone getting "completely owned" are vanishingly rare, in spite of the horror stories you read in the press.

                Install Warez on your phone from some gray-market app store in Singapore? Maybe. Real world? Your phone is far more likely to explode in your pocket than be owned by someone in a coffee shop.

                --
                No, you are mistaken. I've always had this sig.
                • (Score: 2) by bob_super (1357) on Thursday September 29 2016, @07:57PM (#408096)

                  The wonderful thing about the internet is that "the coffee shop" doesn't matter. Your phone is vulnerable to script kiddies scanning random IPs against old known bugs pretty much as soon as it's on...

                  • (Score: 2) by frojack (1554) on Thursday September 29 2016, @08:37PM (#408110)

                    So is every other connected device to some degree. Realistically, the risk is tiny.

                    Funny thing is, other than early versions of Windows directly to the internet, the script-kiddies are far from the most successful hackers in the world.

                    And as far as "vulnerable to kiddies the minute they are turned on", that just doesn't happen.

                    Have you actually tried to ping another phone on Cellular? Even if the owner looks up and tells you his IP and you have the same carrier connected to the same tower, you aren't going to ping it, let alone scan it.

                    You might be more at risk from the kiddies once you connect to wifi, but on cellular, not so much.

                    --
                    No, you are mistaken. I've always had this sig.
  • (Score: 1, Insightful) by Anonymous Coward on Thursday September 29 2016, @04:34AM (#407747)

    Do they have (member-owned) credit unions where you are?
    Have you investigated that?

    -- OriginalOwner_ [soylentnews.org]

  • (Score: 3, Informative) by Beige (3989) on Thursday September 29 2016, @06:12AM (#407757)

    Clearly legitimate LEOs are not going to call you and ask for login information to your bank account. They can get whatever information they need from the bank itself with a subpoena.

    • (Score: 4, Informative) by isostatic (365) on Thursday September 29 2016, @06:24AM (#407760)

      People who fall for phishing are not going to read an 18 page EULA.

      It's all about covering the bank's ass because of their inadequate security measures.

      • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @07:29AM (#407771)

        It's both.

        It's about covering the bank's ass when a customer gives his password to a phisher pretending to be law enforcement, because "legitimate LEOs are not going to call you and ask for login information to your bank account".