
Also... play this imaginary dialogue between you and a Judge:

Judge: who gave you the right to invite someone to hack a company's e-banking security process or Facebook's security processes?

You: it is my data

Judge: it is THEIR system, see you and your friend in 5-to-10 (or whatever the penalty is in whichever country)



I do not think it is that clear cut. Unless the bank assumes full responsibility for any kind of security breach, including social engineering, you need to be allowed to take care of protecting yourself (including the crucial step of testing the measures). It falls to the systems, both the banks and political/judicial, to have measures and rules in place to allow and account for that.

If they don't, I feel there's a rather lopsided situation.


How does that translate to the physical world? What happens if I pay someone to break into the bank and access my safety deposit box? What if they break into the branch manager's home to steal their key?


I’m not saying physical security is easy, but it’s better understood in general, and at the very least, it’s pretty easy to insure against. Most banks offer insurance on safety deposit boxes so if your item goes missing, you are compensated.

I was talking to a guy who provides online security services for financial institutions. I asked him what happens when someone loses money due to a hack. I found his response amusing and horrifying.

“When someone breaches your online account and steals money, if the amount is $50, the bank will restore it at their expense to keep you happy as a customer. If the amount is $50,000... well, the bank doesn’t care about having you as a customer that much.”


> When someone breaches your online account

The bank will seek to see who/what was at fault. If you handed someone your passwords etc., they carry no responsibility and kiss that 50k goodbye. Your PIN/passwords are yours and yours alone. You should protect them. At least in the UK there have been plenty of cases where people were tricked into handing over their passwords. They never got anything back from the banks.

If someone breaks in physically and steals the contents of your safety deposit box they will hunt them down. If you come forth and you say "I know who it was, I helped him/her as part of a pen-test" then you are going down with them.


And yet I get much more assistance in keeping my login secure from a two-bit social media site than I do from virtually every bank I’ve had an account with (speaking of banks in the USA).

Two factor using something like Google Authenticator? Nope.

Two factor using a less-secure text message? Rarely.

An email asking for secondary confirmation when logging in from a new device or IP address? Forget it.

A history within my account that shows all logins and login attempts, along with the request IP address and location? I wish.

I’m sure banks do stuff behind the scenes to secure my account. But it seems they could do a lot more to empower me to help in the process. I understand that it’s difficult to pin the blame on a bank for a password stolen by a virus a customer picks up that had nothing to do with them. But it seems they’d do a whole lot more to help me protect my account.

I’m generalizing, I know, but I find it comical (and frustrating) how often I see banks attempt to do things in the name of security that don’t help at all, but go a long way to destroy UX, or even decrease security.

- Prevent paste on the password field.

- Security questions, often with ridiculous questions.

- “Security” phrase and image.

- Shocking password restrictions.
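As an added illustration of the "new device or IP" confirmation and the login history the comment above asks for (example code written for this page, not code from the commenter or from any bank; the account structure, device cookie and address ranges are hypothetical):

```python
"""Minimal login-history check: record every attempt, allow known devices or
networks, and require out-of-band confirmation for anything new.
All names and sample values here are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LoginEvent:
    ip: str
    device_id: str   # hypothetical long-lived cookie bound to the browser
    success: bool


@dataclass
class Account:
    history: list = field(default_factory=list)        # shown to the user
    trusted_networks: list = field(default_factory=list)  # CIDR strings
    trusted_devices: set = field(default_factory=set)


def record_login(account, ip, device_id, success):
    """Keep every attempt, failed ones included, so the user can review them."""
    account.history.append(LoginEvent(ip, device_id, success))


def is_known_network(account, ip):
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in account.trusted_networks)


def decide(account, ip, device_id, password_ok):
    """Return 'deny' (bad password), 'allow' (trusted device or network), or
    'confirm' (correct password from a new device and network: ask the user
    to confirm by e-mail or a second factor before trusting the device)."""
    record_login(account, ip, device_id, password_ok)
    if not password_ok:
        return "deny"
    if device_id in account.trusted_devices or is_known_network(account, ip):
        return "allow"
    return "confirm"


def confirm_device(account, device_id):
    """Called once the out-of-band confirmation has succeeded."""
    account.trusted_devices.add(device_id)


def failed_attempts(account):
    return [e for e in account.history if not e.success]
```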


> - Prevent paste on the password field.

For Firefox users, I use "don't f... with paste" addon. It works like a charm.



