08
Jun 11

Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security

facebooktwittergoogle_plusredditpinterestlinkedinmail

A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People’s United Bank. Pacto used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.

Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Pacto’s motion for summary judgment and granting the bank’s motion.

David Navetta, a founding partner of the Information Law Group, said that Patco has about another week to dispute the magistrate’s recommendations, but that it is unlikely that the judge overseeing the case will overturn the magistrate’s findings.

Navetta said the magistrate considered the legal issues and propounded an analysis of what constitutes “commercially reasonable” security.

“Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability,” Navetta said. “The court explicitly recognizes this concept, and I think that is a good thing.”

But Avivah Litan, a fraud and bank security analyst at Gartner, took strong exception to the way the magistrate arrived at the recommended decision, calling it “an outrage.”

“In my opinion, this is frankly an egregious injustice against small U.S. businesses,” Litan said. “It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century.”

The Technology

Ocean Bank relied on service provider Jack Henry to process bank-to-bank transfers, and it selected an authentication process that required customers to log in with a company ID, user ID and password. Customers also were asked to provide answers to three “challenge questions” that would be asked if the system scored a transaction as “high risk.”

The Jack Henry product came with a risk scoring system developed by RSA‘s Cyota, which rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site. Challenge questions were prompted when the risk score for a transaction exceeded 750 on a scale of zero to 1,000 (RSA considers transactions generating risk scores in excess of 750 to be high-risk). Ocean bank also kept track of customer “device IDs,” an amalgamation of attributes from the customer’s PC that could be used to create a unique fingerprint for that machine.

Until 2008, Ocean Bank set its dollar amount threshold — transfer amounts that would automatically require the answer to a challenge questions regardless of the Cyota fraud score — at $100,000. But in July 2008, the bank lowered that threshold to $1. The bank told the court that it did so to enhance security following ACH fraud at the bank that targeted low-dollar amount transactions. After the change, customers were forced to answer a challenge question whenever they used the bank’s system.

The Analysis

Patco’s security expert, Sari Green of Portland, Me. based Sage Data Security, told the court that by setting challenge questions to be asked on every transaction, the bank greatly increased the risk that a fraudster equipped with a banking Trojan would be able to compromise the answers to a customer’s challenge questions. Patco also argued that because the questions were triggered on every transaction regardless of the scoring of the transaction, that system did not provide any additional security.

Navetta said the magistrate considered the question of whether Ocean Bank’s security was sufficient. The magistrate analyzed whether the bank’s security satisfied “multi-factor authentication” guidelines by incorporating at least two of three checks: Something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token); and something the user is, such as a biometric identifier. (Those guidelines were established in 2005 by banking regulators at the Federal Financial Institutions Examination Council (FFIEC).

Navetta said the magistrate accepted the bank’s argument that the password-based scheme used by the bank was multi-factor as described in the FFIEC. “To some degree the court acknowledged that the bank’s security could have been better,” Navetta said. “Even so, it was technically multi-factor as described in the FFIEC guidance in the court’s opinion, and ‘the best’ was not necessary.”

The magistrate wrote that while the guidelines say two out of three of those factors should be incorporated, it says nothing about how banks must respond when one of those factors detects an anomaly. More importantly, the magistrate accepted the bank’s assertion that a device ID satisfied the “something the user has” requirement.

The magistrate was unswayed by evidence presented by Patco’s lawyers that modern malware threats like ZeuS can modify content in the victim’s browser (and thus prompt users for the answers to all of their secret questions). ZeuS also allows attackers to tunnel their communications through a victim’s own PC and browser, an attack method that can negate the value of a device ID as a second factor. Navetta said Patco’s main theory concerning the weakness of the bank’s security was that the lower dollar threshold set by the bank made customers easier prey for predators like the ZeuS Trojan, but that the magistrate was unconvinced by that argument because Patco did not have actual forensic evidence that a keystroke logger was the culprit. The magistrate said Patco erred by “having irreparably altered the evidence on its hard drives by running scans on its computers and continuing to use them prior to making proper forensic copies.”

Avivah Litan said the methods used by Jack Henry to support Ocean Bank were not appropriate to the risks associated with online business banking in 2009.

“Zeus, browser-based Trojans and other modern-day threats are known by anyone following online banking security to circumvent all the methods that were being used at the time by the bank and its processor,” Litan said. “Unfortunately, the 2005 FFIEC guidance referred to examples of relatively crude online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques.”

The FFIEC was on the verge of releasing updated guidance at the end of last year to clarify the new and stronger types of multi-layered defenses required in 2011.  Litan said those updates were expected to explain that the examples of strong online banking security measures which they listed in 2005 have been rendered useless and obsolete by next-generation cybercrime techniques.

“It’s truly disappointing that the much-needed update was never issued, no doubt because of internal politics and disagreements among the regulatory agencies,” she said. “The regulators should not leave these matters in judges’ hands to decide and should protect U.S. businesses from bank shortcomings that compromise the safety and security of their accounts,  just as consumers are protected under Regulation E. In my opinion, this judge did not correctly interpret the 2005 FFIEC authentication guidance.”

Patco co-owner Mark Patterson said the company hasn’t yet decided whether to appeal.

“The one thing the judge mentioned in his decision is that there is basically zero case law on [question of what constitutes reasonable security] for the banks,” Patterson said. “Not anymore. That’s why we’re concerned this could have national implications. Tons of small businesses continue to be at a huge risk for this type of thing happening to them.”

The magistrate’s recommendations are by no means a done deal, even if the district court adopts them. The decision could be appealed, possibly all the way to the US Supreme Court. Interested parties could present further legal argument by filing amicus curiae (friend of the court) briefs at any time during the appeal process.

A copy of the recommended decision is available here (PDF).

KrebsOnSecurity will continue to follow this case and to bring you updates on new developments as they happen. Stay tuned.

Tags: , , , , , , , , , , ,

126 comments

  1. The one thing I have observed not in discussion here is that what are the smaller firms do that do not have sufficient IT training on hand such as small medical and law offices as well as hundreds of other sorts of firms? Most people in these firms have enough difficulty keeping up with their professions, never mind learning the computer skills required to lock down their machines or even keep them updated with the almost continuous updates we see falling from the sky lately.

    Most people I know treat their computers as if they were toasters or coffee makers and simply do not have the time, intellect or skills to affect their own security.

    It must be the banking industry that has the onus to secure and track their customer’s usual activities and take the proscribed measures sufficient to secure their client’s funds. Additionally, most banks seem to now almost require on-line banking or pay higher fees (to reduce paper usage is the usual excuse given).

    There will come a time when on-line banking will probably become so insecure for most that it will ground to a halt. Altering the laws improving security requirements will have no affect.

    Most operating systems I have installed interface with the internet even before installation is complete and have immediate exposure to a great number of ports that are not monitored by the system protections available or installed up to that point. That is just the way it is.

    • “Most operating systems I have installed interface with the internet even before installation is complete and have immediate exposure to a great number of ports that are not monitored by the system protections available or installed up to that point. That is just the way it is.”

      It’s always been my habit to install fresh operating systems on a machine that is not connected to the internet. Then install all the security software BEFORE the machine is physically connected to any network of any kind. I’m a little mystified why this doesn’t seem to be standard operating procedure.

      And, just because people want to think of their computers as being just like a toaster or a coffee maker, shouldn’t they get a clue at some point? If anyone tried to excuse themselves from bashing in the neighbor’s mailbox while backing out of their driveway by saying, “oh, I thought this gas powered vehicle was just like a wheelbarrow”, wouldn’t most people think they were a little nuts? And financially liable for the damage to boot? Or, maybe to make the analogy a little more appropriate, wouldn’t someone who bashed in their own mailbox feel a little stupid trying to explain that they thought a car was just like a wheelbarrow?

      I’m not trying to mean or superior, but what I think we’re seeing is the consequences of having a society in which people have come to expect that the world will be guaranteed safe for them. Expecting that someone else to save you from every danger, and believing that it’s their fault if something bad happens to you just opens the floodgates to a society of really stupid and helpless people. That is apparently what we have, to a very large and alarming extent. I just can’t see my way to saying that this is right and good. And I don’t believe it has always been this bad. There was a time when Americans expected and were expected to take care of themselves and their property, and they did – admirably well.

      Ok. rant off.

      • sadly, that is the way things have gone. people do expect the world to be made safe for them and get seriously offended when they get that rude wake up call. i appreciate what you’re saying, but mikep is correct. people not only don’t know how their computers work, they don’t care just as long as they do.

      • John David Galt

        Several problems with this viewpoint.

        1) What do we pay banks for if it isn’t to keep our money safe? If they aren’t any safer than keeping it under the mattress, we all should just do that.

        2) Banks have a license to (effectively) print money out of thin air at will, up to a limit set by the Fed. So it’s not too much to ask that they bear the loss if they foul up.

        3) The bank is in a position to improve the security around our money while they’ve got it. We are not. Therefore, it’s just common sense that they bear strict liability.

        The fact that they don’t already bear that strict liability is tantamount to proof that they’ve bought Congress. Let the investigation start at once and spare no one.

    • SSmall biz solution is very simple and free — boot a LiveCD that cannot access the harddrive (where malware resides) each time you want to bank online. US Air Force provides a free, award winning one called LPS. Download at spi.dod.mil

  2. Every company in USA, and I would not be surprised if the world, has an annual visit by outside accounting auditors, to check all kinds of things, some mandated by government regulations, some additions by request of top management. Some management requests more frequent visits by auditors.

    It might make sense to lobby the accounting auditor profession, in their annual reports to give some lip service to cyber security and other security associated with the company’s bank accounts. Did this audit check on risks, find any. What are industry standard risks which are commonly taken by most companies, and does this one also take some of those standard risks?

    • @Al Mac

      “It might make sense to lobby the accounting auditor profession, in their annual reports to give some lip service to cyber security and other security associated with the company’s bank accounts.”

      And here you have the starting point of solutions that have always worked. Not reliance on government and laws to work, but in the concerted efforts of private individuals to solve problems common to all.

      I think this is an excellent idea, and the auditors are in a good position to see in detail all of the problems on all of the sides, in real time. They may not have the perfect view or propose the perfect solutions, but they’re a lot closer to reality on the ground than government and laws will ever be.

      The problem, as you implicitly point out, is that the auditors currently know far more about the banks’ problems and relatively little about the customers’ problems. The solution will necessarily be to make them aware and responsive to customers’ problems. There’s no guarantee that this can be done and will happen, but it’s a lot more promising avenue of pursuit than petitioning the government.

      • Auditors serve clients which have an infinity of different combinations of computer hardware OS software packages, human interactions, but all the clients need to avoid drowning in the same sea of risks and governance mandates.

        Accounting auditor firms should know what risks are being faced by their clients, irrespective of whether their clients are doing a good enough job to deal with them, from the start of annual audit:
        • What government and industry mandates cover this client, due to nature of corporation and industry they operate in?
        • Other than us, what other kinds of audits does this place have? (Government, Industry, Customers, Insurance. Legal troubles)
        • Does this place have more money in one bank than FDIC insures?
        • Is this place banking with a bank on the FDIC endangered list?
        • What kind of data does this place have, which could be a nightmare if breached? (Identity Theft vs. Payroll or Health Insurance) (Cyber Bank Robbery) (Web site hijacked by spammers or worse) (malware in general)
        • Has this place had any kind of cyber security audit? How did the results compare to industry standard averages? Is the client better or worse off than the norm?
        • Has this place ever had any kind of software audit, to check on risks of embezzlement, bugs, decisions based on distorted data?
        • Is this place up-to-date on standard cyber-security, and security patches?
        • Are there tools available for this client’s OS and main software packages, to catch bad data, flaws, unwise combinations of settings? Has this client installed any, using them wisely?
        • From list of vendors this place has paid, sort their geography where they doing business, look up state records on companies registered to do business there, identify any vendors NOT registered in those states, investigate some – they could be crooked.

        One person, with the auditor team, ought to be able to answer many of the above very rapidly, by talking to a few people, and by using some standard tools, most of which do not need to connect to the Internet.

        The auditors could ask both to see what contracts the client has with their banks, and get something in writing from the client authorizing them to see the bank’s version of this. This is because several court cases have found severe discrepancies between what client and bank thought the agreements were.

        Similarly with general insurance against risks, to determine if the client is under-insured for risks it is found to be engaged in.

        The audit report could say:
        We looked at the PC(s) of the person(s) who do most of the company banking (payroll, payables, billing), used standard freely available PC security tools, and found the following problems: (list them)
        We brought these to the attention of those person(s), the manager(s) they report to, and the IT staff. Here is what (if anything) resulted from our heads-up, during the few days we were on-site for the annual audit.

        Be aware, that should you suffer a Cyber Bank Robbery, your Bank may not be able to recovery most of your losses, and the US Court System will probably rule against you, if you sue your Bank. Here are some recent court rulings, to illustrate vulnerability of other companies whose security against this kind of thing was about the same as yours.

        This accounting auditor action, like cyber security audit state-of-art, cannot be expected to exhaustively find everything that needs repairing. But it can determine if the client has serious unsolved risks.

        • I don’t believe private organizations have any obligation to hire an external auditor for any purpose, and only larger private organizations actually do. Even when they do, I suspect it’s more often some sort of financial audit where the scope is really quite narrow. I know the smaller company I worked for (60 million/yr revenue) hired a financial auditor for year-end and pretty much told them what to do. We hired them to perform a particular accounting related service, not assess our security.

          In my experience, larger organizations (where I work now), are usually far more worried about what an internal auditor or gov’t auditors will say than some [well paid] 3rd party auditor. Think Enron, without any of the legal complications (e.g. hey 3rd party auditor, don’t even try to hand me some report that says to use 2 factor authentication when my customers don’t want it and the law doesn’t require it). And that brings me to my main point…

          I would argue that most of an organizations customers are completely ignorant of these threats. They don’t want better security and may even be openly opposed to any changes that make access more difficult (at least until something bad happens). If the company does not have a legal/regulatory obligation to have something like 2 factor auth, and in fact might lose customers as a result of having it…why would they implement it?

          • @Matt

            “If the company does not have a legal/regulatory obligation to have something like 2 factor auth, and in fact might lose customers as a result of having it…why would they implement it?”

            The simple answer is that they wouldn’t have to, and probably only would do it if they were motivated to do the right thing as a matter of principle. This is a problem in our current financial environment, that doing the right thing is a meaningless gesture in our current culture of making money.

            Personally, I don’t do business with financial institutions that have no interest in doing the right thing. Right now at least, I’m just a consumer and have lots of choices that are satisfactory, but I don’t know how one’s choices are limited as you work your way up in organizational size. Still, I suspect the choices are there if you look for them. My credit union, for example, handles finances for some fairly large though local businesses.

            And perhaps you are correct that the kind of 3rd party auditors we were talking about earlier don’t really exist right now. But if more people were pickier about where they did their financial business, the more financial institutions might feel the need for 3rd party auditors such as these. To attract and keep customers, if for no other reason. This sort of arrangement has historically been needed in the past, trade associations coming to mind first, and maybe we need it now.

        • FYI, all of the major Auditors explcitly offer this service. It is up to the Management to decide to purchase it.

          All of the Big 4 offer services thst cover both a general audit as well as Pen Testing with products like Zeus. For the Auditor to put their name on the line, more analysis and investigation is required than to “ask a few questions”.

          But these services cost money.

  3. Bottom line here is that the business needs to ensure that they are protected against ACH fraud. Here are some suggestions.
    1) Demand that the bank have an out-of-band authenication process in place with you.
    2) Set specific limits in the ACH agreement with the bank. If your payrole runs once every two weeks and the amount is alway under a specified amount make sure that is in the agreement. Set the schedule in the agreement.
    3) Have insurance coverage to protect against fraud.
    4) Incorporate IDS/IPS systems and firewalls in your network and keep the software updated with all the correct patches applied. Rootkits with key loggers can be detected here.
    5) Have virus walls in place, and anti-virus on the workstations.
    6) Do proper due diligency on the bank. Some bankers will protect their customers from fraud, others do not care. Ask to look at the banks NACHA rule compliance audit.
    7) Have proper internal controls in place, seperation of duties, verifications and monitoring. Proper logging and monitoring would of caught the first fraudulate transaction.
    8) If you cannot afford some of the suggestions hand carry your ACH to the bank and disconnect the workstation used for ACH format from the internet.

  4. I realise I’m potentially putting myself in hot water here as a furriner coming in and criticising US banks, but I’m continually astounded at the genuinely Mickey-Mouse “security” that the majority of US banks seem to use for online banking. In Europe it’s pretty much unheard of for a bank not to use TANs (per-transaction PINs, and these are regarded as low-security), SMS-based out-of-band auth, smart card readers, challenge-response tokens, USB-based displays with transaction verification, biometric auth tokens, and so on. These are given out free to home users, while in the US even large-scale business users have to make do with Mickey-Mouse methods that any non-US bank would be too embarrassed to ever use. Why are US banks so bad with this? Is there some cultural difference? I don’t think it’s legislative, because European banking-regulation legislation is pretty much the same as in the US, in fact Reg.E/Reg.Z lead the world in consumer protection.

    • @Dave: “I realise I’m potentially putting myself in hot water here as a furriner coming in and criticising US banks,”

      If somebody here disputes your standing to expose Truth, they are part of the problem. Facts and correct reasoning do not require agreement from the banking-herd.

      “Why are US banks so bad with this? Is there some cultural difference? I don’t think it’s legislative, because European banking-regulation legislation is pretty much the same as in the US, in fact Reg.E/Reg.Z lead the world in consumer protection.”

      Inferring motive from actions is always tricky. However, I have done some cryptographic consulting for a big New York bankers-bank, who did in fact evaluate their security according to their court losses. My interpretation is that something unique about US law allows banks to risk customer funds without significant liability.

      When banks lose in court, they may seek to improve security, but that is difficult, expensive and cannot be guaranteed. So it may be that banks are more likely to seek government regulations and standards which provide predictable legal cover. Simply by doing “this, and this, and that” the bank can show they have behaved at least as well as the government standards expect.

      Of course, customers do not get boxes to check, have no legal cover, and so have no way to argue that they have behaved as well or better than the bank, given the tools they have. Too bad, customers!

  5. @Matt: “As a customer, you have lots of choices, that’s the beauty of online banking right? Here are a couple:”

    Bank of America: It’s still only optional, whereas elsewhere you can’t do banking without it (or some equivalent). Even if you choose to enable it (how many people do this?), it looks like its use is rather infrequent, “If you choose to use SafePass, some online activities will be automatically protected while some can be optionally protected. Most actions will only require that you use SafePass just a few times per month”, which implies it’s barely ever used, and certainly not to authorise each transaction.

    HSBC: That’s not a US bank :-).

    As an example of the sort of thing that’s used overseas, see e.g. http://www.theinternetpassport.com (disclaimer: I have no connection to these people, just using them as an example after seeing it demo’d for use with a Swiss bank). That’s a pretty fancy option, in my case my bank just texts me the transaction details for every transaction over a floor limit along with a crypto auth code that I then need to use to authorise that transaction. This is the default for online banking, not something that you have to optionally enable.

    • @Dave

      I showed you two examples, I’m betting there are more. I included HSBC intentionally, because they offer banking here as well (see the “us” in the provided domain name). You seem to be asserting that in Europe the MFA authentication that is so common here is not allowed. Is that true? If so, what is it that mandates something stronger?

      • @Matt:

        >You seem to be asserting that in Europe the MFA authentication that is so
        >common here is not allowed. Is that true?

        Weeelll… what’s called two-factor auth in the US is mostly just twice-as-much one-factor auth (e.g. something you know and something else you know), or as the Daily WTF puts it, “Wish-It-Was Two-Factor Auth” (see http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx). It’s not so much that Wish-It-Was Two-Factor Auth isn’t allowed in Europe, it’s that no bank would think of deploying something like that.

        (Oh, when I say “Europe” I mean “continental Europe”, UK banks are another story, they just blame the customer for any problems so there’s no need to worry much about security).

        >If so, what is it that mandates something stronger?

        I don’t think anything mandates it (well, maybe some countries have laws about it, but I’m not really aware of any… heck, some countries have laws about what days you’re allowed to mow your lawns on), but like “don’t pee in the font during a baptism” it’s just one of those things that you know not to do even if it’s not explicitly stated in any law.

  6. The solution is very simple and free — boot a LiveCD that cannot access the harddrive (where malware resides) each time you want to bank online or do any sensitive. The US Air Force provides a free, award-winning one called LPS. Download at spi.dod.mil

    • @K: “The solution is very simple and free — boot a LiveCD that cannot access the harddrive (where malware resides) each time you want to bank online or do any sensitive. The US Air Force provides a free, award-winning one called LPS.”

      I think “the solution” may be a bit much. When I tried it, I found LPS a bit rough for my taste, because it had no facility for updating the browser or add-ons. Browser updates are required to maintain a secure system, and security add-ons fill the security holes in the general browser product. These things probably are unavailable unless one can update the browser.

      For over a year now, I have been using Firefox and Puppy Linux for all my online work, and I am using them right now. There are a lot of Linux LiveCD systems around, but as far as I know Puppy Linux is the only one which supports browser customization and security updates into future sessions.

      Using Linux can be frustrating at first. Using LiveCD systems without user updates can be additionally frustrating.

      • LPS gets a Quarterly update!

        Lastest version does Sound now
        Security and Grooveshark!!

        They will even email you when updated.
        Regards
        gvnmcknz

  7. I had another idea, which may be dumber than my auditor idea.

    With the rapid reduction in the cost of PCs, cell phones, etc. and the escalating costs when something bad happens.

    A bank could offer a service “cyber insurance.” There are already several companies offering various kinds of insurance, where if you become victim of cyber theft, whether your negligence involved or not, just like a traffic accident, your auto insurance pays off unless it can be shown that you deliberately crashed your car. The bank suffers no increase in liability by offering this insurance, since the insurance company is providing the service. The bank benefits several ways … they get agent commission every time they sell a policy, and if the premiums can be tied to a percent of how much money in the bank account, maybe every time a premium is paid, the bank gets another commission, then if a customer is victimized, the bank can say “you should have had that insurance,” and thus further lower the bank’s responsibility.

  8. I had another idea, for a nitch business, to move cyber security state-of-art forwards.

    With the price of digital hardware plummeting, and the fears of cyber-theft rising, a bank could make an offer to its customers of a service, which would actually be provided by some cyber security firm it sub-contracts implementation to.

    Customers would get a BC (Bank Computer) which is to be used EXCLUSIVELY for doing business with the bank, and which is to be brought in for regular inspection and upgrading at one of the cyber security depots. If used for anything other than doing business with bank(s) specified in the contract, then there can be penalties for the customer, loss of insurance supplied by the bank.

    There are business precedents for this.

    My day job facilities received a PC for free from UPS which has World Ship installed. The only stuff we were (supposed) to add were connections to our network, so as to put info about what we shipped, out to their network. We received one such free PC at each of our facilities.

    My day job uses a lot of NC’s (network computers) in which the data is stored on the network, not on the client, so the NC’s are totally interchangeable. When one needs service, we call the depot, they send us a replacement, we hook it up & send them the busted one, using the box they sent the replacement in.

    A BC might similarly not store anything which is confidential to the customer, but would need some output device to provide customer with transaction record, in a form which could be input to customer PC.

    My Cable TV company had an upgrade. With the new box, I can no longer tape shows that arrive via cable.

    I have a water bed. The landlord dictates certain features on my renter’s liability insurance.

    I recently paid off a car loan. I now have a deductible on my auto insurance, which I could not have when the bank loan was still in effect.

  9. Keith Appleyard

    Nice try but I don’t think this is very feasible.
    In my instance, I need to receive e-mails containing my employees timesheets (30+ 0f them), then I need to cut and paste these into the Payroll software, then cut and paste the ‘net pay’ into the Banking application, then cut and paste the deductions and e-mail the employees their Payslips.
    If I had to keep moving this data between different PCs, eg via USB drive, it would be very sub-optimal use of my time.
    I also like to be able to do my ‘one-off’ Internet Banking on any other device, rather than carry my laptop around. All I need to do is carry my Chip Card Reader in my pocket (I’m on the UK Banking model).