Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

On Apr 14, 2014 10:11 PM, "Richard Hector" <richard@walnut.gen.nz> wrote:
> On 15/04/14 12:59, shawn wilson wrote:
> >> That statement was made in the sense that at least the bank could have
> >> issued a statement along the lines of 'you may have heard of the
> >> heartbleed bug, we can assure all of our customers that we are not
> >> affected by this bug and there is no need to panic.'
> >>
> > No, I don't want to hear from my bank unless there's a problem. If
> > everything is going OK, don't spam me. If it's not, by all means, let me
> > know. This didn't affect them so don't tell me anything.
> >
> They don't need to send an email, or anything intrusive. They just need
> to put a big notice on the login page of their internet banking site -
> along with (or instead of) all the ads they have for cheap loans or term
> deposits or whatever. It would make virtually no difference to the speed
> of logging in, and would reassure me that they take security seriously.

This is totally OT (this thread sorta has been for a while)

All banks take security seriously - if they fail audits, someone will get fired (probably a C-level someone). Past that, I can say BofA seems to spend extra effort on security for businesses and high-value customers, and Wells Fargo is probably one of the most secure financial institutions I know of (based on someone I know who Fortify for them and my mom complaining about how irritating it is to deal with them). I also know of a security company who has contracts with a financial institution. Basically they care and have tons more knowledge working on a subject than either of us have.

If a company starts posting CVEs on their home page, I'll think it kinda cool or interesting, but I'm not going to read through it or take them more seriously because of it.
