US banks that can send PGP/MIME e-mail

Anonymous anonymous at
Mon Feb 25 23:10:01 CET 2013

>> Ship a device.

>Meaning what, exactly?  At first blush you seem to be trading one
>problem for another: people don't know how to use GnuPG, so ship a
>device and now they don't know how to use the device.

ING in Netherlands distributes software (windows, mac, and linux
versions) - so apparently it's easy enough for enough average Joes to
figure out how to install an app.

In the states, the trend of banks offering proprietary apps for
smartphones is snowballing.  Banks want users to take their software
so bad they're offering free miles and contests to get customers to
take the bait.  Such an app could embed an email client that does
everything the advanced users would do, and hide everything possible.
Such an app could even hide the email address, and hide the fact that
email is used at all, if they wanted.

>To a first approximation, MBAs and bean-counters divide a business's
>operations into revenue and overhead.  They'll go to great lengths to
>maximize revenue, and they'll go to great lengths to minimize

They're not good at it.

Moreover, the nerds among them are a very different variety of nerd
than that which would understand or appreciate the needs of comp
sci/math/software nerds.  This is very evident in their websites,
which only offer a point-click GUI interface with no shortage of
marketing gloss, round corners, and flashy shit that fails when using
a proper and hardened linux or unix OS with hardened browser --
ultimately insulting the intelligence of self-respecting nerds that
really just want to connect over SSH and skip the BS.

> Security doesn't directly generate revenue -- at best it indirectly
>facilitates it, but that's difficult to quantify and plug into a
>spreadsheet.  That means security gets viewed as an overhead expense:
>something to be minimized at all costs.

The cost of securing their webserver and all the flashy shit that they
compulsively upgrade on a regular basis cannot be cheap.

A bank forward-thinking enough to cater to nerds with ssh for
transactions and openpgp for statements would spend the least amount
on security, and simultaneously achieve a more secure infrastructure
than the other banks who try to keep up with the latest web animation
tricks, and all the holes that this emerging junkware continues to

>People keep on thinking in terms of "wouldn't it be nice if," but
>that's not how business thinks.  Business thinks in terms of, "what
>will maximize revenue and minimize overhead?"

Different sectors of business think differently.  Bankers fear risk
where it's small with respect to the gains, and then they take on
stupidly risky investments when it's inappropriate.  You're giving the
banksters too much credit here.  

When it comes to security, they just want to do what the next guy is
doing, and not give it another thought.

>OpenPGP users account for probably less than a thousandth of all
>computer users.  99.9% of all banking users have no real desire to see
>OpenPGP used for their statement delivery.

The average American has ~14 bank/credit card accounts.  I shit you
not.  So it's not just one account they must "go pickup" their
statement from.  You could not make a convincing claim that only 0.01%
of Americans would appreciate their statements *delivered*

Many customers cannot cope with the manual effort of downloading all
their statements, so they simply don't.  They see their balance and
send a payment, and let the statements rot online, and ultimately get
archived and cleaned off the server.

Others resort to giving all their bank usernames and passwords to a
3rd party whom they must trust, which downloads the statements for
them, and then offers yet another "pickup" service (yes, these users
must still log in to a website, but at least it's 1 site and not 14).

More information about the Gnupg-users mailing list