Human Scoring / Recommendation

[ryankurte]

The current list is useful to those with domain knowledge. How can that be translated to be universally useful?

Ideas:

• Scoring system (like ssllabs)
• Recommendation

[nzkarit]

A+ through F.

My thoughts.

• Add a SSL Labs column for HTTPS.
  • Cap grade as SSL Labs level
  • Need to consider all the domains and sub domains they use front page, online banking etc
• No 2FA is F
• No HSTS Preload F (going to get MitM) (Preload they are a bank so should have first visit protection)
• SMS C
• Battleship C
• TOTP, RSA Token B
• U2F A
• If allow multiple TOTP or U2F (to handle the new device problem or letting the user have a backup thing) add a +
• If can full back to SMS (and can't disable) cap at C even if doing U2F
• If doesn't email or text you when 2FA, Password, email, phone, address, etc changes D. As if can change security settings without user knowing what is the point
• Backup codes not sure how to factor them in
• Min password length <10 F, as fails NZISM
• If password doesn't require three of Upper, Lower, Number, Symbol F as fails NZISM
• If max password arbitrarily short say <100 D, (OK to avoid very long ones as they basically end up DoSing the server while doing the hashing)

[ryankurte]

I like the idea of the A+ - F scheme, just have to work out how to tabulate / programmatically calculate rather than managing it manually (because wehh). Pretty much onboard with that list, and provided it's transparent we can always play with rankings later on if it needs balancing / requirements change.

Still recon the app side of it is worth a look (#2)? Seems both interesting and very time consuming :-/

Next step is probably to put together a list of steps to undertake to collect data for each bank / determine the rank, but it's going to have to wait until I have some free time again.

[nzkarit]

Yes collection of the data and automation and haven't thought of a way. Not as programmatically as say SSL Labs. Not really sure how to collect the input data automatically as every bank has a different URL, phrasing etc.

Could have a JSON that has a bank and the attributes and then just JS the JSON to calculate it? (if know JS or if me I would mostly likely get a cron job to run a python script to get the lastest data and just write a static HTML page) It calculates the letter from that data in the JSON and then as an overall shows the lowest letter? I have no HTML design skills so my thought is nested tables for GUI

-----------------------------------------
| Bank Foo                          | F             |
| Attribute 1 | Value            | A            |
| Attribute 2 | Value            | F             |
-----------------------------------------
| Bank Bar                           | B+          |
...

And the bottom have a table that has rules for getting to the letters and explanation

Yes need to look at the Apps, but as a 2nd release? Almost thinking three overalls grades. An overall overall which is the lowest letter out of the web and app and then a overall for each access method and then the nested table under that. Three if want the Public API as well.

Yes when have time. If we could get the data storage defined, people (I?) could start pottering away at the data collection. First thought:

{"banks":
    [
        {
            "name":"Bank Foo"
            "web":[
                "ssllabs":"A",
                "hsts":"true",
                "minpass":"8",
                "dateLastChecked":"YYYY-MM-DD"
            ],
            "app_andriod":[],
            "app_ios":[],
            "api":[]        
        }
    ]
}