One of the interesting things about being a Millennium BCP customer is that you get a security newsletter in your e-mail now and then. I just read the latest, and it has a number of positive points that I think bear mentioning, because they put most other Portuguese banks to shame:
- They send out a bilingual edition (Portuguese at the top, English at the bottom). I can’t even begin to say how much I appreciate this – and I’m a native. Plus the text is obviously written by people who know proper grammar (I get a lot of crappily written newsletters in either language).
- The newsletter is sent out in HTML format, but with a readable plaintext alternative correctly specified as such in the MIME structure. Most e-mail newsletters here in Portugal are done by people who either don’t get the Internet or hired an incompetent bozo to do their mailshots, but BCP clearly thought things through.
- The HTML formatting is done using inline CSS that works everywhere I’ve tried it (Mail.app, Thunderbird, Outlook, etc.). Even if there are minor issues with it here and there due to rendering quirks, it’s a solid, professional job. They also specify an e-mail address you can send feedback to if you can’t view the message correctly.
- The security advice is (even if somewhat basic at times, but then again we’re talking about a general newsletter here) not just up-to-date, but also clearly written – stuff like phishing, recommended password policies, how to protect your computer, etc. is explained in a way everyone can understand.
- Finally, the newsletter has no URLs whatsoever, clearly states the bank’s policy of not sending you any e-mail containing them – and asks you to report any spoofs that do.
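
The MIME structure and no-URL policy described in the list above can be checked mechanically on the receiving side. The following is an added example, not part of the original post or anything the bank publishes; the sample messages, the `bank.example` address and the `audit` function name are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample messages (not real bank mail).
GOOD = """\
From: newsletter@bank.example
Subject: Security newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Never share your full access code.

--b1
Content-Type: text/html; charset="utf-8"

<p style="font-family: sans-serif">Never share your full access code.</p>

--b1--
"""

SPOOF = """\
From: newsletter@bank.example
Subject: Confirm your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.invalid/confirm">confirm your details</a>.</p>
"""

# Bare URLs plus the HTML attributes that can carry a link or a remote resource.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+|\b(?:href|src|action)\s*=")

def audit(raw):
    """Return a list of findings; an empty list means the message matches the policy."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    types = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    if msg.get_content_type() != "multipart/alternative":
        findings.append("not multipart/alternative")
    if "text/plain" not in types:
        findings.append("no text/plain part")
    for part in msg.walk():
        if part.get_content_maintype() == "text" and URL_RE.search(part.get_content()):
            findings.append(f"link in {part.get_content_type()} part")
    return findings
```

A message that claims to come from a sender with a published no-links policy and returns any `link in ...` finding is a candidate for the spoof report the newsletter asks for.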
All in all, it’s an excellent job. It conveys the message that they take things seriously – and, in security, taking things seriously is all about keeping customers informed and not going in for “security theatre”.
As to their site, they follow the current trend of having people provide random digits from their access code, but do so without asking you for umpteen other useless checks or using the hideous JavaScript keypads that other banks stick to despite their uselessness and utter lack of real security.
And another big thing is that they do so without following other banks’ asinine policy of forcing people to use Internet Explorer – Safari works mostly OK, except for the odd (harmless) rendering quirk in some menus and listings.
Good show.