User negligence?

Owen DeLong owen at delong.com
Sun Jul 27 08:47:53 UTC 2003


I don't think the average user has a smart card reader at home.

Everyone has accepted a very simple two-factor authentication system
for bank usage for a long time.  Factor 1 is possession of the card.
This is relatively easy to forge.  Factor 2 is the PIN.  This is no
stronger than a password.

Most banks use smart cards for authenticating employees, with a password
required to access the smart card.  This is not practical (at least today)
for home banking over the internet.  Last I looked, the cost of the
cards and the readers exceeded what would be reasonable for the bank
to provide to all their customers.  I don't think most home users understand
enough about security to think the smart card system would be worth the
price.

The real negligence in this case is the software company that released a
MUA that makes trojans so convenient to distribute.  As someone else
stated earlier in this thread...

OUTLOOK: The Exploding PINTO on the Information Superhighway.

This is _SO_ true.

Owen


--On Sunday, July 27, 2003 10:03 +0200 Kandra Nygårds <kandra at foxette.net> 
wrote:

>
> From: "Sean Donelan" <sean at donelan.com>
>
>> Unfortunately there are a lot, and growing number, of self-infected PCs
>> on the net.  As the banks point out, this is not a breach of the bank's
>> security. Nor is it a breach of the ISP's security.  The user infects
>> his PC with a trojan and then the criminal uses the PC to transfer money
>> from the user's account, with the user's own password.
>
> Banks use passwords for authentication? That's what scares me.
>
> Personally, I find it terrifying that banks allow such weak authentication
> as a password for financial transactions. To the best of my knowledge, all
> banks around here use a smartcard based system. It might be a bit more
> inconvenient, but the added security makes it well worth it, in my
> opinion.
>
> It may not be a breach of the bank's security as such, but the measures
> they take in order to protect their customers' money is in my opinion so
> low that, IMHO, they are the ones guilty of negligence.
>
>
>
> -Kandra
>
>
>