OT: Re: User negligence?
Simon Lockhart
simonl at rd.bbc.co.uk
Sun Jul 27 09:24:39 UTC 2003
On Sun Jul 27, 2003 at 01:25:24AM -0700, David Schwartz wrote:
> I don't think it would be that difficult to show that there are significant
> security flaws in the online banking system that the user is neither
> responsible for nor capable of correcting. You could get a dozen security
> experts to testify that a static password is not sufficient to protect a
> system that can perform unretrievable funds transfers. If that's all the
> bank's online scheme provides, this may negate the argument that the user's
> negligence was the sole/primary cause of the loss.
In the UK, I have 3 or 4 online accounts with different banks.
My main bank asks for a 10 digit "customer number", my date of birth, and
the 3 characters at random from my password. By not asking for the whole
password, this prevents simple replay style attacks. Asking for my DOB is
not really additional protection - it's extremely easy to find (minus 5 points
for anyone who can't find it out within 2 minutes of searching on the 'net).
Another bank asks me for 5 different bits of information, but always the
same information every time. Whilst this would seem more secure, it doesn't
prevent simple replay attacks.
Simon
--
Simon Lockhart | Tel: +44 (0)1628 407720 (x37720) | Si fractum
Technology Manager | Fax: +44 (0)1628 407701 (x37701) | non sit, noli
BBC Internet Services | Email: Simon.Lockhart at bbc.co.uk | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
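As an added illustration (not from Simon's post or any bank's code) of why the first scheme resists a simple replay and the second does not, here is a constructed Python model in which the server issues three random password positions as a single-use challenge; the customer number, password and the five static answers are invented sample values:

```python
import hmac
import secrets

# Constructed sample credentials; a real bank would not keep these in plaintext.
PASSWORDS = {"0000012345": "correcthorse"}
STATIC_ANSWERS = {"0000012345": ("1970-01-01", "Smith", "Rex", "Maidenhead", "blue")}


class PartialPasswordLogin:
    """First scheme: each login asks for k randomly chosen positions of the password."""

    def __init__(self, k=3):
        self.k = k
        self.pending = {}  # customer -> one outstanding challenge (tuple of positions)

    def challenge(self, customer):
        n = len(PASSWORDS[customer])
        positions = tuple(sorted(secrets.SystemRandom().sample(range(1, n + 1), self.k)))
        self.pending[customer] = positions  # replaces any earlier unanswered challenge
        return positions

    def answer(self, customer, positions):
        # What the genuine customer types for the 1-based positions asked for.
        return "".join(PASSWORDS[customer][p - 1] for p in positions)

    def verify(self, customer, positions, chars):
        issued = self.pending.pop(customer, None)  # single use, consumed on success or failure
        if issued is None or tuple(positions) != issued:
            return False  # a replayed response answers the old positions, not the issued ones
        return hmac.compare_digest(self.answer(customer, issued).encode(), chars.encode())


class StaticAnswersLogin:
    """Second scheme: the same five facts every time, so there is no per-login challenge."""

    def verify(self, customer, answers):
        expected = "\x00".join(STATIC_ANSWERS[customer])
        return hmac.compare_digest(expected.encode(), "\x00".join(answers).encode())


def replay_outcomes(customer="0000012345"):
    """Return (partial-password replay accepted?, static-answers replay accepted?)."""
    partial = PartialPasswordLogin()
    first = partial.challenge(customer)
    captured = (first, partial.answer(customer, first))  # what an observer of login 1 sees
    assert partial.verify(customer, *captured)  # the genuine login itself succeeds
    second = partial.challenge(customer)
    while second == first:  # 1-in-220 chance of a repeat for 12 chars; skip it so the demo is clear
        second = partial.challenge(customer)
    partial_replay = partial.verify(customer, *captured)
    static_replay = StaticAnswersLogin().verify(customer, STATIC_ANSWERS[customer])  # same every login
    return partial_replay, static_replay
```

Note that the partial scheme only resists replay because the challenge is consumed after one attempt; if the server let an old challenge stay valid, the captured positions and characters would still be accepted.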