User negligence?

• Previous message (by thread): Learning more about authentication and passwords
• Next message (by thread): User negligence?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I wonder if this could just be solved by selling fraud insurance? 
It could be another ridiculous bank surcharge or service, but would
negate the need for byzantine technology infrastructures to support it. 

All that user end security devices do is put more non-repudiable 
onus on the user, so that when it fails, the service provider is protected, 
and the user is cryptographically guaranteed to be SOL. Biometrics
are an excellent example of this. They are a single factor authentication 
technology, maybe two factor if there is a PIN, and when the database
gets compromised, nobody will believe that the user isn't responsible, 
because "The System is Perfect". 

Many security technologies are based upon the risk avoidance paradigm
of government/military organizations, instead of the more practical 
risk management perspective of more nimble organizations.  This is
partially why alot of technologies aren't getting adopted. They are Perfect, but 
a burden. 

The solution that balances security and accessability will be the one that 
incorporates an acceptable loss expectancy and enables the company to leverage the
convenience of that risk. Building massive  security structures does little to 
decrease the actual risk, they just push it out to the edges, that is, to 
customers.  

The ubiquity of personal computers as general information appliances has made 
them more of an interface to the economy than the tools that we are used to 
using them as. Since these interfaces are as diversely designed as wallets (M$
turned our machines into wallets), we can either demand better wallet security 
devices, or we can mitigate risks to their contents through insurance.  


--
Jamie.Reid, CISSP, jamie.reid at mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
>>> "Christopher L. Morrow" <chris at UU.NET> 07/27/03 03:39pm >>>

On Sun, 27 Jul 2003, JC Dill wrote:

>
> At 07:21 AM 7/27/2003, David Lesher wrote:
>
> >Strip <http://www.zetetic.net/index.html> is your helper here.
>
> I have strip.  Unfortunately, I don't always have my Palm at hand when I
> want to login to my bank, and I didn't have it at hand the *last* time,
> when I had to change the password, so the new password didn't get entered
> into strip.  But that's beside the point, using strip on a pda (to help
> remember passwords) is a solution that only works for some people, in some
> circumstances.  It would be much better to have a policy that just WORKED.
>

or a 10 dollar key fob that always had a code you could combine with your
'pin' for a password... why is a solution like RSA/ACE so difficult for
people to accept on a wide scale?

Afterall, banks charge you for checks, why not for the FOB, and make you
purchase the replacement when you lose it?


-Chris
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: TEXT.htm
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20030727/d65cba8d/attachment.ksh>

• Previous message (by thread): Learning more about authentication and passwords
• Next message (by thread): User negligence?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]