User negligence?

Stephen Sprunk stephen at sprunk.org
Mon Jul 28 03:38:20 UTC 2003


Thus spake "Jamie Reid" <Jamie.Reid at mbs.gov.on.ca>
> All that user end security devices do is put more non-repudiable
> onus on the user, so that when it fails, the service provider is
> protected, and the user is cryptographically guaranteed to be SOL.
> ... and when the database gets compromised, nobody will believe that
> the user isn't responsible, because "The System is Perfect".

I hope this was in jest...  All it will take is one expert witness to show
the system is not perfect and there's hundreds of ways the bank (or even a
smart criminal) could defraud the user.

> Biometrics are an excellent example of this. They are a single factor
> authentication technology, maybe two factor if there is a PIN,

There are now techniques to copy latent fingerprints off surfaces and
produce counterfeits that have been shown to fool _all_ commercially
available fingerprint gear -- and it costs less than $2 per use.

Biometrics is a failure because there is no shared secret; once a user
submits to a test (either knowingly or not), the validator has all the
information necessary to spoof that person _for the rest of their life_.

S

Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking
