FW: User negligence?

Genzoli, William William.Genzoli at McKesson.com
Wed Jul 30 18:58:14 UTC 2003


Which goes back to the root of the *real* problem here. Banks are mainly
concerned with physical security. Internet security has always been handled
as more of an afterthought and mainly for reasons of due diligence. The real
problem is the banks have a known security flaw with a simple password login
for account access. That, as has been discussed here, is a significant flaw
in the overall design of what should be a secure system and access method.

The underlying issue here is that the bank, who should be the subject
matter expert, clearly is not. They offer one way, and one way only to
access, arguably, our most sacred information. Furthermore, they offer very
little, if any, training to their clients, the end-user. A quick thirty
second blurb is not due diligence for an organization that values its
customers.

The bottom line is if they offered a SecurID sort of setup, or any other of
a number of methods out there that *would* circumvent a key logger or
similar hack, the customer would more times than not, comply. Even at the
customer's expense. Customers may not be technically savvy overall, but they
value their own money above even the bank. If it's explained that the added
cost/benefit is there, and is a real, tangible issue, a ten or twenty dollar
nominal fee is just that, nominal.

Until banks realize this, they are undoubtedly and unequivocally at fault.

Bill G.

-----Original Message-----
From: Peter Galbavy [mailto:peter.galbavy at knowtion.net] 
Sent: Monday, July 28, 2003 3:13 AM
To: ken emery; North American Noise and Off-topic Gripes
Subject: Re: User negligence?



ken emery wrote:
> I'm not sure what needs to be done, but the security as now implemented
> is not even close to enough IMHO.  Networkwise (to bring this back on
> topic) I'm not sure there is really much that can be done.

Don't forget the desperate need for user *and* staff education. I have now
multiple times got calls from my bank asking to discuss my account. Could I
just verify my details? they asked. Er, you first, I said. They didn't get
it. They didn't understand why, as someone who is lightly paranoid and
understands more about security than they do, I was concerned that they
couldn't prove they were from the bank...

Peter



