Kelly Martin, 2005-10-18
People who lived through the Second World War, like my grandparents, had a very different view of money than those of us who grew up in the Information Age. Many of us still remember being told how foolish it is to keep one's life savings under a bed mattress, because the banks were known as trusted entities that will always do a better job of looking after your money. Even my grandparents, albeit reluctantly, came to realize that putting trust in financial institutions was the only way to go.
Two-factor banking
2005-10-18
Anonymous (3 replies)
Two-factor banking
2005-10-19
Todd Knarr (2 replies)
I have to disagree with your article. Two-factor authentication will, in my judgement, do nothing to significantly slow down phishing. People aren't caught by phishing because of weak authentication of them to their bank, they're caught because of non-existent authentication of their bank to them. T...
Re: Two-factor banking
2005-10-19
Anonymous (1 replies)
Todd,
Your analysis of the impact of two-factor authentication is incomplete at best. The overall problem of phishing and identity fraud in general, like many complex human-technology risks, has multiple points of failure - the complete sum of which is needed for fraud (in this case transferring...
Re: Re: Two-factor banking
2005-10-19
Todd Knarr (1 replies)
My suggestion directly addresses your first and third points. If the user can readily tell whether he's talking to the real bank or not when he goes to a site purporting to be the bank, it becomes much more difficult for phishers to successfully fool the user into giving away their credentials.
A...
Re: Re: Re: Two-factor banking
2005-10-19
Anonymous (2 replies)
Right - you need both strong and mutual authentication (read the FFIEC guidelines). Neither by itself is entirely sufficient. You won't give your credentials away unless you're sure it's the bank and the bank won't let you (or the criminal) log in unless you strongly assert your identity. This is...
Re: Re: Re: Re: Two-factor banking
2005-10-23
Anonymous
The not-real-time part is the key thing here: if the site is set up to automatically log in to the real site as soon as the user authenticates with the fake site, then yeah, the 2-factor auth isn't going to help; however, for the majority of cases it will help, as the key will have changed by the time the p...
Two-factor banking
2005-10-19
Theuns (1 replies)
Actually, my bank (asb.co.nz) has an opt-in option where a confirmation code is sent via txt to the client's cell phone for any transaction subject to abuse.
It costs an extra fee (pretty much covering the txt), but apparently the market driver for this is already sufficient to allow it to be im...
Two-factor banking
2005-10-19
tarun_the_nut
I have doubts about the use of two-factor for protection against phishing. The bogus website usually has the look and feel of the actual website. The fake website can act as a man-in-the-middle platform and pass the authentication credentials to the actual website, and once the session is established, ...
Two-factor banking
2005-10-19
Anonymous
Coming from the financial security world, I don't think we want a law mandating a specific token. As an aside: there are many different types of tokens; the type described in the article originated as SecurID (the company later bought RSA and changed its name to RSA).
The benefit of changing ...
Two-factor banking
2005-10-19
Anonymous (1 replies)
I think most banks in Sweden/Finland/etc. Scandinavian countries use the "scratch-card" method accompanied with an actual login PIN to make any kind of transactions....
Re: Two-factor banking
2005-10-20
Anonymous (1 replies)
I believe this to be incorrect.
Most Swedish banks have used token/smartcard 2FA since 1996.
The good thing about their tokens is that transaction information is typed into the token, thus making amount, date etc. part of the signature....
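The token described in the reply above (transaction details typed into the token so they become part of the signature) contrasted with a plain counter-based OTP, as an added Python example that is not part of this thread: it shows why a real-time relaying fake site, which several comments worry about, can reuse a plain code but not a transaction-bound one. The shared key, account numbers, amounts and function names are constructed for the demo.

```python
"""Added example: plain OTP vs. transaction-bound code under a relaying fake site.
The key, accounts and amounts below are constructed; nothing here is a bank's real scheme."""
import hashlib
import hmac
import struct

# Constructed seed shared between the customer's token and the bank (demo only).
SHARED_KEY = b"constructed-demo-seed-not-a-real-token-secret"


def plain_otp(key: bytes, counter: int) -> str:
    """Event-based OTP: depends only on the secret and a counter (HOTP-style truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def transaction_code(key: bytes, counter: int, dest: str, amount_cents: int, date: str) -> str:
    """Transaction-signing token: the user types destination, amount and date into the
    token, so the code commits to those fields. Changing any field changes the code."""
    challenge = f"{dest}|{amount_cents}|{date}".encode()
    mac = hmac.new(key, struct.pack(">Q", counter) + challenge, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def bank_accepts_plain(counter: int, code: str) -> bool:
    """Bank-side check for the plain OTP: only the counter and secret are verified."""
    return hmac.compare_digest(plain_otp(SHARED_KEY, counter), code)


def bank_accepts_signed(counter: int, dest: str, amount_cents: int, date: str, code: str) -> bool:
    """Bank-side check for the signed code: recomputed over the transaction the bank
    is actually being asked to execute, not the one the customer thought they signed."""
    expected = transaction_code(SHARED_KEY, counter, dest, amount_cents, date)
    return hmac.compare_digest(expected, code)


def relay_attack(signed: bool) -> bool:
    """A fake site forwards the victim's fresh code to the real bank immediately,
    but swaps the destination account. Returns True if the bank accepts the transfer."""
    victim_dest, attacker_dest = "NL00BANK0001", "NL00MULE9999"   # constructed
    amount_cents, date, counter = 25_000, "2005-10-19", 7
    if not signed:
        code = plain_otp(SHARED_KEY, counter)            # victim reads it off the token
        return bank_accepts_plain(counter, code)         # bank cannot tell who filled in the form
    code = transaction_code(SHARED_KEY, counter, victim_dest, amount_cents, date)
    return bank_accepts_signed(counter, attacker_dest, amount_cents, date, code)
```

A plain OTP only proves the token was present; the signed code also proves which transfer the customer agreed to, so a relay that alters the transfer fails even when it is not delayed at all.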
Two-factor banking
2005-10-19
Anonymous (1 replies)
Re: Two-factor banking
2005-10-22
Anonymous
Hard to say for sure, but I wouldn't have thought so.
A stolen token usually isn't enough - you still need to know the PIN and the username that goes with the token.
So in order to get a working token you need to steal 3 things.
And unlike the PIN or username, the user will notice if someone gets...
Two-factor banking
2005-10-19
Anonymous (1 replies)
Interesting to see that this is only now a topic (in the US). Over here in the Netherlands (but also in many other western EU countries) 2-factor auth is already a longstanding fact of life. Most of us have never authenticated to banks on static uid/pwd only. There are plenty of systems available (RSA for exam...
Two-factor banking? I don't think so....
2005-10-19
Anonymous
Those who still believe in one solution fitting all are in for a rude awakening.
1) Tokens are very expensive. Who is going to pay for it? Answer - sooner or later, the customer.
2) There are programs, Cain and Abel for example, that can crack a token code.
3) Someone can still fall for...
Two-factor banking
2005-10-19
HumbleOpinion
My account at Etrade has an RSA token with a number that changes every minute or so. I haven't had any problems, but I worry about losing it and access to my bank.
A bigger concern to me is ACH transfers. I can go to my credit card account at AmericanExpress, enter a bank routing number and accou...
Two-factor banking
2005-10-19
Anonymous2 (1 replies)
To believe that the thieves will stop gathering money because of poor security solutions like this two-factor authentication is to underestimate the techniques that can be used to exploit the flaws in these solutions. I believe that these solutions will not resist these attacks until the financial systems have ...
One more stupid device to carry around
2005-10-20
Anonymous
I am really sick of all the convenient things in life suddenly becoming too cumbersome to use. I would really, really hate to have a hard token to carry around. It has so many bad features:
1. I have to carry it around
2. I may lose it
3. It will probably break
4. Its code could be duped
T...
Two-factor banking
2005-10-20
Anonymous
The solution isn't placing all the burden on banks - this would (if it were ever implemented) just cost consumers lots and lots of money. Why? Because there is no difference between being taken by a phishing scam and giving your information to your friend. Either way, you wouldn't lose but the ba...
The regulation does not require two-factor authentication
2005-10-20
Anonymous (2 replies)
Like virtually everyone who has reported this story, the author of this article got it wrong. The new regulation does not require two factor authentication across the board for Internet banking, only for certain high-risk activities (e.g. interbank funds transfer). It requires that banks assess th...
Re: The regulation does not require two-factor authentication
2005-10-28
Anonymous (1 replies)
Yup, it's rather interesting to see just how many "experts" read the *guidelines* and still got it wrong. The guidelines "strongly suggest" multi-factor auth for client facing web apps only. It does not require tokens. It also notes that this is where it makes business sense.
I would have expect...
Re: Re: The regulation does not require two-factor authentication
2005-11-01
Kelly Martin (author)
Please see my reply below. I don't believe I'm incorrect, and as with any guideline there are parts that are always subject to interpretation.
More than that, however, is the fact that this article was never meant to focus on the U.S. regulation, it was simply to argue for two-factor authentication...
Re: The regulation does not require two-factor authentication
2005-11-01
Kelly Martin (author)
Actually I don't believe I am incorrect. Part of it is subject to what is considered 'customer information' which is something that, by the very nature of web banking and for all intents and purposes, is available across the board. There are exceptions to this of course, and systems could be retoole...
Two-factor banking
2005-10-20
Anonymous (1 replies)
Of course you all should realize (if you do not know at this point) that the reason why your bank charges you fees is because your bank is a business in this economy. At all costs, your bank's goal is to provide services that are cheap for them and have as low a cost impact on the customer as possible. If we ...
Re: Two-factor banking
2005-10-23
Anonymous
Regarding Windows Vista, you said it yourself, it doesn't matter how many patches or changes you make, the crooks will find a weakness to exploit. So, don't think Vista will be a panacea.
Also, it has been reported that for under $50 at a hobby shop and by lifting your fingerprints biometric read...
One Time Passwords via Mobile Text Messaging
2005-10-20
Anonymous (1 replies)
This is getting popular for reasonably strong authentication in many areas, since the vast majority of people that use the internet for secure transactions also have a mobile phone. Pretty much everyone who has used this system prefers it to using token methods such as those you mention for the foll...
Two-factor banking
2005-10-20
Anonymous (1 replies)
What I expect from online banking is the ability to access my accounts via the internet from anywhere in the world, without needing any information other than what I carry in my head.
I'm not going to carry some widget so I can access my account. I'm not even going to carry my ATM card. If I wo...
Two-factor banking
2005-10-20
Anonymous (3 replies)
I work on the security side of a regional bank in the United States. That means I am going to be in charge of making this happen for our company.
As stated by others here, there is almost nothing about two-factor authentication that will prevent phishing incidents. All this does is turn banks in...
Re: Two-factor banking
2005-10-21
Anonymous (1 replies)
I'm puzzled. The guidance says "Where the risk assessments indicated that the use of single factor authentication is inadequate, financial institutions should implement ** multi-factor authentication, layered security, or other controls ** reasonably calculated to mitigate those risks." It sounds ...
Re: Re: Two-factor banking
2005-10-25
Anonymous
These "guidances" almost always wheedle their way into becoming mandates. Unfortunately, those mandates usually are based on knee-jerk reactions by legislators.
I believe this will become a mandate for one type of hardware or another. Possibly multiple types of hardware. Why? Because requiring hard...
Re: Two-factor banking
2005-10-23
Anonymous (1 replies)
I am similarly tasked. I completely agree with your thoughts. Have you considered server and client-side certificates?...
Re: Re: Two-factor banking
2005-10-26
Anonymous
Yes, we have. We are also looking at it from the point of view of how each method will be viewed by OTS auditors.
What we have found is that auditors don't generally understand networking very well. Here's a good example.
During an OTS audit, the auditors got all wound up comparing the firew...
Paving the way for a national ID card
2005-10-21
Anonymous
When you compare the costs of each commodity token with the number of users at the larger banks, you are talking into the billions of dollars here (remember also that tokens have a shelf life of about 3 years to boot, so you have ongoing costs in the hundreds of millions). I think the government cer...
Two-factor banking
2005-10-21
AP (1 replies)
After having read this article and all the posts previously, I've come to the realization that most of the people (the author included) who write or comment on this have never had to deal with a customer security issue directly. They've never had to deploy a large security system at a financial ins...
Re: Two-factor banking
2005-11-01
Kelly Martin (author)
You wrote:
"Kelly - you're great at flip flopping. You agree with Bruce Schneier (who states that two factor authentication is not the solution) and then clamor for a token 'Where are our tokens?' I have no idea what your position is except to write articles to confuse people."
I'm not flip-f...
ABN in the Netherlands has been using this for a long time
2005-10-23
Sergej (2 replies)
I have been a customer with ABN AMRO in the Netherlands for the longest, and for a couple of years now, internet banking works like this:
You have a device that looks like a small calculator. You insert your bank card into this device. In order for the device to accept it, you have to use your P...
Two-factor banking
2005-10-23
vmmello
I agree with those that say "scratch-cards" are very inconvenient. And IMHO, I don't think they are a great step toward solving the problem. If you enter a phony bank site and put a still valid one time password (OTP) you have just bypassed your card. To solve (?) this problem each banking session y...
Two-factor banking
2005-10-26
Alexey Vesnin
This problem - the problem of "unhijackable" authentication - is the common and important problem today. Not only in the online banking industry. And there's one more reason - I agree with all the arguments in this article - but there's one more significant and important reason. The problem of IT-cultu...