Banks 'wasting millions' on two-factor authentication
John Leyden, The Register 2005-03-15

Banks are spending millions on two-factor authentication for their customers but the approach no longer provides adequate protection against fraud or identity theft, according to Bruce Schneier, the encryption guru.

Banks 'wasting millions' on two-factor authentication 2005-03-15
Anonymous
This is not a rational position. It would be irrational to claim that multi-factor authentication is a panacea. If that is what the banks deploying two-factor authentication are claiming, they are going to face civil suits in the future.

But to say the money is wasted is nonsense. When the first shield was invented and created, the effort was not wasted because swords and spears would evolve through better metals, to crossbows and longbows, on to cannon and rifles, and now nuclear weapons. The aim is to force the attacker to have to upgrade capabilities, or move on to softer targets. That is what two-factor authentication can and will accomplish.

Schneier is correct that this does not solve all problems, and that there are already techniques that overcome this defense. Shoot, social engineering and bank heists will still work too! (Maybe we should do away with bank guards and alarms?) But it will rule out a class of less sophisticated attackers (or force them to return to walking into the bank with a note). The next step will be to address the attacks that filter through the gaps that begin to absorb the more sophisticated attackers' attention.

Not implementing something better than passwords just ensures that no one needs to bother with those more sophisticated attacks. Why spend the time when all the password sniffing, shoulder surfing, phishing and other lower-tech password theft techniques do the job perfectly?

This article is NOT helpful in the battle to make the work of thieves harder. On the contrary, if those considering improving on the very flawed password-only model throw up their hands and say what's the use, this article is positively counterproductive.

I can't say from the quotes that the context justifies Schneier's apparent assertions, but I can say that this article badly misreads the implications of the situation, either on the part of its author, or as a result of a poorly thought out or articulated position on Schneier's part. It does its readers a disservice.

I've read Schneier's books and have a tremendous respect for his thinking. But what is said here is just wrong, in practice.

There is no solution though 2005-03-15
Anonymous
so called "expert" 2005-03-16
Anonymous (1 replies)
Re: so called "expert" 2005-11-18
twofish
It's too late.... 2005-03-16
en0k
Copyright 2008, SecurityFocus