The Register, 2005-03-15
Banks are spending millions on two-factor authentication for their customers but the approach no longer provides adequate protection against fraud or identity theft, according to Bruce Schneier, the encryption guru.
I'd hardly call even a temporary drop in fraud "wasting millions"
2005-03-15
Bruce K. Marshall (3 replies)

Joe User has no idea how to authenticate the site that he is connecting to. Joe Geek does, and can use the available tools, but until you can have a computer independent method to authenticate the site that you have connected to, there is a big security hole.
Put another way, the bank can authenticate the user, but the user can't reliably authenticate the bank.
The bank needs to provide a security code that can only come from it. That code must go to a trusted, secure and independent device (pretty GUIs can be easily faked, but a dongle in your pocket can't) that can authenticate the site in an obvious and foolproof way to a non-technical user.
Like a ward in a mental hospital, a computer system can't be relied upon to prove its own sanity/security.
Link to this comment: http://www.securityfocus.com/comments/articles/10694/30911#30911
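The mutual authentication the comment above asks for, modelled as an added example that is not part of the thread or of any bank's product: a pocket device and the bank share a per-customer secret, the device shows a short challenge that the user types into the site, and only a party holding the secret can compute the matching "site code" the device will accept. The `Token`, `Bank` and `LookalikeSite` classes, the HMAC-SHA256 code truncated to six digits, and the two-step login flow are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = 6  # assumption: codes are short enough to type from a device display


def _code(secret: bytes, purpose: bytes, challenge: bytes) -> str:
    """Truncate HMAC-SHA256(secret, purpose|challenge) to a DIGITS-digit decimal code.
    The purpose tag keeps site->user and user->site codes from being swapped."""
    mac = hmac.new(secret, purpose + b"|" + challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


class Token:
    """Hypothetical independent device holding the customer's secret (constructed model)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None  # challenge currently shown on the display, if any

    def new_challenge(self) -> str:
        # Fresh random challenge each time, so an old site code cannot be replayed.
        self._pending = secrets.token_hex(4)
        return self._pending

    def verify_site(self, site_code: str) -> bool:
        """Accept the code the site displayed only if it matches the pending challenge."""
        if self._pending is None:
            return False
        expected = _code(self._secret, b"site", self._pending.encode())
        self._pending = None  # one-shot: a second code for the same challenge is refused
        return hmac.compare_digest(expected, site_code)

    def answer(self, bank_challenge: str) -> str:
        """Second direction: prove the user holds the device."""
        return _code(self._secret, b"user", bank_challenge.encode())


class Bank:
    """Hypothetical bank server that enrolled the device (constructed model)."""

    def __init__(self):
        self._secrets = {}
        self._issued = {}

    def enroll(self, user: str) -> Token:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return Token(secret)  # in practice the secret is provisioned into the device

    def prove_identity(self, user: str, device_challenge: str) -> str:
        # Only a holder of the enrolled secret can produce this code.
        return _code(self._secrets[user], b"site", device_challenge.encode())

    def challenge_user(self, user: str) -> str:
        self._issued[user] = secrets.token_hex(4)
        return self._issued[user]

    def verify_user(self, user: str, response: str) -> bool:
        challenge = self._issued.pop(user, None)
        if challenge is None:
            return False
        expected = _code(self._secrets[user], b"user", challenge.encode())
        return hmac.compare_digest(expected, response)


class LookalikeSite:
    """A convincing GUI with no secret: the best it can do is guess a code."""

    def prove_identity(self, user: str, device_challenge: str) -> str:
        return f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"


def login_flow(site, bank: Bank, user: str, token: Token) -> str:
    """Step 1: site proves itself to the device. Step 2: device proves user to the bank."""
    site_code = site.prove_identity(user, token.new_challenge())
    if not token.verify_site(site_code):
        return "site not authenticated"
    response = token.answer(bank.challenge_user(user))
    return "login ok" if bank.verify_user(user, response) else "user not authenticated"


if __name__ == "__main__":
    bank = Bank()
    token = bank.enroll("alice")
    print(login_flow(bank, bank, "alice", token))            # login ok
    print(login_flow(LookalikeSite(), bank, "alice", token))  # site not authenticated
```

The point the model makes is that the trust decision happens on the device, not in the browser, so a faked page cannot talk its way past step 1. The caveat a practitioner would add is that a page which relays the device's challenge to the real bank in real time can still obtain a valid site code; closing that requires binding the code to the session or transaction details the device also displays, which this toy model does not do.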