Two-factor banking
Kelly Martin, 2005-10-18

People who lived through the Second World War, like my grandparents, had a very different view of money than those of us who grew up in the Information Age. Many of us still remember being told how foolish it is to keep one's life savings under a bed mattress, because banks were known as trusted entities that would always do a better job of looking after your money. Even my grandparents, albeit reluctantly, came to realize that putting trust in financial institutions was the only way to go.

Two-factor banking 2005-10-18
Anonymous (3 replies)
Re: Two-factor banking 2005-10-19
Anonymous
Re: Two-factor banking 2005-10-20
Anonymous
Re: Two-factor banking 2006-04-13
Anonymous
Two-factor banking 2005-10-19
Todd Knarr (2 replies)
Re: Two-factor banking 2005-10-19
Anonymous (1 replies)
Todd,

Your analysis of the impact of two-factor authentication is incomplete at best. The overall problem of phishing and identity fraud in general, like many complex human-technology risks, has multiple points of failure - the complete sum of which is needed for fraud (in this case transferring money from your account to the criminal's account) to occur. In no special order the first source of failure is that humans are naïve and trusting by nature and respond to urgent emails about suspended accounts and gladly provide their user id and password to the phishers thinking they are doing the right thing. The second, and perhaps most critical point of failure, is that the legitimate banking sites gladly take the credentials from anyone who has them with no attempt to verify the user with strong authentication (through the use of a second factor such as a one-time password). And thirdly the end-user is easily fooled by the phisher's fake web site because most bank web sites fail to provide mutual-authentication to the user. Kelly Martin's article only addresses the second point of failure - strengthening the authentication of a customer by adding a second factor (e.g., a token) and chastises banks for their failure to do this long ago. However, the full FFIEC recommendation which is referenced in the article with a link in fact states that mutual authentication is also important. So, your point that simply having a bank provide you with proof that they are the real bank ignores the fact that the criminals ultimately in fact go to the real bank web site and use your credentials regardless of how they got them. The more complete answer is to educate the user, provide authentication from the bank web site, and provide two-factor authentication. There is at least one bank that I know of that presents the user with their own photograph taken at a branch. If you don't see the photo you can immediately call the bank and report the fraud.
These banks could also provide controls against fake branches by showing the user their photo.



Link to this comment: http://www.securityfocus.com/comments/columns/363/32542#32542
Re: Re: Two-factor banking 2005-10-19
Todd Knarr (1 replies)
Re: Re: Re: Two-factor banking 2005-10-19
Anonymous (2 replies)
Re: Re: Re: Re: Two-factor banking 2005-10-22
Anonymous2
Re: Two-factor banking 2006-04-05
Anonymous
Two-factor banking 2005-10-19
Theuns (1 replies)
Re: Two-factor banking 2005-10-23
Anonymous
Two-factor banking 2005-10-19
tarun_the_nut
Two-factor banking 2005-10-19
Anonymous
Two-factor banking 2005-10-19
Anonymous (1 replies)
Re: Two-factor banking 2005-10-20
Anonymous (1 replies)
Re: Re: Two-factor banking 2005-10-31
Anonymous
Two-factor banking 2005-10-19
Anonymous (1 replies)
Re: Two-factor banking 2005-10-22
Anonymous
Two-factor banking 2005-10-19
Anonymous (1 replies)
Re: Two-factor banking 2005-10-20
Mitch F.
Two-factor banking 2005-10-19
HumbleOpinion
Two-factor banking 2005-10-19
Anonymous2 (1 replies)
Re: Two-factor banking 2005-10-19
Thor
Open source Two-factor banking 2005-10-19
Anonymous
Two-factor banking 2005-10-20
Anonymous
Two-factor banking 2005-10-20
Anonymous (1 replies)
Re: Two-factor banking 2005-10-23
Anonymous
Two-factor banking 2005-10-20
Anonymous (1 replies)
Re: Two-factor banking 2005-10-23
Anonymous
Two-factor banking 2005-10-20
Anonymous (3 replies)
Re: Two-factor banking 2005-10-21
Anonymous
Re: Two-factor banking 2005-10-21
Anonymous (1 replies)
Re: Re: Two-factor banking 2005-10-25
Anonymous
Re: Two-factor banking 2005-10-23
Anonymous (1 replies)
Re: Re: Two-factor banking 2005-10-26
Anonymous
Two-factor banking 2005-10-21
AP (1 replies)
Re: Two-factor banking 2005-11-01
Kelly Martin (author)
Two-factor banking 2005-10-22
Anonymous
Two-factor banking 2005-10-23
vmmello
Two-factor banking 2005-10-26
Alexey Vesnin
Two-factor banking 2006-03-20
Anonymous
Two-factor banking 2006-04-11
Anonymous







 

Copyright 2008, SecurityFocus