2005-10-18
People who lived through the Second World War, like my grandparents, had a very different view of money from those of us who grew up in the Information Age. Many of us still remember being told how foolish it is to keep one's life savings under a mattress, because banks were known as trusted entities that would always do a better job of looking after your money. Even my grandparents, albeit reluctantly, came to realize that putting trust in financial institutions was the only way to go.
Two-factor banking
2005-10-19
Anonymous (1 replies)
The regulation does not require two-factor authentication
2005-10-20
Anonymous (2 replies)
Two-factor banking
2005-10-20
Anonymous (3 replies)

As for your second point, the whole purpose of a credential exchange is to establish identity. The bank has to accept that anyone who can successfully present credentials for a given user is that user. Two-factor authentication strengthens the credentials, but the bank still has to grant access to someone who successfully presents both parts of the credentials. If I can impersonate the bank's site, I can get the user to give me both parts of the authentication without much trouble. I then use them immediately while presenting the user with a pause and an "authentication failed" or "site is currently down for maintenance, try again later" screen.
Preventing a man-in-the-middle attack requires that both ends prove their identities. Strengthening user authentication won't help simply because it's not the user being impersonated here.
Link to this comment: http://www.securityfocus.com/comments/columns/363/32546#32546
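The point made in the comment above, as an added example that is not part of the original comment or column: a one-time code depends only on the token secret, so the bank accepts it no matter which site the user typed it into, while a response that also covers the site identity the client actually connected to is rejected when that identity is not the bank's. The origins, secrets and the HMAC-based binding are constructed assumptions for illustration; deployed schemes typically use public-key signatures for the bound response.

```python
import hashlib
import hmac
import struct

BANK_ORIGIN = "https://bank.example"             # constructed
LOOKALIKE_ORIGIN = "https://bank-login.example"  # constructed

def otp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) 6-digit code: a function of secret and counter only."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

def bank_checks_otp(secret: bytes, counter: int, submitted: str) -> bool:
    """The bank can only check that the code is right, not where it was typed."""
    return hmac.compare_digest(otp(secret, counter), submitted)

def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> str:
    """Hypothetical client step: mix the origin the client is really connected
    to into the response, so the answer also asserts which site was seen."""
    msg = challenge + b"|" + origin.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def bank_checks_bound(secret: bytes, challenge: bytes, response: str) -> bool:
    """The bank recomputes the response for its own origin only."""
    expected = origin_bound_response(secret, challenge, BANK_ORIGIN)
    return hmac.compare_digest(expected, response)

def simulate(origin_user_is_on: str) -> dict:
    """Compare both checks for a user who authenticates on the given origin."""
    secret = b"constructed-shared-secret"
    challenge = b"constructed-nonce-0001"
    code = otp(secret, 1)  # same digits whichever page the user types them into
    resp = origin_bound_response(secret, challenge, origin_user_is_on)
    return {
        "otp_accepted": bank_checks_otp(secret, 1, code),
        "bound_accepted": bank_checks_bound(secret, challenge, resp),
    }

if __name__ == "__main__":
    for origin in (BANK_ORIGIN, LOOKALIKE_ORIGIN):
        print(origin, simulate(origin))
```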