2005-10-18
People who lived through the Second World War, like my grandparents, had a very different view of money than those of us who grew up in the Information Age. Many of us still remember being told how foolish it is to keep one's life savings under a bed mattress, because the banks were known as trusted entities that would always do a better job of looking after your money. Even my grandparents, albeit reluctantly, came to realize that putting trust in financial institutions was the only way to go.
Two-factor banking
2005-10-19
Todd Knarr (2 replies)
Re: Two-factor banking
2005-10-19
Anonymous (1 replies)
Re: Re: Two-factor banking
2005-10-19
Todd Knarr (1 replies)
Two-factor banking
2005-10-19
Anonymous (1 replies)
The regulation does not require two-factor authentication
2005-10-20
Anonymous (2 replies)
Two-factor banking
2005-10-20
Anonymous (3 replies)

"Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
Of course this is immediately subject to opinion on whether or not individual risk assessments indicate the use of single-factor authentication as inadequate. While it will depend on each institution to decide that, my argument is that single-factor authentication for online banking is inadequate. The U.S. report adds credibility to this argument, but it's sure not the sole source of this debate. However, if you want to get pedantic about it, let's turn to the next page where we read:
"The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."
Access to customer information is the sticky point here. Customer information can be gleaned from almost every aspect of today's web banking environments in many financial institutions. When I log into my banking account today, I immediately have access to many aspects of my customer information, including my mailing address, my account numbers, recent transaction history, linked accounts, bill payments which indicate other financial organizations I deal with, and more. These are frequently used in cases of identity theft! Therefore, in many cases, even though the regulation does not need to be applied across the board, it likely will be, because the systems would have to be either (1) reworked to make this information and level of access unavailable by adding two-factor authentication, because customer information such as account numbers is in every aspect of online banking today, or (2) updated to allow for two-factor authentication as the primary means for a customer to authenticate. The latter may be found to be a simpler option and require less rework of existing systems.
If it is argued that two-factor authentication be used as an interim step after a customer has already authenticated and is viewing his accounts, then this is useful but still *not adequate* in my opinion.
The FFIEC guidelines in the U.S. that I mentioned were only a small part of my article and I never intended to "report" about the U.S. situation. A column is an opinionated piece. Even if I were wrong, this does not invalidate my opinion. There are many other banks in the world outside of U.S. control and my opinion on this matter, while controversial, is offered because I feel strongly about this issue.
The article is an argument for making two-factor banking available on one's personal bank account.
Regards,
Kelly Martin