[59940] in North American Network Operators' Group
Re: User negligence?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Jul 27 04:49:24 2003
Date: Sun, 27 Jul 2003 01:47:53 -0700
From: Owen DeLong <owen@delong.com>
To: Kandra Nygårds <kandra@foxette.net>,
nanog@merit.edu
In-Reply-To: <00b901c35415$93b6c120$0ef2a8c0@amalthea>
Errors-To: owner-nanog-outgoing@merit.edu
I don't think the average user has a smart card reader at home.
Everyone has accepted a very simple two-factor authentication system
for bank usage for a long time. Factor 1 is possession of the card.
This is relatively easy to forge. Factor 2 is the PIN. This is no
stronger than a password.
Most banks use smart cards for authenticating employees, with a password
required to access the smart card. This is not practical (at least today)
for home banking over the internet. Last I looked, the cost of the
cards and the readers exceeded what would be reasonable for the bank
to provide to all their customers. I don't think most home users understand
enough about security to think the smart card system would be worth the
price.
The real negligence in this case is the software company that released an
MUA that makes trojans so convenient to distribute. As someone else
stated earlier in this thread...
OUTLOOK: The Exploding PINTO on the Information Superhighway.
This is _SO_ true.
Owen
--On Sunday, July 27, 2003 10:03 +0200 Kandra Nygårds <kandra@foxette.net> wrote:
>
> From: "Sean Donelan" <sean@donelan.com>
>
>> Unfortunately there are a lot, and growing number, of self-infected PCs
>> on the net. As the banks point out, this is not a breach of the bank's
>> security. Nor is it a breach of the ISP's security. The user infects
>> his PC with a trojan and then the criminal uses the PC to transfer money
>> from the user's account, with the user's own password.
>
> Banks use passwords for authentication? That's what scares me.
>
> Personally, I find it terrifying that banks allow such weak authentication
> as a password for financial transactions. To the best of my knowledge, all
> banks around here use a smartcard based system. It might be a bit more
> inconvenient, but the added security makes it well worth it, in my
> opinion.
>
> It may not be a breach of the bank's security as such, but the measures
> they take in order to protect their customers' money are in my opinion so
> low that, IMHO, they are the ones guilty of negligence.
>
>
>
> -Kandra