Banks and Web security

George Ou has a good post on banks cheating their way to meeting web security guidelines. Many of the observations he makes in the Between the Lines column are SPOT ON. The biggest one I see relates to “multifactor authentication”….

For instance…

On page 3, the Federal guidelines go so far as to list the three factors of security:

Something the user knows (e.g., password, PIN);
Something the user has (e.g., ATM card, smart card); and
Something the user is (e.g., biometric characteristic, such as a fingerprint).

Currently, MOST approaches I’ve seen put into practice tend to ask you for 2 or 3 items of “something the user knows.” This, of course, can easily be compromised.

I remember when online credit card transactions first started: the card number and expiration date were pretty much all that was required (plus the billing address). Then they started requiring the CVV2 number. Well – ok – so I should ONLY know that if I have the card, but what if the database of the company that just asked for my CVV2 number is compromised? Are we going to need a third and fourth and further PINs and bits of knowledge to be able to properly authenticate online?

I’ve read of some institutions using some sort of smart card as an authentication factor and would REALLY like to see banks/card authorizers move towards taking at least that factor into account. George mentions that he’s not particularly fond of the biometric factor being pushed, and I can agree with that – who wants to encourage thieves to branch out into taking the thumb of a victim (or taking the victim hostage)… Biometrics, I think, could easily qualify as “something the user HAS” rather than something the user IS.

The point he gets at is this….

True strong authentication is a smartcard or some other form of cryptographic token. Just the plain old ATM card or credit card does not qualify as strong authentication.

In a way it makes me think of the historical practice of sealing letters with a signet. Wax would be dripped to seal the envelope and the signet ring pressed into it to leave a mark; the mark was unique and, at that time, would have given the recipient relative certainty as to the source. (Signets were supposedly unique to the wearer.) Of course, in the world of today that could easily be forged (and likely was then, too).

But….. what IF we could get a smartcard holding a randomly generated keycode that was unique to us? Then that card, through some sort of handshake with the hardware, could produce a response that ONLY that keycode could have made (much the way ssh key authentication is built), all without ever divulging the secret keycode…. Then, if you have to prove your identity, you present your codecard (or whatever form this takes). Of course, our computers would need a common and widely compatible way of using this authentication (which may be the hard part in getting widespread adoption).
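As an added sketch of the handshake described above (not code from George Ou's post or from this blog): the card holds a private key it never reveals, the bank stores only the matching public key, and a login is a signature over a fresh random challenge, so neither a breached bank database nor a captured response lets anyone impersonate the customer. The names Card, Bank, Enroll and Verify are assumptions for this illustration, and Ed25519 stands in for whatever the card's “keycode” would really be.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Card models the hypothetical smartcard: the private key is generated on the
// card, never leaves it, and the card's only operation is signing a challenge.
type Card struct{ priv ed25519.PrivateKey }

// NewCard generates the card's keypair and hands back only the public half for enrollment.
func NewCard() (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv}, pub
}

// Sign answers a bank-supplied challenge without ever revealing the private key.
func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// Bank stores only public keys, so a breach of its database yields nothing
// that lets an attacker impersonate the customer (unlike a stored CVV2 or PIN).
type Bank struct{ enrolled map[string]ed25519.PublicKey }
func NewBank() *Bank { return &Bank{enrolled: map[string]ed25519.PublicKey{}} }

func (b *Bank) Enroll(account string, pub ed25519.PublicKey) { b.enrolled[account] = pub }

// NewChallenge issues a fresh random nonce for each login, so a response
// captured from one session is useless for the next.
func (b *Bank) NewChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// Verify accepts the login only if the response is a valid signature over this
// exact challenge under the key enrolled for the account.
func (b *Bank) Verify(account string, challenge, response []byte) bool {
	pub, ok := b.enrolled[account]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, response)
}
```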
