George Ou has a good post on Banks cheating their way to meet web security guidelines. Many of the observations that he notes come from the Between the Lines column here and are SPOT ON. The biggest I see is related to “multifactor authentication”….
On page 3, the Federal guidelines go so far as to list the three factors of security:
Something the user knows (e.g., password, PIN);
Something the user has (e.g., ATM card, smart card); and
Something the user is (e.g., biometric characteristic, such as a fingerprint).
Currently MOST approaches that I’ve seen put into practice tend to ask you for 2 or 3 items of something the user knows. This, of course, can easily be compromised: all of those items are just more knowledge, and knowledge can be copied.
I remember when online credit card transactions first started, the card number and expiration date (plus the billing address) were pretty much all that was required. Then they started requiring the CVV2 number. Well – ok – so I should ONLY know that if I have the card in hand, but what if the database of the company that just asked for my CVV2 number is compromised? Are we going to need a third, fourth and further PINs and bits of knowledge to be able to properly authenticate online?
I’ve read of some institutions’ use of some sort of smart card as an authentication factor and would REALLY like to see banks/card authorizers move towards taking at least that factor into account. George mentions that he’s not particularly fond of the biometric factor being pushed and I can agree on that – who wants to encourage thieves to branch out into taking the thumb of a victim (or taking the victim hostage)… Biometrics, I think, could easily qualify as “something the user HAS” rather than something the user IS.
The point he gets at is this….
True strong authentication is a smartcard or some other forms of cryptographic tokens. Just the plain old ATM card or credit card does not qualify as strong authentication.
It makes me think, in a way, of the historical practice of signing letters with a seal. Wax would be dripped to seal the envelope and the signet ring pressed into it to leave a mark which, at that time, would have given the recipient relative certainty as to the source (the signets were supposedly unique to the wearer). Of course, in the world of today that could be easily forged (and likely was then, too).
But….. what IF we could get a smartcard that held a randomly generated keycode unique to us? Then that card, via a handshake of some sort with the hardware, could produce a response that ONLY that keycode could have made (much the way ssh’s key handshake works), all of it done without ever divulging the secret keycode…. Then if you have to prove your identity, you present your codecard (or whatever form this takes). Of course, our computers would need a common and widely compatible way of using this authentication (which may be the hard part in getting widespread implementation).
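What that ssh-style handshake looks like in practice, as an added example that is not from the original post: the card signs a random challenge with a private key that never leaves it, and the bank checks the signature against the public key registered at enrollment, so the secret is never sent anywhere. The Card and Bank types, and the user names, are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Card models the token: the private key is generated on it and never leaves it.
type Card struct{ priv ed25519.PrivateKey }
// NewCard creates the key pair and hands out only the public half for enrollment.
func NewCard() (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, pub, nil
}
// Respond signs the bank's challenge; this signature is all the card ever emits.
func (c *Card) Respond(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// Bank keeps one public key per enrolled customer and the challenge outstanding for them.
type Bank struct {
	Keys   map[string]ed25519.PublicKey
	issued map[string][]byte
}
func NewBank() *Bank {
	return &Bank{Keys: map[string]ed25519.PublicKey{}, issued: map[string][]byte{}}
}
// Challenge issues a fresh 32-byte random nonce for this login attempt.
func (b *Bank) Challenge(user string) ([]byte, error) {
	if _, ok := b.Keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.issued[user] = nonce
	return nonce, nil
}
// Verify accepts only a signature over the outstanding nonce, then discards it so a captured response cannot be replayed.
func (b *Bank) Verify(user string, sig []byte) bool {
	nonce, ok := b.issued[user]
	if !ok {
		return false
	}
	delete(b.issued, user)
	return ed25519.Verify(b.Keys[user], nonce, sig)
}
```

Because every login uses a new nonce, a response captured off the wire is useless a second time, which is exactly what the plain card number or CVV2 cannot offer.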