North American Network Operators Group

Re: OT: Re: User negligence?
On Sun Jul 27, 2003 at 01:25:24AM -0700, David Schwartz wrote:

> I don't think it would be that difficult to show that there are significant
> security flaws in the online banking system that the user is neither
> responsible for nor capable of correcting. You could get a dozen security
> experts to testify that a static password is not sufficient to protect a
> system that can perform unretrievable funds transfers. If that's all the
> bank's online scheme provides, this may negate the argument that the user's
> negligence was the sole/primary cause of the loss.

In the UK, I have 3 or 4 online accounts with different banks.

My main bank asks for a 10-digit "customer number", my date of birth, and 3
characters at random from my password. By not asking for the whole password,
this prevents simple replay-style attacks. Asking for my DOB is not really
additional protection - it's extremely easy to find (minus 5 points for anyone
who can't find it out within 2 minutes of searching on the 'net).

Another bank asks me for 5 different bits of information, but always the same
information every time. Whilst this would seem more secure, it doesn't prevent
simple replay attacks.

Simon

-- 
Simon Lockhart        | Tel: +44 (0)1628 407720 (x37720) | Si fractum
Technology Manager    | Fax: +44 (0)1628 407701 (x37701) | non sit, noli
BBC Internet Services | Email: [email protected]         | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
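The "3 characters at random from my password" check Simon describes, as an added example that is not part of the thread: a minimal server-side challenge/verify pair in Python, plus a replay of a captured answer against a fresh challenge and the odds of that replay landing. It assumes a constructed password and 1-based positions; note that to read individual characters the server has to keep the password in recoverable form rather than as a one-way hash, which is the scheme's main cost.

```python
import secrets
from math import comb

# Constructed sample. The server must keep the password recoverable (not a
# one-way hash) to pick characters out of it; that is the scheme's main cost.
STORED_PASSWORD = "correcthorse"   # constructed, 12 characters
K = 3                              # characters requested per login


def issue_challenge(password_len: int, k: int = K) -> tuple:
    """Server side: pick k distinct 1-based positions, fresh for every login."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, password_len + 1), k)))


def answer(password: str, challenge: tuple) -> str:
    """Client side: the characters at the requested positions, in order."""
    return "".join(password[p - 1] for p in challenge)


def verify(stored: str, challenge: tuple, response: str) -> bool:
    """Server side: constant-time compare; an answer for another challenge fails."""
    return secrets.compare_digest(answer(stored, challenge), response)


def replay_success_probability(password_len: int, k: int = K) -> float:
    """Chance a verbatim replay of a captured answer is accepted on the next
    login: the fresh challenge must pick exactly the same positions, 1 / C(n, k)
    when positions are drawn uniformly (ignores coincidental repeated letters)."""
    return 1 / comb(password_len, k)


def replay_demo() -> dict:
    """Observer records one exchange, then the same answer is tried on the next login."""
    captured_challenge = issue_challenge(len(STORED_PASSWORD))
    captured_answer = answer(STORED_PASSWORD, captured_challenge)
    fresh_challenge = issue_challenge(len(STORED_PASSWORD))
    return {
        "captured_ok": verify(STORED_PASSWORD, captured_challenge, captured_answer),
        "replay_ok": verify(STORED_PASSWORD, fresh_challenge, captured_answer),
        "same_positions": captured_challenge == fresh_challenge,
    }


if __name__ == "__main__":
    print(replay_demo())
    print(f"replay odds: 1 in {comb(len(STORED_PASSWORD), K)}")
```

Compare with the second bank's fixed set of questions: there the captured answers are valid on every subsequent login, i.e. the replay probability is 1.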