North American Network Operators Group


Re: User negligence?

  • From: Jamie Reid
  • Date: Sun Jul 27 16:20:06 2003

I wonder if this could just be solved by selling fraud insurance? 
It could be another ridiculous bank surcharge or service, but would
negate the need for byzantine technology infrastructures to support it. 

All that user end security devices do is put more non-repudiable 
onus on the user, so that when it fails, the service provider is protected, 
and the user is cryptographically guaranteed to be SOL. Biometrics
are an excellent example of this. They are a single factor authentication 
technology, maybe two factor if there is a PIN, and when the database
gets compromised, nobody will believe that the user isn't responsible, 
because "The System is Perfect". 

Many security technologies are based upon the risk avoidance paradigm
of government/military organizations, instead of the more practical 
risk management perspective of more nimble organizations.  This is
partially why a lot of technologies aren't getting adopted. They are Perfect, but 
a burden. 

The solution that balances security and accessibility will be the one that 
incorporates an acceptable loss expectancy and enables the company to leverage the
convenience of that risk. Building massive security structures does little to 
decrease the actual risk, they just push it out to the edges, that is, to 
customers.  

The ubiquity of personal computers as general information appliances has made 
them more of an interface to the economy than the tools that we are used to 
using them as. Since these interfaces are as diversely designed as wallets (M$
turned our machines into wallets), we can either demand better wallet security 
devices, or we can mitigate risks to their contents through insurance.  


--
Jamie.Reid, CISSP, [email protected]
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
>>> "Christopher L. Morrow" <[email protected]> 07/27/03 03:39pm >>>

On Sun, 27 Jul 2003, JC Dill wrote:

>
> At 07:21 AM 7/27/2003, David Lesher wrote:
>
> >Strip <http://www.zetetic.net/index.html> is your helper here.
>
> I have strip.  Unfortunately, I don't always have my Palm at hand when I
> want to login to my bank, and I didn't have it at hand the *last* time,
> when I had to change the password, so the new password didn't get entered
> into strip.  But that's beside the point, using strip on a pda (to help
> remember passwords) is a solution that only works for some people, in some
> circumstances.  It would be much better to have a policy that just WORKED.
>

or a 10 dollar key fob that always had a code you could combine with your
'pin' for a password... why is a solution like RSA/ACE so difficult for
people to accept on a wide scale?

After all, banks charge you for checks, why not for the FOB, and make you
purchase the replacement when you lose it?


-Chris