Banks to Use 2-factor Authentication by End of 2006
Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."
Great, if they keep it compatible (Score:5, Interesting)
Sounds great, as long as they don't take the opportunity to lock out their actual customers.
Good ideas:
Bad ideas:
Bottom line: These are average people on home PCs, not corporate desktops where they can dictate the hardware/OS config, and anything that takes too much time/effort/skill/cash to install is going to be prohibitive. If banks keep that in mind, this should work. If not, they'll find a sharp drop in use of their online services.
Why couldn't they just (Score:3, Interesting)
then when they log in to the system, it sends a temporary-use code to the email address.
Not used in 5 minutes, it is no longer any good.
Older than 30 minutes, you're logged out, the number is no longer any good.
In the email, you just send the number. If all banks used the same sender to send the code, then people intercepting it would not know what bank it came from.
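The scheme in this post, written out as an added example (this is not code from the post or from any bank): a login-code service that enforces both timeouts the poster proposes, a 5-minute life for an unused code and a hard 30-minute session cut-off counted from login, and keeps the mail body to the bare number. The 8-digit code format, the per-code guess limit and the injectable clock are assumptions of the example.

```python
# Added example, not code from the Slashdot post: a login-code service that
# implements the two timeouts the post describes (unused code dies after 5
# minutes, every session dies 30 minutes after login) and keeps the mail
# body to the bare number. The clock is injectable so expiry can be tested.
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60        # unused code is no good after 5 minutes
SESSION_TTL_SECONDS = 30 * 60    # hard session lifetime, counted from login
MAX_ATTEMPTS = 5                 # assumption: burn a code after 5 wrong guesses


def message_body(code: str) -> str:
    """The e-mail carries only the number, so it does not name the bank."""
    return code


class LoginCodeService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}    # username -> [code, issued_at, attempts_left]
        self._sessions = {}   # session id -> login time

    def issue_code(self, username: str) -> str:
        """Create a fresh 8-digit code; any earlier code for the user is replaced."""
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[username] = [code, self.clock(), MAX_ATTEMPTS]
        return code   # hand this to the mail sender; never write it to a log

    def redeem(self, username: str, submitted: str):
        """Return a session id if the code is fresh and correct, otherwise None."""
        entry = self._pending.get(username)
        if entry is None:
            return None
        code, issued_at, _ = entry
        now = self.clock()
        if now - issued_at > CODE_TTL_SECONDS:
            del self._pending[username]          # stale: user must request a new one
            return None
        if not hmac.compare_digest(code, submitted):
            entry[2] -= 1                        # wrong guess, constant-time compare above
            if entry[2] <= 0:
                del self._pending[username]      # too many guesses: code is burned
            return None
        del self._pending[username]              # single use
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = now
        return sid

    def session_is_valid(self, sid: str) -> bool:
        """Sessions expire 30 minutes after login regardless of activity."""
        started_at = self._sessions.get(sid)
        if started_at is None:
            return False
        if self.clock() - started_at > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            return False
        return True
```

The session limit is deliberately measured from login rather than from last activity, which is what "older than 30 minutes, you're logged out" asks for; an idle timeout would be a separate check.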
How about "Common Sense" authentication? (Score:2, Interesting)
Too many.
Re:good idea, in my opinion. (Score:3, Interesting)
This is another in a long series of laws/policy that serves the "It sounds like we should do this" crowd. Read through the BS and it's the insurance (FDIC in the US) behind the banks pushing policy. It does nothing to protect the identity/credit of consumers.
Australian Bank (Score:4, Interesting)
Taking up the extra security is entirely up to the individual and is gradually being introduced to customers, though it costs a reasonable amount of money to actually order a security device.
There is already two factor authentication (Score:1, Interesting)
1. username or account number
2. password
What is actually being discussed is a third factor of authentication. This would be extremely harmful to usability because people have enough trouble remembering two things. In fact, Jef Raskin suggests in his book "The Humane Interface" that systems should only require 1 factor of authentication--a password. He explains that if a password is made up of real words (such as "book-garbage-soda-airplane") not only will it be easy to remember (good for usability) but that it will be extremely difficult to guess as well as accidentally have two users with identical passwords. For example, if a dictionary of 10,000 words is used to generate a password that contains only 3 words, that would yield 1,000,000,000,000 possible unique passwords.
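The word-based passphrase scheme in this post, quantified in an added example (this is not the poster's or Raskin's code): it computes the size of the passphrase space and its entropy in bits for a dictionary of a given size, the expected exhaustive-search time at an assumed guess rate, the birthday-bound chance that two users end up with the same passphrase, and generates a passphrase with the `secrets` module. The eight-word list is a constructed stand-in for a real dictionary.

```python
# Added example, not the poster's or Raskin's code: quantify the word-based
# passphrase scheme the post describes and generate one with a CSPRNG.
import math
import secrets


def passphrase_space(dict_size: int, n_words: int) -> int:
    """Number of distinct passphrases when words are drawn with replacement."""
    return dict_size ** n_words


def passphrase_entropy_bits(dict_size: int, n_words: int) -> float:
    """Bits of entropy, assuming each word is chosen uniformly at random."""
    return n_words * math.log2(dict_size)


def expected_guess_seconds(dict_size: int, n_words: int, guesses_per_second: float) -> float:
    """Expected time to hit one passphrase by exhaustive search (half the space)."""
    return passphrase_space(dict_size, n_words) / 2 / guesses_per_second


def collision_probability(n_users: int, dict_size: int, n_words: int) -> float:
    """Birthday-bound chance that at least two of n_users hold the same passphrase."""
    space = passphrase_space(dict_size, n_words)
    return -math.expm1(-n_users * (n_users - 1) / (2 * space))


def generate_passphrase(wordlist, n_words: int = 3, sep: str = "-") -> str:
    """Pick n_words uniformly from wordlist using secrets (never the random module)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed stand-in for a dictionary; a real list would hold ~10,000 words.
SAMPLE_WORDS = ["book", "garbage", "soda", "airplane",
                "lantern", "copper", "meadow", "violin"]

if __name__ == "__main__":
    print(passphrase_space(10_000, 3))                    # 1000000000000
    print(round(passphrase_entropy_bits(10_000, 3), 1))   # 39.9
    print(generate_passphrase(SAMPLE_WORDS))
```

The poster's 10,000 words and 3 words per passphrase give the 10^12 space stated above, just under 40 bits; the collision function shows how that space behaves once a large user population draws from it, which is the other half of the poster's claim.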
Found this... (Score:3, Interesting)
Also, is this similar to what we have had in Sweden for a couple of years for our banking systems? We have a personal badge that we enter a PIN and a temporary code into to get a new temporary code to be able to authenticate??
my bank already implemented a low tech version (Score:5, Interesting)
sure, it's really far from RSA, as my code doesn't change and anyone can easily just photocopy my card. but i thought that it was a creative solution to implement a two factor auth that even dummies would understand, while providing a lower cost to implement.
Burden of Proving Fraud Shifted to Customer (Score:5, Interesting)
Speaking of fault
Keys, etc are no good if the fraudster takes control of the victim's computer itself
Banks are going to love this - sure the key tokens, etc. are going to be a hassle for them to distribute, etc., but in the long run banks will be able to shift more of the risk to the customer unless consumer groups speak up
Ron
Re:No fraud needed (Score:3, Interesting)
http://www.bankrate.com/brm/news/cc/20030613c2.as
So if you are in a state that allows it, I think this is an excellent idea. For the rest of us, I guess we will have to fend for ourselves.
One-time PAD isn't working either. (Score:1, Interesting)
As Bruce Schneier recently stated, this problem will continue until financial institutions are made 100% responsible for all aspects of this problem. That includes the cost of cleaning up the mess afterwards etc. IMHO. Hell, they used to give away toasters, they can afford to give everyone that wants to bank online smartcard readers etc.
Re:One more damn thing to carry around (Score:3, Interesting)
More info needed, and this is inconvenient! (Score:3, Interesting)
Userid and password is simple, and effective in most cases.
The Feds want more security here, yet if I ask my bank to only accept ACTUAL PHYSICAL checks with my signature on them before honoring them and paying the other banks, it is ILLEGAL for my bank to give me what I want and refuse to accept a "substitute check". It is ILLEGAL for a bank to insist on security which would go a long way towards stopping check fraud, something which I can't protect against.
Whereas phishing attacks require stupidity on the part of the user.
Why protect people from something they can protect themselves against, yet not protect us from something we can't protect ourselves from (people can forge our signature, and anyone getting a check from us has the routing number and account number, which is all they need)?!
If you don't understand the basics of computer security, you shouldn't be allowed to bank on the Internet. If you don't understand the basics of operating a car, you shouldn't be allowed to drive on public roads. Same principle at work here.
Don't take away my convenience and require me to carry a smart card (oops, left it at home and can't do some needed banking at work or on vacation - sucks to be me) because of others' stupidity.
Let the stupid people lose their money, get off the Internet and/or go broke and die.
We mollycoddle the stupid way too much in this country (USA).
If they must DO SOMETHING, just mandate the banks block *.aol.com at the firewall and be done with it.
95% of the problem will be solved.
Or have the server attempt the common Windows exploits, if they fail, the user isn't on Windows or has actually secured Windows - in either case they likely aren't terminally stupid - and the banking session should be allowed.
Now 99% of the problem is solved.
As for the remaining 1%, guess what, nothing is perfect. Even with 2 factor authentication, once logged in, a malicious hacker with control of your PC can add an illicit transaction request to the banking session.
In any event, people should be responsible for computer security. Secure your damn PC, learn to not trust spammers and scammers and don't be a dumbass.
Or stay off the Internet, and don't cross the street either if you are an idiot.
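The failure mode this post names, a compromised PC adding a transfer to a session that already passed two-factor login, is the reason banks bind a second code to the transaction rather than to the login. Below is an added example of that mitigation, not code from the post or from any bank: the customer's separate device (a function here, standing in for a token or phone) displays the payee and amount and computes an HMAC-derived code over exactly those fields, and the bank verifies the code over the transfer it is actually asked to execute. The shared device key, the field set and the account identifiers are assumptions of the example.

```python
# Added example, not from the post: a transaction-bound confirmation code,
# the usual mitigation for the failure mode the post names (malware on the
# customer's PC inserting or altering a transfer inside an authenticated
# session). The "device" is a function standing in for a separate token or
# phone the customer reads the payee and amount from; the key shared with
# it is an assumption of this demo.
import hashlib
import hmac
import secrets

TX_FIELDS = ("from_account", "to_account", "amount_cents", "currency")


def canonical(tx: dict) -> bytes:
    """Deterministic encoding of exactly the fields the customer approves."""
    return "|".join(f"{k}={tx[k]}" for k in TX_FIELDS).encode()


def device_code(device_key: bytes, nonce: bytes, tx: dict) -> str:
    """What the customer's separate device computes and displays, after
    showing the payee and amount it is about to sign."""
    mac = hmac.new(device_key, nonce + canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class TransferAuthorizer:
    """Bank side: a login session alone never executes a transfer."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # username -> key provisioned on the device
        self._challenges = {}            # challenge id -> (user, nonce)

    def start(self, user: str, tx: dict) -> dict:
        nonce = secrets.token_bytes(16)
        cid = secrets.token_hex(8)
        self._challenges[cid] = (user, nonce)
        # Nonce and transfer details go to the device; the customer reads them there.
        return {"challenge_id": cid, "nonce": nonce, "display": dict(tx)}

    def complete(self, cid: str, tx_to_execute: dict, code: str) -> bool:
        """Verify the code over the transfer the server is being asked to
        execute, not over whatever was shown earlier. Each challenge is single use."""
        user, nonce = self._challenges.pop(cid, (None, None))
        if user is None:
            return False
        expected = device_code(self.device_keys[user], nonce, tx_to_execute)
        return hmac.compare_digest(expected, code)


def run_scenario(tamper: bool) -> bool:
    """Customer approves a transfer on the device; with tamper=True the request
    that reaches the bank no longer matches what the customer approved."""
    key = secrets.token_bytes(32)
    bank = TransferAuthorizer({"alice": key})
    intended = {"from_account": "ACC-ALICE", "to_account": "ACC-PLUMBER",
                "amount_cents": 12_500, "currency": "USD"}   # constructed values
    ch = bank.start("alice", intended)
    # The customer checks payee and amount on the device screen, then types the code.
    code = device_code(key, ch["nonce"], ch["display"])
    submitted = dict(intended)
    if tamper:
        submitted["to_account"] = "ACC-PLACEHOLDER-OTHER"   # differs from what was approved
    return bank.complete(ch["challenge_id"], submitted, code)
```

The check only helps if the device shows the customer the details it signs and the customer reads them; a code computed over a blind challenge would be no better than the login token the post is talking about.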
Re:One more damn thing to carry around (Score:3, Interesting)
It depends. If the waiver covered them purely for losses incurred through phishing, I would happily sign it. I use only secure computers to get to my bank's web site, and I type the URL by hand. I would rather not carry a token to access just one web site.
On the other hand, if they wanted to extend the waiver to all forms of account loss, regardless of whether it involved an online transaction or not, I'd be more concerned about signing it.
Re:One more damn thing to carry around (Score:2, Interesting)
Huh? How often do major credit card issuers take a loss from fraud? Not often. I'm a CC merchant and if I get a chargeback, Visa/Mastercard doesn't eat the loss (even though they authorized the charge)... they just take the money back out of my account and stick me with, what, a $25 chargeback fee? Visa/Mastercard makes money off of fraud.
Visa/Mastercard is one of the biggest racketeering schemes in modern history... They get about 2% of every transaction, $25 off of every chargeback, and the merchant gets to run the risk of fraud... not Visa/Mastercard. What a scam!