Court Rules Passwords+Secret Questions=Secure eBanking
An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."
Re:This has a name (Score:4, Informative)
I'm sure he's not depositing the check from the banking industry in an American bank account, so it shouldn't be a worry for him.
Re:why not use some sort of authenticator? (Score:4, Informative)
Actually it still does, as you need a separate device that's not connected to the computer in any way.
Re:One-time pads (Score:4, Informative)
If the bank attaches transaction details, this is a valid method of circumventing the OTP vulnerability.
There are exploits in the wild that hijack the MSIE HTML rendering layer. So you want to transfer $15 to your aunt. You type in the amount, the account number, all details match. You press "send" and the trojan sends out the scammer's account number and your total balance as the amount to transfer. Now the bank asks you to confirm the transfer - and the trojan displays your aunt's info you have just entered, asking for the OTP code. And you sign the transfer to the thief's account with a valid OTP code.
Now the SMS will contain some digits of the account number and you can verify if it's your auntie who will receive your cash, even if your computer has been compromised.
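The scenario in the comment above, as an added example that is not part of the thread or of any bank's system: a toy model of the man-in-the-browser trojan run once against a plain counter-based OTP and once against an OTP that the bank binds to the destination account and amount and delivers out of band together with the last digits of the account (the SMS scheme the commenter describes). The shared secret, account numbers, amounts and counter are all constructed for illustration; the HMAC-SHA256 code derivation is a HOTP-style stand-in, not any specific bank's algorithm.

```python
"""Added example (not from the Slashdot thread or from any bank): a model of a
man-in-the-browser trojan against a plain OTP and against a transaction-bound
OTP sent out of band. All secrets, account numbers and amounts are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret shared between the bank and the customer's OTP channel.
SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class Transfer:
    to_account: str    # destination account number, as digits
    amount_cents: int


@dataclass(frozen=True)
class Sms:
    """What the bank's out-of-band channel shows the customer."""
    code: str
    account_tail: Optional[str] = None   # last 4 digits of the destination, if bound
    amount_cents: Optional[int] = None   # amount, if bound


def derive_code(counter: int, tx: Optional[Transfer]) -> str:
    """HOTP-style 6-digit code. With tx=None the code depends only on the
    counter (plain OTP) and so authorises whatever the bank received;
    otherwise the destination and amount are mixed in, so a code computed
    for one transfer is useless for a different one."""
    msg = counter.to_bytes(8, "big")
    if tx is not None:
        msg += f"|{tx.to_account}|{tx.amount_cents}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_issue_challenge(counter: int, received: Transfer, bound: bool) -> Sms:
    """Bank side: it only ever sees what the (possibly hijacked) browser sent,
    so the SMS details describe the transfer the bank is about to execute."""
    if bound:
        return Sms(derive_code(counter, received), received.to_account[-4:], received.amount_cents)
    return Sms(derive_code(counter, None))


def user_confirms(sms: Sms, intended: Transfer) -> Optional[str]:
    """User side: compares the SMS against what they meant to send and types
    the code only if the details agree. A plain OTP carries nothing to check."""
    if sms.account_tail is not None and sms.account_tail != intended.to_account[-4:]:
        return None
    if sms.amount_cents is not None and sms.amount_cents != intended.amount_cents:
        return None
    return sms.code


def bank_accepts(counter: int, received: Transfer, typed: Optional[str], bound: bool) -> bool:
    """Bank verifies the typed code against the transfer it actually received."""
    if typed is None:
        return False
    expected = derive_code(counter, received if bound else None)
    return hmac.compare_digest(expected, typed)


def man_in_the_browser(intended: Transfer, attacker_account: str, balance_cents: int) -> Transfer:
    """Model of the trojan in the comment: the user sees and confirms
    `intended` on screen; the bank receives this instead."""
    return Transfer(attacker_account, balance_cents)


def run_scenario(bound: bool, hijacked: bool = True) -> bool:
    """True if the bank executes the transfer it received."""
    counter = 42
    intended = Transfer("11112222333344445678", 1500)   # $15.00 to the aunt
    received = (man_in_the_browser(intended, "99998888777766660000", 1_234_567)
                if hijacked else intended)
    sms = bank_issue_challenge(counter, received, bound)   # computed over what the bank got
    typed = user_confirms(sms, intended)                   # checked against what the user meant
    return bank_accepts(counter, received, typed, bound)


if __name__ == "__main__":
    print("plain OTP, hijacked browser -> thief paid:", run_scenario(bound=False))
    print("bound OTP, hijacked browser -> thief paid:", run_scenario(bound=True))
    print("bound OTP, clean browser    -> aunt paid: ", run_scenario(bound=True, hijacked=False))
```

The point the model makes is where the check happens: with a plain OTP the only thing the user can verify is the screen the trojan controls, so the code validates the thief's transfer. With the bound code, the account digits and amount travel on a channel the trojan does not control, and a code the user would type for the aunt's transfer is not the code the bank expects for the thief's, even if the user ignored the digits.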