Court Rules Passwords+Secret Questions=Secure eBanking
An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."
One-time pads (Score:4, Insightful)
We've been using one-time pads in Finland for a long time, and they do the job.
What's the issue?
Re:One-time pads (Score:4, Insightful)
Well, here in the US we don't feel like spending money on security.
This has a name (Score:5, Insightful)
There's a name for this sort of security - "Wish it was two factor" [thedailywtf.com] security.
And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.
Re:One-time pads (Score:5, Insightful)
I think you have it the wrong way around. It's an exceptionally hard problem to have a highly secured end user network. It's an easy problem to have stronger authentication mechanisms.
One time pads are not new, or difficult. Two-channel authentication is not new, or difficult. These are not particularly expensive solutions to implement, and would cut down on fraud significantly.
So why do the banks resist the idea?
Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.
Calm down (Score:5, Insightful)
What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
Re:Calm down (Score:4, Insightful)
Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour.
Know of any US banks that offer SecureID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.
What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
I agree, I mean, it's not like banks want you to easily move money out of an account anyway.
Re:Calm down (Score:5, Insightful)
If your bank's security sucks, switch
Switch to another insecure bank? The problem is that this shitty security is industry standard.
And if you don't mind me asking... What was the name of your first childhood pet?
Re:One-time pads (Score:5, Insightful)
Now Security Theater, that's entertainment!
Re:One-time pads (Score:4, Insightful)
No, it couldn't, because the idea is that you enter the transaction details (amount and account number) into the little calculator thing.
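The two ideas raised in the thread, a token code bound to the transaction details (amount and destination account) and a customer-chosen list of pre-approved destination accounts, as an added example that is not from the thread or from any bank's product. It assumes HMAC-SHA256 with HOTP-style truncation and a constructed shared key; the point it demonstrates is that a code computed over the details the customer typed into the token will not verify if a compromised browser changes the amount or account in transit.

```python
import hmac
import hashlib
import struct

# Constructed demo key shared by the bank and the customer's token.
# A real token keeps this in tamper-resistant hardware; here it is just a constant.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def sign_transaction(key: bytes, counter: int, amount_cents: int, account: str) -> str:
    """Token side: derive an 8-digit code bound to counter, amount and account.

    The counter is incremented by the token for every code so that a captured
    code cannot be replayed for a later transaction with the same details.
    """
    msg = struct.pack(">QQ", counter, amount_cents) + account.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): pick a 31-bit word, mod 10^8.
    offset = digest[-1] & 0x0F
    word = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{word % 10**8:08d}"


def verify_transaction(key: bytes, counter: int, amount_cents: int, account: str,
                       code: str, allowed_accounts=None) -> bool:
    """Bank side: recompute the code over the transaction details it actually received.

    If the customer has registered an allowlist of destination accounts, any
    other destination is refused before the code is even checked.
    """
    if allowed_accounts is not None and account not in allowed_accounts:
        return False
    expected = sign_transaction(key, counter, amount_cents, account)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Customer signs a 250.00 transfer to account B; a compromised browser then
    tries to submit altered details with the same code."""
    allowlist = {"ACCT-A-0001", "ACCT-B-0002"}          # constructed pre-approved accounts
    code = sign_transaction(TOKEN_KEY, 7, 25000, "ACCT-B-0002")
    return {
        "genuine": verify_transaction(TOKEN_KEY, 7, 25000, "ACCT-B-0002", code, allowlist),
        "amount_changed": verify_transaction(TOKEN_KEY, 7, 2500000, "ACCT-B-0002", code, allowlist),
        "account_changed": verify_transaction(TOKEN_KEY, 7, 25000, "ACCT-X-9999", code, allowlist),
        "replayed_later": verify_transaction(TOKEN_KEY, 8, 25000, "ACCT-B-0002", code, allowlist),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the genuine submission is accepted; the altered amount, the unapproved destination and the replay with a stale counter are all rejected server-side, regardless of what the browser showed the customer.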