Forgot your password?
typodupeerror
Security The Courts IT

Court Rules Passwords+Secret Questions=Secure eBanking 284

Posted by samzenpus
from the nobody-knows-your-mother's-maiden-name dept.
An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."
This discussion has been archived. No new comments can be posted.

Court Rules Passwords+Secret Questions=Secure eBanking

Comments Filter:
  • One-time pads (Score:4, Insightful)

    by Anonymous Coward on Wednesday June 08, 2011 @08:49PM (#36382414)

    We've been using one-time pads in Finland for a long time, and they do the job.

    What's the issue?

  • Re:One-time pads (Score:4, Insightful)

    by Anonymous Coward on Wednesday June 08, 2011 @08:52PM (#36382430)

    well. Here in the US we don't feel like spending money on security.

  • This has a name (Score:5, Insightful)

    by IICV (652597) on Wednesday June 08, 2011 @08:53PM (#36382448)

    There's a name for this sort of security - "Wish it was two factor" [thedailywtf.com] security.

    And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.

  • Re:One-time pads (Score:5, Insightful)

    by ekhben (628371) on Wednesday June 08, 2011 @09:06PM (#36382538)

    I think you have it the wrong way around. It's an exceptionally hard problem to have a highly secured end user network. It's an easy problem to have stronger authentication mechanisms.

    One time pads are not new, or difficult. Two-channel authentication is not new, or difficult. These are not particularly expensive solutions to implement, and would cut down on fraud significantly.

    So why do the banks resist the idea?

    Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.

  • Calm down (Score:5, Insightful)

    by Charliemopps (1157495) on Wednesday June 08, 2011 @09:31PM (#36382716)
    Seriously, everyone calm down. If your banks security sucks, switch. It's really easy. I switched banks on monday... it took me all of about an hour. Imagine if the judge had came down with a verdict like: True security is a 30+ character alpha-numeric password that is at least half capitals or special characters. The same password can never be reused. The user name must be a randomized 10 digit numeric sequence. Both user name and password can not be valid for longer than 30 days at which point both must be mail separately to the user on different dates. Users can not reset passwords without being in-person and present 2 forms of ID at a branch office. Lastly login periods can not last for more that 5min upon which the user must log in again.

    What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
  • Re:Calm down (Score:4, Insightful)

    by memyselfandeye (1849868) on Wednesday June 08, 2011 @09:54PM (#36382872)

    Seriously, everyone calm down. If your banks security sucks, switch. It's really easy. I switched banks on monday... it took me all of about an hour.

    Know of any US banks that offer SecureID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.

    What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

    I agree, I mean, it's not like banks want to you easily move money out of an account anyway.

  • Re:Calm down (Score:5, Insightful)

    by Rockoon (1252108) on Wednesday June 08, 2011 @10:10PM (#36382988)

    If your banks security sucks, switch

    Switch to another insecure bank? The problem is that this shitty security is industry standard.

    And if you don't mind me asking... What was the name of your first childhood pet?

  • Re:One-time pads (Score:5, Insightful)

    by pirho13 (2247512) on Wednesday June 08, 2011 @10:45PM (#36383250)
    As the previous poster said, we don't like spending money on Security.
    Now Security Theater, that's entertainment!
  • Re:One-time pads (Score:4, Insightful)

    by jonwil (467024) on Wednesday June 08, 2011 @11:22PM (#36383486)

    No it couldn't because the idea is that you enter the transaction details (amount and account number) into the little calculator thing.

It is the quality rather than the quantity that matters. - Lucius Annaeus Seneca (4 B.C. - A.D. 65)

Working...