I don't think the average user has a smart card reader at home. Everyone has accepted a very simple two-factor authentication system for bank usage for a long time. Factor 1 is possession of the card. This is relatively easy to forge. Factor 2 is the PIN. This is no stronger than a password. Most banks use smart cards for authenticating employees, with a password required to access the smart card. This is not practical (at least today) for home banking over the internet. Last I looked, the cost of the cards and the readers exceeded what would be reasonable for the bank to provide to all their customers. I don't think most home users understand enough about security to think the smart card system would be worth the price. The real negligence in this case is the software company that released a MUA that makes trojans so convenient to distribute. As someone else stated earlier in this thread... OUTLOOK: THe Exploding PINTO on the Information Superhighway. This is _SO_ true. Owen --On Sunday, July 27, 2003 10:03 +0200 Kandra Nygårds <kandra@foxette.net> wrote:
From: "Sean Donelan" <sean@donelan.com>
Unfortunately there are a lot, and growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
Banks use passwords for authentication? That's what scares me.
Personally, I find it terrifying that banks allow such weak authentication as a password for financial transactions. To the best of my knowledge, all banks around here use a smartcard based system. It might be a bit more inconvenient, but the added security makes it well worth it, in my opinion.
It may not be a breach of the bank's security as such, but the measures they take in order to protect their customers' money is in my opinion so low that, IMHO, they are the ones guilty of negligence.
-Kandra