On Sun Jul 27, 2003 at 01:25:24AM -0700, David Schwartz wrote:
> I don't think it would be that difficult to show that there are significant security flaws in the online banking system that the user is neither responsible for nor capable of correcting. You could get a dozen security experts to testify that a static password is not sufficient to protect a system that can perform unretrievable funds transfers. If that's all the bank's online scheme provides, this may negate the argument that the user's negligence was the sole/primary cause of the loss.
In the UK, I have 3 or 4 online accounts with different banks. My main bank asks for a 10 digit "customer number", my date of birth, and 3 characters at random from my password. By not asking for the whole password, this prevents simple replay style attacks. Asking for my DOB is not really additional protection - it's extremely easy to find (minus 5 points for anyone who can't find it out within 2 minutes of searching on the 'net).

Another bank asks me for 5 different bits of information, but always the same information every time. Whilst this would seem more secure, it doesn't prevent simple replay attacks.

Simon

--
Simon Lockhart       | Tel: +44 (0)1628 407720 (x37720)  | Si fractum
Technology Manager   | Fax: +44 (0)1628 407701 (x37701)  | non sit, noli
BBC Internet Services | Email: Simon.Lockhart@bbc.co.uk   | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
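As an added illustration of the "3 characters at random from my password" scheme Simon describes (example code written for this page, not the thread's or any bank's own implementation): a toy server that issues a positional challenge and checks only those characters, a client that answers it, a replay attempt with a captured answer, and the caveat a practitioner would want alongside the replay point, namely that every login an eavesdropper observes still reveals the characters at the challenged positions, so the attacker's ability to answer future challenges grows with each sniffed session. The password, the 0-based positions, the single-use challenge and the server holding the full password in the clear are all assumptions of the model, not facts about the banks in the thread.

```python
"""Added example (not from the thread above): a toy model of the
"3 characters at random from your password" login, showing why a captured
answer does not replay, and the caveat that every observed login still
leaks the characters at the challenged positions.

Assumptions (not stated by the banks or the thread): the server holds the
full password so it can check any positions, each challenge is single-use,
and positions are 0-based indices into the password."""

import hmac
import random
import secrets
from itertools import combinations
from math import comb


class PartialPasswordServer:
    """Issues a challenge naming n positions; accepts the characters found there."""

    def __init__(self, password: str, n: int = 3, rng=None):
        self._password = password
        self.n = n
        # Production would use secrets.SystemRandom(); an injected seeded
        # random.Random is only for a reproducible demonstration.
        self._rng = rng if rng is not None else secrets.SystemRandom()
        self._pending: dict[str, tuple[int, ...]] = {}

    def challenge(self) -> tuple[str, tuple[int, ...]]:
        sid = secrets.token_hex(8)
        pos = tuple(sorted(self._rng.sample(range(len(self._password)), self.n)))
        self._pending[sid] = pos
        return sid, pos

    def verify(self, sid: str, answer: str) -> bool:
        # pop(): a challenge can be answered once, so resubmitting a captured
        # answer against the same session fails even though it was correct
        pos = self._pending.pop(sid, None)
        if pos is None:
            return False
        expected = "".join(self._password[i] for i in pos)
        return hmac.compare_digest(expected.encode(), answer.encode())


def client_answer(password: str, pos: tuple[int, ...]) -> str:
    """What the legitimate user types: the characters at the requested positions."""
    return "".join(password[i] for i in pos)


def replay_attempt(server: PartialPasswordServer, captured_answer: str) -> bool:
    """Attacker who sniffed one login submits the same answer to a fresh challenge.

    Succeeds only if the new challenge happens to name the same positions."""
    sid, _pos = server.challenge()
    return server.verify(sid, captured_answer)


def accumulate_leak(observed: list[tuple[tuple[int, ...], str]]) -> dict[int, str]:
    """Characters an eavesdropper learns from a list of (positions, answer) pairs."""
    known: dict[int, str] = {}
    for pos, answer in observed:
        for i, ch in zip(pos, answer):
            known[i] = ch
    return known


def answerable_fraction(known: dict[int, str], length: int, n: int) -> float:
    """Fraction of all possible n-position challenges the eavesdropper can now answer."""
    total = comb(length, n)
    ok = sum(1 for c in combinations(range(length), n) if all(i in known for i in c))
    return ok / total


if __name__ == "__main__":
    pw = "correcthorse"  # constructed sample password, not a real credential
    server = PartialPasswordServer(pw, 3, rng=random.Random(2024))
    sid, pos = server.challenge()
    print("challenge positions", pos, "accepted:", server.verify(sid, client_answer(pw, pos)))
    captured = client_answer(pw, pos)
    print("replay of captured answer accepted:", replay_attempt(server, captured))
    transcript = []
    for _ in range(6):  # six sniffed logins
        _, p = server.challenge()
        transcript.append((p, client_answer(pw, p)))
    known = accumulate_leak(transcript)
    print(f"after 6 observed logins attacker knows {len(known)}/{len(pw)} characters,",
          f"can answer {answerable_fraction(known, len(pw), 3):.0%} of challenges")
```

The replay check passes for the reason Simon gives: the attacker's captured string is only valid for the positions it was captured against, and a fresh challenge almost always names different ones. The second half is the part the thread does not spell out: `accumulate_leak` and `answerable_fraction` quantify how quickly a passive eavesdropper on an unencrypted or otherwise observable session catches up, which is why the scheme is a replay mitigation rather than a substitute for a one-time credential.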