I wonder if this could just be solved by selling fraud insurance? It could be another ridiculous bank surcharge or service, but would negate the need for byzantine technology infrastructures to support it.
All that user end security devices do is put more non-repudiable onus on the user, so that when it fails, the service provider is protected, and the user is cryptographically guaranteed to be SOL. Biometrics are an excellent example of this. They are a single factor authentication technology, maybe two factor if there is a PIN, and when the database gets compromised, nobody will believe that the user isn't responsible, because "The System is Perfect".
Many security technologies are based upon the risk avoidance paradigm of government/military organizations, instead of the more practical risk management perspective of more nimble organizations. This is partially why a lot of technologies aren't getting adopted. They are Perfect, but a burden.
The solution that balances security and accessibility will be the one that incorporates an acceptable loss expectancy and enables the company to leverage the convenience of that risk. Building massive security structures does little to decrease the actual risk, they just push it out to the edges, that is, to customers.
The ubiquity of personal computers as general information appliances has made them more of an interface to the economy than the tools that we are used to using them as. Since these interfaces are as diversely designed as wallets (M$ turned our machines into wallets), we can either demand better wallet security devices, or we can mitigate risks to their contents through insurance.
--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
>>> "Christopher L. Morrow" <chris@UU.NET> 07/27/03 03:39pm >>>
On Sun, 27 Jul 2003, JC Dill wrote:
>
> At 07:21 AM 7/27/2003, David Lesher wrote:
>
> >Strip <http://www.zetetic.net/index.html> is your helper here.
>
> I have strip. Unfortunately, I don't always have my Palm at hand when I
> want to login to my bank, and I didn't have it at hand the *last* time,
> when I had to change the password, so the new password didn't get entered
> into strip. But that's beside the point, using strip on a pda (to help
> remember passwords) is a solution that only works for some people, in some
> circumstances. It would be much better to have a policy that just WORKED.
>
or a 10 dollar key fob that always had a code you could combine with your 'pin' for a password... why is a solution like RSA/ACE so difficult for people to accept on a wide scale?
After all, banks charge you for checks, why not for the FOB, and make you purchase the replacement when you lose it?
-Chris
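The "key fob code combined with your PIN" scheme Chris describes is, on the bank's side, a one-time-code verifier plus a knowledge factor. The following is an added illustration written for this page, not code from anyone in the thread and not RSA's ACE/SecurID algorithm: it uses the open HOTP/TOTP truncation from RFC 4226/6238 as a stand-in for a proprietary token, with a constructed demo seed, a constructed PIN (`4321`), a 30-second step and a one-step clock-skew window. Everything the user types is `PIN` followed by the six fob digits, and both factors must match.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values. A real deployment provisions a random per-fob seed
# at enrolment and stores the PIN only as a salted hash; this is illustrative.
DEMO_SECRET = b"constructed-demo-seed-0123456789"
DEMO_PIN_HASH = hashlib.sha256(b"4321").hexdigest()
TIME_STEP = 30   # seconds per code (RFC 6238 default)
DIGITS = 6       # digits shown on the fob


def token_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP truncation (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    take 4 bytes at the offset given by the low nibble of the last MAC byte,
    mask to 31 bits and reduce modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_code(secret: bytes, unix_time: int) -> str:
    """TOTP (RFC 6238): the HOTP counter is the number of elapsed time steps."""
    return token_code(secret, unix_time // TIME_STEP)


def verify_login(secret: bytes, pin_hash: str, submitted: str,
                 unix_time: int, skew_steps: int = 1) -> bool:
    """Check 'PIN + fob digits'. The fob code is accepted for the current time
    step plus or minus skew_steps, so a fob clock that has drifted slightly
    still works; the PIN must match exactly. Returns True only if both pass."""
    if len(submitted) <= DIGITS:
        return False                       # no room for a PIN in front of the code
    pin, code = submitted[:-DIGITS], submitted[-DIGITS:]
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), pin_hash)

    counter = unix_time // TIME_STEP
    code_ok = False
    for step in range(counter - skew_steps, counter + skew_steps + 1):
        # Evaluate every candidate step, never break early, so response time
        # does not reveal which (if any) step matched.
        code_ok |= hmac.compare_digest(token_code(secret, step), code)
    return pin_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    fob = totp_code(DEMO_SECRET, now)
    print("fob shows:", fob)
    print("PIN+code accepted:", verify_login(DEMO_SECRET, DEMO_PIN_HASH, "4321" + fob, now))
    print("wrong PIN rejected:", not verify_login(DEMO_SECRET, DEMO_PIN_HASH, "0000" + fob, now))
```

The skew window, attempt throttling and rejecting a code that was already accepted once (RFC 6238 recommends the verifier remember the last used step) are exactly the knobs where the risk-management trade-off Jamie describes is made: a wider window and no lockout are more convenient and carry a measurable, insurable extra exposure rather than an all-or-nothing guarantee.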