I wonder if this could just be solved by selling fraud insurance? It could be another ridiculous bank surcharge or service, but would negate the need for byzantine technology infrastructures to support it.

All that user end security devices do is put more non-repudiable onus on the user, so that when it fails, the service provider is protected, and the user is cryptographically guaranteed to be SOL. Biometrics are an excellent example of this. They are a single factor authentication technology, maybe two factor if there is a PIN, and when the database gets compromised, nobody will believe that the user isn't responsible, because "The System is Perfect".

Many security technologies are based upon the risk avoidance paradigm of government/military organizations, instead of the more practical risk management perspective of more nimble organizations. This is partially why a lot of technologies aren't getting adopted. They are Perfect, but a burden. The solution that balances security and accessibility will be the one that incorporates an acceptable loss expectancy and enables the company to leverage the convenience of that risk.

Building massive security structures does little to decrease the actual risk; they just push it out to the edges, that is, to customers. The ubiquity of personal computers as general information appliances has made them more of an interface to the economy than the tools that we are used to using them as. Since these interfaces are as diversely designed as wallets (M$ turned our machines into wallets), we can either demand better wallet security devices, or we can mitigate risks to their contents through insurance.

--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS 416 327 2324
>>> "Christopher L. Morrow" <chris@UU.NET> 07/27/03 03:39pm >>>

On Sun, 27 Jul 2003, JC Dill wrote:

At 07:21 AM 7/27/2003, David Lesher wrote:

Strip <http://www.zetetic.net/index.html> is your helper here.

I have strip. Unfortunately, I don't always have my Palm at hand when I want to login to my bank, and I didn't have it at hand the *last* time, when I had to change the password, so the new password didn't get entered into strip. But that's beside the point; using strip on a PDA (to help remember passwords) is a solution that only works for some people, in some circumstances. It would be much better to have a policy that just WORKED.

or a 10 dollar key fob that always had a code you could combine with your 'pin' for a password... why is a solution like RSA/ACE so difficult for people to accept on a wide scale? After all, banks charge you for checks, why not for the FOB, and make you purchase the replacement when you lose it?

-Chris
Thus spake "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>

All that user end security devices do is put more non-repudiable onus on the user, so that when it fails, the service provider is protected, and the user is cryptographically guaranteed to be SOL. ... and when the database gets compromised, nobody will believe that the user isn't responsible, because "The System is Perfect".
I hope this was in jest... All it will take is one expert witness to show the system is not perfect and there's hundreds of ways the bank (or even a smart criminal) could defraud the user.
Biometrics are an excellent example of this. They are a single factor authentication technology, maybe two factor if there is a PIN,
There are now techniques to copy latent fingerprints off surfaces and produce counterfeits that have been shown to fool _all_ commercially available fingerprint gear -- and it costs less than $2 per use. Biometrics is a failure because there is no shared secret; once a user submits to a test (either knowingly or not), the validator has all the information necessary to spoof that person _for the rest of their life_.

Stephen Sprunk        "God does not play dice."  --Albert Einstein
CCIE #3723            "God is an inveterate gambler, and He throws the
K5SSS                 dice at every possible opportunity." --Stephen Hawking
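Chris Morrow's fob-plus-PIN suggestion and Stephen Sprunk's point that a biometric has no shared secret are two sides of the same property. The following is an added example, not code from anyone in this thread: it assumes an RFC 6238 TOTP fob (HMAC-SHA1, 30-second step, 6 digits) in place of the unspecified RSA/ACE device, and the secret, PIN and timestamps are constructed values. It shows why a passcode captured from such a fob is worthless once its time step has been used, whereas a captured fingerprint template never expires.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # length of the fob code

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 4226/6238 code for the 30 s step containing unix_time.
    The fob and the server both hold `secret`; the counter moves, the secret does not."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

class FobVerifier:
    """Server side. Holds the shared secret and a hash of the user's PIN,
    tolerates one step of clock skew either way, and never accepts the
    same counter twice, so a sniffed passcode cannot be replayed."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.last_counter = -1   # highest counter already consumed

    def verify(self, passcode: str, unix_time: int) -> bool:
        # Passcode is the memorised PIN followed by the 6-digit fob code.
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(offered, self.pin_hash):
            return False   # something you know: wrong
        counter = unix_time // STEP
        for c in (counter - 1, counter, counter + 1):
            if c <= self.last_counter:
                continue   # already used: a replayed capture lands here
            if hmac.compare_digest(totp(self.secret, c * STEP), code):
                self.last_counter = c   # burn this step
                return True
        return False

# Constructed demo values: the RFC 6238 test secret and a made-up PIN.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "1234"
```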