Online Banking
Similar to the previous post regarding online commerce, every time you log into your bank you're conducting a single-factor authenticated transaction. Sure, Bank of America has "SiteKey", which asks you for additional knowledge-based credentials (Something You Know), but other than a clever image-oriented system that helps you avoid entering those credentials into a fake version of their website, this system, and systems like it, don't help protect you. They help prevent your credentials from being stolen, sure, but as we saw in the Dateline piece, those credentials are fairly easy to obtain or guess - and once obtained, you're in big trouble.
What's needed is a true 2-factor authentication system to validate your identity before you log into the bank website.
The Financial Services Technology Consortium issued recommendations on this subject, available at the following URL:
http://www.fstc.org/projects/docs/Recommendations_and_Requirements_for_BMA_v1.0.pdf
We wholeheartedly agree with this document, especially their statement that “no authentication system should rely solely on passwords or other knowledge-based queries or shared secrets. If a password should be compromised, it must not be feasible for an impostor to defeat authentication with just knowledge of a password and an associated claim—e.g., userid, account number, name, SSN.”

1 Comments:
What really outrages me is that people within the industry discourage the use of 2-factor authentication, merely based on the vulnerabilities of one technique.
Here is one such article:
http://www.channelregister.co.uk/2005/03/15/2-factor_auth_is_pants/
People muddy the waters of the technology concept by inadvertently linking it to the implementation, which could be faulty, in the case of OTPs (see comments in the other post for details on this).
What's really needed is an implementation that inherently avoids the vulnerabilities.