On-Line Banking Security

The friendliest place on the web for anyone with an RV or an interest in RVing!
If you have answers, please help by responding to the unanswered posts.

blueblood

Well-known member
Joined
Mar 16, 2005
Posts
1,082
We had a topic that got off on efficacy of SSL,etc. This is different but in same vein i.e.on line banking security. The Fed is worried about the vulnerability of on-line banking with particular focus on single layer access i.e. username/password and thus its openness to phising,etc.. They are in process or have completed a directive that is going to require banks to go deeper. Most banks are begrudgingly moving forward arguing that they need to be able to develop user-friendly solutions, etc. I thought I might talk about one that all ready exists at Bank of America On-Line.

BA has purchased and deployed a technology called SiteKey. One signs up for SiteKey  which includes picking an Image and providing answers to three questions. You are presented an Image at random during the sign up process but can pick any other one from a fairly wide selection. It just needs to be one you can remember/recognize each time you sign into BA On-Line. The three questions are similar i.e. you can pick from a selection of question in each of three categories and provide answers you will be able to remember if asked.

The sign on to BA On-Line is fairly painless. You are presented same opening screen as before i.e. the one that is vulnerable to phising. You enter your username as usual but not your passcode. Instead you click on the "use SiteKey to sign in" and it present a new screen that contains the image you selected when signing up for service. If its right, you enter passcode and proceed on as normal. If you have changed computers from the one you signed on to program or make an improper entry, you trigger the questions. Answer the question/s asked properly and you proceed normally. If you have changed computers and enter proper question, it will ask if you use this computer often as well and I assume a yes answer will add it as an approved alternate to your initial sign on one.
 

Ned

Moderator Emeritus
Joined
Feb 1, 2005
Posts
25,107
Location
USA
Here is Bruce Schneier's comments on the forthcoming two factor requirement for US banks: http://www.schneier.com/blog/archives/2005/10/us_regulators_r.html  Here is a link to the full document: http://www.ffiec.gov/pdf/authentication_guidance.pdf  Here's what Schneier has to say about it:

This won't help. It'll change the tactics of the criminals, but won't make them go away. I've written about that already (the short version is that two-factor authentication won't mitigate identity theft, because it's not an authentication problem -- it's a problem with fraudulent transactions), and also about what will solve the problem.

The biggest problem with on line security is that until the vendors (banks, credit card companies, etc.) are held liable for any fraud and not the customers, nothing really effective will happen.  Anyone interested in security should at least get Schneier's newsletter or read his blog.
 

blueblood

Well-known member
Joined
Mar 16, 2005
Posts
1,082
Ned said:
Here is Bruce Schneier's comments on the forthcoming two factor requirement for US banks: http://www.schneier.com/blog/archives/2005/10/us_regulators_r.html? Here is a link to the full document: http://www.ffiec.gov/pdf/authentication_guidance.pdf? Here's what Schneier has to say about it:

The biggest problem with on line security is that until the vendors (banks, credit card companies, etc.) are held liable for any fraud and not the customers, nothing really effective will happen.? Anyone interested in security should at least get Schneier's newsletter or read his blog.

I think it is very worthwhile to do both and since this is available to deploy it now.  Belts and suspenders is my motto.
 
Top Bottom