One-Time Pads To Protect Electronic Bank Access

dummkopf writes "CNN reports how Scandinavian banks issue one-time passwords to protect customers' accounts when these use the same password for other, i.e., more insecure email accounts. Having a bank account in the U.S. (with a trusted and well known Bank OF nAtional reach) I always wondered why the security was soooo poor: while it has changed slightly now (better usernames/passwords) it used to be the case that your username was your SSN and your password a number code (!). I am sure most of you will agree with me that this is scary... I live now in Switzerland where one-time passwords for online banking are a must and where my current bank is one of the 'crappy' ones with a little card with one-time passwords like mentioned in the CNN Story. The nicer ones even give you credit-card-size RSA password generator which is combined with a calculator you can keep in your pocket. Hence my question: are others also worried about poor security of online banking in the U.S.? Are there banks which are better than the ones mentioned above?"

It's cliche, but...

[RobertB-DC]

I know it's cliche, but I still get stuck in line behind people who don't understand the basics of the ATM machine interface. Inserting (or swiping) the card throws them off. Grocery store POS systems, never consistent between chains, present even more hurdles. I've seen "Pay at the Pump" customers drive off because they just don't understand the instructions.

You want to give these folks RSA dongles? They don't even see the security implications of putting their entire credit line on their keychain with not even a PIN for validation.

The two problems are simple: People here won't understand it, and they won't care.

Why this works in Europe is beyond me, but I'm sure there are plenty of cliche anti-American rants to help explain it.

Maybe I should be more concerned, but...

[steevo.com]

There really isn't a lot of damage that someone could do with my online banking account.

I can't transfer funds to an account that is not mine.

The information that is available online about me and my account is less than what is available on a check. I guess I should be more concerned about that, but I have no control of my checks once I have used them to pay for something.

My Debit card information is not available online.

About the best someone can do with my account is see my balance.

Stronger security isn't always better security

[raehl]

Stronger security should only be provided if the cost of implementing that security (money, time, convenience) is less than the costs of not implementing it.

From my perspective, if someone breaks into my account, it's a hassle, but not a huge deal: My account is insured, and I get my money back. I'd rather deal with the inconvenince of this happening once or twice in my lifetime than having to deal with carrying and using a password generator for my entire life.

From the bank's perspective, it is probably cheaper to lose some money to accounts being compramised than to implement better security across the board. That translates to lower costs (or better interest) for me the customer, which is also nice. I'm fairly confident this is true, because were it better (cheaper, more convenient) to have stronger security, my commercial bank (always wanting to make a buck) would be doing that instead.

Your house would be more secure if you had bullet-resistent windows, steel-reinforced cross-bar doors, one-time pad electronic access, and 24/7 security guards, but most people the find much "weaker" deadbolt/key combination to be the BETTER solution.

Re:Ultimate security

[ePhil_One]

I'm poor.

Funny as it sounds, just wait till someone get a hold of your identity, you'll be poor and deeply in debt. Scammers are very good and obtaining credit, it helps that they don't fear the repercussions of being unable to pay.

Being poor is no reason to not protect your identity. You'll just get more funny looks.

Re:Ultimate security

[Master+of+Transhuman]

If you're poor, how do you pay the debt?

Answer: You don't. You tell the idiots who accepted somebody else as you that they're shit out of luck getting any money out of you and they'd better start looking for the guy who took them to the cleaners.

Which they should have done in the first place.

Of course, it's a hassle TELLING all these people that...