Slashdot Mirror
Banks Begin To Use RSA Keys
jnguy writes "According to the New York Times (free bacon required), banks are begining to look into using RSA keys for security. AOL has already begun offering its customers RSA keys at a premium price. Is this the future of security, and is it secure enough? How long before everyone needs to carry around 5 different RSA keys just to perform daily task?"
I'll rather register then read through this unformatted text ;) thanks anyhow.
How long before everyone needs to carry around 5 different RSA keys just to perform daily task?
How long before everyone needs to carry around 5 different physical keys? Let's see... we have the house key, the car key, the shed key, the bike key, the gun case key, the baseball card key...
At first glance, the external token as described in the article sounds secure, but since the person only types it in once per login, phishing really isn't that much more difficult than before.
...
... sounds like that would blow #1 away, but not if the phisher then logs in via the victims machine.
Two ways off the top of my head a phisher can defeat this
1. Grab login data in real-time from an IRC channel, etc and race to login before the code changes - for extra measure, disable the user's connection for a little while - DoS, etc.
2. Proxy the request - that is don't try to steal the login data itself, but rather hijack their session and go to town.
Some may think, ok "check the person's ISP (IP range, etc) too"
In a nutshell, if the client machine can't be trusted, all bets all off!
Yes, tokens raise the bar, but I fear banks will use this more as an excuse to erode consumer protections for fruadulent transactions; Verify by VISA comes to mind.
Ron
How long before everyone needs to carry around 5 different RSA keys just to perform daily task?
It's not like a million keys are harder to carry around than one...
Therefore, why are customers expected to pay $10 for these? Certainly, banks will recoup the costs somehow (through higher fees in general), but isn't the net effect of this type of technology supposed to be a savings? Isn't it the bank's responsibility (and liability) to make sure their customers' accounts are secure (assuming a reasonable amount of due diligence by said customers)? Isn't the savings in reduced fraud and security breaches supposed to outweigh the cost of the security devices? If not, why does the technology exist?
It sounds great and all, but unless offered as a free service, I'll sit this one out.
no kidding.
"Therefore, why are customers expected to pay $10 for these? Certainly, banks will recoup the costs somehow (through higher fees in general)"
And this mystery group that will be paying the fees is?
If they *DONT* protect credit(/debit) card charges with this, its somewhat useless, since thats the simplest way for someone to suck the money out of someones account.
If they do require charges to a credit card to be authorized by the SecureID card, it not only protects against outright stealing, but also prevents a merchant from saving your CC# and automatically rebilling you without your permission unless you jump thru their hoops to 'cancel' somne service - their only recourse is to terminate the service, which is as it should be.
Breaking News! Sources have just confirmed that local schools contain all the machinery necessary for creating a password cracking super computer!
Seriously though.. How would Russia be any different? Or any other industrialized nation? Or, hell, the local high school? Frankly, anyone can build at least a small scale super computer these days, and it's not hard at all to crack the kinds of passwords we're talking about here. Most of it can be done using ready-made software and requires almost no technical knowledge.
Parent needs to take a chill pill and quit blaming China for America's problems.
All of which is irrelevant. If China (or any other country) wants to get hold of a few hundred PCs to build a clustered supercomputer it's just not that difficult to do. Cripes, if Iraq can get hold of nuclear tech how hard can it be to buy a few commodity computers (or even high-end processors) on the open market? Why is this even a question?
I mean, sure, China has openly ripped off numerous technologies from a number of countries to bootstrap their high-tech economy, but to say that our banking industry is in danger specifically from China because they can (holy CPU chip, Batman!) build a Beowulf cluster is sort of ridiculous. China is a significant threat to the Western world, for a variety of reasons, but I'd say banking fraud is probably not one of the biggest ones. I'd be more concerned about Russia or Nigeria.
The higher the technology, the sharper that two-edged sword.
"The reality is that the RSA key is a godsend for protecting your accounts. Many Americans are simply unaware of the fact that the Taiwanese have essentially given all the key computer technologies to mainland China. Beijing can now assemble a supercomputer based solely on the technology from Acer, a Taiwanese company with major investments in mainland China. This supercomputer can easily crack the passwords of many accounts at your bank, brokerage, etc.
The RSA will help to protect Western bank/brokerage accounts from Chinese theft. That the majority of stolen credit card numbers end up in the hands of Chinese gangs, aided and abetted by Beijing, in Southeast Asia should surprise no one."
Nice troll. The fact is that the Chinese, as well as *the rest of the world* have had access to computer technology equivilent to that which exists in the US for *years*. There's nothing new.
Moreover, you don't use a "supercomputer" to crack bank accounts. The fact is, you can't brute force the passwords on bank accounts unless you are able to steal the password hashes - and by then you've already broken the system.
Bank accounts are being stolen using phishing, not supercomputers.
I've always thought that what we really need is devices like this with an LCD display that tells you what, exactly, you are signing.
:)
For example, imagine paying for some goods with one of these devices vs. credit card or smart card...
Smart card: You must trust that the card reader will not choose to use your card to sign things you didn't agree to. The reader could, for example, overcharge you, and you would have no way to know that it did until you checked your monthly statement. (And, hey, by that time, do you even remember if that item was $59 or $69?) For that matter, the reader could very easily make the charge under a different name, making it difficult to determine who committed the fraud.
Credit card: In addition to the smart card caveats, you must trust that the entity reading your card will not distribute your credit card number to any entity whom you don't trust at any time in the future. For that matter, if you use the same credit card with multiple entities, you have no way of knowing which one leaked your number. How can you fight back? Who do you charge with fraud or neglegence? In most cases you just let them go and your credit card company covers the illegal charges, while the FBI spends massive amounts of resources in mostly fruitless efforts to track them down. Why do we use these things?
The device I described: The LCD screen displays the question "Authorize payment of $59 to Acme Co.? Yes/No". No charge can go through without your device approving it. You only need to trust that your device will ask you to confirm any charge. And you can trust it because the manufacturer knows that if it screws up, they'll get their pants sued off.
The only thing that could make it more secure would be to implant the device into your body so that people can't steal it. Though, it's probably better to just deal with having to revoke a cert once in awhile rather than have people cutting you open to get to your bank account.
First, the consumer pays for every needed cost by a business. That's a fact just like we all pay when a scammer steals someone's credit card or someone gets into an auto accident and all our fees(credit card or insurance) get raised a little. Do you think when you get reimbursed that it's free, that the business has FREE MONEY out there??!! That's crazy. If your bank is NOT losing money because of scammers because of increased security, they save money having to reimburse their customer and they save money not having to man customer support with irate calls from customers who are crying about an account hijack.
Therefore, why are customers expected to pay $10 for these? Certainly, banks will recoup the costs somehow (through higher fees in general), but isn't the net effect of this type of technology supposed to be a savings?
The bank can "bury" the fees & pretend to you that it's free, but you (I hope) and me know that's a load of BS. The customer pays no matter what. Any bank who says it's free is lying. We all pay one way or another.
Isn't it the bank's responsibility (and liability) to make sure their customers' accounts are secure (assuming a reasonable amount of due diligence by said customers)?
True, but the bank doesn't have direct control over every computer in the world who can easily keylog any of their customers and stick their password and username into their bank website. They give warnings, but when the THIRD WORLD has EASY ACCESS to every first world nation customer's account & law enforcement in those countries are corrupt, you expect the bank to still provide security in said countries??!! The bank's response would be: Don't do anymore banking online. Go directly to your bank where they can put a camera on you and talk to you and see your bank account pass book.
Isn't the savings in reduced fraud and security breaches supposed to outweigh the cost of the security devices? If not, why does the technology exist?
In the long run, the costs go down.
It sounds great and all, but unless offered as a free service, I'll sit this one out.
I don't mind if you sit it out and my cousin who works in the bank doesn't mind if you leave for another bank because you pay no matter what. Also, those BANKS with the BEST SECURITY REPUTATIONS WILL CONTINUE TO GAIN THE CUSTOMERS, especially the ones who understand there is a big problem with keeping 3rd world scammers & anonymous computer user scammers away from their accounts and WHO just want to BE COMFORTABLE DOING BUSINESS ONLINE.
* weedshare.com 50% to artists, webjay.org iuma.com CDBaby.com Epitonic.com ampcast.com