Slashdot Mirror

← Back to Stories (view on slashdot.org)

Court Rules Passwords+Secret Questions=Secure eBanking

Posted by samzenpus on from the nobody-knows-your-mother's-maiden-name dept.

An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."

9 of 284 comments (clear)

  1. One-time pads by Anonymous Coward · · Score: 4, Insightful

    We've been using one-time pads in Finland for a long time, and they do the job.

    What's the issue?

    1. Re:One-time pads by Anonymous Coward · · Score: 4, Insightful

      well. Here in the US we don't feel like spending money on security.

    2. Re:One-time pads by ekhben · · Score: 5, Insightful

      I think you have it the wrong way around. It's an exceptionally hard problem to have a highly secured end user network. It's an easy problem to have stronger authentication mechanisms.

      One time pads are not new, or difficult. Two-channel authentication is not new, or difficult. These are not particularly expensive solutions to implement, and would cut down on fraud significantly.

      So why do the banks resist the idea?

      Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.

    3. Re:One-time pads by pirho13 · · Score: 5, Insightful

      As the previous poster said, we don't like spending money on Security.
      Now Security Theater, that's entertainment!

    4. Re:One-time pads by jonwil · · Score: 3, Insightful

      No it couldn't because the idea is that you enter the transaction details (amount and account number) into the little calculator thing.

  2. This has a name by IICV · · Score: 4, Insightful

    There's a name for this sort of security - "Wish it was two factor" security.

    And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.

  3. Calm down by Charliemopps · · Score: 5, Insightful

    Seriously, everyone calm down. If your banks security sucks, switch. It's really easy. I switched banks on monday... it took me all of about an hour. Imagine if the judge had came down with a verdict like: True security is a 30+ character alpha-numeric password that is at least half capitals or special characters. The same password can never be reused. The user name must be a randomized 10 digit numeric sequence. Both user name and password can not be valid for longer than 30 days at which point both must be mail separately to the user on different dates. Users can not reset passwords without being in-person and present 2 forms of ID at a branch office. Lastly login periods can not last for more that 5min upon which the user must log in again.

    What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

    1. Re:Calm down by memyselfandeye · · Score: 3, Insightful

      Seriously, everyone calm down. If your banks security sucks, switch. It's really easy. I switched banks on monday... it took me all of about an hour.

      Know of any US banks that offer SecureID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.

      What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

      I agree, I mean, it's not like banks want to you easily move money out of an account anyway.

    2. Re:Calm down by Rockoon · · Score: 4, Insightful

      If your banks security sucks, switch

      Switch to another insecure bank? The problem is that this shitty security is industry standard.

      And if you don't mind me asking... What was the name of your first childhood pet?

      --
      "His name was James Damore."