Slashdot Mirror


Court Rules Passwords+Secret Questions=Secure eBanking

An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."

13 of 284 comments

  1. One-time pads by Anonymous Coward · · Score: 4, Insightful

    We've been using one-time pads in Finland for a long time, and they do the job.

    What's the issue?

    1. Re:One-time pads by Anonymous Coward · · Score: 4, Insightful

      Well, here in the US we don't feel like spending money on security.

    2. Re:One-time pads by ekhben · · Score: 5, Insightful

      I think you have it the wrong way around. It's an exceptionally hard problem to have a highly secured end user network. It's an easy problem to have stronger authentication mechanisms.

      One time pads are not new, or difficult. Two-channel authentication is not new, or difficult. These are not particularly expensive solutions to implement, and would cut down on fraud significantly.

      So why do the banks resist the idea?

      Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.
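      An added illustration (not code from the thread or from any bank) of the two-channel idea the poster describes: the confirmation code the customer types is computed by the bank over the exact transfer it received and is delivered out of band with those details, so a code issued for one transfer cannot authorize a transfer whose destination was swapped by browser malware, and it cannot be replayed. The HMAC construction, the 8-digit code format, and the `Transfer` fields are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """The details the bank will act on (constructed example fields)."""
    dest_account: str
    amount_cents: int


class TransactionSigner:
    """Bank-side issuer/verifier of transaction-bound one-time codes.

    Assumption: `shared_secret` is a per-customer key that never reaches
    the browser; the code itself reaches the user over a second channel.
    """

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._used_nonces = set()  # every nonce may authorize one transfer only

    def _code(self, nonce: str, transfer: Transfer) -> str:
        # Bind the code to nonce, destination and amount; change any one and
        # the code no longer verifies.
        msg = f"{nonce}|{transfer.dest_account}|{transfer.amount_cents}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

    def challenge(self, transfer: Transfer):
        """Pick a fresh nonce; the code is sent out of band together with
        the human-readable transfer details so the user can check them."""
        nonce = secrets.token_hex(8)
        return nonce, self._code(nonce, transfer)

    def verify(self, nonce: str, transfer: Transfer, entered_code: str) -> bool:
        """Accept only if the code matches this exact transfer and is unused."""
        if nonce in self._used_nonces:
            return False  # replay of an already-consumed code
        ok = hmac.compare_digest(self._code(nonce, transfer), entered_code)
        if ok:
            self._used_nonces.add(nonce)
        return ok
```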

    3. Re:One-time pads by MightyMartian · · Score: 4, Funny

      Maybe we can let the TSA take over computer security. You can have a couple of brawny perverts in front of every computer ready to cup your genitals before you go to pay some bills. Add in an X-ray machine to toast your testicles, and you're ready to go!

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

    4. Re:One-time pads by Snarky+McButtface · · Score: 5, Funny

      I can handle my own genitals when in front of a computer screen.

    5. Re:One-time pads by pirho13 · · Score: 5, Insightful

      As the previous poster said, we don't like spending money on Security.
      Now Security Theater, that's entertainment!

  2. This has a name by IICV · · Score: 4, Insightful

    There's a name for this sort of security - "Wish it was two factor" security.

    And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.

  3. Re:Secure = Secure Enough by FatAlb3rt · · Score: 4, Interesting

    Unless the questions are like my bank's:
    Who is your favorite Disney character?
    What is your favorite color?

    You stand a good chance to get the right answer for any given account if you go with Mickey / Minnie or red / blue. How is that really security?

  4. why not use some sort of authenticator? by snuf23 · · Score: 5, Interesting

    I find it odd that Blizzard offers more security for a World of Warcraft account than your average bank.

    --
    Sometimes my arms bend back.

  5. Calm down by Charliemopps · · Score: 5, Insightful

    Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour. Imagine if the judge had come down with a verdict like: True security is a 30+ character alphanumeric password that is at least half capitals or special characters. The same password can never be reused. The user name must be a randomized 10-digit numeric sequence. Both user name and password cannot be valid for longer than 30 days, at which point both must be mailed separately to the user on different dates. Users cannot reset passwords without being in person and presenting 2 forms of ID at a branch office. Lastly, login periods cannot last for more than 5 min, upon which the user must log in again.

    What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!

    1. Re:Calm down by Rockoon · · Score: 4, Insightful

      If your bank's security sucks, switch

      Switch to another insecure bank? The problem is that this shitty security is industry standard.

      And if you don't mind me asking... What was the name of your first childhood pet?

      --
      "His name was James Damore."

  6. Re:Secure = Secure Enough by definate · · Score: 4, Interesting

    I always answer those questions with a different password. This results in many people going, "LOL So your mother's maiden name is jks)*8h9*H*(BY?"

    This is when those are used for verbal authentication over the phone. Then on top of this, I just need some reasonable password management.

    All good!

    --
    This is my footer. There are many like it, but this one is mine.

  7. What are banks for? by taucross · · Score: 4, Interesting

    If banks can't protect our money, and aren't liable when it goes missing, then what are banks for?

    --
    "In the absence of the ability to establish the attribute of truth they tried to establish the noble attributes."