Comments on: Multi-factor Authentication for Online Banking: Security or Snake Oil?

By: Dannie

Dannie — Tue, 24 Jun 2008 01:38:31 +0000

you really have to be sure in every step you made, especially in giving your personal informations to others. this may led to identity fraud, where, they will take your identity and pretend that they are you. we must be aware.

By: Richard M. Conlan

Richard M. Conlan — Mon, 05 May 2008 21:42:52 +0000

It’s not “doom and gloom” to point out that a technology isn’t actually providing security, which is exactly the case with many deployments of two-factor auth. In some cases banks have admitted it hasn’t really affected fraud….but it makes customers more confident so is good for business anyways. What do you mean by “it worked for Paypal”? What does it mean to work? Did they release numbers of how it actually cut fraud? (If so, please provide link?)

Boy do I hope we avoid the “everybody uses biometrics” world….at least until they can figure out how to “replace” my voice, iris, or whathaveyou when the system is inevitably compromised.

By: Mark

Mark — Fri, 11 Apr 2008 05:24:16 +0000

It is my opinion that two factor authentication while imperfect (what technology isn’t) is the best type of security out there, especially for banks that deal in online banking. PayPal has implemented a type of TFA and has had success with it. Why must everyone paint doom and gloom for this technology? Once biometrics advance and become more affordable I think that this will be the type of security everyone uses, not just big business.

By: Karen

Karen — Fri, 14 Mar 2008 08:50:30 +0000

This is very true, fraud is increasing..
Let me share my experience of email phishing..

Sort of Email-Phishing

Phishing is one way of taking your identity..

By: Soren

Soren — Wed, 12 Mar 2008 22:41:42 +0000

I think that Two Factor Authentication is indeed enough though the technology does need to mature to a certain degree. As it does get better, expect to see security measures become increasingly difficult to crack. I agree to that while client side SSL is helpful, many don’t understand that process. I’d like to see those who create these systems focus more on bio metrics and things like vocal recognition etc.

By: Piscean Chap

Piscean Chap — Mon, 17 Dec 2007 06:09:16 +0000

Appreciate on good and concise information put in here by Rachna. Is it really that difficult to target the problem of MITM / Phishing / Pharming.

My 2 cents on it, Whatever it be, Challenge based Tokens, Hardware Tokens, scratch cards, biometric solutions, as long as the user enters something directly into the “Public Form”, without any derived modification/manipulation it is MITM’able.

In most of the popular deployed systems, there has been no concrete solution to this issue, despite all the claims.

If I have to list down the needs of the security system, to be able to prevent it from the Phishing, Pharming, MIMT, following needs to be addressed

The need is to protect what user enters into a Public Form from getting reused, if entered from anywhere else

If Fraudster captures the information submitted by user, he should not be able to use it in same form or any form.

The information submitted by user should not only be based on the challenge provided by server. To prevent any kind of relay scenarios

The need is to prevent user from entering something into public form that provides key to user identity.

OK, here is the shadow, and am turning around to face the light.

-Cheers,

By: Alessandro "jekil" Tanasi blog

Alessandro "jekil" Tanasi blog — Tue, 24 Jul 2007 11:30:39 +0000

Week’s Links…

Multi-factor Authentication for Online Banking: Security or Snake Oil?DCT, MPack developerThe Nduja Job: Into The World Of XSS WormsLessons Learned From the Deployment of a Smartphone-Based Access-Control SystemMeasuring Privacy Loss and the Impact of …

By: A Hopefully Final Word on EV « the declutterist

A Hopefully Final Word on EV « the declutterist — Tue, 24 Jul 2007 02:59:03 +0000

[...] Hopefully Final Word on EV July 24, 2007 Posted by Jeremy in Uncategorized. trackback Last week, I presented a paper at the Symposium on Usable Privacy and Security (SOUPS). During apanel discussion, the topic of EV certificates came up. I shared a short version of my position. Afterwards, I got into a discussion with several people whose disagreement with my position led me to clarify a few things. I thought I would share them. [...]

By: schlumamol

schlumamol — Fri, 20 Jul 2007 21:06:44 +0000

What we need a is mutual authentication solution that validates that our users are indeed at the correct sites… and not some bogus ones…

think there may be some solutions out there that can solve the MITM and the fistful of devices effect..

Check out what this company called Gemalto has been pushing recently….

Check out what this company called Gemalto is pushing…

Found a video on you tube http://www.youtube.com/watch?v=cA8QZ7DvIts

Found an older post on Slashdot that was describing the process…. http://www.engadget.com/2007/02/01/gemalto-intros-usb-smart-card-to-curb-phishing/

I sent an email to nim@gemalto.com and someone contacted me…

We are in Pilot right now and looks like this solution is going to make the lives of our users so easy!!
The onus of recognizing if you are at the correct site is done by the simple device securely.. each time every time!

The acceptance from our users has been fantastic.

By: Jeremy Clark

Jeremy Clark — Fri, 20 Jul 2007 15:29:50 +0000

I made a comment on the economics of EV certificates that may not have been as articulate as I would have liked it. I do have a short essay on the topic here:

http://declutterist.wordpress.com/2007/06/02/the-game-theory-of-phishing/

By: zeveck

zeveck — Thu, 19 Jul 2007 21:09:20 +0000

Wow. A whole lot of the above didn’t really get discussed. I think there were waaaay too many tactics for the time alloted. This would have been rather interesting as a multi-part discussion, or perhaps being given it’s own day, but as presented it felt like a breeze-by overview just brushing on each issue. =( The only clear thing to come out of the discussion, from my point of view, is that EV certs are a waste of time.