[LINK] Requirements for net banking

Craig Sanders cas at taz.net.au
Fri Mar 18 11:41:16 EST 2005


On Fri, Mar 18, 2005 at 10:55:03AM +1100, Stilgherrian wrote:
> On 18/3/05 10:35 AM, "Craig Sanders" <cas at taz.net.au> wrote:
> > this still requires that the end-user either not notice or ignore
> > the browser whinging about an unknown certificate or CA.
>
> ... and ...
>
> > the user would have to ignore the scary looking dialog boxes and
> > decide to trust the connection anyway.
>
> My experience is that when "the average user" is confronted with a
> dialog they don't understand, they'll simply hit "OK" to make it go
> away.

true enough, but irrelevant. no security scheme is idiot-proof. nothing
in the universe is idiot-proof - and trying too hard to cater for idiots
just provides evolutionary pressure to produce "better" (as in "more
incapable" or "more useless" or just plain "stupider") idiots.

if the end-user stupidly chooses to ignore security warnings, then there
is *NOTHING* that can be done.

if a car gets stolen because the owner leaves it unlocked with the keys
in the ignition, whose fault is that? is it the car manufacturer's fault
because they used an access control method (i.e. keys) that allowed the
user to be stupid? or is it the user's fault for being stupid?

the police and any insurance company would say it was the owner's
fault (and, IIRC, it's actually illegal in most states of Australia to
leave a car unlocked or with the window open and unattended on public
property). and anyone reasonable would agree with them.

most aspects of banking security are the direct and undeniable
responsibility of the banks ... but some are the direct and undeniable
responsibility of the user. this is unavoidable. some things just
cannot be delegated or trusted to someone else.

> I suspect that very few users will know what a "certificate" is,
> let alone be able to translate an error message about "unknown CA"
> into "you are being attacked". So the lack of a valid SSL encryption
> certificate won't make a difference in 90%+ of cases.

learning one simple procedural rule is easy enough even for stupid
people: "if there is any warning at all, or any strange occurrence, then
STOP what you are doing RIGHT NOW. DO NOT PROCEED. DO NOT LOG IN. GET
ADVICE FROM SOMEONE WHO KNOWS WHAT THEY ARE DOING".

i.e. they can be taught at least a minimal level of appropriate computer
security paranoia.

craig

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)