[LINK] A security question
Roger Clarke
Roger.Clarke at xamax.com.au
Thu Dec 19 11:25:25 AEDT 2013
At 11:06 +1100 19/12/13, Jim Birch wrote:
>From the behaviour of banks we might infer:
>(1) Multifactor identification is too hard for a proportion of their
>customers
>(2) The actual level of successful hacking is passably low
I think that factor needs re-phrasing, e.g.:
(2) The level of successful hacking that costs banks serious money
or material reputational harm is sufficiently low.
Costs can arise from:
- refunds that can't be charged on to someone else - seldom?
- handling complaints
Reputational harm can arise from:
- customers churning away from that particular bank faster than they
churn inbound
- a media stink that is sustained over 2-4 years, and becomes
serious enough for regulators to start asking awkward questions
>(3) So, it is simpler to run suspicious activity monitors and guarantee
>accounts
_______________________________________________________________________
>On 19 December 2013 10:23, David Lochrin <dlochrin at d2.net.au> wrote:
>
>> On 2013-12-18 15:23 Dr Bob wrote:
>>
>> > As I said in my original email, ING and CitiBank required the use of a
>> token and each have provided an RSA fob.
>>
>> Sorry for the spam then - I should have read your email more closely
>> before responding!
>>
>> > As an aside, ING and Citibank have provided me with an RSA fob to verify
>> who I am in certain transactions. I wonder as well if having a fob to
>> generate a one time password is more secure (not ignoring the fact that RSA
>> got hacked some time ago).
>>
>> Westpac will also provide an RSA SecurID fob for authorisation of
>> withdrawals over a certain user-defined amount, though I think I had to
>> request one. The RSA attack was over two years ago I believe and involved
>> theft of the database which maps each fob serial-number to its seed, so any
>> SecurID device manufactured since shortly afterwards should be reasonably
>> safe.
>>
>>
>> > Thanks for your email though. Also thanks for everyone else who have
>> made suggestions. I am looking at Tails and that seems an interesting
>> option but nothing is really secure I guess. I just have to keep a wary eye
>> on the accounts.
>>
>> I have never had any hack into my Internet banking in the 16-odd years
>> I've had accounts (touch wood...) however I moved away from Windows many
>> years ago and I wouldn't have an account without something-you-have access
>> control. If you feel able to speak about it I'd be interested to know if,
>> and how willingly, the bank involved made up the amount of the theft? I
>> haven't seen any recent statistics on such crimes, but I'm amazed that the
>> level of theft hasn't made Internet banking very much more expensive.
>>
>> David L.
>> _______________________________________________
>> Link mailing list
>> Link at mailman.anu.edu.au
>> http://mailman.anu.edu.au/mailman/listinfo/link
>>
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916 http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University