[LINK] A security question

Roger Clarke Roger.Clarke at xamax.com.au
Thu Dec 19 11:25:25 AEDT 2013


At 11:06 +1100 19/12/13, Jim Birch wrote:
>From the behaviour of banks we might infer:
>(1) Multifactor identification is too hard for a proportion of their
>customers
>(2) The actual level of successful hacking is passably low

I think that factor needs re-phrasing, e.g.:

  (2) The level of successful hacking that costs banks serious money 
or material reputational harm is sufficiently low.

Costs can arise from:
-   refunds that can't be charged on to someone else - seldom?
-   handling complaints

Reputational harm can arise from:
-   customers churning away from that particular bank faster than they
     churn inbound
-   a media stink that is sustained over 2-4 years, and becomes
     serious enough for regulators to start asking awkward questions

>(3) So, it is simpler to run suspicious activity monitors and guarantee
>accounts

_______________________________________________________________________

>On 19 December 2013 10:23, David Lochrin <dlochrin at d2.net.au> wrote:
>
>>  On 2013-12-18 15:23 Dr Bob wrote:
>>
>>  > As I said in my original email, ING and CitiBank required the use of a
>>  token and each have provided an RSA fob.
>>
>>  Sorry for the spam then - I should have read your email more closely
>>  before responding!
>>
>>  > As an aside, ING and Citibank have provided me with an RSA fob to verify
>>  who I am in certain transactions. I wonder as well if having a fob to
>>  generate a one time password is more secure (not ignoring the fact that RSA
>>  got hacked some time ago).
>>
>>  Westpac will also provide an RSA SecurID fob for authorisation of
>>  withdrawals over a certain user-defined amount, though I think I had to
>>  request one.  The RSA attack was over two years ago I believe and involved
>>  theft of the database which maps each fob serial-number to its seed, so any
>>  SecurID device manufactured since shortly afterwards should be reasonably
>>  safe.
>>
>>
>>  > Thanks for your email though. Also thanks to everyone else who has
>>  made suggestions. I am looking at Tails and that seems an interesting
>>  option but nothing is really secure I guess. I just have to keep a wary eye
>>  on the accounts.
>>
>>  I have never had any hack into my Internet banking in the 16-odd years
>>  I've had accounts (touch wood...) however I moved away from Windows many
>>  years ago and I wouldn't have an account without something-you-have access
>>  control.  If you feel able to speak about it I'd be interested to know if,
>>  and how willingly, the bank involved made up the amount of the theft?  I
>>  haven't seen any recent statistics on such crimes, but I'm amazed that the
>>  level of theft hasn't made Internet banking very much more expensive.
>>
>>  David L.

-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
