BreachExchange mailing list archives
Re: a recurring theme...
From: security curmudgeon <jericho () attrition org>
Date: Thu, 16 Feb 2006 04:31:30 -0500 (EST)

: Why are invariant passwords to money [i.e. credit card numbers, which
: themselves are only "unpredictable" within the last 5 digits or so]
: being issued with expected *5-year* lifetimes? Why is the financial
: industry still relying on crap like the last 4 of the SSN as a default
: "verifier" of identity? Why the hell don't we have a workable
: one-time-per-transaction authorization scheme in common use, so this
: idiocy with stored plaintext card numbers just ceases to be a problem?

On this specific topic:

http://www.csoonline.com/read/020106/second_thoughts.html

Second Thoughts on Second Factors

Seven ways in which a new strong-authentication standard isn't quite what it appears to be

By Scott Berinato

Last October, a relatively obscure government body called the Federal Financial Institutions Examination Council, or FFIEC, issued what it called guidance but which looks much like a mandate. Starting in January 2007, financial institutions must provide consumers of online financial services with the same security protection enjoyed by customers buying groceries or gas with a debit card: strong authentication. Strong means two or more types of identity verification in return for access. At the grocery store or gas station, those two factors are usually a piece of plastic and a passcode. Online banking, on the other hand, still primarily works with "weak" single-factor authentication: a password.

[..]

_______________________________________________
Dataloss mailing list
Dataloss () attrition org
https://attrition.org/mailman/listinfo/dataloss