nanog mailing list archives
FW: User negligence?
From: "Genzoli, William" <William.Genzoli () McKesson com>
Date: Wed, 30 Jul 2003 11:58:14 -0700
Which goes back to the root of the *real* problem here. Banks are mainly concerned with physical security. Internet security has always been handled as more of an afterthought and mainly for reasons of due diligence. The real problem is the banks have a known security flaw with a simple password login for account access. That, as has been discussed here, is a significant flaw in the overall design of what should be a secure system and access method.

The underlying issue here is that the bank, who should be the subject matter expert, clearly is not. They offer one way, and one way only to access, arguably, our most sacred information. Furthermore, they offer very little, if any, training to their clients, the end-user. A quick thirty second blurb is not due diligence for an organization that values its customers.

The bottom line is if they offered a SecureID sort of setup, or any other of a number of methods out there that *would* circumvent a key logger or similar hack, the customer would more times than not, comply. Even at the customer's expense. Customers may not be technically savvy overall, but they value their own money above even the bank. If it's explained that the added cost/benefit is there, and is a real, tangible issue, a ten or twenty dollar nominal fee is just that, nominal. Until banks realize this, they are undoubtedly and unequivocally at fault.

Bill G.

-----Original Message-----
From: Peter Galbavy [mailto:peter.galbavy () knowtion net]
Sent: Monday, July 28, 2003 3:13 AM
To: ken emery; North American Noise and Off-topic Gripes
Subject: Re: User negligence?

ken emery wrote:
I'm not sure what needs to be done, but the security as now implemented is not even close to enough IMHO. Networkwise (to bring this back on topic) I'm not sure there is really much that can be done.
Don't forget the desperate need for user *and* staff education. I have now multiple times got calls from my bank asking to discuss my account. Could I just verify my details? they asked. Er, you first, I said. They didn't get it. They didn't understand why, as someone who is lightly paranoid and understands more about security than they do, I was concerned that they couldn't prove they were from the bank...

Peter