nanog mailing list archives
Re: OT: Re: User negligence?
From: Simon Lockhart <simonl () rd bbc co uk>
Date: Sun, 27 Jul 2003 10:24:39 +0100
On Sun Jul 27, 2003 at 01:25:24AM -0700, David Schwartz wrote:
> I don't think it would be that difficult to show that there are significant security flaws in the online banking system that the user is neither responsible for nor capable of correcting. You could get a dozen security experts to testify that a static password is not sufficient to protect a system that can perform unretrievable funds transfers. If that's all the bank's online scheme provides, this may negate the argument that the user's negligence was the sole/primary cause of the loss.
In the UK, I have 3 or 4 online accounts with different banks. My main bank asks for a 10 digit "customer number", my date of birth, and 3 characters at random from my password. By not asking for the whole password, this prevents simple replay-style attacks. Asking for my DOB is not really additional protection - it's extremely easy to find (minus 5 points for anyone who can't find it out within 2 minutes of searching on the 'net).

Another bank asks me for 5 different bits of information, but always the same information every time. Whilst this would seem more secure, it doesn't prevent simple replay attacks.

Simon
--
Simon Lockhart        |   Tel: +44 (0)1628 407720 (x37720) | Si fractum
Technology Manager    |   Fax: +44 (0)1628 407701 (x37701) | non sit, noli
BBC Internet Services | Email: Simon.Lockhart () bbc co uk | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
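
The two login schemes compared in the message above can be put on one scale by asking how likely a fresh challenge is to be answerable from previously observed logins alone. This is an added example, not part of the original post; the 8-character password length and the function names are assumptions, and each login is modelled as one independent, uniformly random choice of positions.

```python
from fractions import Fraction
from math import comb


def known_positions_dist(n, m, k):
    """Distribution of how many distinct password positions have been
    exposed after k observed logins, each asking for m of n positions."""
    total = comb(n, m)
    dist = {0: Fraction(1)}
    for _ in range(k):
        nxt = {}
        for j, p in dist.items():
            # A challenge reveals `new` unseen positions and m - new seen ones.
            for new in range(min(m, n - j) + 1):
                old = m - new
                if old > j:
                    continue
                ways = comb(n - j, new) * comb(j, old)
                nxt[j + new] = nxt.get(j + new, 0) + p * Fraction(ways, total)
        dist = nxt
    return dist


def replay_success(n, m, k):
    """Probability that a fresh m-of-n challenge only asks for positions
    already exposed in k earlier observed logins."""
    total = comb(n, m)
    dist = known_positions_dist(n, m, k)
    return sum(p * Fraction(comb(j, m), total) for j, p in dist.items())


if __name__ == "__main__":
    N = 8  # assumed password length; the post does not give one
    print("observed logins | 3 random chars | same info every time")
    for k in range(0, 9):
        partial = replay_success(N, 3, k)
        # Always asking for the same information is the m == n case.
        static = replay_success(N, N, k)
        print(f"{k:15d} | {float(partial):14.3f} | {float(static):.3f}")
```

Under these assumptions a single observed login replays with certainty against the fixed-question scheme but only 1 time in 56 against the random-character scheme; the advantage shrinks as more logins are observed, so partial-password challenges slow replay down rather than eliminate it.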