nanog mailing list archives

Re: OT: Re: User negligence?


From: Simon Lockhart <simonl () rd bbc co uk>
Date: Sun, 27 Jul 2003 10:24:39 +0100


On Sun Jul 27, 2003 at 01:25:24AM -0700, David Schwartz wrote:
> I don't think it would be that difficult to show that there are significant
> security flaws in the online banking system that the user is neither
> responsible for nor capable of correcting. You could get a dozen security
> experts to testify that a static password is not sufficient to protect a
> system that can perform unretrievable funds transfers. If that's all the
> bank's online scheme provides, this may negate the argument that the user's
> negligence was the sole/primary cause of the loss.

In the UK, I have 3 or 4 online accounts with different banks.

My main bank asks for a 10-digit "customer number", my date of birth, and
3 characters at random from my password. By not asking for the whole
password, this prevents simple replay-style attacks. Asking for my DOB is
not really additional protection - it's extremely easy to find (minus 5 points
for anyone who can't find it out within 2 minutes of searching on the 'net).

Another bank asks me for 5 different bits of information, but always the
same information every time. Whilst this would seem more secure, it doesn't
prevent simple replay attacks.

Simon
-- 
Simon Lockhart         |   Tel: +44 (0)1628 407720 (x37720) | Si fractum 
Technology Manager     |   Fax: +44 (0)1628 407701 (x37701) | non sit, noli 
BBC Internet Services  | Email: Simon.Lockhart () bbc co uk    | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
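The two login schemes Simon contrasts, as an added illustration that is not part of the original post: a partial-password challenge in Python (the password, the three-character count and the function names are constructed assumptions), showing why a recorded response does not in general replay against a fresh challenge, and the caveat that each observed response still reveals part of the password.

```python
import random
from math import comb

# Constructed sample credential for the demo; not a real account or bank.
PASSWORD = "correcthorse"

def issue_challenge(password_len, k=3, rng=random):
    """Server side: pick k distinct 1-based character positions for this
    login attempt. rng is injectable so the behaviour can be tested."""
    return sorted(rng.sample(range(1, password_len + 1), k))

def answer_challenge(password, positions):
    """Client side: supply only the characters at the requested positions."""
    return "".join(password[p - 1] for p in positions)

def verify(password, positions, response):
    """Server side: compare the response with the characters it expected."""
    return response == answer_challenge(password, positions)

def replay_succeeds(password, captured_response, fresh_positions):
    """An observer who recorded one login submits the same response verbatim
    against a fresh challenge. With a fixed question set (the second bank)
    this always works; here it works only if the characters happen to match."""
    return verify(password, fresh_positions, captured_response)

def exact_replay_probability(password_len, k=3):
    """Chance that a fresh challenge repeats one previously observed
    position set, i.e. the chance a verbatim replay is guaranteed to work."""
    return 1 / comb(password_len, k)

def positions_learned(captures):
    """Caveat for the defender: every observed (positions, response) pair
    reveals those characters, so the scheme only delays, not prevents,
    reconstruction of the password by someone watching repeated logins."""
    known = {}
    for positions, response in captures:
        known.update(zip(positions, response))
    return known

if __name__ == "__main__":
    positions = issue_challenge(len(PASSWORD))
    response = answer_challenge(PASSWORD, positions)
    print("challenge", positions, "->", "ok" if verify(PASSWORD, positions, response) else "fail")
    print("exact replay chance per login: 1 in", comb(len(PASSWORD), 3))
```

Run with a longer password or a larger k to see how the replay probability and the per-observation leakage trade off against each other.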

