Re: Proposal to anti-phishing

[Jimi Thompson <jimi.thompson () gmail com>]

<SNIP>
> Zero-setup online banking will be possible again (with SSL client certs,
> hear me beat the drum once more) once enough clients have smart card
> readers as standard equipment, properly integrated with the operating
> system and the browsers.
>
> For an example, I look to the Dell Latitude D600, which comes with an
> integrated smart card reader. Maybe a good feature addition for the new
> LCD monitors would be a smart card reader slot, connected via USB. The
> more people use them, the more ubiquitous they will be, and the less
> "setup" will be required by new users/clients.
</SNIP>

Why not use something like the Rainbow Ikey that uses a USB connection
which virtually every computer has nowdays?  It too is an EPROM with a
PKI public/private key pair.  That way there's not extra hw to install
and you don't have to wait for the item to percolate through the
market place.  Remember betamax?  Consumer are used to carrying around
bar code tabs for their shopping/store club/discount/credit cards and
such on their key chains, why not that too?

The caveat is this - all authentication is based on one of 2 things -
something you have (token, thumb print, etc.)  or something you know
(PIN, password, etc.).  The "something you have" can be stolen.  Right
now, we have people going after the "something you know" by placing
devices on ATM machines to record information, identity theft on line,
phishing for id10ts, etc.  Now instead of realatively non-violent
(although highly annoying) crimes like phishing, we'll see an
escalation in muggings, purse snatchings, and the general category of
beating people up and taking their stuff.

As an aside, my big fear with biometrics is that some criminal groups
will start cutting off pertinent pieces of people in order to gain
access to accounts.  Before someone pipes up and says that it'll never
happen, I can tell you from personal eye-witness experience that there
are more than a few people on this planet who are perfectly willing to
cut off another person's hand or fingers to get their rings, watch,
bracelet, etc.  If they'll do it for some jewelry, which will hock at
the pawn shop for about $20, they'll definitely do it get into your
checking account.

One thing that I've not seen discussed here is non-repudiation.  
Non-repudiation was a major portion of the last PKI wg.  It's very
important in dealing with legal and money matters.  What do you when
my on line identity gets used and I say it wasn't me?  Just how good
is your system?  Will it stop me from buying a Lexus or transferring
all my money to the Cayman Islands and saying that I didn't?

While I agree with the "zero setup" stuff, it's probably not legal in
the USA.  We have laws that require you physically show identification
and few other things when opening a checking account.  There are more
laws that require the reporting of large sums of money.  This is to
prevent the laundering of drug money (for example) as well as other
illegal activites.    The federal laws are pretty minimal, but some
states have stricter laws about this.  Any bank that isn't doing
something to physically look at ID's is probably in voilation of
something.  I admit that these aren't well inforced but they should
be.


2 cents (as usual) 

-- 
Thanks,

Jimi