[Dataloss] a recurring theme...
security curmudgeon
jericho at attrition.org
Thu Feb 16 04:31:30 EST 2006
: Why are invariant passwords to money [i.e. credit card numbers, which
: themselves are only "unpredictable" within the last 5 digits or so]
: being issued with expected *5-year* lifetimes? Why is the financial
: industry still relying on crap like the last 4 of the SSN as a default
: "verifier" of identity? Why the hell don't we have a workable
: one-time-per-transaction authorization scheme in common use, so this
: idiocy with stored plaintext card numbers just ceases to be a problem?
On this specific topic:
http://www.csoonline.com/read/020106/second_thoughts.html
Second Thoughts on Second Factors
Seven ways in which a new strong-authentication standard isn't quite what
it appears to be
By Scott Berinato
Last October, a relatively obscure government body called the Federal
Financial Institutions Examination Council, or FFIEC, issued what it
called guidance but which looks much like a mandate. Starting in January
2007, financial institutions must provide consumers of online financial
services with the same security protection enjoyed by customers buying
groceries or gas with a debit card: strong authentication.
Strong means two or more types of identity verification in return for
access. At the grocery store or gas station, those two factors are usually
a piece of plastic and a passcode. Online banking, on the other hand,
still primarily works with "weak" single-factor authentication: a
password.
[..]
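As an added illustration of the "one-time-per-transaction authorization scheme" the quoted poster asks for (this is example code written for this page; it is not from the Dataloss post, from the CSO article, or from any real card network, and every name, field layout and sample transaction in it is an assumption): the cardholder's device and the issuer share a secret, and each transaction is approved by a short code computed over that transaction's own amount, merchant and a monotonic counter. A card number copied out of a merchant database, or a code captured in transit and replayed, then authorizes nothing on its own.

```python
"""
Per-transaction authorization code (illustrative, not any real scheme).

Cardholder side: derive_auth_code() computes an HMAC-SHA256 over
(counter, amount, merchant) with a per-card secret and truncates it to
decimal digits (truncation borrowed from RFC 4226's dynamic truncation).
Issuer side: Issuer.authorize() recomputes the code, compares it in
constant time, and refuses any counter that does not move forward, so a
replayed or stale code is rejected and a tampered amount fails the MAC.
"""
import hashlib
import hmac
import secrets
import struct

CODE_DIGITS = 8  # assumed code length


def derive_auth_code(secret: bytes, counter: int, amount_cents: int,
                     merchant_id: str) -> str:
    """Return the authorization code the cardholder's device would show."""
    # Fixed-width fields so (counter, amount) cannot be re-split ambiguously.
    msg = struct.pack(">QQ", counter, amount_cents) + merchant_id.encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code_int = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code_int % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


class Issuer:
    """Holds per-card secrets and the last accepted counter per card."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._last_counter: dict[str, int] = {}

    def enrol(self, card_id: str) -> bytes:
        """Provision a card; the secret never leaves the device/issuer pair."""
        secret = secrets.token_bytes(32)
        self._secrets[card_id] = secret
        self._last_counter[card_id] = 0
        return secret

    def authorize(self, card_id: str, counter: int, amount_cents: int,
                  merchant_id: str, code: str) -> bool:
        """Approve one transaction; returns False for unknown card, replay,
        stale counter, wrong amount/merchant, or wrong code."""
        secret = self._secrets.get(card_id)
        if secret is None:
            return False
        if counter <= self._last_counter[card_id]:
            return False  # replayed or out-of-order counter
        expected = derive_auth_code(secret, counter, amount_cents, merchant_id)
        if not hmac.compare_digest(expected, code):
            return False  # amount/merchant changed, or code forged
        self._last_counter[card_id] = counter  # consume the counter
        return True


def demo() -> dict:
    """Constructed sample transactions; returns the authorization outcomes."""
    issuer = Issuer()
    device_secret = issuer.enrol("card-0001")  # assumed card identifier
    # First purchase: $19.99 at an assumed merchant.
    code1 = derive_auth_code(device_secret, 1, 1999, "GROCER-42")
    first = issuer.authorize("card-0001", 1, 1999, "GROCER-42", code1)
    # Attacker replays the captured code for the same transaction.
    replay = issuer.authorize("card-0001", 1, 1999, "GROCER-42", code1)
    # Attacker reuses a fresh code but inflates the amount.
    code2 = derive_auth_code(device_secret, 2, 1999, "GROCER-42")
    tampered = issuer.authorize("card-0001", 2, 199900, "GROCER-42", code2)
    # The genuine second purchase still goes through.
    second = issuer.authorize("card-0001", 2, 1999, "GROCER-42", code2)
    return {"first": first, "replay": replay, "tampered": tampered,
            "second": second}


if __name__ == "__main__":
    print(demo())
```

The counter is what makes the code one-time: the issuer stores only the last accepted value per card, so there is no window in which a captured code can be spent twice, and binding the amount and merchant into the MAC is what keeps a stored card number from being a reusable "password to money".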