Two-factor authentication has been around and, more importantly, practical for a decade. Unfortunately, the technology has largely been shunned by consumers. I remember when AOL provided its subscribers an option to use the RSA SecurID card for authentication purposes. It was a very short-lived option, as few people chose to take advantage of it. Now we have consumers suing a company for not providing an incredibly effective security tool that was widely rejected by consumers.
The essence of the case is that in February 2007, a criminal somehow gained access to the couple's username and password, logged into the couple's account at Citizens Financial Bank, and then transferred $26,500 out of a home equity account. The couple did not notice the illicit activity for 10 days, and they were not allowed to cancel the check. Since this involves a home equity line of credit, it is not subject to normal consumer protections that require the bank to refund losses due to fraudulent activities. The bank refused to do anything for the couple, and claims the couple is now responsible for paying off the $26,500 "loan."
The couple's attorney claims that in 2005, the Federal Financial Institutions Examination Council (FFIEC) released a document basically stating that relying solely on passwords is inadequate and recommended banks move to two-factor authentication. Since the bank failed to implement the recommendation over the period of time in question, the judge concluded that Citizens could have breached its duty to protect account holders.
Chances are that this case will settle before it goes to trial. Similar cases, involving much more money, have previously settled, but they are never made public. However, they bring up very interesting issues that need to be discussed and understood.
First, you need to consider how the criminal got the username and password in question. Did the couple fail to properly protect their home computer by not installing updates or running up-to-date anti-malware? Did the couple respond to a phishing email? It is also possible that the bank was compromised in some way, but that is significantly less likely.
I am sure that Citizens will make the above arguments should the case go that far. However, two-factor authentication has been used by banks for more than 15 years. It is well established that after the Vladimir Levin attacks on Citibank, which I worked on, Citibank issued DES Gold cards to its largest consumer-account holders. It is absurd that, as attacks and intrusions have become so widespread, two-factor authentication has still not become standard more than a decade later.
I have come to the conclusion that whether or not the couple in question did anything wrong is almost irrelevant. The attacks have become so common that banks need to step up and take action to reduce the crimes. Two-factor authentication costs $30 per user or less, and I am sure that volume discounts will bring prices down significantly. This is a drop in the bucket compared to the cost of the crimes we currently experience. In the current case, Citizens is not only passing on the cost of the crime, it is trying to profit from it by charging interest on the money.
At this point, users have to accept two-factor authentication if they want to take advantage of online banking, because banks should require it. Luckily, the current case is raising the possibility that banks can be considered negligent for not providing and requiring two-factor authentication. Whatever happens in the current case, we need to make sure that this doesn't happen again.
— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us
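The scenario in the post, a criminal who already holds the username and password, is exactly what a time-based token defeats. The following Go example is added here and is not the author's code: it models a bank login that requires a one-time code derived from a token secret in the RFC 4226 / RFC 6238 style, with a replay guard, so that the stolen password alone, or a code captured earlier, no longer opens the account. The Account type, the OneTimeCode function and the 30-second step are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Account is a bank login record: the static password plus the per-user secret
// that lives inside a hardware token. All values here are constructed for the example.
type Account struct {
	Password    string
	TokenSecret []byte
	lastStep    int64 // highest time step already accepted: the replay guard
}

// OneTimeCode derives a 6-digit code from the token secret and a 30-second time
// step: HMAC-SHA1 over the step, dynamically truncated as in RFC 4226 / RFC 6238.
func OneTimeCode(secret []byte, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Login requires both factors. The code must match the current or previous step
// (clock skew), and each step is accepted once, so a captured code cannot be replayed.
// Real systems compare the password against a stored hash; the constant-time compare
// stands in for that here.
func (a *Account) Login(password, code string, now int64) bool {
	if !hmac.Equal([]byte(password), []byte(a.Password)) {
		return false
	}
	step := now / 30
	for _, s := range []int64{step, step - 1} {
		if s > a.lastStep && hmac.Equal([]byte(OneTimeCode(a.TokenSecret, s)), []byte(code)) {
			a.lastStep = s
			return true
		}
	}
	return false
}
```

With the RFC 4226 test secret, step 0 yields 755224 and step 1 yields 287082, which is how the truncation can be checked against the published vectors.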
Not going into the Windows vs. Other security frick & frack, but RE: "Scary old systems" (not a mainframe guy, wasn't referencing those at all) --- referring to some DOS systems, OS/2, Windows 3.1, Windows 9x..., yes, laughably insecure back then. But then add in the lax workplace/security conditions in using those systems back then. Add in using the old "out of date" systems instead of newer, more secure ones (NT/Win2K at the time) to save the almighty $$$$. Then, on top of that, using some of them unpatched, out in the open (hey, wanna get into my Windows 9x system? Just hit the Esc key!), behind unlocked doors, w/ APPS that were also old & buggy was my point. Banks are notoriously cheap. One bank even wanted US (our consulting firm) to supply newer OS software TO them for free! Ha ha. Sure...idiot$.
Interesting for sure. We have smart keys at work to interface with our bank, and some of our biggest suppliers require key users to use them to interface with them. I think the time will come that any computer user interfacing with a bank will use this. And as you note, the cost would be minimal for the banks. Heck, take it out of some of the ridiculous fees they charge us :-)
One, two, or three factor: what does it mean? Let's say I created an ID for Bill Gates, or in fact may actually be named Bill Gates. Should a bank cash my check?
What I think is lacking is strong proof that the person who applies for two- or three-factor ID is the person he purports to be.
What might be interesting is if the root of trust of an ID merged back to a person's social networks.
The O/S OEM should be responsible for establishing the Trust Model.
The Trust Model refers to Digital Certificates.
A Digital Certificate is used to authenticate a message. A message can be a software update.
When the OEM establishes the Trust Model for Software Updates, then the O/S will only allow trusted software updates to be applied.
A Trusted Software Update would be a software update delivered from the OEM, e.g. Microsoft,
or from a trusted partner, e.g. Adobe.
The OEM would sign the digital certificates for its trusted partners.
This way the O/S can recognize what software updates are acceptable; the user does not have that responsibility, nor can he: he/she does not have that expertise. Digital signatures are required to distinguish legitimate updates from malware; no other means will work, not even for expert techies. Because as we know: The Devil hath power to assume a pleasing form, i.e. counterfeits can be created that a person cannot distinguish from legitimate ones.
Certificates should be required for computers and systems participating in the Trust Model, and commercial business should not be permitted except over computers and systems participating in the Trust Model.
So education doesn't work. Users are gullible and unable to learn technology. And computers are unsafe. But people want to have one anyway. Let's start a revolution and let everyone blame everybody else for everything that goes wrong. Hire lawyers and sue the pockets off everyone who doesn't live up to your expectations. Every new PC comes with a lawyer's phone number. We'll call it:
Mike, you have to agree that the user bears some portion of responsibility to keep their PC free of viruses and malware, right?
As an analogy, let's use the automobile...
When one purchases a vehicle, one has a reasonable expectation that it will perform as advertised, but the manufacturer/seller of the vehicle may state limits of liability based on usage conditions, proper maintenance, etc.
One would not drive around for 10k miles w/o doing proper oil changes, tire maintenance, engine inspections, etc. and expect the performance to remain of high quality, would they?
If a user neglects the proper maintenance of their computer, they should have no expectation or claims pertaining to its proper functioning, period...
I don't know the solution for this, maybe we need to license people on Basic Computer Security prior to allowing the purchase of a Computing Device -- much like we license drivers.
Radical?? Maybe, but I don't think laying it all on IT's doorstep is the solution either...
Kurt: you (as well as many industry analysts) continue to take the position that the ordinary computer user needs to take responsibility for fighting malware.
That hasn't worked, and unless something changes there is no reason to expect that it will.
The ordinary customer has a right to expect that his computer will run clean, and the software industry has a responsibility to provide that; the ordinary user does not have the expertise for this.
Contrary to what a lot of pundits claim, the malware problem can be controlled; it just hasn't been, and the results of that have been bad.
Although on the bright side I like what I'm reading about Windows/7 thus far.
Brilliant post! I must say that it's a fascinating case, not so much for the technical details, which are not out of the ordinary, but rather because of the implications this could have both when it comes to educating consumers on the importance of computer security and when it comes to forcing banks, or anyone who has a business online, to avoid skimping on costs for making transactions online. As Ira very rightly points out, two-factor authentication costs barely anything for a large-scale enterprise, and banks can very nicely include this in the cost of doing business. I would rather have banks spending money here than doling out those multi-million dollar bonuses to board members every year.
But I digress. Security is a very important and significant part of IT, which unfortunately is still downplayed all across the enterprise.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.