It is in the nature of risk mitigation that one seeks a balance between the cost of the hazard and the cost of the mitigation. However, it is even better when you can reduce the cost of the hazard with a few dollars of good PR. Banks long ago realized that it was cheaper to blame other people for problematic systems and processes than to fix them. Back in the 80s, until the public and the courts became wise to it, ATM hacks would routinely result in accusations of mistake or fraud against the account holders. (Google some of Ross Anderson's writings or the comp.risks archives if you don't believe me.)
The more things change, the more they stay the same. My bank in the UK has for many years provided me with strong two-factor authentication for its online services (a PIN-pad SecurID token plus a further website username and password). However, this is certainly the exception to the rule, and most of my online accounts continue to operate on single-factor setups that are easily socially engineered around: by telephone, by no-factor public-records type questions, and so on. You know the sort of thing... where were you born, who was your mom, what's your social? And then there are the credit reporting agencies, who require no authentication at all before they will throw spurious negative reports into your files.
So what, you ask? Well, I recently came across a well-researched discussion of the issues and can recommend it to your attention...