Gary Nunn wrote:
This morning, I was trying to access a credit card webpage to check my
account; it didn't like my password. I was given two security challenge
questions:
1. What is the last name of your fifth grade teacher?
2. What was the license plate of your first car?
I'm reasonably sure that I had the correct name for the 5th grade teacher,
but I must be an incredible slacker because I didn't remember the license
plate number of my first vehicle - 25 years ago.

The real sad thing is that these Security Challenge questions that our
banks have gotten attached to are ultimately pretty useless. The banks
are faking security (and confusing consumers) because they are too cheap
to pay for the sorts of things that real security is made of.[*] As
someone else in this thread pointed out, more often than not these sorts
of questions are becoming the sorts of things that it would be _more_
secure to lock out those that can answer the questions correctly on the
first try...

In trying to stop identity theft the banks seem adamant to make real
customers frustrated and all the while are merely encouraging smarter
and more dangerous identity thieves.

[*] http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx

The funny thing is that the price of hardware tokens for real two-factor
authentication is getting cheaper every day. (I bought a consumer
hardware token for $40 that I can just pop into any USB port. Let's not
even talk about the dwindling bulk costs of these things.) Not to
mention that more and more people are *already* carrying hardware tokens
for work (many virtual networks now require RSA cryptographic hash fobs
or similar) or government needs (many European IDs now are smart cards
with a hardware token).
Just imagine if banks actually cared to invest in real security...
--
--Max Battcher--
http://worldmaker.net
Security through annoyance Maru