TriNetre - Archive for March 17, 2005

(no longer updated)



March 17, 2005
Incorrigible
[Security] @ 08:36 PM

Len Metheny, the chief executive officer of the company that created the admissions software for these schools -- ApplyYourself, Inc. -- told The Boston Globe that it was the first incident of its kind that the company had experienced.

"We still remain confident that it is a secure system," Metheny said.

Source (via IP). What more can I say!



Schneier on failure of two-factor authentication
[Security] @ 05:11 PM

Bruce Schneier concludes:

Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.

Now let us play a game: substitute "Two-factor authentication" with any other security technology or system and voila, the sentences still remain valid. That, unfortunately, is the state of security, and will be for a long time to come, if not forever.

If you read through the comments, there is one commenter, "piglet", whose view I agree with. He says that while two-factor authentication (tfa) is not a silver bullet, it, along with a couple of other tricks, could spoil the plans of the crooked intruder. One of the example threats mentioned in the comments is the Win32.grams trojan, which tried to move egold out of a user's egold account. Dubbed "pharming" (enough already, give these exploits a good name, not a weird one like phishing or pharming), these attacks are considered the tip of the iceberg in terms of what the coming years have in store for us.

But before we all throw in the towel and call in famous security consultants, let us see whether the existing technologies can do the trick. I am not sure what kind of technologies US banks use, but given the fact that Bruce Schneier says "only recently that they have gotten mass-market attention", I guess they haven't caught up with what people in Europe and even Asia are employing.

What if we used a system that uses two kinds of tfa? Every time you need to transfer money to an account that you have not transferred to before, you need to set up the account. This setup involves the first tfa method: a unique number sent to your registered email, by SMS to your mobile phone, or via phone banking. I know for a fact that most banks in Singapore support at least one of these methods. So, every time I need to set up a new account, I am asked to enter a number that was sent to me via email, SMS or phone banking. Along with the number, the system also sends the details of the account, so that I can make sure that the transaction I am about to allow is for the account I explicitly asked for and not a rogue number that some trojan substituted.

Now, once the account has been set up for transfer use, every transfer will have to be allowed using a second tfa method. It could be the same system as before (SMS, email, phone banking) or it could be the e-dentifier card.

Does that cover all bases?
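To make the two-step scheme above concrete, here is an added Python sketch of the server side. It is an illustration written for this page, not code from the original post or from any bank's system. The code that goes out by SMS or email is bound to the payee details for setup, and to the payee plus amount for each transfer, so a trojan that swaps the account number in the browser session fails even if the victim types the right code. The account numbers, the message wording and the five-minute code lifetime are constructed assumptions.

```python
"""Out-of-band confirmation codes bound to the transaction they approve.

Added example for this page (not from the original post). The server never
trusts the payee or amount that arrives with the confirmation code; it
re-checks them against the details it put into the SMS/email, so a code
issued for one payee cannot authorise a transfer to another.
"""
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300  # constructed assumption: a code lives for five minutes


def code_from_message(msg):
    """Pull the numeric code out of a message, as the user would read it off
    the phone screen (assumes the message formats used below)."""
    return msg.split("Code ")[1][:OTP_DIGITS]


class Bank:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # request id -> (code, kind, details, expiry)
        self._payees = set()     # accounts that completed the setup step
        self.ledger = []         # completed transfers as (payee, amount)

    def _issue(self, kind, details):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        req_id = secrets.token_hex(8)
        self._pending[req_id] = (code, kind, details, self._now() + OTP_TTL_SECONDS)
        return req_id, code

    def request_payee_setup(self, payee):
        """First tfa step from the post: the code goes out of band together
        with the payee details the user is about to approve."""
        req_id, code = self._issue("setup", payee)
        sms = f"Add payee {payee}? Code {code}. Ignore if you did not request this."
        return req_id, sms

    def confirm_payee_setup(self, req_id, payee, code):
        if not self._consume(req_id, "setup", payee, code):
            return False
        self._payees.add(payee)
        return True

    def request_transfer(self, payee, amount):
        """Second tfa step: every transfer is confirmed separately, and only
        to a payee that completed setup."""
        if payee not in self._payees:
            raise PermissionError("payee has not been set up")
        req_id, code = self._issue("transfer", (payee, amount))
        sms = f"Transfer {amount} to {payee}? Code {code}."
        return req_id, sms

    def confirm_transfer(self, req_id, payee, amount, code):
        if not self._consume(req_id, "transfer", (payee, amount), code):
            return False
        self.ledger.append((payee, amount))
        return True

    def _consume(self, req_id, kind, details, code):
        # Single use: the entry is removed on the first attempt, right or wrong,
        # so a code cannot be guessed by retrying.
        entry = self._pending.pop(req_id, None)
        if entry is None:
            return False
        expected_code, expected_kind, expected_details, expiry = entry
        if self._now() > expiry:
            return False
        # The binding check: what the browser submits must match what was sent
        # out of band. A swapped account number or amount fails here even when
        # the code itself is correct.
        if kind != expected_kind or details != expected_details:
            return False
        return hmac.compare_digest(code, expected_code)


if __name__ == "__main__":
    bank = Bank()
    rid, sms = bank.request_payee_setup("12-345-678")   # constructed account
    print("sent out of band:", sms)
    # A trojan rewrites the account number in the browser session:
    print("swapped payee accepted?", bank.confirm_payee_setup(rid, "99-999-999", code_from_message(sms)))
    rid, sms = bank.request_payee_setup("12-345-678")
    print("genuine payee accepted?", bank.confirm_payee_setup(rid, "12-345-678", code_from_message(sms)))
```

The point of the design is the second line of the out-of-band message: the user sees the payee (or payee and amount) the bank actually intends to act on, not what the browser shows, and the server enforces the same binding on its side.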



Mobile phones - simplicity over cool stuff
[Technology] @ 01:23 PM

"We need to be challenged to simplify this business."

That was the opinion of Stan Sigman, chief executive of Cingular Wireless, the US's biggest mobile service. I fully agree. There is a limit to the amount of functionality and keys that can be squeezed into a mobile phone while still keeping it easy to use, functional and elegant. Some phone manufacturers seem to get it right, but most just dump in everything they can put in - MP3 player, camera, FM radio, Bluetooth, WAP, UMTS, 3G, ABCD, EFGH and what not! I guess they seem to have forgotten about the KISS principle a long time ago.

Ed Zander, chief executive of mobile handset maker Motorola Inc., joked earlier this week about the device "formerly known as the cell phone."