Monday, February 05, 2007

Study Finds Web Anti-Fraud Measure Ineffective

See today's New York Times.

Bank of America: I told you so!

I'll say it again: the solution to phishing is out-of-band authorization of transactions.
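To make the point concrete, here is an added example of transaction-bound out-of-band authorization, written for this page and not taken from the post or from any bank's implementation. Everything in it is an assumption: the `Bank` and `Transaction` names, the 6-digit code derived with HMAC-SHA256 over the canonical transaction details plus a per-transaction nonce, and the "second channel", which is simulated by the string the bank would send to a pre-registered phone. The part that matters is that the confirmation message carries the details the bank is actually about to execute, so a payee or amount rewritten by a phishing site or a man-in-the-middle shows up on the phone, and a captured code cannot be replayed against a different transfer.

```python
"""Transaction-bound out-of-band authorization (added example, not the post's code).

Assumptions (not from the post): a 6-digit code derived with HMAC-SHA256 over the
canonical transaction details and a per-transaction nonce; the second channel is
simulated by the string the bank would send by SMS to a registered phone.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    account: str
    payee: str
    amount_cents: int
    nonce: str  # fresh per request: makes each code single-use

    def canonical(self) -> bytes:
        return f"{self.account}|{self.payee}|{self.amount_cents}|{self.nonce}".encode()


class Bank:
    """Server side (hypothetical). The HMAC key never leaves the bank; the code is
    useless for any other transaction because it is bound to these exact details."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Dict[str, Transaction] = {}
        self.log: List[str] = []

    def _code_for(self, tx: Transaction) -> str:
        mac = hmac.new(self._key, tx.canonical(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def request_transfer(self, account: str, payee: str, amount_cents: int) -> Tuple[str, str]:
        """Called over the (possibly phished) web channel. Returns the nonce the web
        session echoes back and the message sent out of band to the user's phone.
        The message states what the bank will actually execute, so a user who reads
        it can detect a payee or amount that was changed in transit."""
        tx = Transaction(account, payee, amount_cents, secrets.token_hex(8))
        self._pending[tx.nonce] = tx
        sms = (f"Confirm payment of {amount_cents / 100:.2f} to {payee}. "
               f"Code: {self._code_for(tx)}")
        return tx.nonce, sms

    def confirm(self, nonce: str, code: str) -> bool:
        tx = self._pending.pop(nonce, None)  # single use: removed whether or not it verifies
        if tx is None:
            return False
        if not hmac.compare_digest(self._code_for(tx), code):
            return False
        self.log.append(f"EXECUTED {tx.amount_cents} -> {tx.payee}")
        return True


SMS_RE = re.compile(r"Confirm payment of (\d+\.\d{2}) to (.+)\. Code: (\d{6})")


def user_reads_sms(sms: str, intended_payee: str, intended_amount_cents: int) -> Optional[str]:
    """User side: release the code only if the second channel shows the transfer
    the user actually meant to make. An attacker who rewrote the payee or amount on
    the web channel cannot rewrite what the bank sends to the phone."""
    m = SMS_RE.fullmatch(sms)
    if m is None:
        return None
    amount_cents = round(float(m.group(1)) * 100)
    if m.group(2) != intended_payee or amount_cents != intended_amount_cents:
        return None
    return m.group(3)


def honest_flow(bank: Bank) -> bool:
    """User pays Alice; the SMS matches the intent, so the code is released."""
    nonce, sms = bank.request_transfer("acct-1", "Alice", 5000)
    code = user_reads_sms(sms, "Alice", 5000)
    return code is not None and bank.confirm(nonce, code)


def mitm_flow(bank: Bank) -> bool:
    """A phishing site rewrites the payee to Mallory before forwarding to the bank.
    The SMS names Mallory, the user intended Alice, so no code is entered."""
    nonce, sms = bank.request_transfer("acct-1", "Mallory", 5000)  # attacker-modified request
    code = user_reads_sms(sms, "Alice", 5000)
    return code is not None and bank.confirm(nonce, code)


def replay_flow(bank: Bank) -> bool:
    """Attacker captures a genuine code (constructed scenario) and tries to spend it
    on a different transfer; the HMAC binds it to the first transaction's nonce."""
    _, sms1 = bank.request_transfer("acct-1", "Alice", 5000)
    stolen_code = user_reads_sms(sms1, "Alice", 5000) or ""
    nonce2, _ = bank.request_transfer("acct-1", "Mallory", 5000)
    return bank.confirm(nonce2, stolen_code)
```

Two design points worth noting: the code is computed by the bank from the pending transaction, not stored, so there is nothing to steal from the server that would authorize anything else; and the user's check happens on the second channel, which is why a keylogger or a site that looks exactly like the bank does not help the attacker unless it can also read and rewrite the phone message.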


1 comment:

  1. In my observation most of these types of system fail because:
    1) Designers make the system secure, not the perception of the human mind. The mind sees security as a level of trust built up over time, i.e. after each login session the sense of security towards a particular system increases, but systems treat it as a single instance, i.e. the system will behave the same way as it behaved in the first login session, but the user has changed his behavior. This is what was reflected in the study ;)
    2) There are 3 entities interacting in any authentication system, and most designers only try to secure two of them, not all three:
    a) The medium through which the client inputs the sensitive info, e.g. screen scrapers, keyloggers, the health of the client machine (e.g. virus infection), etc.
    b) Most servers are secure except for design flaws.
    c) Channel (the medium through which the info is transmitted): most of these attacks are like DNS poisoning, pharming, MITM, etc. These can be avoided by multi-channel authentication as you have mentioned in your previous post ;)