Comments on: Charging Your Customers To Reduce Your Security Costs Never Has and Never Will Work

By: Scott Olson

Scott Olson — Fri, 31 Jul 2009 14:32:35 +0000

I couldn’t agree with you more. I have the Verisign iPhone token for my PayPal and eBay accounts and have been trying to get my bank to offer that as an authentication mechanism for online banking with no success. It is in the bank’s best interest to protect their customers and encourage them to use online banking, which saves the bank far more per year than their measly $10.

I saw a report from Black Hat yesterday discussing the latest trojan Clampi, which is targeting online banking accounts, and the conclusion of the report was to use a completely separate PC solely for online banking. It’s ridiculous. Multi-factor authentication should be a minimum bar of security for online banking and brokerages. I hope some of these institutions can get that through their heads.

By: John Pescatore

John Pescatore — Fri, 31 Jul 2009 10:52:59 +0000

I agree – for something as sensitive as online banking and with the risk of phishing rampant, strong authentication should be the only form offered. I think the text message to cellphone approach (plus a PIN) is good enough – tokens don’t necessarily have to be required but could be offered for those who don’t have mobiles or don’t like to text or whatever.

By: Marc Dierens

Marc Dierens — Wed, 29 Jul 2009 14:33:04 +0000

Agree, here in Belgium most of the banks have adopted this system as a default one, so we have no choice but to use the token. So far we have not yet had to put up some money, but who knows what will happen in the future.

Shouldn’t this bank give the users the token as only option? It would seem that the security of the system without token does not give enough security to be confident in using the system in the first place?