Full Disclosure mailing list archives
RE: NEW USA FFIES Guidance
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Thu, 13 Oct 2005 07:49:04 +1000
Like running to a bank/post office and getting a certificate? Certs are just a password verification tool, where user password verification occurs locally intead of at the server. This is NOT two-factor byt any definition, just a password verificaiton displacement tool. At a very quick look at the documentation, Australian banks have had similar guidelines for some months. The key requirement seems to be "do a risk assessment, and act based on the outcome". Everything else is optional, based on the risk assessment, however that is performed, and whatever that internal document recommends. On this model, its easy to justify not doing anything, since the fraud dollar losses don't seems to be even a few percent of the costs to implement and support two factor hardware devices based on the anecdotal evidence and reviews I''ve seen. Lyal -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Casey DeBerry Sent: Thursday, 13 October 2005 7:30 AM To: full-disclosure () lists grok org uk Subject: [Full-disclosure] NEW USA FFIES Guidance For those that fall under US FFIEC governance, what are you doing to satisfy these requirements? I'd like to think I have more options than running to the store to pick up my RSA keyfobs... What about PKI? Are there other options for web based apps? http://www.fdic.gov/news/news/financial/2005/fil10305.html C. DeBerry
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- NEW USA FFIES Guidance Casey DeBerry (Oct 12)
- RE: NEW USA FFIES Guidance Lyal Collins (Oct 12)
- <Possible follow-ups>
- RE: NEW USA FFIES Guidance Madison, Marc (Oct 13)