Interesting People mailing list archives

more on Banking Alert (fwd)


From: David Farber <dave () farber net>
Date: Thu, 26 May 2005 19:08:48 -0400



Begin forwarded message:

From: Ed Gerck <egerck () nma com>
Date: May 25, 2005 9:34:29 PM EDT
To: dave () farber net
Cc: Ip ip <ip () v2 listbox com>
Subject: Re: [IP] more on Banking Alert (fwd)


Dave,

When a very large bank starts to use personal identifiers in insecure
communications, identifiers which have not even been authorized for
that use by the person they identify, I believe that some points need
to be made in regard to right to privacy and security expectations.

It's the usual tactic of pushing the liability to the user. The account
holder gets the full liability for the "security" procedure used by
the bank.

A better solution, along the same lines, would have been for Citibank to
ask their account holders, when they log in for Internet banking,
whether they would like to set up a three- or four-character combination
to be used in all emails from the bank to the account holder. This
combination would not be static, because it could be changed by the user
at will, and would not identify the user in any other way.

Private, identifying information of customers has been used before
by banks for customer login. The account holder's name, the ATM card
number, the account number, and the SSN have all been used, and abandoned,
for Internet banking login. Why? Because of the increased exposure
creating additional risks.

Now, with the unilateral disclosure by Citibank of the account holder's
name as used in the account and the last four digits of the ATM number,
Citibank is backtracking its own advances in user login (when they
abandoned those identifiers).

Of course, banks consider the ATM card their property, as well as the
number they contain. However, the ATM card number is a unique personal
identifier and should not be disclosed in a plaintext email without
authorization.

A much better solution (see above) exists, even using plaintext email --
use a codeword that is agreed beforehand with the user. This would be
a win-win solution, with no additional privacy and security risk.

Cheers,
Ed Gerck
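
The codeword scheme proposed in the message above, modelled in Python as an added example (not code from Ed Gerck, Citibank, or any bank's system). The bank stores a short codeword the account holder chose while logged in, prints it in every plaintext email to that holder, and the holder checks for it before trusting a message; the codeword can be rotated at will and carries no identifying data. The class and function names, the "Personal email codeword:" label, the alphanumeric 3-4 character format, and the in-memory store are all assumptions; the check that rejects codewords taken from name or card data is an added design choice, not something the message spells out.

```python
import re
import secrets
import string

# Codeword format assumed here: three or four alphanumeric characters,
# matching the "three- or four-character combination" in the message.
CODEWORD_RE = re.compile(r"[A-Za-z0-9]{3,4}")
# Assumed wording of the line the bank prints in every email to the holder.
CODEWORD_LABEL = "Personal email codeword:"


class CodewordStore:
    """Maps account id -> current codeword.

    Constructed in-memory stand-in for the bank's user database."""

    def __init__(self):
        self._codewords = {}

    def set_codeword(self, account_id, codeword, identifying_values=()):
        """Store a user-chosen codeword.

        Added check: refuse a codeword lifted from identifying data (name,
        card or account digits), so it 'would not identify the user in any
        other way'."""
        if not CODEWORD_RE.fullmatch(codeword):
            raise ValueError("codeword must be 3 or 4 alphanumeric characters")
        for value in identifying_values:
            if codeword.lower() in value.lower():
                raise ValueError("codeword must not be taken from name, card or account data")
        self._codewords[account_id] = codeword

    def rotate(self, account_id):
        """Replace the codeword with a fresh random one; the holder may do this at will.
        Loops until the new value differs from the old, so rotation always invalidates
        earlier messages."""
        alphabet = string.ascii_lowercase + string.digits
        current = self._codewords.get(account_id)
        while True:
            candidate = "".join(secrets.choice(alphabet) for _ in range(4))
            if candidate != current:
                break
        self._codewords[account_id] = candidate
        return candidate

    def current(self, account_id):
        return self._codewords[account_id]


def render_notice(store, account_id, body):
    """Bank side: prepend the holder's current codeword to a plaintext email body."""
    return f"{CODEWORD_LABEL} {store.current(account_id)}\n\n{body}\n"


def message_matches_codeword(store, account_id, message):
    """Holder side: does this email carry my current codeword?

    A message built only from name and last-four card digits carries no
    codeword and fails; so does a genuine-looking message that carries a
    codeword the holder has since rotated out."""
    match = re.search(re.escape(CODEWORD_LABEL) + r"\s*([A-Za-z0-9]{3,4})\b", message)
    if match is None:
        return False
    return secrets.compare_digest(match.group(1), store.current(account_id))


if __name__ == "__main__":
    store = CodewordStore()
    # Constructed sample account; the name and last-four digits stand for the
    # identifiers the message objects to seeing in plaintext email.
    store.set_codeword("acct-001", "k7qz", identifying_values=("Jane Doe", "4321"))
    genuine = render_notice(store, "acct-001", "Your May statement is available.")
    lookalike = "Dear Jane Doe, regarding your card ending in 4321: your statement is available."
    print(message_matches_codeword(store, "acct-001", genuine))    # True
    print(message_matches_codeword(store, "acct-001", lookalike))  # False
    store.rotate("acct-001")
    print(message_matches_codeword(store, "acct-001", genuine))    # False: rotated out
```

The contrast with the last-four-digits approach is in what happens on rotation: a holder who suspects the codeword has leaked simply changes it, whereas a card number's last four digits are static, printed on receipts, and cannot be withdrawn from use.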



Archives at: http://www.interesting-people.org/archives/interesting-people/
