Interesting People mailing list archives
more on Banking Alert (fwd)
From: David Farber <dave () farber net>
Date: Thu, 26 May 2005 19:08:48 -0400
Begin forwarded message:

From: Ed Gerck <egerck () nma com>
Date: May 25, 2005 9:34:29 PM EDT
To: dave () farber net
Cc: Ip ip <ip () v2 listbox com>
Subject: Re: [IP] more on Banking Alert (fwd)

Dave,

When a very large bank starts to use personal identifiers in insecure communications, identifiers which have not even been authorized for that use by the person they identify, I believe that some points need to be made in regard to the right to privacy and security expectations.

It's the usual tactic of pushing the liability to the user. The account holder gets the full liability for the "security" procedure used by the bank.

A better solution, along the same lines, would have been for Citibank to ask their account holders, when they log in for Internet banking, whether they would like to set up a three- or four-character combination to be used in all emails from the bank to the account holder. This combination would not be static, because it could be changed by the user at will, and would not identify the user in any other way.

Private, identifying information of customers has been used before by banks for customer login. The account holder's name, the ATM card number, the account number, and the SSN have all been used, and abandoned, for Internet banking login. Why? Because of the increased exposure creating additional risks.

Now, with the unilateral disclosure by Citibank of the account holder's name as used in the account and the last four digits of the ATM number, Citibank is backtracking its own advances in user login (when they abandoned those identifiers).

Of course, banks consider the ATM card their property, as well as the number it contains. However, the ATM card number is a unique personal identifier and should not be disclosed in a plaintext email without authorization.

A much better solution (see above) exists, even using plaintext email -- use a codeword that is agreed beforehand with the user. This would be a win-win solution, with no additional privacy and security risk.

Cheers,
Ed Gerck
Current thread:
- more on Banking Alert (fwd) David Farber (May 26)
- <Possible follow-ups>
- more on Banking Alert (fwd) David Farber (May 26)
- more on Banking Alert (fwd) David Farber (May 27)