Story: Two-factor authentication 'not the solution' to online fraud
Indeed. A multi-level approach is needed.
Think about two-factor authentication (or even more) combined with sequential response challenges (e.g. the bank customer in question would have a piece of paper with a few hundred responses on it and the first transaction would ask for response number one, the second transaction for the second response and so forth; thus making it harder for a phishing attack to know what the next question number is; thus alerting the bank customer in case they guess the wrong number) combined with logging the source of transaction requests and cross-referencing that with historical data to pinpoint which sources initiated transactions for various accounts all of a sudden and without reasonable explanation. Etc, etc.
What also might be of interest is the good old call-back security measure. Meaning that the bank customer initiates a transaction and once identity has been confirmed the transmission is ended and the bank will initiate a call back to the previously agreed upon location (e.g. the IP address of the customer, the e-mail address of the customer or even the phone number of the customer [press 1 to confirm transaction request 411 or something]).
Yes, that will cost the banks some money but on the other hand it'll save them money (and face) as well.
In short, there's enough that can be done with existing technology and solutions. No need to let all those customers run to the store and empty their wallets for some half-baked solution so a few years from now they can run to the stores again.
Hmmm, perhaps I should software patent this and charge each and every one of you so I can pay my lawyers to keep the lawyers of the banks and big software companies off my back.
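The sequential response list and the source cross-check described in the post, as an added example that is not the poster's code and not any bank's implementation. It assumes a hypothetical bank-side verifier: the customer holds a printed list of numbered one-time responses, the server stores only per-index hashes, and it raises an alert when a response arrives out of sequence (the phishing tell the post mentions) or from a source never seen before for that account. The response values and IP addresses below are constructed sample data.

```python
import hashlib
import hmac
import secrets
from collections import Counter


def make_response_list(count: int, digits: int = 6) -> list:
    """Generate the customer's printout: `count` random numeric responses.
    Constructed sample data; a real issuer would print and mail these."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def _hash(index: int, response: str) -> bytes:
    # Bind each response to its position so that response #3, captured by a
    # phishing page, cannot be replayed as the answer to challenge #1.
    return hashlib.sha256(f"{index}:{response}".encode()).digest()


class SequentialVerifier:
    """Hypothetical bank-side state for one account (assumed design)."""

    def __init__(self, responses: list):
        # Only hashes are stored server-side; the plaintext stays on paper.
        self.hashes = [_hash(i, r) for i, r in enumerate(responses, start=1)]
        self.expected = 1            # next index the bank will ask for
        self.sources = Counter()     # historical transaction sources
        self.alerts = []             # what the fraud desk would see

    def challenge(self) -> int:
        """The challenge shown to the customer: 'enter response #N'."""
        return self.expected

    def verify(self, index: int, response: str, source: str) -> str:
        """Check one transaction attempt and return a short result code."""
        if self.expected > len(self.hashes):
            return "exhausted"       # customer needs a fresh printed list
        if index != self.expected:
            # A phishing site that harvested an earlier response does not
            # know the current position in the list; flag and refuse.
            self.alerts.append(
                f"out-of-sequence from {source}: got #{index}, expected #{self.expected}")
            return "out_of_sequence"
        if not hmac.compare_digest(_hash(index, response), self.hashes[index - 1]):
            self.alerts.append(f"wrong response for #{index} from {source}")
            return "wrong_response"  # index not advanced, customer may retry
        # Response is correct: cross-reference the source with history.
        result = "ok"
        if self.sources and source not in self.sources:
            self.alerts.append(f"first transaction from new source {source}")
            result = "ok_new_source"
        self.sources[source] += 1
        self.expected += 1
        return result


if __name__ == "__main__":
    responses = make_response_list(3)
    bank = SequentialVerifier(responses)
    print("challenge:", bank.challenge())
    print(bank.verify(1, responses[0], "198.51.100.7"))   # ok
    print(bank.verify(1, responses[0], "203.0.113.9"))    # replay: out_of_sequence
    print(bank.alerts)
```

The verifier deliberately keeps the index fixed on a wrong response so a typo does not burn a position, while an out-of-sequence index is logged rather than silently rejected, since that is the signal the post wants surfaced to the customer and the bank.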