Comments on: Strong Authentication for Online Banking - A Risk To Customers? http://www.riskbloggers.com/kurtseifried/2006/11/draft-strong-authentication-and-online-banking-a-risk-to-customers/ Security Wisdom Ahead of the Curve Fri, 16 May 2008 19:00:16 +0000 http://wordpress.org/?v=2.5.1 By: admin http://www.riskbloggers.com/kurtseifried/2006/11/draft-strong-authentication-and-online-banking-a-risk-to-customers/#comment-16 admin Fri, 10 Nov 2006 06:54:04 +0000 http://www.riskbloggers.com/2006/10/draft-strong-authentication-and-online-banking-a-risk-to-customers/#comment-16 If that's what the market wants. If we really wanted safety we wouldn't let people drive SUVs (you are more likely to die in a crash if an SUV hits you due to various design issues such as the high bumpers). We don't have mandatory breathalyzer machines in all vehicles (that would cut down on drunk driving...). Security is an economic question ultimately, and if the costs outweigh the benefits then yeah, there ya go. If that’s what the market wants. If we really wanted safety we wouldn’t let people drive SUVs (you are more likely to die in a crash if an SUV hits you due to various design issues such as the high bumpers). We don’t have mandatory breathalyzer machines in all vehicles (that would cut down on drunk driving…). Security is an economic question ultimately, and if the costs outweigh the benefits then yeah, there ya go.

]]> By: ricst http://www.riskbloggers.com/kurtseifried/2006/11/draft-strong-authentication-and-online-banking-a-risk-to-customers/#comment-14 ricst Fri, 10 Nov 2006 05:17:31 +0000 http://www.riskbloggers.com/2006/10/draft-strong-authentication-and-online-banking-a-risk-to-customers/#comment-14 "... what choice do consumers have?" OK - choice is almost always good for consumers. One of the few areas it's not so good is safety and security. Do we want to allow consumers the choice to fly on commercial airlines that don't inspect carry-on luggage? Do we want to give consumers the choice to drive cars that don't meet minimal crash standards? And with banks, do we want to give consumers the choice of weak, easily exploitable, authentication? Perhaps for a while, but sooner or later, it's best for everyone - banks, consumers, law enforcement and the economy - if we can reduce fraud with causing a greater expense or level of difficulty for the vast majority of people. You're welcome to take a libertarian stance and say, "Let the consumer decide whatever they want." OK, fine, but that consumer should then be forced to bear all the associated risks and costs. In general, it's better, especially in financial activities, if widespread fraud can be reduced without causing major consumer inconvenience banker/merchant costs. “… what choice do consumers have?” OK - choice is almost always good for consumers. One of the few areas it’s not so good is safety and security. Do we want to allow consumers the choice to fly on commercial airlines that don’t inspect carry-on luggage? Do we want to give consumers the choice to drive cars that don’t meet minimal crash standards? And with banks, do we want to give consumers the choice of weak, easily exploitable, authentication? Perhaps for a while, but sooner or later, it’s best for everyone - banks, consumers, law enforcement and the economy - if we can reduce fraud with causing a greater expense or level of difficulty for the vast majority of people. You’re welcome to take a libertarian stance and say, “Let the consumer decide whatever they want.” OK, fine, but that consumer should then be forced to bear all the associated risks and costs. In general, it’s better, especially in financial activities, if widespread fraud can be reduced without causing major consumer inconvenience banker/merchant costs.

]]> By: admin http://www.riskbloggers.com/kurtseifried/2006/11/draft-strong-authentication-and-online-banking-a-risk-to-customers/#comment-13 admin Wed, 08 Nov 2006 07:57:48 +0000 http://www.riskbloggers.com/2006/10/draft-strong-authentication-and-online-banking-a-risk-to-customers/#comment-13 I agree in theory, but in practice that doesn't always work, for example in Canada we basically have 4 large banks. If they all decide to do this (based on past issues with Interac and other electronic payment systems it isn't hard to imagine) then what choice do consumers have? As well I can't for the life of me find out what bank positions on this are officially so until it happens to me or someone I know I won't know what the bank's position is. I agree in theory, but in practice that doesn’t always work, for example in Canada we basically have 4 large banks. If they all decide to do this (based on past issues with Interac and other electronic payment systems it isn’t hard to imagine) then what choice do consumers have? As well I can’t for the life of me find out what bank positions on this are officially so until it happens to me or someone I know I won’t know what the bank’s position is.

]]> By: ricst http://www.riskbloggers.com/kurtseifried/2006/11/draft-strong-authentication-and-online-banking-a-risk-to-customers/#comment-12 ricst Tue, 07 Nov 2006 03:28:20 +0000 http://www.riskbloggers.com/2006/10/draft-strong-authentication-and-online-banking-a-risk-to-customers/#comment-12 "This is not so good for customers, but with the rising cost of online theft it is an inevitable step for banks to take." That's a nice theory. But as soon as banks start saying, "Sorry!" and not covering fraud-associated customer losses, customers are going to switch banks. They will almost certainly move to (or stick with) backs that offer "full fraud protection". Banks that fail to offer this are gong to bleed customers. The bottom line is that strong authentication is a good thing, and eventually even most American customers will learn to use it without too must frustration. [And banks will learn to respond to perplexed customers and those who have lost their tokens.] But strong authentication doesn't get rid of fraud, it only makes it more difficult for most criminals to carry out. There will be speed bumps ahead, because this will be widely deployed new technology. But hell: Could it be worse than a new version of a Windows Operating System? “This is not so good for customers, but with the rising cost of online theft it is an inevitable step for banks to take.” That’s a nice theory. But as soon as banks start saying, “Sorry!” and not covering fraud-associated customer losses, customers are going to switch banks. They will almost certainly move to (or stick with) backs that offer “full fraud protection”. Banks that fail to offer this are gong to bleed customers.

The bottom line is that strong authentication is a good thing, and eventually even most American customers will learn to use it without too must frustration. [And banks will learn to respond to perplexed customers and those who have lost their tokens.] But strong authentication doesn’t get rid of fraud, it only makes it more difficult for most criminals to carry out. There will be speed bumps ahead, because this will be widely deployed new technology. But hell: Could it be worse than a new version of a Windows Operating System?

]]>