http://emergentchaos.com/archives/2006/10/is-that-lack-of-data-keeping-you-safer.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2006/10/is-that-lack-of-data-keeping-you-safer.html/comment-page-1#comment-2690 Your Friend Fri, 06 Oct 2006 20:39:33 +0000 http://emergentchaos.com/?p=1988#comment-2690 Oh, and the "2.7 billion" in fraud from the Gartner report referenced in the linked article? That's not necessarily Phishing - and likely over-valued if my work with banks is of any indication. Oh, and the “2.7 billion” in fraud from the Gartner report referenced in the linked article? That’s not necessarily Phishing – and likely over-valued if my work with banks is of any indication.

]]> http://emergentchaos.com/archives/2006/10/is-that-lack-of-data-keeping-you-safer.html/comment-page-1#comment-2689 Your Friend Fri, 06 Oct 2006 20:30:50 +0000 http://emergentchaos.com/?p=1988#comment-2689 Well, I'll tell you what - Multi Factor does not significantly reduce *risk* to the bank outside of keeping the OCC off their back. It may or may not help consumers, but in terms of pure economic decision by the bank - from the data I've seen it makes very little sense to spend seven figures on additional authentication methods. Well, I’ll tell you what – Multi Factor does not significantly reduce *risk* to the bank outside of keeping the OCC off their back.
It may or may not help consumers, but in terms of pure economic decision by the bank – from the data I’ve seen it makes very little sense to spend seven figures on additional authentication methods.

]]> http://emergentchaos.com/archives/2006/10/is-that-lack-of-data-keeping-you-safer.html/comment-page-1#comment-2688 Adam Tue, 03 Oct 2006 23:31:18 +0000 http://emergentchaos.com/?p=1988#comment-2688 Hi Vin, My real point was not to question sitekey, but rather to ask the question which headlines the post: Is a lack of data making us safer? I know how the banks feel. My real point was to ask, is that optimal, or are we stuck here because no one wants to be the first to change? Hi Vin,
My real point was not to question sitekey, but rather to ask the question which headlines the post: Is a lack of data making us safer? I know how the banks feel. My real point was to ask, is that optimal, or are we stuck here because no one wants to be the first to change?

]]> http://emergentchaos.com/archives/2006/10/is-that-lack-of-data-keeping-you-safer.html/comment-page-1#comment-2687 Vin McLellan Tue, 03 Oct 2006 19:22:49 +0000 http://emergentchaos.com/?p=1988#comment-2687 Hi Adam, With your experience working for financial institutions, I suspect you don't really expect banks to strip and reveal all. It's not in their nature or culture to do so, except under external compulsion. In the absence of full confessions, however, you might find an independent third-party report from Javelin Strategy & Research about their efforts to probe the defenses of the top 24 US banking institutions useful and informative. Bank of America, JP Morgan Chase, and Washington Mutual got top rankings. Javelin reported on its research in a presentation to the American Banker's 3rd Annual Identity Theft and Fraud Symposium last month in SF. See Joris Evers's C/Net article at: <a href="http://tinyurl.com/m6fdn" rel="nofollow"><a href="http://tinyurl.com/m6fdn" rel="nofollow"><a href="http://tinyurl.com/m6fdn" rel="nofollow">http://tinyurl.com/m6fdn</a></a></a> I'm a long-term consultant to RSA, obviously biased, but I don't understand why a number of security pros put up Sitekey as an ultimate defense strawman. No one with brains would claim that this -- or any other single defense -- is a silver bullet. It is, however, a security barrier that effectively bars many criminals, even if it tempts others to make a much more sophisticated MitM attack which is potentially identifiable by other defensive systems. (And there are protocols being considered by the IETF which could make MitM attacks much much more difficult.) Of course, as you well know, any even partially effective barrier sends many attackers off to pick up the low hanging fruit from insitutitons which don't require so much effort. Thanks for the blog. It's always stimulating! _Vin Hi Adam,
With your experience working for financial institutions, I suspect you don’t really expect banks to strip and reveal all. It’s not in their nature or culture to do so, except under external compulsion.
In the absence of full confessions, however, you might find an independent third-party report from Javelin Strategy & Research about their efforts to probe the defenses of the top 24 US banking institutions useful and informative. Bank of America, JP Morgan Chase, and Washington Mutual got top rankings.
Javelin reported on its research in a presentation to the American Banker’s 3rd Annual Identity Theft and Fraud Symposium last month in SF. See Joris Evers’s C/Net article at: http://tinyurl.com/m6fdn
I’m a long-term consultant to RSA, obviously biased, but I don’t understand why a number of security pros put up Sitekey as an ultimate defense strawman. No one with brains would claim that this — or any other single defense — is a silver bullet. It is, however, a security barrier that effectively bars many criminals, even if it tempts others to make a much more sophisticated MitM attack which is potentially identifiable by other defensive systems.
(And there are protocols being considered by the IETF which could make MitM attacks much much more difficult.)
Of course, as you well know, any even partially effective barrier sends many attackers off to pick up the low hanging fruit from insitutitons which don’t require so much effort.
Thanks for the blog. It’s always stimulating!
_Vin

]]>