Three myths about online security
“Myth 1: User education is the key to solving the phishing problem.
Myth 2: We need smart cards and biometrics instead of passwords.
Myth 3: Banks need to deploy strong authentication at the login so that only trusted individuals enter the bank.”
Two ideas specially ring true :
- No matter how strong authentication is at the user side, the user will not be safe from a man-in-the-middle attack where the thief poses as the bank. The best way to solve for this problem is to switch to 2 channel authentication : web, and a phone call, for instance.
- There is no point in having the strongest possible authentication at the point of access : security measures should instead be escalated in accordance with the transaction’s importance, and behavioural profiling.
My bank has just changed its identification procedures. Now, instead of typing my password, I have to click on an onscreen numeric keypad. I’m not sure I see the point (besides making the system innacessible to vision-impaired people). I sure do feel the inconvenience, though…