
Re: On-line Bank Auth. Was: Privacy

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Tue, 02 Aug 2011 10:15:24 +0200
Message-ID: <4E37B21C.6000005@telia.com>
To: Mo McRoberts <mo.mcroberts@bbc.co.uk>
CC: public-identity@w3.org

On 2011-08-02 09:34, Mo McRoberts wrote:
> 
> On 31 Jul 2011, at 20:16, David Chadwick wrote:
> 
>> not surprising, since the UK SME that produces it seems to believe more in security through obscurity than in using published, open, and rigorously validated security protocols and algorithms. When I spoke to one of their directors, he was not willing to reveal anything about how it works.
> 
> here's a bit more about it, from Craig Hockenberry of The Iconfactory fame:
> 
> http://furbo.org/2011/08/01/un-trusteer-ed/
> 
> All in all, it's pretty horrific.

It is probably no worse than 3D Secure (VISA VbV, MasterCard SecureCode) which
requires the poor user to manually enter all the credit-card data and then as
a "bonus" authenticate to the issuer.

The financial industry doesn't really cut it AFAICT.  Either they come up with
stuff that has serious platform issues, is expensive, is security-broken, or
is next-to-impossible to use.  Some banks even manage to combine all of these
features :-)

I think the real culprit is that they mainly listen to local "security vendors",
rather than realizing that secure on-line authentication for consumers is a
pretty generic issue that essentially only platform vendors can deal with in
a cost-efficient way.

I can't off the top of my head recall a single request in an SDO forum coming from a
bank representative.  I guess bank employees are not supposed to publicly air
requirements?

Anders
Received on Tuesday, 2 August 2011 08:15:56 GMT
