
Re: On-line Bank Auth. Was: Privacy

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Tue, 2 Aug 2011 09:33:50 +0100
Cc: public-identity@w3.org
Message-Id: <29852E90-7FE5-4636-A988-2547F555C264@bbc.co.uk>
To: Anders Rundgren <anders.rundgren@telia.com>

On 2 Aug 2011, at 09:15, Anders Rundgren wrote:

> It is probably no worse than 3D Secure (VISA VbV, MasterCard SecureCode) which
> requires the poor user to manually enter all the credit-card data and then as
> a "bonus" authenticate to the issuer.

No, it is considerably worse — it intercepts *everything* you do in your browser. It's a keylogger by another name.

3DS would be pretty much fine if it used an OTP instead of fixed personal data… and the 3DS pages weren't hosted on random third party domains which look like phishing attempts…

> The financial industry doesn't really cut it AFAICT.  Either they come up with
> stuff that has serious platform issues, is expensive, is security-broken, or
> is next-to-impossible to use.  Some banks even manage combining all of these
> features :-)

Yup. All of the experience I've had suggests that those implementing this stuff are completely clueless to the point of it being really quite disturbing.

> I can't on top of my head recall a single request in an SDO forum coming from a
> bank-representative.  I guess bank employees are not supposed to publicly air
> requirements?

I'd be very surprised if they were — I think this sort of thing is supposed to come through umbrella organisations like APACS in the UK, and through the card scheme operators (so Visa, MC, Amex, etc) rather than the banks themselves.


Mo McRoberts - Data Analyst - Digital Public Space,
Zone 1.08, BBC Scotland, 40 Pacific Drive, Glasgow G51 1DA,
Room 7066, BBC Television Centre, London W12 7RJ,
0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A

Received on Tuesday, 2 August 2011 08:34:31 UTC
