On Tue, 18 Dec 2012 16:44:18 +0100, Casper Bang <[email protected]>
wrote:
Exactly. To invoke the insurance metaphor as a simple cost/benefit analysis: a determined thief WILL succeed in breaking into your house, regardless of how many locks and security cameras you have, so the best strategy is to limit the damage. There might be a cultural/social issue buried here though, as my bank is obliged to cover (non-social-engineered) fraud and in case of bankruptcy my government guarantees whatever money I have in the bank.

I should specify; "limiting the damage" means, among other things, not to allow one compromised account to escalate by i.e. using unique passwords (or password layers), unique email addresses (or aliases), two-factor auth etc. It's the escalation aspect that frightens me the most with the SSO login aggregation solutions discussed in this thread.

Which reminds me, do any of these support security layers or rings? That is, one layer for non-important stuff (i.e. google groups), one for medium important stuff (say amazon) and one for very important stuff (email, banking) in order to minimize exposure?
Government guarantees. LOL. We all have it in Europe. This is specifically one of the things that makes me cautious. In fact, the problem is that in my country no such case has happened in recent times. You know: "not tested? it doesn't work!" I think it applies not only to software. The theory is that a state agency will refund you (under a reasonable threshold that is about 100k€) in 45 days max (or such). Now, the past summer it happened to an Italian bank. Indeed, several months passed before the authorities approved the procedure, and the 45-day count started from there. In the end, people were stuck with their accounts locked for at least six months, more or less. This episode made me think a lot; I don't feel guaranteed until I see a test case that was handled positively.

As a side note: the government guarantee won't work in many countries if multiple banks fail at the same time as a domino effect, because there won't be money for everybody.
But this is OT with respect to computer security.
Back to the topic, the escalation worries me too. That's why I have
multiple bank accounts, as I said. But having all the passwords managed by
the same device would jeopardize this strategy.
And yes, one of the banks relies on a dongle for one-time passwords. I'm still unsure whether I should move away from the other bank, which doesn't use it. Probably it's OK as it is now. This way I can adopt the policy of always keeping the dongle at home (more secure, even though losing it would just be the annoyance of getting another; in fact the bank requires the one-time password AND a fixed password plus the account name), even though this prevents me from operating when I'm not at home. But in case of urgent need, I have the other bank account.
--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - [email protected]
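The "security rings" idea raised above (keep low-value, medium-value and high-value accounts on separate credentials so that one compromise cannot escalate) can be checked mechanically against a password-manager export. The following is an added example, not code from this thread or from any of the SSO products it discusses; the three tier names, the record layout and the sample accounts are constructed assumptions. It flags the three escalation paths the thread worries about: a password shared by several accounts, one mailbox (the password-reset channel) serving accounts in different rings, and a top-ring account with no second factor.

```python
"""
Audit a credential list for cross-account escalation paths.

Added example; the account records below are constructed sample data and the
tier names / field layout are assumptions, not any product's export format.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

# Assumed ring names, ordered from least to most important.
TIERS = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Account:
    service: str
    tier: str            # one of TIERS
    login_email: str     # the mailbox that receives password resets
    password: str        # compared only by digest below
    two_factor: bool


def fingerprint(secret: str) -> str:
    """Compare secrets by a truncated digest so findings never carry plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def audit(accounts):
    """Return a list of (finding, affected_services) tuples."""
    findings = []
    by_password = defaultdict(list)
    by_email = defaultdict(list)
    for acct in accounts:
        by_password[fingerprint(acct.password)].append(acct)
        by_email[acct.login_email.lower()].append(acct)

    # 1. One password guarding several accounts: a single leak opens all of them,
    #    and a cross-tier reuse lets a throwaway account unlock a banking one.
    for fp, group in by_password.items():
        if len(group) > 1:
            severity = "cross-tier" if len({a.tier for a in group}) > 1 else "same-tier"
            findings.append((f"password reused ({severity}, fp {fp})",
                             sorted(a.service for a in group)))

    # 2. One mailbox as recovery channel across rings: whoever controls the
    #    low-tier address can reset their way into the higher tier.
    for email, group in by_email.items():
        tiers = {a.tier for a in group}
        if len(tiers) > 1:
            ordered = sorted(tiers, key=TIERS.get)
            findings.append((f"email {email} shared across tiers {ordered}",
                             sorted(a.service for a in group)))

    # 3. Highest ring without a second factor (the thread's dongle).
    top = max(TIERS.values())
    for acct in accounts:
        if TIERS[acct.tier] == top and not acct.two_factor:
            findings.append((f"{acct.service}: high-tier account without 2FA",
                             [acct.service]))
    return findings


# Constructed sample data: one deliberate reuse across rings, one shared
# recovery mailbox, and a webmail account that lacks a second factor.
SAMPLE = [
    Account("google-groups", "low", "lists@example.org", "correct horse", False),
    Account("amazon", "medium", "shop@example.org", "battery staple", True),
    Account("bank-a", "high", "shop@example.org", "battery staple", True),
    Account("bank-b", "high", "bank@example.org", "unique-dongle-pw", True),
    Account("webmail", "high", "me@example.org", "another-unique", False),
]

if __name__ == "__main__":
    for finding, services in audit(SAMPLE):
        print(f"{finding}: {', '.join(services)}")
```

Running it on the sample prints three findings: the password shared between amazon and bank-a (a cross-tier reuse), the shop@example.org mailbox spanning the medium and high rings, and the webmail account sitting in the top ring without a second factor. An export that produces no findings is one where a compromise of any single account stays inside its ring.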
--
You received this message because you are subscribed to the Google Groups "Java
Posse" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/javaposse?hl=en.