On Tuesday 23 January 2007 08:52, [EMAIL PROTECTED] wrote:
> They need to educate their own staff before they worry about the
> customers' computers!
>
> (These experiences from UK banks, but I'm sure they apply here too.)
>
> I've regularly had my bank phone me up and say they're from the bank,
> then ask me all the security questions. I refuse to give it to someone
> I can't verify. I've only had one instance where the bank staff member
> knew how to solve this problem, which was for me to phone them back
> using the number printed on the card and ask for a specific person.
>
> Of course, they should be educating their customers by calling and
> asking them to phone back in this manner EVERY TIME.
>
> Then while travelling around Europe I needed to change some of my
> settings. The person on the phone suggested I use the Internet banking.
> When I pointed out that the only Internet access I had was Internet
> cafes where all the computers are loaded to the hilt with crapware, they
> still encouraged me to use the Internet banking site.
>
> A really simple two-factor authentication is for them to sms a
> single-use token to your mobile phone. This solves the "something you
> have + something you know" problem. Yes, if someone robs you AND
> somehow gets your password, you're stuffed. But that's less likely than
> being keylogged by crapware, which is really the problem they're trying
> to solve.

There are real people who don't have a mobile!!! i.e. me!

My sister-in-law is visiting Perth from Johannesburg. She tried to do some banking, the one-day-key was SMS'd to her phone, which does not exist as she had a prepaid SIM for Oz in her phone, and chaos! Account frozen! etc. etc.!

This really simple solution is a really crummy idea!

James
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
