Wednesday, October 26, 2005

Banks Getting Serious About Security Part II

So I was exchanging emails with the AP reporter who wrote the article, Brian Bergstein, and we were discussing that while this is a noble and worthwhile cause, the biggest hurdle will be the savviness of the online banking user. Granted, they are probably pretty savvy to begin with to even be online in the first place, but will they be savvy, and perhaps more importantly motivated, enough to participate in this two-factor authentication initiative?

One approach I thought of: if the banks limit FULL access to account transactions (read/write) to one device or machine (work or home, for example), it could be easier to manage, since there are ways to positively identify a specific machine and control its access to network resources. The second part of this approach is that anyone could get READ access (review-level access) to see balances and transaction histories from any other machine, but could execute no transactions (transfers, withdrawals, trades, etc.) from it.
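To make the two-tier idea concrete, here is an added example (not from this post or from any bank's system) of the authorization check a server would run once the username/PIN step has already passed. The `Account`, `enroll_device` and `authorize` names are hypothetical, the device token is a constructed random secret issued at enrollment, and the split between read and write operations follows the post: reads from any session, writes only from an enrolled device.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Operations that move money or change state are "write"; balance/history views are "read".
WRITE_OPS = {"transfer", "withdrawal", "trade"}
READ_OPS = {"balance", "history"}


@dataclass
class Account:
    user: str
    # device_name -> SHA-256 digest of the enrolled device token.
    # Only the digest is stored server-side; the raw token lives on the enrolled machine.
    enrolled_devices: Dict[str, str] = field(default_factory=dict)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def enroll_device(account: Account, device_name: str) -> str:
    """Register one machine for full (read/write) access.

    Returns the secret the device must present on later requests. Enrollment is the
    step that would happen out of band (at a branch, by mail, etc.), so it is assumed
    here rather than modelled.
    """
    token = secrets.token_urlsafe(32)
    account.enrolled_devices[device_name] = _digest(token)
    return token


def is_enrolled(account: Account, presented_token: Optional[str]) -> bool:
    """True if the presented token matches any enrolled device (constant-time compare)."""
    if not presented_token:
        return False
    presented = _digest(presented_token)
    return any(hmac.compare_digest(presented, d) for d in account.enrolled_devices.values())


def authorize(account: Account, operation: str,
              device_token: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Assumes the user already passed username/PIN authentication."""
    if operation in READ_OPS:
        # Review-level access: any authenticated session, enrolled device or not.
        return True, "read-only access permitted from any authenticated session"
    if operation in WRITE_OPS:
        if is_enrolled(account, device_token):
            return True, "write permitted: request came from an enrolled device"
        return False, "write denied: device not enrolled for full access"
    # Fail closed on anything the policy does not recognise.
    return False, f"unknown operation {operation!r}"


if __name__ == "__main__":
    acct = Account("alice")
    home_token = enroll_device(acct, "home-pc")
    print(authorize(acct, "balance"))                  # read from an unknown machine: allowed
    print(authorize(acct, "transfer"))                 # write from an unknown machine: denied
    print(authorize(acct, "transfer", home_token))     # write from the enrolled machine: allowed
```

Storing only a digest of the device token means a leaked account table does not hand out device credentials, and the read/write split means a stolen username and PIN alone can never move money; the attacker would also need the enrolled machine.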

This may be the happy medium, at least as far as approach goes. I mean, I really can't see banks spending money on mailing a token to their banking customers, for the cost of the token and tech support alone, let alone the expertise the user needs to understand how it all works. And you know that cost is passed on to us, the consumer, anyway, and since I am in a position to try to help keep costs down, this is my feeble attempt at helping the banking system.

MM

Tuesday, October 18, 2005

Banks Getting Serious About Security

In today's Wall Street Journal (October 18, 2005), page B13, there is an interesting article about how federal regulators are moving to require banks to roll out 'two-factor' authorization by the end of 2006.

What they are saying is that users of banks' systems must provide two forms of identity: one the user knows (username/PIN) and one they have, which is something physical like a SecurID token or other unique identifier that is tied to a piece of infrastructure.
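As an added illustration (not from the article, the regulators, or any token vendor) of what "something you know plus something you have" looks like at the verifying end, here is a small two-factor check: the PIN is the known factor, and the "have" factor is an event-based one-time-password token per RFC 4226 (HOTP), which is one concrete way a physical token can prove possession. The `TwoFactorVerifier` class and its method names are hypothetical; the token secret is the published RFC 4226 test key, used here only so the codes can be checked.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict

# Test key from RFC 4226, Appendix D (constructed for illustration; a real token has its own).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Checks something you know (PIN, stored salted and stretched) and something you have (HOTP token)."""

    def __init__(self, look_ahead: int = 3):
        self.users: Dict[str, dict] = {}
        # How many counter values the token may have advanced beyond the server's
        # view (e.g. the button was pressed without logging in) and still be accepted.
        self.look_ahead = look_ahead

    def enroll(self, username: str, pin: str, token_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000),
            "token_secret": token_secret,
            "counter": 0,   # next counter value the server expects
        }

    def verify(self, username: str, pin: str, otp: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Factor 1: something you know.
        expected = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(expected, rec["pin_hash"]):
            return False
        # Factor 2: something you have. Accept the next expected counter or a few ahead,
        # then move the counter past the accepted value so the same code is never replayed.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["token_secret"], c), otp):
                rec["counter"] = c + 1
                return True
        return False


if __name__ == "__main__":
    v = TwoFactorVerifier()
    v.enroll("alice", "1234", RFC4226_SECRET)
    first_code = hotp(RFC4226_SECRET, 0)   # what the token would display for its first press
    print(v.verify("alice", "1234", first_code))   # True
    print(v.verify("alice", "1234", first_code))   # False: same code cannot be replayed
```

The counter only advances on a successful match, and anything at or below the last accepted counter is refused, so capturing one code from a user does not let someone log in later; a wrong PIN leaves the counter untouched so the legitimate user's next code still works.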

Having just met with a regional midwestern bank yesterday, I discussed the solution offered by Trusted Network Technology, where a driver is pushed out to any device (computer, ATM, etc.) using ZENworks, Tivoli, etc.; this driver (unknown, undetectable, and unalterable by a user) is planted on the device, and access is based on a role defined in a directory. In other words, this can be rolled out, solve the problem, and be done very quickly (one install I know of took 2 hours).

I should probably mention that I am not a paid pitchman for TNT; however, the technology they have created is fantastic, and this view is based on a deployment my company did 3 weeks ago and on feedback received in meetings.

If you are a bank looking at solutions, you owe it to your management, board, and most importantly customers who are concerned with security and protection of personal information.

Saturday, October 01, 2005

Great presentation...

http://www.identity20.com/media/OSCON2005/

This was a presentation given by the CEO of SXIP (pronounced "skip") talking about Identity 2.0. It validated my musings about a Federated Reserve, insofar as needing an online model of the offline world and a way to validate ID, assess and manage the value of currency, and what it means for users. Plus, it was a well-done presentation.

Go Red Sox!!!!