Bill Thompson on security

Bill Thompson, BBC blogger and contributor to Go Digital, recently reported on GetSafeOnline, a UK government-backed website promoting online security. Overwhelmingly this is great news; however, Bill took a swipe at e-commerce sites and software vendors for being insecure.

I also think that the software companies, internet providers, computer manufacturers, website designers and e-commerce sites are really to blame, because they have built a network which is fundamentally insecure and open to fraud, theft and abuse. Making the users do all the work is adding insult to injury.

I would like to point out to him that online transactions between users/customers and e-commerce sites such as Amazon and banks such as NatWest are very secure. Customer PCs are the weakest point in any transaction, as the customer is not a security expert. Banks and shops, however, tend to be. Therefore the only way to protect against most forms of criminality is to get customers/users to update their machines, as this is where most viruses and attacks take place. Users must install antivirus software and firewalls in addition to learning how not to be duped by scams on the internet. Perhaps the entities mentioned by Thompson should be more involved with this, as Thompson would agree, but ultimately the user has to secure it themselves, just as the homeowner cannot expect the police to install padlocks on the garden shed.

2 Responses to “Bill Thompson on security”

  1. dave Says:

    Hmm, I don’t think that is a reasonable response. All but the most computer-savvy users can fall to phishing scams or inadvertently be running an undetected trojan application.
    The simple fact is there is no way banks can guarantee all their users are accessing the online bank system from a fully patched, secure, virus-free computer - public access terminals, anyone?
    Also, there is no way to guard against phishing or trojan attacks on a user’s PC unless two-factor authentication is used.
    If I want to access my work’s internal network from home via VPN I have to use a token that generates a random number every minute. After the minute is up the password is useless and it doesn’t matter if some scammer has acquired it.
    All you would need is a token that displays another changing code for performing any transaction and you have a fairly secure system.

    The point of failure may be the home user and more security awareness would be lovely, but it’s the bank’s responsibility to ensure their system is as secure as possible, and unless they stump up the cash to develop two-factor authentication they are not protecting their customers.

  2. site admin Says:

    Those token things are cool though and really banks and shops should use them. TSB are testing them right now and will roll out across all banks in the next two years (so I hear).

    I suppose it just depends on how far the banks should go out of their way to make the user secure. Take the real-world situation: banks don’t provide a shredder to me to protect my credit card information on my bills or receipts. This would reduce the chances of fraud by bin divers, but would cost the bank a fortune and it could be argued that they are not providing me with protection for not doing so. It’s the same for getting banks to, say, pay for antivirus stuff or software updates.

    It just bugged me that Thompson said that sections are ‘fundamentally insecure’ when it simply isn’t if both parties are set up correctly. I personally think that customers should be made aware about how to protect themselves, as it is they who are the real weak point, and banks should not be blamed for the totality of somebody telling Mr Criminal on MSN their credit card info. Those token things would stop loads of it and I’m well happy that they are making them.

    In an ideal world we wouldn’t need all this shit, bah.
