Can Technology Stop Social Engineering Tricks -- Or Does It Make It Worse?

from the questions-questions-questions dept

There's been a lot of talk in the past few weeks about new guidelines from federal officials designed to help prevent online banking fraud by requiring some form of two-factor authentication, such as a security token that changes the code every sixty seconds. At a first pass, this may sound like a good idea. It helps get past the single username/password setup that is so easy to break (especially if you can get someone to cough up their password for the simplest of trinkets, or just by asking them for the password). However, some are suggesting that this new plan for two-factor authentication isn't such a good one. First of all, it will be expensive to implement. Banks will need to send customers the tokens or scratch-off cards or whatever other system they use. They'll have to upgrade their own systems to handle that. Then, it makes life more difficult for users. Customers have to figure out how the token/card works, always carry it around with them and try not to lose it. Then, if the banks don't agree on a standard system, customers may be required to carry around a bunch of tokens with them at all times -- which won't be much fun. However, the worst of it is that the scammers will adjust, so such methods may not help very much at all. The problem is that most bank fraud is really done by social engineering: tricking people into giving up the info necessary to get into their account. So, now, all the scammers need to do is trick them into giving up the token/scratch card info as well, or just use a standard man-in-the-middle attack. Yes, the stolen code may be more time-limited, but that might not matter. In fact, the article notes that customers of a Scandinavian bank using two-factor authentication have already been scammed. What it comes down to is that most banking scams are done by social engineering -- and that's pretty difficult to stop by technological means.
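To make the "time-limited" point concrete, here is an added example (not code from the article or from any bank mentioned in it) of how a sixty-second token works on the verifier's side. It implements HOTP (RFC 4226) and the time-based variant TOTP (RFC 6238) with the standard library only. The function names `hotp`, `totp`, `verify` and `seconds_until_rollover`, and the 60-second step, are this example's own choices; the secret and the 30-second/8-digit vectors in the comments are the published RFC 6238 test values, used here only to show the implementation is correct. The verifier typically accepts a neighbouring step or two to tolerate clock drift, which is exactly why a code that has just been handed over still validates: it is good for the rest of the current step plus the drift window, not for a single instant.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, at_time // step, digits)


def verify(secret: bytes, code: str, at_time: int,
           step: int = 60, digits: int = 6, drift: int = 1) -> bool:
    """Accept the code for the current step and `drift` steps either side.

    The drift window is what lets a slightly skewed token still work; it also
    means a code is live for up to (2 * drift + 1) * step seconds, not "now".
    """
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-drift, drift + 1)
    )


def seconds_until_rollover(at_time: int, step: int = 60) -> int:
    """How long the code displayed at `at_time` keeps being the *current* one."""
    return step - (at_time % step)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real token's secret is random.
    rfc_secret = b"12345678901234567890"
    # Published vectors use a 30-second step and 8 digits: 59 -> 94287082, 1111111109 -> 07081804
    print(totp(rfc_secret, 59, step=30, digits=8))
    print(totp(rfc_secret, 1111111109, step=30, digits=8))

    # Constructed scenario: code shown at t=1000 with a 60-second step.
    shown_at = 1000
    code = totp(rfc_secret, shown_at)
    print("current for another", seconds_until_rollover(shown_at), "seconds")
    print("accepted 50s later:", verify(rfc_secret, code, shown_at + 50))   # True (drift window)
    print("accepted 130s later:", verify(rfc_secret, code, shown_at + 130)) # False (expired)
```

The design point for a defender is the `drift` parameter: widening it improves usability for tokens with poor clocks, but every extra step it tolerates extends how long a code that was coaxed out of a customer remains usable. Binding the code to the transaction it authorises, rather than only to a time step, is the usual answer to the relay problem, and is outside what this simple TOTP check does.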

Reader Comments



  1. zcat, 1 Nov 2005 @ 6:13pm

    Re: No Subject Given

    Except that SMS costs money, and I guarantee that the banks will pass that cost to the customer (at the usual retail price, not what they pay for it, and probably with an extra 50% for no better reason than because the customer has NO CHOICE anyhow)

    Which means that my internet banking is going to end up costing me even more.

    I think the long-term solution to the problem is that the banks should do ABSOLUTELY NOTHING AT ALL about fraud.

    If you're stupid enough to follow an email link and not notice any of the generally HUGE giveaways that suggest a scam (wrong URL, bad spelling, broken links, wrong URL, no encryption, wrong URL, you've been told a million times to NEVER follow banking links in email, etc.) then you should accept the resulting fleecing as a fine for your stupidity and a painful reminder to pay more attention in future.

    If the banks want to do anything else I suggest they send their own customers a 'please verify your account' email of their own. Anyone who falls for this email should have their internet banking disabled until they attend a mandatory lecture on basic security.

