Can Technology Stop Social Engineering Tricks -- Or Does It Make It Worse?

from the questions-questions-questions dept

There's been a lot of talk in the past few weeks about new guidelines from federal officials designed to help prevent online banking fraud by requiring some form of two-factor authentication, such as a security token that changes its code every sixty seconds. At first pass, this may sound like a good idea. It gets past the single username/password setup that is so easy to break (especially if you can get someone to cough up their password for the simplest of trinkets, or just by asking them for it). However, some are suggesting that this new plan for two-factor authentication isn't such a good one.

First of all, it will be expensive to implement. Banks will need to send customers the tokens, scratch-off cards or whatever other system they use, and they'll have to upgrade their own systems to handle it. Then, it makes life more difficult for users. Customers have to figure out how the token or card works, always carry it around with them and try not to lose it. And if the banks don't agree on a standard system, customers may be required to carry around a bunch of tokens with them at all times -- which won't be much fun.

The worst of it, though, is that the scammers will adjust, so such methods may not help very much at all. The problem is that most bank fraud is really done by social engineering: tricking people into giving up the info necessary to get into their account. So now all the scammers need to do is trick them into giving up the token or scratch-card code as well, or just use a standard man-in-the-middle attack that passes the code along while it is still valid. Yes, the code may be time-limited, but that might not matter if it is used within the window. In fact, the article notes that customers of a Scandinavian bank using two-factor authentication have already been scammed. What it comes down to is that most banking scams are done by social engineering -- and that's pretty difficult to stop by technological means.

Reader Comments



  1. jmud, 3 Nov 2005 @ 5:04am

    Re: No Subject Given

    In South Africa, where banking is quite expensive as it is, and fraud is almost commonplace, an SMS is sent to the account holder after every single transaction above a certain amount. If you go to a store and make a purchase above that amount you immediately get an SMS informing you that a transaction has taken place, where and for how much.
    But then in South Africa you have to pay to withdraw cash, you pay for the bank to hold your money - basically you pay for everything.
