
Erik Christiansen <dvalin@internode.on.net> writes:
On 07.05.14 20:28, Andrew McGlashan wrote:
Still, from what I've seen and what I understand, I still don't trust them as much as I would like -- heck my NetBank with a dongle doesn't even work properly with Firefox [NetBank, not the login auth], I have to use Chrome and that's something I would otherwise like to avoid too.
For good or bad, I'm still in the "nuffin's visibly gone wrong so far" cohort. Without the dongle, even with the account ID and password, any stolen information would be useless, AIUI. (That said, known slack security of any kind has to be fixed ASAP.)
Are you talking about these tokens? https://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise

Re liability dumping, some choice quotes from an excellent book:

Although U.S. banks faced a much fiercer liability regime, they actually spent less on security than UK banks did, and UK banks suffered more fraud. [...] But the main change was to shift liability so that the merchant bore the full risk of disputes. If you challenge an online credit card transaction (or in fact any transaction made under MOTO rules) then the full amount is immediately debited back to the merchant, together with a significant handling fee. [...] The ability of banks to blame their customers for fraud has also led to many sloppy practices.
-- http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c10.pdf

UK law provides that a forged handwritten signature is completely null and void [...] it's not possible for a bank to use its standard terms and conditions to dump the risk on the customer.
-- http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c14.pdf

In the UK in particular, smartcards have been more a liability engineering technology than a protective one; complaints are answered with a standard refrain of 'your chip and PIN card was used, so it's your fault.' [...] The law moved the liability for forged [digital] signatures from the relying party to the party whose key was apparently used. By accepting such a device, you were in effect saying, 'I agree to be bound by any signature that appears to have been made by this device, regardless of whether or not I actually made it'.
-- http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c16.pdf

On whom does the burden of proof lie under Australian law, for the respective banking technologies (e.g. signatures, mag strip, EMV, RSA tokens, two-factor SMS confirmation)?