Check out the McAfee Avert blog for look at the black market for banking information. Accounts with high balances cost more, but have guarantees:

For such prices, the seller offers some guaranties. For example, the purchase is covered by replacement, if you are unable - within the 24 hours - to log into the account using the provided details.

Hat tip Johannes Ernst

Great article on the New York Times site about the psychology of insurance.

So when we think about passing up flight insurance, we conjure up disaster just as easily as ancient Greeks imagined a thunderbolt from Olympus, and we too figure we can avert it through the equivalent of a bull sacrifice. Intuitively, we haven’t made great strides since Homer’s day. But at least our gods take credit cards.

Hat Tip Marginal Revolution

On a recent trip to Mexico, our casita had a safe in it. The instructions for using it and the combination were printed on a covered sheet of paper sitting on top of the safe. As I scanned for directions on how to change the combination, I read:

Don't worry. Anyone here to steal cannot read this paper.

Read the post: Fingerprint charade.

The net of all of this was to drive home, yet again, just how silly it is to use a “public” secret as a proof of identity. The fact that I can somehow “apply” a given fingerprint means nothing. Identification is only possible by physically verifying that my finger embodies some fingerprint. Without physical verifcation, what kind of a lock does the fingerprint reader provide? A lock which conveniently offers every thief the key.

The core problem is that you are relying on the security of the carriers for the security of your system. Once you cede that control, you are at their mercy. And their idea of security might not be the same as yours. Consider this recent post at Consumerist about how easy it is to hijack a Sprint Account:

Remember, all I knew about this guy was his cellphone number, that he was in his 20's, and that he lived in DC. That's it. That's all it took to completely hijack his entire Sprint account.

In the comments on this post, a former Sprint rep says it's even worse than we thought. They say that every question about cars has three luxury models and one typical one. He says that "none of the above" for "which properties have you owned" was correct 99% of the time. And worst of all, you only need to answer two of the questions correctly to gain access to an account. I was shocked at the number of times I was able to access an account by simply guessing the answers," he writes. "Fortunately I am an ethical person, but if I wasn't I could've done a LOT of damage very easily."

Companies make security decisions based on acceptable rates of false positives versus false negatives. The bigger the user base, the lower the tolerance for false negatvies. A cell phone company with 10 million subscribers will have a very low tolerance for false negatives. Do you want the same tolerance for your two-factor authentication? It seems highly unlikely.

More on SMS authentication issues

We previously announced our proof-of-concept for adding two-factor authentication to Google Apps. We have published How to add two-factor authentication to Google Apps over on Howtoforge. Check it out.

Update: I should also mention that it would be trivial to add support for Google Apps SSO into the WiKID server, removing the requirement for a 3rd party product. If there's interest in that...