Skip to main content

The WiKID Blog

Viewing posts tagged Mutual Authentication


There is a great post on DigitalID World by Eric Nolan about the recent FFIEC guidelines regarding two-factor authentication being a driver for the strong authentication market, much as other compliance rules have boosted the identity management marketplace. It is a very inciteful article and worth the read. I have some comments though:


One reason I haven't been posting is that I have been adding some Flash demos to the website.


As we noted way back in 2006 the value in gaming credentials will bring out the fraudsters.. Now Blizzard is offering tokens for WoW. Queue the "If I can get it for WoW, why not my bank" blog posts:

I agree with the sentiment but I wanted to start a conversation regarding why you won't be seeing these tokens in the mail from your bank any time soon. The reason most banks, e-commerce sites, and even corporate VPN connections aren't protected by two-factor authentication can be broken down into a few reasons:

  • cost: additional cost to customer, shipping, inventory, infrastructure, licensing, staff, overhead, etc.
  • complexity: dealing with lost tokens, mistyped numbers causing locked acconts, countless help desk calls, etc. If you are locked out of your WoW account you can't play a game, when you are locked out of your bank account you can't pay bills, transfer funds, check your balance, etc. Simply put, the downside risk of customer convenience is greater than the upside risk of greater levels of security.
  • motive: Blizzard is providing these tokens to help secure customers accounts, but also to further secure their future revenue stream and also to combat piracy and cheating, in short, it makes business sense. Banks don't typically suffer very much if a customer account is breached as they very rarely take the hit themselves but instead either insure against the loss (either federally or privately) or simply passing the costs onto customers.


According to the Register the recent 'defacement' of Zone-H was really a DNS hijacking. While it is not clear how the attackers took control of the domain, it points out the DNS system is not a reliable security mechanism. It is less likely that an attacker would get contorl of a major financial institution's DNS registration (or is it?), but DNS-cache poisoning is very likely.


Holy Cow.

Hackers on Tuesday hijacked the Web site, one of the largest online bill payment companies, redirecting an unknown number of visitors to a Web address that tried to install malicious software on visitors' computers, the company said today.
First, I find it very hard to believe that you would hijack the domain for one of the world's largest payment processor and only try to install malware.

Recent Posts







RSS / Atom