Print
Discuss
Send to friend
RSS feedsYou can buy everything on eBay, from the sublime to the ridiculous. Cuckolded husbands sell their wives' underwear; pranksters sell paper aeroplanes; you can even bid for a paper cup thrown at an American basketball star. But of course it also has its problems, most obviously the potential for imaginative crime.
Recently I heard of a hacker who had managed to fool a bidder into paying for an item being sold by someone else. Caveat emptor, of course: let the buyer beware. In other cases, the items sold have been the proceeds of robberies; the thieves used eBay as a high-tech way to turn the items into cash as anonymously as possible. But it's hard for any buyer to beware - or indeed, for any internet bank truly to "know their customer" - in an environment where "nobody knows you're a dog"; and where high degrees of anonymity are possible.
The issue, of course, is identification and authorisation - the identification of living human beings with some form of process block, and the authorisation of that process block to gain access to information.
There are three levels of authentication which are commonly recognised. Type 1, something that you know; a password, for example. Type 2, something that you have; a token or a smartcard. And type 3, something that you are; a biometric measure. And then, there are two common "factors" of authentication: one factor uses only one of these types; two factor uses two of them, preferably of different types. Unfortunately, almost all authentication that takes place on the internet, or indeed, in all but the most security conscious of environments, is one factor (a password) or at most a weak version of two factors (two passwords; a password and something such as your mother's maiden name).
In any security plan these would be considered weak, but they are the commonplace elements of most internet financial transactions.
There have long been better ways of achieving this authentication. Chip and PIN cards, for example, support true two-factor authentication: something you have, the card itself; and something you know, the PIN. Why can't we have those systems in place routinely on the internet, even if just for internet banking?
There are two reasons. First, the expense would cut into the banks' profits. Well, given the huge difference in cost between high street transactions and internet transactions - something like 20 times - this profit element seems less important. But there is another reason, and that is that users would be, in fact, less well protected.
An internet transaction on a credit card is a "cardholder not present" transaction, meaning that the burden of proof for the transaction lies with the merchant and the customer can expect to be refunded if anything goes wrong.
If you move to a stronger authentication - or even some form of digital signature - then this protection is removed; it becomes a "cardholder present" transaction and the burden shifts.
So, intriguingly, customers might be better protected with the weaker security versions. Worth thinking about next time you buy something online from eBay?
del.icio.us
Digg this
reddit!
