[TriLUG] OT: lack of security at BofA

matt at noway2.thruhere.net matt at noway2.thruhere.net
Mon Dec 22 10:38:12 EST 2014


> I would like a push transaction system. The merchant provides their
> account number and I push my money into their account, they see that
> the money has landed in their account and the deal is done.

I am not an expert in this area, but it sounds to me like the classic
cryptographic / spy paradox exists.  A and C need to trust each other and
rely upon a mutually trusted 3rd party, B.  In many ways, this is the
Paypal concept but that too adds a point of vulnerability.  My ATM / Debit
card was 'hacked' and the fraudster used it to create a Paypal account and
charged two transactions for $514 each.  Paypal admitted that they were
frauds and refunded one of them but then tried to fight me for the other. 
Ultimately my bank initially credited me back the $1K, took half of it
back when Paypal refunded the one charge, and left the other credit and
apparently settled the issue directly with Paypal.

I would like to see elimination of direct information and access to
accounts.  Transactions should be unique and use a one time cipher and
authentication where processing a transaction does not give you the
information or ability to process a future one. Something like Kerberos
ticket authentication comes to mind.

> I can secure my account with whatever means I consider acceptable and don't
> have to trust that the merchant is up to date with their security.
> Consider what we have now; I give the merchant my account number, my
> authentication info, etc, and the merchant reaches into my bank
> account and pulls out what they want.
>
We have to be careful not to put too much emphasis on individual
responsibility for securing the system.  Anything that requires a
technical approach or too many steps will fail with many consumers and
make the system vulnerable.  It's like the old weak password problem.
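As an added illustration of the "one-time cipher / Kerberos-ticket" idea in the post (not code from the poster or the list), the sketch below models the trusted third party B as a bank that issues a token bound to one payee, one amount, a fresh nonce and an expiry, and redeems it exactly once. The token format, the use of HMAC-SHA256 as the "cipher", the in-memory ledger, the account names and the balances are all assumptions constructed for this example; the point it makes is that a merchant who has processed one payment holds nothing that lets them, or anyone who copies the token, process a second one.

```python
"""Single-use, transaction-bound payment authorization (constructed example).

The account holder authenticates to the bank (out of scope here) and asks
for a token that authorizes exactly one payment, to exactly one payee, for
exactly one amount. The payee redeems it with the bank. Replays, tampered
amounts, a different payee and stale tokens are all rejected.
"""
import hashlib
import hmac
import json
import secrets
import time


class Bank:
    """Trusted third party that issues and redeems single-use payment tokens."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key      # never leaves the bank
        self._redeemed = set()       # nonces already spent (replay check)
        self.ledger = {}             # account -> balance in cents (constructed)

    def _mac(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, payer, payee, amount_cents, ttl_s=300, now=None) -> str:
        """Issued to the payer after they authenticate to the bank."""
        now = time.time() if now is None else now
        claims = {
            "payer": payer,
            "payee": payee,
            "amount": amount_cents,
            "nonce": secrets.token_hex(16),   # makes every token unique
            "exp": int(now) + ttl_s,          # short validity window
        }
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
        return payload + "." + self._mac(payload)

    def redeem(self, token, presented_by, amount_cents, now=None):
        """Called by the payee (or their processor). Returns (ok, reason)."""
        now = time.time() if now is None else now
        payload, sep, tag = token.rpartition(".")
        if not sep or not hmac.compare_digest(tag, self._mac(payload)):
            return False, "bad signature"
        claims = json.loads(payload)
        if claims["payee"] != presented_by:
            return False, "token bound to a different payee"
        if claims["amount"] != amount_cents:
            return False, "amount mismatch"
        if now > claims["exp"]:
            return False, "expired"
        if claims["nonce"] in self._redeemed:
            return False, "replay: token already spent"
        if self.ledger.get(claims["payer"], 0) < amount_cents:
            return False, "insufficient funds"
        self._redeemed.add(claims["nonce"])
        self.ledger[claims["payer"]] -= amount_cents
        self.ledger[claims["payee"]] = self.ledger.get(claims["payee"], 0) + amount_cents
        return True, "settled"


def demo() -> dict:
    """Normal flow plus the misuse cases the post worries about (constructed data)."""
    bank = Bank(secrets.token_bytes(32))
    bank.ledger["alice"] = 100_000   # $1000.00, constructed
    bank.ledger["shop"] = 0
    t0 = 1_700_000_000               # fixed clock so the expiry case is deterministic
    tok = bank.issue_token("alice", "shop", 51_400, now=t0)
    first = bank.redeem(tok, "shop", 51_400, now=t0 + 10)
    replay = bank.redeem(tok, "shop", 51_400, now=t0 + 20)          # same token again
    other_payee = bank.redeem(tok, "someone-else", 51_400, now=t0 + 20)
    tampered = tok.replace('"amount":51400', '"amount":99999')       # edited in transit
    forged = bank.redeem(tampered, "shop", 99_999, now=t0 + 20)
    stale = bank.redeem(bank.issue_token("alice", "shop", 100, now=t0),
                        "shop", 100, now=t0 + 301)
    return {
        "first": first, "replay": replay, "other_payee": other_payee,
        "forged": forged, "stale": stale,
        "alice": bank.ledger["alice"], "shop": bank.ledger["shop"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The merchant never learns the payer's account number or any credential, only a token that is worthless once redeemed; whether the payer's bank has actually received the funds is something the merchant checks with their own bank, which is the "see that the money has landed" step the quoted post asks for.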

