Istanbul, Not Constantinople, A call to arms for financial institutions.

Written by Richard Stiennon, Contributor


There are some great things about this city on the straits. The busy shipping traffic up and down the Bosporus, for one. The extremely friendly people and the safe streets as well. When I was there you could take a ferry ride from Europe to Asia for just under 800,000 Turkish lira (about 70 cents).

There are two things to watch out for in Istanbul: the traffic and keystroke loggers. There are dozens of Internet cafés in Istanbul, the result of pre-deregulation telecom infrastructure. The citizens don’t have broadband, so they do their browsing from cafés where the cost is a reasonable million lira per hour. The trouble with browsing from public computers, of course, is that you never know what evil lurks on that machine. (It is always a good idea to check: run spyaudit next time you are at a public terminal.) In Istanbul, hackers have installed keystroke loggers to steal online banking account info. The banks have recognized this and are starting to look into solutions. Some sort of downloadable security tool, such as one from WholeSecurity, is one approach. But the simple answer is to move away from username/password pairs for authentication, something I believe will have to be the norm for all financial web sites in the not too distant future.

Authentication technology is very mature. At last week’s Info Security and Storage Expo in Milan there had to be half a dozen biometric USB tokens available. Some very cool technology is available that uses your cell phone to authenticate. An identity thief would have to steal your password *and* your phone to get at your money. And there is always the good old one-time password token from RSA or Secure Computing. There are 49 exhibitors at this week’s RSA conference in San Francisco with authentication products.

Banks have been very reluctant to switch to strong authentication. First there is the cost; second, imagine the help desk calls! This is the same issue IT departments have had with strong authentication for decades. But as the threat increases, the costs start to look reasonable.

Remember when the watchword in the auto industry was “safety does not sell”? I was a crashworthiness engineer back then. Volvo changed all that and today we have auto companies falling over each other to improve airbags and crushability in their cars.

Prediction: In the next two years banks will vie with each other to assure their online customers that they offer the best security.

What about token proliferation you say? Hey, how many bank cards are in your wallet/purse? Carrying a couple of USB tokens is a small price to pay for knowing that a hacker cannot break into your account.

Originally published at www.threatchaos.com  
