Date: Wed Oct 12 22:49:19 2005
From: lyal.collins at key2it.com.au (Lyal Collins)
Subject: NEW USA FFIES Guidance

Like running to a bank/post office and getting a certificate?
Certs are just a password verification tool, where user password
verification occurs locally instead of at the server.  This is NOT two-factor
by any definition, just a password verification displacement tool.
 
At a very quick look at the documentation, Australian banks have had similar
guidelines for some months.  
The key requirement seems to be "do a risk assessment, and act based on the
outcome".  Everything else is optional, based on the risk assessment,
however that is performed, and whatever that internal document recommends.  
On this model, it's easy to justify not doing anything, since the fraud
dollar losses don't seem to be even a few percent of the costs to implement
and support two factor hardware devices based on the anecdotal evidence and
reviews I've seen.
 
Lyal
 
 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Casey
DeBerry
Sent: Thursday, 13 October 2005 7:30 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] NEW USA FFIES Guidance


For those that fall under US FFIEC governance, what are you doing to satisfy
these requirements?  I'd like to think I have more options than running to
the store to pick up my RSA keyfobs...  What about PKI?  Are there other
options for web based apps?
 
http://www.fdic.gov/news/news/financial/2005/fil10305.html
 
C. DeBerry
