This made me a bit sad because it failed to mention the two design principles that I would like every secure system to focus on:
The principle of least privilege
The principle of intentionality.
In the context of financial systems, inspecting my balance and seeing my list of recent transactions should be strictly less privileged operations than making a payment. I should be able to log into my account in such a way that an attacker who compromised the device that I’m using can leak data about me but can’t steal any of my money (this also requires not using my current balance as a secret for later authentication).
Similarly, if I want to spend money, I should elevate privilege specifically for that operation, not arbitrarily. My bank used to require me to sign each transaction with a separate device that required me to enter the amount, which made it harder for an attacker to inject malicious transactions. Now they don’t, which is an improvement in usability but not in security.
The worst security mistake that a lot of banks make (which mine, finally, has fixed) is that they lack any mechanism to authenticate themselves to their customers. It’s hard to fake a high street bank for in-person transactions but it’s trivial to call someone and claim to be from their bank. I had several conversations where the person from the bank was confused about why I didn’t trust their claim that they were from the bank, so they were training their customers to fall for scams. My bank now has a mechanism to send a message directly to the app, so they can call me and then send a message via a secure channel that lets me know that the person on the phone is really a bank representative (or someone who has compromised their systems so deeply that they don’t need me to do anything to steal all of my money).
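As an added example that is not part of the comment above, a small Python model of the two principles it describes: the login session is read-only, and a payment needs a separate per-transaction signature that commits to the payee, the amount and a bank-issued nonce, so an attacker holding only the session token can read the balance but cannot spend or replay. The `Bank` class, `device_sign` and the HMAC-based signing device are assumptions, not any real bank's design.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not real bank code; all names and keys are invented.

def device_sign(device_key: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """Stand-in for the separate signing device into which the user types the amount."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class Bank:
    def __init__(self, balance_cents: int, device_key: bytes):
        self._balance = balance_cents
        self._device_key = device_key
        self._sessions = set()      # read-only session tokens
        self._open_nonces = {}      # nonce -> session it was issued to

    def login(self) -> str:
        token = secrets.token_hex(16)
        self._sessions.add(token)   # least privilege: a login alone cannot pay
        return token

    def _check_session(self, token: str) -> None:
        if token not in self._sessions:
            raise PermissionError("not logged in")

    def balance(self, token: str) -> int:
        self._check_session(token)  # read-only: the session is enough
        return self._balance

    def challenge(self, token: str) -> str:
        """Issue a one-time nonce that the signing device must commit to."""
        self._check_session(token)
        nonce = secrets.token_hex(8)
        self._open_nonces[nonce] = token
        return nonce

    def pay(self, token: str, payee: str, amount_cents: int,
            nonce: str, signature: str) -> bool:
        """Intentional elevation: needs a fresh device signature over this exact payment."""
        self._check_session(token)
        if self._open_nonces.pop(nonce, None) != token or amount_cents <= 0:
            return False            # replayed, unknown or wrong-session nonce
        expected = device_sign(self._device_key, payee, amount_cents, nonce)
        if not hmac.compare_digest(expected, signature):
            return False            # payee/amount differ from what the user signed
        self._balance -= amount_cents
        return True
```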
You’re playing chess and the FTC in this post is addressing people who are still playing tic tac toe, by giving them some very specific instructions that are hard to make security regressions.