Skip navigation
Skip navigation



Security expert @stake warns against applying technology bandages to
policy problems


At a meeting of senior financiers in London this morning, Dan Geer, Chief
Technical Officer of Internet security consultancy @stake, warned that the
adoption of wireless technology will force a radical rethink of security
measures within the financial services sector. The growing dependence on
wireless networking within financial services institutions and the
increasing use of portable devices to exchange information with employees
and customers undermines many current assumptions about security that
technology alone is unable to address, he said.

"The recent scare stories about security flaws surrounding wireless
technology have clouded a more fundamental issue - effective security
starts not with technology but with the policies that financial
institutions put in place to control sensitive information," said Geer.
"As these institutions embrace mobile devices and wireless connectivity,
the policies surrounding access and accountability will have to be
fundamentally revised to maintain the high standards of security to which
customers and regulators have become accustomed."

Within financial institutions, security consists largely of the choice
between two different strategies - who may do what to whom and at what
time; and accountability, whereby individuals are given a great deal of
autonomy but are also subject to very strict audits of their behaviour to
ensure that any misdemeanours can be readily identified. Geer warns merely
extending existing technologies to the wireless world without
re-examination is a recipe for disaster.

As an example, Geer explained that because wireless devices can be easily
lost or stolen, any policy that identifies a user simply by their
possession of a particular device is very prone to fraud. Because any
radio transmission is relatively easy to intercept, 'replay attacks' -
whereby even encrypted security codes are captured and re-transmitted -
become relatively simple for the experienced hacker. To counter this, very
careful attention needs to be made to: user authentication;
'time-stamping' security codes; improving the meaningfulness of
transaction logging; and to 'velocity checking' whereby transactions
carried out in different apparent locations at the same time are flagged
as suspect.

"These security measures are themselves policy issues that exist quite
independently of the wireless security technologies employed and it is
only by addressing these issues that an effective and secure platform can
be created," said Geer. "Financial institutions must also take care to
identify the potential outcome of any security exposure to ensure that the
security they implement is consistent with the risk entailed, just as they
naturally do in other more familiar parts of their businesses."

Contact Brodeur Bfour

Matthew Ward/Lena Ahmed

mward@brodeurbfour.com


or lahmed@brodeurbfour.com


Telephone +44 (0) 1753 44 8875/8861

This press release was distributed by ResponseSource Press Release Wire on behalf of Pleon in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit https://pressreleasewire.responsesource.com/about.