<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2900.2722" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff size=2>Like
running to a bank/post office and getting a
certificate?</FONT></SPAN></DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff size=2>Certs
are just a password verification tool, where user password verification occurs
locally instead of at the server. This is NOT two-factor by any
definition, just a password verification displacement tool.</FONT></SPAN></DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff size=2>At a
very quick look at the documentation, Australian banks have had similar
guidelines for some months. </FONT></SPAN></DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff size=2>The
key requirement seems to be "do a risk assessment, and act based on the
outcome". Everything else is optional, based on the risk assessment,
however that is performed, and whatever that internal
document recommends. </FONT></SPAN></DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff size=2>On
this model, it's easy to justify not doing anything, since the fraud dollar
losses don't seem to be even a few percent of the costs to implement and
support two-factor hardware devices, based on the anecdotal evidence and reviews
I've seen.</FONT></SPAN></DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff
size=2>Lyal</FONT></SPAN></DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=689174021-12102005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] <B>On Behalf Of </B>Casey
DeBerry<BR><B>Sent:</B> Thursday, 13 October 2005 7:30 AM<BR><B>To:</B>
full-disclosure@lists.grok.org.uk<BR><B>Subject:</B> [Full-disclosure] NEW USA
FFIES Guidance<BR><BR></FONT></DIV>
<DIV><SPAN class=474382621-12102005><FONT face=Arial size=2>For those that
fall under US FFIEC governance, what are you doing to satisfy these
requirements? I'd like to think I have more options than running to the
store to pick up my RSA keyfobs... What about PKI? Are there other
options for web based apps?</FONT></SPAN></DIV>
<DIV><SPAN class=474382621-12102005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=474382621-12102005><FONT face=Arial size=2><A
href="http://www.fdic.gov/news/news/financial/2005/fil10305.html">http://www.fdic.gov/news/news/financial/2005/fil10305.html</A></FONT></SPAN></DIV>
<DIV><SPAN class=474382621-12102005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=474382621-12102005><FONT face=Arial size=2>C.
DeBerry</FONT></SPAN></DIV></BLOCKQUOTE></BODY></HTML>