Penetration Testing: [PEN-TEST] Your opinions ... last request

From: Jim Miller <MillerJ_at_FABSSB.COM>
Date: Wed, 1 Nov 2000 09:09:38 -0600

Thank you all for your elucidating responses. I have come to understand better the technology that my bank will deploy. I just have one last point to clarify, and would like to ask one more time for info on this specific point.

The client-side security is less than adequate, and the bank intends to protect itself using legal stipulations in signed client contracts. But this obvious step will be pointless if the system we deploy to the customer is easily hacked. For the customer, physical security is a recommended control, and necessary to prevent the obvious hack: theft of the hardware.

But if the certificate itself is easily removed from the client and can be transported and installed on another PC, the client is even more easily hacked. It would not do the bank any good to deploy the system to any customer if the certificate is readily accessible by any employee with a fair technical knowledge.

This begs [the last and final] question: can the certificate be exported to another PC without re-issuance by the bank? Where does the certificate reside on the client? How easily is it hacked, copied, transported, and/or re-installed?

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100
979/361-6515
801/835-5546
millerj_at_fabssb.com
Received on Nov 02 2000