Comment Re:How does it secure against spoofing? (Score 1) 121

No, there is no guarantee that the user will not use a mobile phone to access his online banking (and the idiocy of some banks pushing out mobile apps for online banking doesn't actually improve security in that area either).

You can't make the user secure. You can only offer it to him and hope that he's intelligent enough to accept it.

Comment Re:Moral Imperialism (Score 1) 475

I pointed out what the regulation says, with a verbatim quote, and you accused me of lying (editing it).

Yes, it's verbatim, but it's not the rule. You quoted an introduction to the rule. Here is the entire thing:

Based on the record,[227] we propose a general rule prohibiting a broadband Internet access service provider from discriminating against, or in favor of, any content, application, or service, subject to reasonable network management. More specifically we propose the following new rule:

5. Subject to reasonable network management, a provider of broadband Internet access service must treat lawful content, applications, and services in a nondiscriminatory manner.

Comment 80s movies? Really? (Score 3, Interesting) 786

So it's also the 80s movies to blame that women are not interested in careers like soldier, spy, pilot, policeman (apology, -woman), archaeologist, exorcist, karate fighter,...

Has anyone ever looked closer at the 80s? The 80s were not a geek decade. The only movie I can remember where geeks were not just the comic foil (ok, even in that one they were) was "Revenge of the Nerds". The whole "engineering geeks" were no role model in 80s movies, and even less so in TV series. Whenever they were in some prominent role, they were the little sidekick of the actual hero. Be it Automan's creator Walter, who was mostly a comic sidekick (ok, the show wasn't that memorable, but the special effects were great for its time) or Street Hawk's Norman, who was some timid, beancounter-ish scaredy-cat. The geek roles were at best meant to make the hero shine some more.

Actually, the only engineer role I can remember that was allowed to be superior in areas to the hero and be more than a nuisance to him was that of Bonnie in Knight Rider.

A woman.

Comment Re:How does it secure against spoofing? (Score 1) 121

The second channel will not secure a compromised channel, but it will make it easier to detect it.

There are various defenses against replay attacks, most of them relying on keys being tied to the current time and only being valid NOW but neither before nor after. But that is only good against a replay; it is quite useless when the attacker is manipulating your own communication. That has been the staple of attacks against banking software since the advent of the OTPs, and the only sensible defense against that is actually a two channel communication. Out of band one way transmission (i.e. sending an OTP to the customer to use in the transaction) doesn't help here.

There is very little you can do to combat malware infections unless you are willing to use a second channel. At some point in the communication the data is vulnerable to modification, no matter how well you try to shield it. It resides in memory, unencrypted, at some point in time. And if nothing else, this is where it will be manipulated.

And it's heaps easier to do if the interface used is a browser. You can literally pick and choose just where you want to mess with the data.

Comment Re:How does it secure against spoofing? (Score 1) 121

The system you describe has been implemented often. Most often I've seen it with online games and the like where the main threat is the use of credentials by a malicious third party (i.e. some account hijacker stealing username and password, logging into your account and doing nefarious things with it). For that, you don't need a dongle. You need two synchronized devices that output the same (usually numeric) key at the same time. Basically you get the same if you take a timestamp, sign it using PKI and have the other side verify it. If you have two synchronized clocks, transmitting the signature (or its hash) suffices. That doesn't really require plugging anything anywhere, although it probably gets a lot easier and faster to use if you don't have to type in some numbers and instead have a USB key transmit it at the push of a button.

But that's no silver bullet. All it does is verify that whoever sits in front of the computer is supposedly who they claim to be and entitled to do what they're doing. It does NOT verify what is being sent, or that the content being sent is actually what this user wanted to send.

If anything, it protects Google rather than the user. Because all that system does is make whatever is done by the user of the account non-repudiable. Because whatever is done, it MUST have been you. Nobody else could have done it, nobody else has your dongle.

Comment Re:Moral Imperialism (Score 1) 475

That takes no "new" government regulation, just applying existing laws as intended. But since the government refuses to do so, people called for the government to make more regulations (on companies, not people or the Internet) to prevent damaging behavior.

Well that's how Hitler came to power.

BOOM! DONE! You can stop calling me names for pointing out what the regulations say now.

Comment Re:How does it secure against spoofing? (Score 1) 121

Technically, "real" two factor authentication, with two different channels involved, requires an attacker to infect and hijack BOTH channels if he doesn't want the victim to notice it.

As an example, take what many banks did with text messages as confirmation for orders. You place the order on your computer, then you get a text message to your cell phone stating what the order is and a confirmation code you should enter in your computer if the order you get as confirmation on your cellphone is correct. That way an attacker would have to manipulate both browser output on the computer and text messages on the phone to successfully attack the user.

In other words, it does of course not avoid the infection. It makes a successful attack just much harder and a detection of the attack (with the ability to avoid damage) much more likely.
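To make the contrast between the two schemes in this comment and in the earlier dongle comment concrete (an out-of-band code on its own versus a text message that carries the order details the bank actually received), here is an added model in Python. It is not code from any poster; the shared secret, account numbers and amounts are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed shared secret between the bank and the customer's second channel (hypothetical).
SHARED_SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class Order:
    to_account: str
    amount: str  # decimal string so the canonical form is exact


# Constructed sample orders: what the user wants, and what browser malware substitutes.
INTENDED = Order("DE-FRIEND-001", "50.00")
TAMPERED = Order("DE-MULE-999", "5000.00")


def issue_code(order: Order, nonce: bytes) -> str:
    """Bank derives the confirmation code from the order it actually received."""
    msg = nonce + f"{order.to_account}|{order.amount}".encode()
    mac = hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_code(order: Order, nonce: bytes, code: str) -> bool:
    """A code only verifies for the order it was issued for: no reuse across orders."""
    return hmac.compare_digest(issue_code(order, nonce), code)


def run_transaction(intended: Order, malware_swap: Optional[Order], scheme: str) -> str:
    """Simulate one transfer. scheme is 'otp_only' (out-of-band code, no details) or
    'sms_with_details' (second channel shows the order the bank received plus its code).
    Returns which order the bank executed, or 'aborted' if the user refused."""
    # Channel 1, the browser: malware rewrites the order in transit and keeps showing
    # the intended one on screen, so the computer alone reveals nothing.
    received = malware_swap or intended
    nonce = secrets.token_bytes(8)
    code = issue_code(received, nonce)
    # Channel 2, the phone: only the detailed scheme tells the user what the bank saw.
    if scheme == "sms_with_details" and received != intended:
        return "aborted"  # mismatch noticed on the phone; the code is never typed in
    # User types the code into the browser; the bank checks it against the held order.
    # The malware never needs to touch the code, it already matches 'received'.
    if not verify_code(received, nonce, code):
        return "rejected"
    return f"executed:{received.to_account}:{received.amount}"
```

With `otp_only` the tampered order goes through because the code proves who is present, not what was sent; with `sms_with_details` the same tampering is caught on the phone.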

Comment How does it secure against spoofing? (Score 5, Insightful) 121

What keeps me (or my malware, respectively) from opening a Google page in the background (i.e. not visible to the user by not rendering it but making Chrome consider it "open") and fooling the dongle into recognizing it and the user into pressing the a-ok button?

A machine that is compromised is no longer your machine. If you want two factor, use two channels. There is no way to secure a single channel with two factors sensibly.

Comment Re:Moral Imperialism (Score 1) 475

Sorry you're so butt-hurt by the facts that you have to try to resort to offensive name-calling and wild speculation. Some people are such blind fools they just refuse to see the world as it is. The FCC have themselves stated that they would have different regulations that would not look like the POTS common-carrier rules. It's right there in the proposal. But I know you can't be bothered to read more than soundbites from UpVote, and can't understand more than 2 sentences strung together.

So I'll leave this excerpt from the FCC's proposed rules, for anyone else that may come along actually interested in something more than screaming and shouting down anyone pointing out inconvenient facts.

As explained above, rather than extending that common carrier standard to broadband Internet access services, we propose a general nondiscrimination rule subject to reasonable network management and specifically enumerated exceptions (including separate treatment of managed or specialized services). We believe that a bright-line rule against discrimination, subject to reasonable network management and enumerated exceptions, may better fit the unique characteristics of the Internet, which differs from other communications networks in that it was not initially designed to support just one application (like telephone and cable television networks), but rather to allow users at the edge of the network to decide toward which lawful uses to direct the network.

Comment Re:Moral Imperialism (Score 1) 475

Why did you leave out the "lawful" qualifier? Because it's in there, and it won't go away. What you're asking for, in fact, is government regulation of the Internet. And 107 pages of legalese is just the beginning of that. It's no strawman. You're ignoring the facts. You know the FCC is a former lobbyist for Comcast, don't you? Comcast is not just an ISP - they are also a content provider and copyright owner. You will comply with Comcast's terms and services if you are a customer, and I guarantee the FCC will allow them to do whatever they want, because they will just be "reasonable measures" to filter "unlawful transfers" and such.

Comment Re:Moral Imperialism (Score 1) 475

Net Neutrality is all about classifying the ISPs as what the other telecom and freight companies are: common-carriers.

They actually state in the rules that they will NOT be doing that. They want something different than the common-carriers rules, because it is "not like the phone system which used only one application." Here is a quote directly from the proposed rules:

As explained above, rather than extending that common carrier standard to broadband Internet access services, we propose a general nondiscrimination rule subject to reasonable network management and specifically enumerated exceptions (including separate treatment of managed or specialized services). We believe that a bright-line rule against discrimination, subject to reasonable network management and enumerated exceptions, may better fit the unique characteristics of the Internet, which differs from other communications networks in that it was not initially designed to support just one application (like telephone and cable television networks), but rather to allow users at the edge of the network to decide toward which lawful uses to direct the network. Reasonable network management consists of: (a) reasonable practices employed by a provider of broadband Internet access service to (i) reduce or mitigate the effects of congestion on its network or to address quality-of-service concerns; (ii) address traffic that is unwanted by users or harmful; (iii) prevent the transfer of unlawful content; or (iv) prevent the unlawful transfer of content; and (b) other reasonable network management practices.

Comment Re:Moral Imperialism (Score 1) 475

Which rules are those? I've never seen "net neutrality" rules that would have the effect you state.

You haven't bothered to read them, then. Go have a gander at the full document. Since it's 107 pages long, and you're too lazy to read and try to understand it yourself, I'll provide a few excerpts. But first, let's check out the difference between "Lawful" and "Legal": There is a pretty good explanation here, but you should research it yourself. Basically, "unlawful" is MUCH broader than "illegal".

All emphasis from the FCC rules excerpts below is mine.

To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to access the lawful Internet content of their choice.

The nondiscrimination principle would prohibit broadband Internet access service providers from favoring or disfavoring lawful content, applications, or services accessed by their subscribers, but would allow broadband providers to engage in reasonable network management.

Note in the above, we are now addressing not just whether content is lawful, but even services and applications being used or accessed.

The draft rules would not prohibit broadband Internet access service providers from taking reasonable action to prevent the transfer of unlawful content, such as the unlawful distribution of copyrighted works.

Now a broader definition of copyright infringement is being implemented - not just "illegal" infringement, but any distribution not explicitly allowed is subject to "reasonable action" by ISPs.

The Commission determined that consumers are entitled to: access the lawful Internet content of their choice[;] . . . run applications and use services of their choice, subject to the needs of law enforcement[;] . . . connect their choice of legal devices that do not harm the network[; and] . . . competition among network providers, application and service providers, and content providers.

Here, again, we see that what the FCC wants to ensure is that "consumers" can "access" content that they consider lawful. How far can we go? What if we need to ensure what content is "lawful" by ensuring that anyone, say, running a server, writing a blog, etc., has a valid license from the FCC to do so. Want a domain name from ICANN? What will you be using it for? Do you have a journalism license? Is your content lawful?

we propose that all the principles be subject to the needs of law enforcement, as well as public safety, and national and homeland security, by proposing separate draft rules on these topics. As explained in more detail below, we intend to leave sufficient flexibility in all our rules to allow broadband Internet access service providers to address law enforcement, public safety, and national and homeland security needs. Furthermore, we have no intention of protecting unlawful activities in these rules. Therefore, for additional precision, we add the word “lawful” to the proposed second rule to make clear that nothing here requires broadband Internet access service providers to allow users to engage in unlawful activities. The addition of the word “lawful” also harmonizes the second proposed rule with the first and third.

The emphasis above is from the original document.

As explained above, rather than extending that common carrier standard to broadband Internet access services, we propose a general nondiscrimination rule subject to reasonable network management and specifically enumerated exceptions (including separate treatment of managed or specialized services). We believe that a bright-line rule against discrimination, subject to reasonable network management and enumerated exceptions, may better fit the unique characteristics of the Internet, which differs from other communications networks in that it was not initially designed to support just one application (like telephone and cable television networks), but rather to allow users at the edge of the network to decide toward which lawful uses to direct the network.

Reasonable network management consists of: (a) reasonable practices employed by a provider of broadband Internet access service to (i) reduce or mitigate the effects of congestion on its network or to address quality-of-service concerns; (ii) address traffic that is unwanted by users or harmful; (iii) prevent the transfer of unlawful content; or (iv) prevent the unlawful transfer of content; and (b) other reasonable network management practices.

I fail to see how ISPs would be doing this without actually examining content. It seems here that it would be required. And just what is meant by "unlawful transfer of content"? It has nothing to do with the content being lawful or not, but it can still be unlawfully transferred?? Do you really think all this stuff is copacetic?

Call me paranoid if you want, but I have reason to be paranoid.

Comment Re:Moral Imperialism (Score 1) 475

And that's what Net Neutrality is all about.

That's what you would like it to be about - but it's a mistake to look to government (and the former Comcast lobbyist who is now head of the FCC) to look out for your interests. To them, it's about control. And if they can get you to support giving them the control they want, all the better.

Everybody keeps claiming that it will be like POTS voice regulation. But that was back in the 1930s. The FCC exercised much more control over television broadcasting, and they will implement even greater control over the Internet, if given half a chance.

Think for a minute about how Comcast, the FCC, most of Congress, etc., views you as an Internet user. You are a member of the "consumer" group, while the 5 media corporations are the "content owners". They have licenses, and you do not. They distribute lawful content, and your content will be subject to their terms and conditions.

Be careful what you ask for.
