Lack of User Authentication
Additionally, theres little in the way of authentication. In most cases, the IM program starts up when the user logs in. If the user walks away, they are still logged into the IM program and anyone can potentially walk up to their PC, click on a buddy within the organizations accounting department, send a message asking for customer Jane Does credit card number, and order themselves a nice new stereo from their favorite net electronics provider without the accounting clerks knowledge that the person who submitted the credit card number request was unauthorized to do it. (After all, in IM today, messages tend to be sent in text rather than by voice, so they lack even the primitive authentication mechanism we have with voice conversations, that of, Does that voice sound like the person I expect to be talking with?) As noted above, some solutions have started to address the need for user authentication via PKI, but commonly-available clients have yet to support authentication beyond, If you know the user ID, and you know the password, you must be that user.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.