Interests of online banks and their users [was Re: Cryptogram: Palladium Only for DRM]
Anne & Lynn Wheeler
lynn at garlic.com
Tue Sep 17 18:35:08 EDT 2002
At 01:07 PM 9/17/2002 -0700, jon at jonsimon.com wrote:
>As far as I know, banks assume that a certain percentage of their
>transactions will be bad and build that cost into their business
>model. Credit and ATM cards and numbers are as far from secure as could
>be, far less secure than somebody doing online transactions from a Wintel
>machine on an unencrypted connection, let alone an encrypted one. Until
>somebody takes full advantage of the current system and steals a few
>trillion dollars in one day, the problems are easier to deal with than a
>solution. Until that happens, there's no reason for banks to go through
>the pain of dealing with or requiring Pd.
>
>-Jon Simon
note that EU finread standard attempted to address some of this. an
external (secure, finread) token acceptor device with secure display and
secure pin entry. The hardware token is used to "sign" the (financial)
transaction .... PIN code is entered into the finread device and goes
directly to the hardware token (w/o passing thru the PC). Critical pieces
of the transactions passes thru the finread device on the way to the
(signing hardware token) and is displayed on the secure display ... which
then requires the PIN to be entered to confirm the transaction.
There is the issue of 3-factor authentication
* something you have (hardware token)
* something you know (pin)
* something you are (biometrics in addition to &/or in place of PIN)
besides the straight-forward use of signatures to authenticate the source
of the transaction ... there is the nominal legal requirement associated
with physical signatures ... i.e. did you intend to sign what you signed
aka is what you "see" what you signed ... and do you confirm that you
actually want the hardware token to sign what you "see".
A lot of digital signature seems to address the technology part of
authentication ... and then sometimes (just because the term "signature" is
used as part of the description of the technical procedure) that all
technical implementations of the process referred to as "digital signature"
is legally equivalent to "physical signatures" (even when no aspects of
intention have been satisfied).
random past finread & intention posts:
http://www.garlic.com/~lynn/aadsm10.htm#keygen2 Welome to the Internet,
here's your private key
http://www.garlic.com/~lynn/aadsm11.htm#4 AW: Digital signatures as proof
http://www.garlic.com/~lynn/aadsm11.htm#5 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#6 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#7 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#9 Meaning of Non-repudiation
http://www.garlic.com/~lynn/aadsm11.htm#13 Words, Books, and Key Usage
http://www.garlic.com/~lynn/aadsm11.htm#23 Proxy PKI. Was: IBM alternative
to PKI?
http://www.garlic.com/~lynn/aadsm12.htm#0 maximize best case, worst case,
or average case? (TCPA)
http://www.garlic.com/~lynn/aadsm12.htm#19 TCPA not virtualizable during
ownership change (Re: Overcoming the potential downside of TCPA)
http://www.garlic.com/~lynn/2000.html#0 2000 = millennium?
http://www.garlic.com/~lynn/2000.html#94 Those who do not learn from history...
http://www.garlic.com/~lynn/2000f.html#79 Cryptogram Newsletter is off the
wall?
http://www.garlic.com/~lynn/2001f.html#39 Ancient computer humor - DEC WARS
http://www.garlic.com/~lynn/2001g.html#57 Q: Internet banking
http://www.garlic.com/~lynn/2001g.html#60 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001g.html#61 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001g.html#62 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001g.html#64 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001h.html#51 future of e-commerce
http://www.garlic.com/~lynn/2001i.html#25 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#26 No Trusted Viewer possible?
http://www.garlic.com/~lynn/2001j.html#7 No Trusted Viewer possible?
http://www.garlic.com/~lynn/2001j.html#46 Big black helicopters
http://www.garlic.com/~lynn/2001k.html#0 Are client certificates really secure?
http://www.garlic.com/~lynn/2001k.html#43 Why is UNIX semi-immune to viral
infection?
http://www.garlic.com/~lynn/2001m.html#6 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#9 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001n.html#70 CM-5 Thinking Machines,
Supercomputers
http://www.garlic.com/~lynn/2002c.html#10 Opinion on smartcard security
requested
http://www.garlic.com/~lynn/2002c.html#21 Opinion on smartcard security
requested
http://www.garlic.com/~lynn/2002f.html#46 Security Issues of using Internet
Banking
http://www.garlic.com/~lynn/2002f.html#55 Security Issues of using Internet
Banking
http://www.garlic.com/~lynn/2002g.html#69 Digital signature
http://www.garlic.com/~lynn/2002h.html#13 Biometric authentication for
intranet websites?
http://www.garlic.com/~lynn/2002l.html#24 Two questions on HMACs and hashing
http://www.garlic.com/~lynn/2002l.html#26 Do any architectures use
instruction count instead of timer
http://www.garlic.com/~lynn/2002l.html#28 Two questions on HMACs and hashing
--
Anne & Lynn Wheeler lynn at garlic.com, http://www.garlic.com/~lynn/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list