[Clips] Banks Seek Better Online-Security Tools

Jonathan Thornburg jthorn at aei.mpg.de
Mon Dec 5 13:09:33 EST 2005


I would never use online banking, and I advise all my friends and
colleagues (particularly those who _aren't_ computer-security-geeks)
to avoid it.


> On Sun, Dec 04, 2005 at 05:51:11PM -0500, leichter_jerrold at emc.com wrote:
> I've been using online banking for many years, both US and Germany.
> The German PIN/TAN system is reasonably secure,
> being an effective one-time pad distributed through out of band channel

Ahh, but how do you know that the transaction actually sent to the
bank is the same as the one you thought you authorized with that OTP?
If your computer (or web browser) has been cracked, you can't trust
_anything_ it displays.  There are already viruses "in the wild"
attacking German online banking this way:
   http://www.bsi.bund.de/av/vb/pwsteal_e.htm


I also don't trust RSAsafe or other such "2-factor authentication"
gadgets, for the same reason.

[I don't particularly trust buying things online with a credit card,
either, but there my liability is limited to 50 Euros or so, and the
credit card companies actually put a modicum of effort into watching
for suspicious transactions, so I'm willing to buy (a few) things online.]

ciao,

-- 
-- Jonathan Thornburg <jthorn at aei.mpg.de>
    Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
    Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html
    "Washing one's hands of the conflict between the powerful and the
     powerless means to side with the powerful, not to be neutral."
                                       -- quote by Freire / poster by Oxfam
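
The point made in the message above (a one-time TAN authenticates the customer but not the content of the transaction) can be modeled as follows. This is an added example, not part of the original post or of any bank's system; the `Bank` class, the account strings, the TAN values and the device key are all hypothetical and constructed. The transaction-bound variant only helps if the code is computed, and the details displayed, on a device separate from the untrusted PC.

```python
import hashlib
import hmac
import json

# Constructed sample data: a printed TAN list and a per-customer device key.
TAN_LIST = {"481516", "234200", "108815"}
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def bound_code(key, order):
    """Code a separate device derives from the order shown on its own display."""
    msg = json.dumps(order, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Hypothetical server side offering two authorization schemes."""

    def __init__(self, tans, device_key):
        self.unused_tans = set(tans)
        self.device_key = device_key

    def accept_with_tan(self, order, tan):
        # Classic PIN/TAN: the code is checked against the list only,
        # so it is valid once for *any* order the bank receives.
        if tan in self.unused_tans:
            self.unused_tans.remove(tan)
            return True
        return False

    def accept_with_bound_code(self, order, code):
        # Transaction-bound: the code must match the order as received.
        return hmac.compare_digest(code, bound_code(self.device_key, order))


def run_demo():
    bank = Bank(TAN_LIST, DEVICE_KEY)
    # What the user believes they are authorizing.
    intended = {"to": "DE00-CONSTRUCTED-0001", "amount_cents": 5000, "nonce": "n1"}
    # What reaches the bank if the client machine is not trustworthy.
    received = dict(intended, to="DE00-CONSTRUCTED-9999")

    tan_ok = bank.accept_with_tan(received, "481516")       # unbound code
    code = bound_code(DEVICE_KEY, intended)                 # bound to intent
    bound_ok_altered = bank.accept_with_bound_code(received, code)
    bound_ok_intended = bank.accept_with_bound_code(intended, code)
    return tan_ok, bound_ok_altered, bound_ok_intended
```
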


---------------------------------------------------------------------
The Cryptography Mailing List