[Clips] Banks Seek Better Online-Security Tools

Janusz A. Urbanowicz alex at bofh.net.pl
Wed Dec 7 07:48:35 EST 2005


On Fri, Dec 02, 2005 at 11:05:29PM -0500, dan at geer.org wrote:
> 
> You know, I'd wonder how many people on this
> list use or have used online banking.  
> 
> To start the ball rolling, I have not and won't.

This is from a European perspective: I do and couldn't do without it now. Most
of my obligations, from rent through auctions, to lending a friend the local
equivalent of 20 bucks, are paid with bank transfers. 

But I believe online banking works in a slightly different way than in the US.
Of the online banking systems I've seen, almost all banks use two-factor auth in
some way (except the Polish branch of Citibank and a bank that uses a very broken
and complicated scheme where the stored client RSA keypair is sent to his
browser ActiveX when the client logs in with user/pass). Most common are lists
of one-time passwords delivered securely, or hardware tokens, RSA SecurID or
Vasco Digipass DP100 with challenge-response mode used to verify
transactions. In those banks, if you have the login name and pass, you can only
do non-balance-changing operations on an account without the something-you-have
part; and you cannot change personal info without some form of out-of-band
authentication (to change the registered address the user needs to send a form
with an attached copy of their national ID card; to confirm that or to reset a lost
password the bank calls the user's preregistered phone number).

I can say I HAVE a secure link to one of the nation's traffic exchange
points (unintended job benefit), and I run my own DNS servers, so MITM
probability is reduced. I do not log in from machines I don't trust and own
(with one exception on own) or over networks I don't trust. Bank
statements come on paper or in S/MIME-signed emails. I do not log in using
links provided in HTML emails.

Am I secure? I consider the risk of fraud using online banking to be less
than the one of paying with a VISA in a restaurant or a taxi. 

Alex
-- 
mors ab alto 
0x46399138
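The post above describes the property that matters in those schemes: a password alone buys a read-only session, and a balance-changing transfer needs a token response that is tied to that one transaction. The following Python simulation is an added example, not code from the original post or from any bank or vendor; the Bank, Token and Transfer classes, the 8-digit HMAC-SHA256 response and the challenge layout are constructed assumptions and are not the actual SecurID or Digipass algorithms. It walks through three cases: a phished password with no token, a legitimate confirmation followed by a replay, and a response for one transfer being submitted for a substituted one.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    destination: str   # destination account number (constructed sample values below)
    amount_cents: int  # amount in minor units


class Token:
    """Simulated challenge-response hardware token (hypothetical construction,
    not any vendor's real algorithm). Shares a seed with the bank at enrollment."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed

    def respond(self, challenge: str) -> str:
        # 8-digit decimal response derived from an HMAC over the displayed challenge.
        digest = hmac.new(self._seed, challenge.encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Toy back end: the password grants a read-only session; balance-changing
    operations additionally require a token response bound to the transaction."""

    def __init__(self) -> None:
        self._passwords = {}  # user -> password (plain text only because this is a toy)
        self._seeds = {}      # user -> token seed shared at enrollment
        self._balances = {}   # user -> balance in cents
        self._sessions = {}   # session id -> user
        self._pending = {}    # challenge -> (user, Transfer) awaiting confirmation

    def enroll(self, user: str, password: str, balance_cents: int) -> Token:
        seed = secrets.token_bytes(20)
        self._passwords[user] = password
        self._seeds[user] = seed
        self._balances[user] = balance_cents
        return Token(seed)

    def login(self, user: str, password: str):
        """Something-you-know only. Returns a session id, or None on failure."""
        if user not in self._passwords or not hmac.compare_digest(self._passwords[user], password):
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def balance(self, sid: str) -> int:
        # Non-balance-changing query: a password-only session is enough.
        return self._balances[self._sessions[sid]]

    def start_transfer(self, sid: str, transfer: Transfer) -> str:
        """Returns the challenge the user types into the token. It embeds the
        destination and amount, so the response is bound to this exact transfer."""
        nonce = secrets.token_hex(4)
        challenge = f"{transfer.destination}:{transfer.amount_cents}:{nonce}"
        self._pending[challenge] = (self._sessions[sid], transfer)
        return challenge

    def confirm_transfer(self, sid: str, challenge: str, response: str) -> bool:
        """Applies the transfer only if the response matches the bank's own record
        of the pending transaction. Each challenge is accepted at most once."""
        if challenge not in self._pending:
            return False
        user, transfer = self._pending.pop(challenge)  # single use: a replay fails here
        if self._sessions.get(sid) != user:
            return False
        expected = Token(self._seeds[user]).respond(challenge)  # bank-side recomputation
        if not hmac.compare_digest(expected, response):
            return False
        if self._balances[user] < transfer.amount_cents:
            return False
        self._balances[user] -= transfer.amount_cents
        return True


def scenario_password_only_attacker():
    """Phished password, no token: can read the balance, cannot move money."""
    bank = Bank()
    bank.enroll("alice", "hunter2", 100_00)
    sid = bank.login("alice", "hunter2")
    seen = bank.balance(sid)
    challenge = bank.start_transfer(sid, Transfer("PL00MULE", 100_00))
    moved = bank.confirm_transfer(sid, challenge, "00000000")  # has to guess the response
    return seen, moved, bank.balance(sid)


def scenario_legit_then_replay():
    """Genuine user confirms once; resubmitting the same challenge/response fails."""
    bank = Bank()
    token = bank.enroll("bob", "correct horse", 100_00)
    sid = bank.login("bob", "correct horse")
    challenge = bank.start_transfer(sid, Transfer("PL00RENT", 25_00))
    response = token.respond(challenge)
    first = bank.confirm_transfer(sid, challenge, response)
    replay = bank.confirm_transfer(sid, challenge, response)
    return first, replay, bank.balance(sid)


def scenario_substituted_transfer():
    """Response computed for the user's intended transfer is submitted for a
    different destination and amount; binding to the transaction makes it fail."""
    bank = Bank()
    token = bank.enroll("carol", "pw", 100_00)
    sid = bank.login("carol", "pw")
    intended = bank.start_transfer(sid, Transfer("PL00RENT", 25_00))
    response = token.respond(intended)
    swapped = bank.start_transfer(sid, Transfer("PL00MULE", 99_00))
    return bank.confirm_transfer(sid, swapped, response)


if __name__ == "__main__":
    print(scenario_password_only_attacker(), scenario_legit_then_replay(), scenario_substituted_transfer())
```

The design point is that the bank recomputes the expected response from its own record of the pending transfer, never from fields the client resends, and discards each challenge after one use; a one-time-password list from the same post would be modelled the same way, with the bank striking a code off its copy of the list at first use.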

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list