[Clips] Banks Seek Better Online-Security Tools

Janusz A. Urbanowicz alex at bofh.net.pl
Wed Dec 7 11:21:15 EST 2005


On Wed, Dec 07, 2005 at 10:31:52AM -0500, Steven M. Bellovin wrote:
> In message <20051207124835.GH27159 at syjon.fantastyka.net>, "Janusz A. Urbanowicz" writes:
> >
> >Bank statements come on paper or in S/MIME signed emails. 
> 
> This is interesting -- the bank is using S/MIME?  What mail readers are 
> common among its clientele?  How is the bank's certificate checked?

From my observation, the most popular standalone MUA here is Outlook
Express, with Mozilla/Thunderbird being a distant second place. Those do
support S/MIME, and the signature is verified properly.

The average internet/internet banking user is more likely to use some
web-based MUA on a commercial portal, which in general do not support
cryptographic signatures of any kind.

The signature is issued using a key certified by the Verisign Class 1 cacert,
so it verifies on Windows machines and in Mozilla-based software with a recent
CA certs bundle.

I have attached signature binary stripped from one statement to this
message, in case someone wants to analyze it.

I do not have any hard data on MUA usage among bank clientele; my wild guess
is that 1/3 of the users use one of the above programs and 2/3 use
portal services. The signatures were introduced some time after the bank
went into service, so there was some problem to be solved with it.

This is an internet-only bank with no physical branches around the country; all
communication with the bank is done via internet, phone and messenger
services.

What I do not understand, is that the bank in question started
turing-encoding requested code number when asking for one time code to
authenticate the transaction.

Alex
-- 
0x46399138
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/octet-stream
Size: 2784 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20051207/65f42ccd/attachment.obj>

