[spam]::Re: [Clips] Banks Seek Better Online-Security Tools

[Jason Axley]

> I would never use online banking, and I advise all my friends and
colleagues (particularly those who _aren't_ computer-security-geeks) to
avoid it.
>

I have to say that I am puzzled by the way that this thread has unfolded.

It started off with Dan Geer:

"You know, I'd wonder how many people on this list use or have used online
banking.

To start the ball rolling, I have not and won't."

John Gilmore also agreed that he doesn't and won't.

And the thread has continued with other people either saying similar
things or admitting that they do use it or may use it in limited ways, as
if it was somehow shameful to manage risk rather than avoid it.  I think
there was just one posting that actually explicitly talked about a risk
evaluation and decision to use OLB.  I'm surprised to see how much "risk
avoidance" is practiced by members of the list.

I personally think that the "why" is the more interesting question, not
the original binary question.  Why do you not use OLB?  What would need to
be fixed for you to use OLB in the future?  What is your threat model
(WIYTM)?  What risks are present in OLB that are not present in the
offline world?
What about the risks of the offline financial world?  For example, all of
the information that someone needs to put money in, or take it out, of
your checking account via ACH is nicely printed in magnetic ink on your
checks in the US.  And you give it out to anyone when you write them a
check.

This reminded me of how I laughed when I saw an interview with a local
security person where he said that he didn't even connect a computer to
the Internet at home due to the risk.  To me, this seems akin to deciding
to not leave your house because you "can't be sure" someone won't shoot
you dead.

-Jason


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com