[spam]::Re: [Clips] Banks Seek Better Online-Security Tools

Jonathan Thornburg jthorn at aei.mpg.de
Mon Dec 12 15:47:55 EST 2005 

In an earlier message, I wrote
> I would never use online banking, and I advise all my friends and
> colleagues (particularly those who _aren't_ computer-security-geeks) to
> avoid it.


Jason Axley asked
> Why do you not use OLB?

Basically, so far as I know the fine print in online bank service
agreements basically says "you (the customer) are responsible for any
transactions we receive with your username and pin, and our electronic
records are the final word on this".

Thus if there is an a false transaction on my account, i.e. one which
I did not intend to authorize (whether this happened due to insider
fraud in the bank, MITM phishing, virus in my computer, or whatever
other cause), the basic legal presumption is that it's my loss, not
the bank's.  I consider the risks of this too high.


>  What would need to
> be fixed for you to use OLB in the future?

I would want the same ability to refuse an unauthorized transaction
that I have now with credit cards, where basically any losses over
50 Euros/dollars are the bank's problem, not mine.


> What is your threat model
> (WIYTM)?

For online banking, any/all of
(a) insider fraud at the bank and/or anyone else to whom they've
     outsourced relevant processing
(b) computer breakin/theft at the bank and/or anyone else to whom
     they've outsourced relevant processing
(c) MITM phishing or DNS hijacking
(d) viruses/worms in my computer


>  What risks are present in OLB that are not present in the
> offline world?

(c) and (d) above.  Also liability for problems is mine, not the bank's
(see above).  Also there are few paper records that I can use to help
document problems.

In the offline world, (a) and (b) are mitigated by paper records
(and forms with my written signature) which crooks usually don't
bother forging.


> What about the risks of the offline financial world?

If I wire-transfer money from my bank in Germany to my credit union
in Canada, my written signature is (supposed to be) required to verify
that I did in fact authorize the transaction.  If the bank sends my
money off to a crook's account (whether by mistake or due to deliberate
fraud), the next time I get a statement I'll notice, and I'll ask them
what happened.  If the bank can't show me a piece of paper with my
signature on it, my understanding is that (if I complain enough) I can
force them to refund the money to me (so it's then their problem to try
to recover it from wherever it went).


>  For example, all of
> the information that someone needs to put money in, or take it out, of
> your checking account via ACH is nicely printed in magnetic ink on your
> checks in the US.  And you give it out to anyone when you write them a
> check.

Where I live now (Germany) people don't use cheques, they do bank
transfers which the *payer* gives direct to her bank.  These (are
supposed to) have the written signature of the payer (the account-holder).
If someone forges one of these and takes money out of my account, I can
refuse the transaction and (I understand) the bank is legally required
to refund the money to me (and it's their problem to recover it from
whoever got it).

When I lived in Canada (where people use cheques in the same way
as in the US), my understanding is that
(a) Even with the transit/routing numbers, noone is supposed to be able
     to take money out of an account without prior written permission.
     A cheque constitutes such permission _for_a_specific_transaction_,
     but not for any other transaction(s).
(b) If someone forges another cheque (eg scans my signature etc),
     and my bank honors it and takes the money out of my account.
     then since I didn't actually sign that cheque, legally it's the
     bank's fault for honoring it, and (if I complain enough)
     I can force the bank to refund the money to me (so it's then
     the bank's problem to try to recover it from the crook).


> This reminded me of how I laughed when I saw an interview with a local
> security person where he said that he didn't even connect a computer to
> the Internet at home due to the risk.  To me, this seems akin to deciding
> to not leave your house because you "can't be sure" someone won't shoot
> you dead.

Well, in certain places that's basically what people do.  For example,
many foreign people in Bhagdad don't venture out of the "green zone".
My point is that when substantial amounts of money are involved, IMHO
the internet is basically a "red zone" where I don't feel safe venturing.

ciao,

-- 
-- Jonathan Thornburg <jthorn at aei.mpg.de>
    Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
    Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html
    "Washing one's hands of the conflict between the powerful and the
     powerless means to side with the powerful, not to be neutral."
                                       -- quote by Freire / poster by Oxfam


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list