The bank fraud blame game

Florian Weimer fw at deneb.enyo.de
Sun Jul 1 17:49:48 EDT 2007


* Anne & Lynn Wheeler:

> In the mid-90s, financial institutions looking at the internet for
> online, commercial banking and cash management (i.e. business
> equivalent to consumer online banking) were extremely conflicted
> ... they frequently were almost insisting on their own appliance at
> the business (and low-end of SOHO at least overlaps high-end
> of consumer online banking).

Well, in 1994, German Postbank already had 300,000 online banking
customers.  (To put this into perspective, there are somewhere around
3 million online customers today, and this was well before the
Internet took off in Germany.)

On top of that, there were other forms of digital banking that were
mainly used by business customers, such as transactions submitted on
floppy disks.

> Various of the PC-based dedicated financial applications go to
> quite some lengths to compensate for the kind of vulnerabilities
> typically associated with browser activity. For instance,
> instead of relying on a trusted third party to certify that
> some remote location really has a valid digital certificate,
> they have a trusted repository of valid financial institutions.

Oh really?

In Germany, early digital banking had no cryptographic protection at
all.  Integrity and confidentiality were inherited from the underlying
phone system.  There were no end-to-end digital signatures.  Nothing.
Just a one-time password for each transaction, but the password was
not tied to the transaction in any way.

> This has the added benefit of eliminating the horribly complex
> and vulnerable PKI-type of operation

Except that there aren't any attacks on the browser PKI.  That's part
of the reason why the certificate prices plummeted. 8-/

---------------------------------------------------------------------
The Cryptography Mailing List
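
Added example, not part of the original message: a minimal model of the point about one-time passwords that are not tied to the transaction. It compares that scheme with a code computed over the transaction data. The HMAC construction, the class and function names, and all sample values are assumptions made for illustration; they do not describe any bank's actual system.

```python
import hashlib
import hmac
import json

def canonical(tx):
    """Unambiguous byte encoding of the fields the customer approves."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

class UnboundTanBank:
    """Scheme from the message: any unused one-time password authorizes any transaction."""
    def __init__(self, tans):
        self.unused = set(tans)

    def authorize(self, tx, tan):
        if tan not in self.unused:
            return False
        self.unused.discard(tan)  # one-time: consumed on use
        return True               # tx is never consulted

def transaction_code(key, tx, nonce):
    """Assumed alternative: HMAC-SHA256 over nonce, a separator byte, and the transaction."""
    return hmac.new(key, nonce + b"\x00" + canonical(tx), hashlib.sha256).hexdigest()

class BoundCodeBank:
    def __init__(self, key):
        self.key = key
        self.used_nonces = set()

    def authorize(self, tx, nonce, code):
        if nonce in self.used_nonces:
            return False  # replay of an already accepted nonce
        if not hmac.compare_digest(transaction_code(self.key, tx, nonce), code):
            return False  # code was computed over different transaction data
        self.used_nonces.add(nonce)
        return True

def demo():
    # Constructed sample values, not real account data or keys.
    intended = {"from": "DE-0001", "to": "DE-0002", "amount_cents": 5000}
    altered = dict(intended, to="DE-9999", amount_cents=500000)
    key, nonce = b"constructed-demo-key", b"nonce-01"
    unbound, bound = UnboundTanBank({"483920"}), BoundCodeBank(key)
    code = transaction_code(key, intended, nonce)  # computed on the customer side
    return {
        "unbound_accepts_altered": unbound.authorize(altered, "483920"),
        "bound_accepts_altered": bound.authorize(altered, nonce, code),
        "bound_accepts_intended": bound.authorize(intended, nonce, code),
        "bound_accepts_replay": bound.authorize(intended, nonce, code),
    }
```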