At 01:07 PM 9/17/2002 -0700, [EMAIL PROTECTED] wrote: >As far as I know, banks assume that a certain percentage of their >transactions will be bad and build that cost into their business >model. Credit and ATM cards and numbers are as far from secure as could >be, far less secure than somebody doing online transactions from a Wintel >machine on an unencrypted connection, let alone an encrypted one. Until >somebody takes full advantage of the current system and steals a few >trillion dollars in one day, the problems are easier to deal with than a >solution. Until that happens, there's no reason for banks to go through >the pain of dealing with or requiring Pd. > >-Jon Simon
note that EU finread standard attempted to address some of this. an external (secure, finread) token acceptor device with secure display and secure pin entry. The hardware token is used to "sign" the (financial) transaction .... PIN code is entered into the finread device and goes directly to the hardware token (w/o passing thru the PC). Critical pieces of the transactions passes thru the finread device on the way to the (signing hardware token) and is displayed on the secure display ... which then requires the PIN to be entered to confirm the transaction. There is the issue of 3-factor authentication * something you have (hardware token) * something you know (pin) * something you are (biometrics in addition to &/or in place of PIN) besides the straight-forward use of signatures to authenticate the source of the transaction ... there is the nominal legal requirement associated with physical signatures ... i.e. did you intend to sign what you signed aka is what you "see" what you signed ... and do you confirm that you actually want the hardware token to sign what you "see". A lot of digital signature seems to address the technology part of authentication ... and then sometimes (just because the term "signature" is used as part of the description of the technical procedure) that all technical implementations of the process referred to as "digital signature" is legally equivalent to "physical signatures" (even when no aspects of intention have been satisfied). random past finread & intention posts: http://www.garlic.com/~lynn/aadsm10.htm#keygen2 Welome to the Internet, here's your private key http://www.garlic.com/~lynn/aadsm11.htm#4 AW: Digital signatures as proof http://www.garlic.com/~lynn/aadsm11.htm#5 Meaning of Non-repudiation http://www.garlic.com/~lynn/aadsm11.htm#6 Meaning of Non-repudiation http://www.garlic.com/~lynn/aadsm11.htm#7 Meaning of Non-repudiation http://www.garlic.com/~lynn/aadsm11.htm#9 Meaning of Non-repudiation http://www.garlic.com/~lynn/aadsm11.htm#13 Words, Books, and Key Usage http://www.garlic.com/~lynn/aadsm11.htm#23 Proxy PKI. Was: IBM alternative to PKI? http://www.garlic.com/~lynn/aadsm12.htm#0 maximize best case, worst case, or average case? (TCPA) http://www.garlic.com/~lynn/aadsm12.htm#19 TCPA not virtualizable during ownership change (Re: Overcoming the potential downside of TCPA) http://www.garlic.com/~lynn/2000.html#0 2000 = millennium? http://www.garlic.com/~lynn/2000.html#94 Those who do not learn from history... http://www.garlic.com/~lynn/2000f.html#79 Cryptogram Newsletter is off the wall? http://www.garlic.com/~lynn/2001f.html#39 Ancient computer humor - DEC WARS http://www.garlic.com/~lynn/2001g.html#57 Q: Internet banking http://www.garlic.com/~lynn/2001g.html#60 PKI/Digital signature doesn't work http://www.garlic.com/~lynn/2001g.html#61 PKI/Digital signature doesn't work http://www.garlic.com/~lynn/2001g.html#62 PKI/Digital signature doesn't work http://www.garlic.com/~lynn/2001g.html#64 PKI/Digital signature doesn't work http://www.garlic.com/~lynn/2001h.html#51 future of e-commerce http://www.garlic.com/~lynn/2001i.html#25 Net banking, is it safe??? http://www.garlic.com/~lynn/2001i.html#26 No Trusted Viewer possible? http://www.garlic.com/~lynn/2001j.html#7 No Trusted Viewer possible? http://www.garlic.com/~lynn/2001j.html#46 Big black helicopters http://www.garlic.com/~lynn/2001k.html#0 Are client certificates really secure? http://www.garlic.com/~lynn/2001k.html#43 Why is UNIX semi-immune to viral infection? http://www.garlic.com/~lynn/2001m.html#6 Smart Card vs. Magnetic Strip Market http://www.garlic.com/~lynn/2001m.html#9 Smart Card vs. Magnetic Strip Market http://www.garlic.com/~lynn/2001n.html#70 CM-5 Thinking Machines, Supercomputers http://www.garlic.com/~lynn/2002c.html#10 Opinion on smartcard security requested http://www.garlic.com/~lynn/2002c.html#21 Opinion on smartcard security requested http://www.garlic.com/~lynn/2002f.html#46 Security Issues of using Internet Banking http://www.garlic.com/~lynn/2002f.html#55 Security Issues of using Internet Banking http://www.garlic.com/~lynn/2002g.html#69 Digital signature http://www.garlic.com/~lynn/2002h.html#13 Biometric authentication for intranet websites? http://www.garlic.com/~lynn/2002l.html#24 Two questions on HMACs and hashing http://www.garlic.com/~lynn/2002l.html#26 Do any architectures use instruction count instead of timer http://www.garlic.com/~lynn/2002l.html#28 Two questions on HMACs and hashing -- Anne & Lynn Wheeler [EMAIL PROTECTED], http://www.garlic.com/~lynn/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
