Re: [Clips] Banks Seek Better Online-Security Tools
On Fri, Dec 02, 2005 at 11:05:29PM -0500, [EMAIL PROTECTED] wrote:

> You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't.

This is from a European perspective: I do and couldn't do without it now. Most of my obligations, from rent through auctions, to lending a friend a local equivalent of 20 bucks, are paid with bank transfers. But I believe online banking works in a slightly different way than in the US.

Of the online banking systems I've seen, almost all banks use two-factor auth in some way (except the Polish branch of Citibank and a bank that uses a very broken and complicated scheme where a stored client RSA keypair is sent to his browser ActiveX when the client logs in with user/pass). Most common are lists of one-time passwords delivered securely, or hardware tokens, RSA SecurID or Vasco Digipass DP100 with challenge-response mode used to verify transactions.

In those banks, if you have login name and pass, you can only do non-balance-changing operations on an account without the something-you-have part; and you cannot change personal info without some form of out-of-band authentication (to change a registered address the user needs to send a form with an attached copy of the national ID card; to confirm that, or to reset a lost password, the bank calls the user's preregistered phone number).

I can say I HAVE a secure link to one of the nation's traffic exchange points (unintended job benefit), and I run my own DNS servers, so MITM probability is reduced. I do not log in from machines I don't trust and own (with one exception on "own") or using networks I don't trust. Bank statements come on paper or in S/MIME signed emails. I do not log in using links provided in HTML emails.

Am I secure? I consider the risk of fraud using online banking to be less than that of paying with a VISA in a restaurant or a taxi.
Alex
-- 
mors ab alto 0x46399138

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [Clips] Banks Seek Better Online-Security Tools
On Wed, Dec 07, 2005 at 10:31:52AM -0500, Steven M. Bellovin wrote:

> In message [EMAIL PROTECTED], Janusz A. Urbanowicz writes:
> > Bank statements come on paper or in S/MIME signed emails.
>
> This is interesting -- the bank is using S/MIME? What mail readers are common among its clientele? How is the bank's certificate checked?

From my observation, the most popular standalone MUA here is Outlook Express, with Mozilla/Thunderbird in a distant second place. Those do support S/MIME, and the signature is verified properly. The average internet/internet banking user is more likely to use some web-based MUA on a commercial portal, which in general do not support cryptographic signatures of any kind.

The signature is issued using a key certified by the Verisign Class 1 CA cert, so it verifies on Windows machines and in Mozilla-based software with a recent CA certs bundle. I have attached the signature binary stripped from one statement to this message, in case someone wants to analyze it.

I do not have any hard data on MUA usage among the bank clientele; my wild guess is that 1/3 of the users use one of the above programs, 2/3 use portal services.

The signatures were introduced some time after the bank went into service, so there was some problem to be solved with it. This is an internet-only bank with no physical branches around the country; all communication with the bank is done via internet, phone and messenger services.

What I do not understand is that the bank in question started Turing-encoding the requested code number when asking for a one-time code to authenticate the transaction.

Alex
-- 
0x46399138
Re: mother's maiden names...
On Wed, Jul 13, 2005 at 12:26:52PM -0400, Perry E. Metzger wrote:

> A quick question to anyone who might be in the banking industry. Why do banks not collect simple biometric information like photographs of their customers yet?

Some, like Citibank, do. I have a photo on my VISA from them, but I believe the photo is not linked to the account nor taken into consideration when doing identification at the bank. When I asked about it, the answer was something about the photo being stored only by the credit card issuing center, and not in the main system. Random peeking at the clerk's screen while I'm at the bank seems to confirm this - no place for a customer picture in the account info.

Sometimes they aren't allowed to do so; data privacy policy here says that a business may not request or store any personal information that is not directly needed to conduct business with that person. A national ID card is routinely xeroxed when establishing an account and the copy is kept at the bank, then the photo is blackened out; when the regulation went live, bank staff had working weekends sitting with black felt-tip pens, blacking out photos and other unneeded info on the ID photocopies.

Alex
-- 
mors ab alto 0x46399138
Re: Banks Test ID Device for Online Security
On Tue, Jan 04, 2005 at 03:24:56PM -0500, Trei, Peter wrote:

> R.A. Hettinga wrote:
> > Okay. So AOL and Banks are *selling* RSA keys??? Could someone explain this to me? No. Really. I'm serious... Cheers, RAH
>
> The slashdot article title is really, really misleading. In both cases, this is SecurID.

In some cases this also may be VASCO DigiPass, which is a system very similar to SecurID, only cheaper. This technology seems to be quite popular in Europe, as a couple of banks in Poland routinely issue tokens, both VASCO and SecurID, to their customers for online authorization, and the tokens are used both in password generation (as described in the article) and challenge-response modes.

Alex
-- 
mors ab alto 0x46399138
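The two token modes mentioned in this message, and the transaction-confirmation policy from the first message in this thread (password alone only for non-balance-changing operations, a challenge-response code bound to the transfer details for anything else), as an added illustration that is not from any poster or from the RSA/VASCO products. The HMAC-SHA256 truncation, the `Bank` class and the account strings are assumptions constructed for the demo, not the vendors' real algorithms.

```python
import hashlib
import hmac
import secrets

def _eight_digits(mac: bytes) -> str:
    # Truncate a MAC to an 8-digit code, as a token display would show it (assumed format).
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def token_otp(seed: bytes, counter: int) -> str:
    # "Password generation" mode: the code depends only on the shared seed and a counter.
    return _eight_digits(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def token_response(seed: bytes, challenge: str) -> str:
    # "Challenge-response" mode: the code depends on a challenge typed into the token.
    return _eight_digits(hmac.new(seed, challenge.encode(), hashlib.sha256).digest())

def transaction_challenge(dest: str, amount_cents: int, nonce: str) -> str:
    # The challenge is derived from the transfer details, so the response only
    # authorises this exact destination and amount, not a substituted one.
    return _eight_digits(hashlib.sha256(f"{nonce}|{dest}|{amount_cents}".encode()).digest())

class Bank:
    READ_ONLY = {"balance", "history"}

    def __init__(self):
        self.users = {}    # login -> (password, token seed); plaintext only for brevity
        self.pending = {}  # nonce -> (login, dest, amount) awaiting a token response
    def enrol(self, login, password, seed):
        self.users[login] = (password, seed)
    def login(self, login, password):
        pw, _ = self.users.get(login, (None, None))
        if pw is None or not hmac.compare_digest(pw.encode(), password.encode()):
            return None
        return login  # session handle simplified to the login name
    def allowed_with_password_only(self, op):
        # Something-you-know alone covers only non-balance-changing operations.
        return op in self.READ_ONLY
    def start_transfer(self, session, dest, amount_cents):
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (session, dest, amount_cents)
        return nonce, transaction_challenge(dest, amount_cents, nonce)
    def confirm_transfer(self, session, nonce, dest, amount_cents, response):
        if self.pending.pop(nonce, None) != (session, dest, amount_cents):
            return False  # unknown, replayed, or altered transfer
        _, seed = self.users[session]
        expected = token_response(seed, transaction_challenge(dest, amount_cents, nonce))
        return hmac.compare_digest(expected, response)
```

A transfer whose destination is changed after the challenge was issued, or a replayed nonce, is rejected even with a code computed by the genuine token.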