Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-13 Thread Anne & Lynn Wheeler
Peter Clay wrote:
> Hmm. What's the evidence that national ID schemes reduce credit fraud
> (what people normally mean when they say "ID theft")? How does it vary
> with the different types of scheme?
> 
> I've been opposing the UK scheme recently on the grounds of unreliable
> biometrics and the bad idea of putting everyone's information in a
> basket from which it can be stolen (in addition to the civil liberties
> reasons). My solution to the credit fraud problem is simple: raise the
> burden of proof for negative credit reports and pursuing people for
> money.

some number of organizations have come up with the term "account fraud"
... where fraudulent transactions are done against existing accounts ...
to differentiate from other forms of "identity theft" which involves
things like using a stolen identity to establish new accounts.

account fraud just requires strong authentication applied consistently
... doesn't require identification ... although there are cases where
identification is confused and is used as a substitute for
authentication. part of the issue of confusing identification for
authentication ... is that it is typically quite a bit more privacy
invasive than pure authentication.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-13 Thread Peter Clay
On Mon, Dec 05, 2005 at 07:29:11PM +0100, Florian Weimer wrote:
> For those of you who haven't rolled out a national ID scheme in time,
> there's still the general identity theft problem, but this affects you
> even if you don't use online banking.

Hmm. What's the evidence that national ID schemes reduce credit fraud
(what people normally mean when they say "ID theft")? How does it vary
with the different types of scheme?

I've been opposing the UK scheme recently on the grounds of unreliable
biometrics and the bad idea of putting everyone's information in a
basket from which it can be stolen (in addition to the civil liberties
reasons). My solution to the credit fraud problem is simple: raise the
burden of proof for negative credit reports and pursuing people for
money.

Pete
-- 
Peter Clay   | Campaign for   _  _| .__
 | Digital   /  / | |
 | Rights!   \_ \_| |
 | http://www.ukcdr.org



Re: [spam]::Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-13 Thread Jonathan Thornburg

In an earlier message, I wrote

> I would never use online banking, and I advise all my friends and
> colleagues (particularly those who _aren't_ computer-security-geeks) to
> avoid it.

Jason Axley asked

> Why do you not use OLB?

Basically, so far as I know the fine print in online bank service
agreements basically says "you (the customer) are responsible for any
transactions we receive with your username and pin, and our electronic
records are the final word on this".

Thus if there is a false transaction on my account, i.e. one which
I did not intend to authorize (whether this happened due to insider
fraud in the bank, MITM phishing, virus in my computer, or whatever
other cause), the basic legal presumption is that it's my loss, not
the bank's.  I consider the risks of this too high.

> What would need to
> be fixed for you to use OLB in the future?

I would want the same ability to refuse an unauthorized transaction
that I have now with credit cards, where basically any losses over
50 Euros/dollars are the bank's problem, not mine.

> What is your threat model
> (WIYTM)?

For online banking, any/all of
(a) insider fraud at the bank and/or anyone else to whom they've
outsourced relevant processing
(b) computer breakin/theft at the bank and/or anyone else to whom
they've outsourced relevant processing
(c) MITM phishing or DNS hijacking
(d) viruses/worms in my computer

> What risks are present in OLB that are not present in the
> offline world?

(c) and (d) above.  Also liability for problems is mine, not the bank's
(see above).  Also there are few paper records that I can use to help
document problems.

In the offline world, (a) and (b) are mitigated by paper records
(and forms with my written signature) which crooks usually don't
bother forging.

> What about the risks of the offline financial world?

If I wire-transfer money from my bank in Germany to my credit union
in Canada, my written signature is (supposed to be) required to verify
that I did in fact authorize the transaction.  If the bank sends my
money off to a crook's account (whether by mistake or due to deliberate
fraud), the next time I get a statement I'll notice, and I'll ask them
what happened.  If the bank can't show me a piece of paper with my
signature on it, my understanding is that (if I complain enough) I can
force them to refund the money to me (so it's then their problem to try
to recover it from wherever it went).

> For example, all of
> the information that someone needs to put money in, or take it out, of
> your checking account via ACH is nicely printed in magnetic ink on your
> checks in the US.  And you give it out to anyone when you write them a
> check.

Where I live now (Germany) people don't use cheques, they do bank
transfers which the *payer* gives direct to her bank.  These (are
supposed to) have the written signature of the payer (the account-holder).
If someone forges one of these and takes money out of my account, I can
refuse the transaction and (I understand) the bank is legally required
to refund the money to me (and it's their problem to recover it from
whoever got it).

When I lived in Canada (where people use cheques in the same way
as in the US), my understanding is that
(a) Even with the transit/routing numbers, no one is supposed to be able
to take money out of an account without prior written permission.
A cheque constitutes such permission _for_a_specific_transaction_,
but not for any other transaction(s).
(b) If someone forges another cheque (e.g. scans my signature etc),
and my bank honors it and takes the money out of my account,
then since I didn't actually sign that cheque, legally it's the
bank's fault for honoring it, and (if I complain enough)
I can force the bank to refund the money to me (so it's then
the bank's problem to try to recover it from the crook).

> This reminded me of how I laughed when I saw an interview with a local
> security person where he said that he didn't even connect a computer to
> the Internet at home due to the risk.  To me, this seems akin to deciding
> to not leave your house because you "can't be sure" someone won't shoot
> you dead.

Well, in certain places that's basically what people do.  For example,
many foreign people in Baghdad don't venture out of the "green zone".
My point is that when substantial amounts of money are involved, IMHO
the internet is basically a "red zone" where I don't feel safe venturing.

ciao,

--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam



Re: [spam]::Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-09 Thread Jason Axley
> I would never use online banking, and I advise all my friends and
> colleagues (particularly those who _aren't_ computer-security-geeks) to
> avoid it.

I have to say that I am puzzled by the way that this thread has unfolded.

It started off with Dan Geer:

"You know, I'd wonder how many people on this list use or have used online
banking.

To start the ball rolling, I have not and won't."

John Gilmore also agreed that he doesn't and won't.

And the thread has continued with other people either saying similar
things or admitting that they do use it or may use it in limited ways, as
if it was somehow shameful to manage risk rather than avoid it.  I think
there was just one posting that actually explicitly talked about a risk
evaluation and decision to use OLB.  I'm surprised to see how much "risk
avoidance" is practiced by members of the list.

I personally think that the "why" is the more interesting question, not
the original binary question.  Why do you not use OLB?  What would need to
be fixed for you to use OLB in the future?  What is your threat model
(WIYTM)?  What risks are present in OLB that are not present in the
offline world?
What about the risks of the offline financial world?  For example, all of
the information that someone needs to put money in, or take it out, of
your checking account via ACH is nicely printed in magnetic ink on your
checks in the US.  And you give it out to anyone when you write them a
check.

This reminded me of how I laughed when I saw an interview with a local
security person where he said that he didn't even connect a computer to
the Internet at home due to the risk.  To me, this seems akin to deciding
to not leave your house because you "can't be sure" someone won't shoot
you dead.

-Jason




Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-08 Thread leichter_jerrold
On Wed, 7 Dec 2005, Bill Stewart wrote:
| At 08:05 PM 12/2/2005, [EMAIL PROTECTED] wrote:
| >You know, I'd wonder how many people on this
| >list use or have used online banking.
| 
| I've used it for about a decade at my credit union,
| and I've had my paychecks deposited directly for decades.
| There are things I absolutely won't do,
| like have a debit card attached to the account,
| or have companies authorized to take money out directly,
| or have electronic checks of various sorts taken out of the account.
Be aware that when you authorize direct deposit to your account, you are
also implicitly authorizing "direct withdrawal".  I found this out many
years ago when an employer accidentally issued paychecks for too much money.
My next bank statement showed the deposit, followed a day later by a
withdrawal to get back to the correct value.

Nothing on any direct deposit authorization form seems to mention this, and
I know of no way to block it - the authorizations are a unit, you can't
agree to one without the other.

Of course, first with check truncation by large institutions, and now
Check 21, the line between paper checks and electronic withdrawals has
become rather difficult to define.  In theory, you do have the same recourse
with electronically transferred checks (Check 21) that you did with paper
ones.  In practice, the copy you receive doesn't normally grant you that
level of recourse - you need an official copy (I forget the actual term in
the law), and unless you know to ask for it, your bank won't give it to you.

Check truncation - where you send a check to a credit card company, say, and
it turns it into a direct withdrawal, so you don't even get a copy of the
check back - is even more problematic.  If, as has happened to me more than
once, they misread the value on the check (typically, the error is to forget
to add .00), yes, the same amount is credited to your card bill as is
debited from your bank account - but you could be hit up for interest and
various penalties.  The only proof of what the check really said is in the
hands of the credit card company - and I'm not even sure what their
obligations are in terms of retaining the image and making it available to
you.

I wonder if these new processes have given the various financial
institutions what they wanted for years, but could never get the courts to
agree to:  Effectively destroying the legal enforceability of a mark of "In
full payment" on a check.*
-- Jerry

* If there is a pre-existing dispute between you and another party about
what you owe them, and you give them a check for the amount you claim they
owe that is marked "In Full Payment", if they cash it, they have legally
agreed that that check settles the dispute.  I've only had to use this once,
years back, when a landlord had for months "not gotten 'round to" paying me
a referral fee:  I took the referral fee out of my next month's rent and
marked it "In Full Payment".  I pointed this out to them, because I didn't
really want to go to court about this issue!  They refused to cash the
check, but by an amazing coincidence delivered my referral check a day later
and then asked me to replace the rent check.  This right remains there - but
if you can't get your hands on the check, it's very difficult to enforce!



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-08 Thread Bill Stewart

At 08:05 PM 12/2/2005, [EMAIL PROTECTED] wrote:

> You know, I'd wonder how many people on this
> list use or have used online banking.

I've used it for about a decade at my credit union,
and I've had my paychecks deposited directly for decades.
There are things I absolutely won't do,
like have a debit card attached to the account,
or have companies authorized to take money out directly,
or have electronic checks of various sorts taken out of the account.
Normally I don't do email with them (though nobody appears to have
noticed them as a phishing target), but I did have one time
I had to ask about a transaction, and they do that by email,
so I was able to trust the responses.

But for basic services where I tell them what to send to whom,
it's reliable, appears to be at least as secure as
the other risks to the account, and it means that the
basic payments I need to make every month happen automatically,
so I only have to pay attention to the occasional variable transaction.

I've also used account-based electronic gold services,
but only transactionally, so at most they end up with a couple dollars
worth of exchange-rate breakage in them, and there are some
non-account-based services that I've also used.
I won't use e-gold - not that their website is obviously insecure,
but for a while there was so much e-gold phishing that
I set my filters to automatically discard anything purporting
to be from them, which might interfere with doing real business.
On the other hand, they don't appear to state a policy of
always digitally signing all transactions, so I'm a bit concerned
beyond the more blatant phishing risks.

Thanks; Bill Stewart






Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-07 Thread Janusz A. Urbanowicz
On Wed, Dec 07, 2005 at 10:31:52AM -0500, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, "Janusz A. Urbanowicz" writes:
> >
> > Bank statements come on paper or in S/MIME signed emails.
> 
> This is interesting -- the bank is using S/MIME?  What mail readers are 
> common among its clientele?  How is the bank's certificate checked?

From my observation, the most popular standalone MUA here is Outlook
Express, with Mozilla/Thunderbird being a distant second place. Those do
support S/MIME, and the signature is verified properly.

The average internet/internet banking user is more likely to use some web-based
MUA on a commercial portal, which in general do not support cryptographic
signatures of any kind.

The signature is issued using a key certified by the Verisign Class 1 CA cert, so
it verifies on Windows machines and in Mozilla-based software with a recent CA
certs bundle.

I have attached signature binary stripped from one statement to this
message, in case someone wants to analyze it.

I do not have any hard data on MUA usage among bank clientele; my wild guess
is that 1/3 of the users use one of the above programs and 2/3 use
portal services. The signatures were introduced some time after the bank
went into service, so there was some problem to be solved with it.

This is an internet-only bank with no physical branches around the country; all
communication with the bank is done via internet, phone and messenger
services.

What I do not understand is that the bank in question started
Turing-encoding the requested code number when asking for a one-time code to
authenticate the transaction.

Alex
-- 
0x46399138




Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-07 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, "Janusz A. Urbanowicz" writes:
>
> Bank statements come on paper or in S/MIME signed emails.

This is interesting -- the bank is using S/MIME?  What mail readers are 
common among its clientele?  How is the bank's certificate checked?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-07 Thread Janusz A. Urbanowicz
On Fri, Dec 02, 2005 at 11:05:29PM -0500, [EMAIL PROTECTED] wrote:
> 
> You know, I'd wonder how many people on this
> list use or have used online banking.  
> 
> To start the ball rolling, I have not and won't.

This is from a European perspective: I do and couldn't do without it now. Most
of my obligations, from rent through auctions, to lending a friend a local
equivalent of 20 bucks are paid with bank transfers.

But I believe online banking works in a slightly different way than in the US.
Of the online banking systems I've seen, almost all banks use two-factor auth in
some way (except the Polish branch of Citibank and a bank that uses a very broken
and complicated scheme where the stored client RSA keypair is sent to his
browser ActiveX when the client logs in with user/pass). Most common are lists
of one-time passwords delivered securely, or hardware tokens, RSA SecurID or
Vasco Digipass DP100 with challenge-response mode used to verify
transactions. In those banks, if you have login name and pass, you can only
do non-balance-changing operations on an account without the something-you-have
part; and you cannot change personal info without some form of out-of-band
authentication (to change the registered address the user needs to send a form
with an attached copy of national ID card; to confirm that or to reset a lost
password the bank calls the user's preregistered phone number).

I can say I HAVE a secure link to one of the nation's traffic exchange
points (unintended job benefit), and I run my own DNS servers, so MITM
probability is reduced. I do not log in from machines I don't trust and own
(with one exception on own) or over networks I don't trust. Bank
statements come on paper or in S/MIME signed emails. I do not log in using
links provided in HTML emails.

Am I secure? I consider the risk of fraud using online banking to be less
than the one of paying with a VISA in a restaurant or a taxi. 

Alex
-- 
mors ab alto 
0x46399138



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread Nicholas Bohm
Florian Weimer wrote:
> * Nicholas Bohm:
> 
> 
>>[EMAIL PROTECTED] wrote:
>>
>>>You know, I'd wonder how many people on this
>>>list use or have used online banking.  
>>>
>>>To start the ball rolling, I have not and won't.
>>>
>>>--dan
>>
>>I do.
>>
>>My bank provides an RSA SecureId, so I feel reasonably safe against
>>anyone other than the bank.
> 
> 
> But it's just a token measure.  You should be afraid of your own
> computer, your own network.  SecureID does not authenticate the server
> you're going to send your data to.  It does not detect if your
> computer is compromised.
> 
> Sure, right now, it might help you personally, but once these simple
> tokens gain market share, attackers will adjust.  It's not a general
> solution.

I accept all that.

I hope, not too confidently, that before the attackers adjust enough,
banks will start giving their customers FINREAD type
secure-signature-creation devices of decent provenance whose security
does not rely on non-compromise of my PC or network.

Nicholas Bohm
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone   01279 871272  (+44 1279 871272)
Fax     020 7788 2198 (+44 20 7788 2198)
Mobile  07715 419728  (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread Ian G

[EMAIL PROTECTED] wrote:

> okay, i read this story from 7/2005 reporting an incident in 5/2005.  the short
> form of it is:

Not a bad summary.  I'd say that when one is
dealing with any such crime, there are always
unanswered questions, and issues of confusion
(probably as much for the attacker as the victim).

> even more off-topic:
> i'm surprised that the people on this list don't feel as if they have
> enough personal connections that at least they could figure out what
> happened to them as *some* financial institution.  doesn't anyone else
> ask, as a basis for imputing trust, "exactly who did that {protocol,
> architecture, code} review"?  maybe i'm delusional, but i give fidelity
> some residual credit for having adam shostack there, even some years ago,
> and there are some firms i'd use because i've been there enough to see
> their level of care.

Well, even though phishing has been discussed
on this list for about 2 years, it is only in
the last 6 months or so that there has been a
wider acceptance in the subject.  I think your
specific question has been asked so many times
that people's eyes glaze over.

Only in the last few *weeks* did two of the browser
manufacturers acknowledge it publicly.  So I
wouldn't expect too much from the banks, who have
to receive authoritative press, institution & regulatory
input before they will shift on matters of security.

iang



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread Florian Weimer
* Jonathan Thornburg:

> Ahh, but how do you know that the transaction actually sent to the
> bank is the same as the one you thought you authorized with that OTP?
> If your computer (or web browser) has been cracked, you can't trust
> _anything_ it displays.  There are already viruses "in the wild"
> attacking German online banking this way:
>   http://www.bsi.bund.de/av/vb/pwsteal_e.htm

Of course you don't.  In some sense, the next-generation security
technology which U.S. banks plan to roll out (either voluntarily, or
due to regulation) has already been broken in Germany.

If you bring the topic up in discussions, the usual answer is "don't
MITM me!" (meaning: "Don't mention man-in-the-middle attacks,
including compromised customer systems, because you know we can't
defend against them! This is not fair!").  But this is not a valid
response when experience shows that the relevant attacks *are* MITM
attacks.

> I also don't trust RSAsafe or other such "2-factor authentication"
> gadgets, for the same reason.

I'm always glad to read someone who agrees with me on this matter. 8-)

I don't understand why almost everyone is in a frenzy to deploy them.
If you can somehow weasel through the next 6 months or so, it will be
completely non-repudiatable that transactions covered by two-factor
authentication are fully repudiatable.  You can save a lot of money
(including your customers' money) if you manage to skip this
technology cycle.  The only problem could be that the media and
security experts smack you if you don't deploy the same, broken
countermeasures everyone else does.

By the way, one interesting aspect of the online banking problem is
its implications for threat modelling, attack trees, and similar
approaches.  It would be interesting to compare a few models and why
they fail to adequately describe the situation.  My hunch is that
these models do not take two factors into account: Attacks aren't
targeted by the cost/revenue alone, tradition plays a major role, too,
as does sheer luck.  And you are caught in a feedback loop; the
attacks change as you deploy new countermeasures, and the changes are
mostly unpredictable.



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread Florian Weimer
* Eugen Leitl:

> The German PIN/TAN system is reasonably secure, being an effective
> one-time pad distributed through out of band channel (mailed dead
> tree in a tamperproof envelope).

Some banks have optimized away the special envelope. 8-(

> It is of course not immune to phishing (PIN/TAN harvesting), which
> has become quite rampant recently.

And we face quite advanced attack technology, mainly compromised end
systems.  We are well beyond the point where simple tokens (like RSA
SecureID) would help.

> I do have a HBCI smartcard setup with my private account but don't use it
> since it's locked in a proprietary software jail.

The way the current attacks are carried out, smartcard-based HBCI is
less secure than the PIN/TAN model because with HBCI, you don't need
to authorize each transaction separately.  At this stage, few people
recognize this problem, and German banks put high hopes on
smartcard-based online banking, despite its high costs in terms of
consumer devices and support calls.



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread mis
please, can people tell us about what their country's liability
framework is, as they understand it, and where the onus of proof is
for what sorts of transactions?

this is one of the few areas where consumers have some actual
protection in the us.

due to ross anderson, i have heard about the uk.   has this been harmonized
in the eu?

many other countries are a mystery to me.

it would seem to me even in countries with pro-bank/anti-consumer stances
the risk could be limited by putting few eggs in that basket, rather than
giving up on using baskets entirely.

as an offering from left field, here's a pretty good paper about
fraud and identity in .au and .nz
http://www.aic.gov.au/conferences/other/smith_russell/2003-09-identity.html


On Mon, Dec 05, 2005 at 07:09:33PM +0100, Jonathan Thornburg wrote:
> I would never use online banking, and I advise all my friends and
> colleagues (particularly those who _aren't_ computer-security-geeks)
> to avoid it.
> 
> 
> >On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:
> >I've been using online banking for many years, both US and Germany.
> >The German PIN/TAN system is reasonably secure,
> >being an effective one-time pad distributed through out of band channel
> 
> Ahh, but how do you know that the transaction actually sent to the
> bank is the same as the one you thought you authorized with that OTP?
> If your computer (or web browser) has been cracked, you can't trust
> _anything_ it displays.  There are already viruses "in the wild"
> attacking German online banking this way:
>   http://www.bsi.bund.de/av/vb/pwsteal_e.htm
> 
> 
> I also don't trust RSAsafe or other such "2-factor authentication"
> gadgets, for the same reason.
> 
> [I don't particularly trust buying things online with a credit card,
> either, but there my liability is limited to 50 Euros or so, and the
> credit card companies actually put a modicum of effort into watching
> for suspicious transactions, so I'm willing to buy (a few) things online.]
> 
> ciao,
> 
> -- 
> -- Jonathan Thornburg <[EMAIL PROTECTED]>
>Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
>Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
>"Washing one's hands of the conflict between the powerful and the
> powerless means to side with the powerful, not to be neutral."
>   -- quote by Freire / poster by Oxfam
> 
> 



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread Florian Weimer
* Nicholas Bohm:

> [EMAIL PROTECTED] wrote:
>> You know, I'd wonder how many people on this
>> list use or have used online banking.  
>> 
>> To start the ball rolling, I have not and won't.
>> 
>> --dan
>
> I do.
>
> My bank provides an RSA SecureId, so I feel reasonably safe against
> anyone other than the bank.

But it's just a token measure.  You should be afraid of your own
computer, your own network.  SecureID does not authenticate the server
you're going to send your data to.  It does not detect if your
computer is compromised.

Sure, right now, it might help you personally, but once these simple
tokens gain market share, attackers will adjust.  It's not a general
solution.



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Jonathan Thornburg writes:
>I would never use online banking, and I advise all my friends and
>colleagues (particularly those who _aren't_ computer-security-geeks)
>to avoid it.
>

I do use it -- but never from a Windows machine.  The OS I use is 
probably better, but it's *definitely* a much less attractive target 
for malware writers.

Problems?  I did have my credit card number stolen, but almost 
certainly not that way.  The bank believes it was a random card number 
generator.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread Florian Weimer
> You know, I'd wonder how many people on this
> list use or have used online banking.  
>
> To start the ball rolling, I have not and won't.

Why?  Repudiating transactions is easier than ever.  As a consumer, I
fear technology which is completely secure according to experts, but
which can be broken nevertheless.  The current situation is very
different.  Everybody agrees that online banking is insecure, and in
most markets, it's the banks who swallow the losses, not the consumer
(even those who were very stupid).

For those of you who haven't rolled out a national ID scheme in time,
there's still the general identity theft problem, but this affects you
even if you don't use online banking.



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-05 Thread Jonathan Thornburg

I would never use online banking, and I advise all my friends and
colleagues (particularly those who _aren't_ computer-security-geeks)
to avoid it.



On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:
> I've been using online banking for many years, both US and Germany.
> The German PIN/TAN system is reasonably secure,
> being an effective one-time pad distributed through out of band channel

Ahh, but how do you know that the transaction actually sent to the
bank is the same as the one you thought you authorized with that OTP?
If your computer (or web browser) has been cracked, you can't trust
_anything_ it displays.  There are already viruses "in the wild"
attacking German online banking this way:
  http://www.bsi.bund.de/av/vb/pwsteal_e.htm


I also don't trust RSAsafe or other such "2-factor authentication"
gadgets, for the same reason.

[I don't particularly trust buying things online with a credit card,
either, but there my liability is limited to 50 Euros or so, and the
credit card companies actually put a modicum of effort into watching
for suspicious transactions, so I'm willing to buy (a few) things online.]

ciao,

--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam


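The gap Jonathan describes, shown as an added Python sketch that is not from the post or from any bank's system: a plain TAN proves only that the user holds the sheet, while a code bound to the transfer contents fails verification when a compromised client alters the transfer after the user approved it. The TAN sheet, field names and amounts are constructed for the example.

```python
import hashlib
import hmac

# Constructed TAN sheet, standing in for the list mailed to the customer out of band.
TAN_SHEET = {17: "482913", 18: "905571"}


def canonical(txn):
    """Serialise a transfer in a fixed field order so both sides MAC the same bytes."""
    return f"{txn['to']}|{txn['amount']}|{txn['currency']}".encode()


def bound_code(tan, txn):
    """Transaction-bound variant: the TAN keys an HMAC over the transfer the user saw."""
    return hmac.new(tan.encode(), canonical(txn), hashlib.sha256).hexdigest()[:8]


def bank_accepts_plain_tan(index, tan_entered):
    """Classic PIN/TAN: the bank only checks that the right unused TAN was supplied."""
    return TAN_SHEET.get(index) == tan_entered


def bank_accepts_bound_code(index, code_entered, txn_received):
    """Bound variant: the bank recomputes the code over the transfer it actually got."""
    tan = TAN_SHEET.get(index)
    if tan is None:
        return False
    return hmac.compare_digest(code_entered, bound_code(tan, txn_received))


def simulate(client_swaps_transfer):
    """Return (plain_accepted, bound_accepted) for one authorised transfer.

    With client_swaps_transfer=True a compromised browser replaces the transfer
    after the user approved it, which is the case the thread worries about.
    """
    intended = {"to": "DE00 OWNER IBAN", "amount": "50.00", "currency": "EUR"}
    received = intended
    if client_swaps_transfer:
        received = dict(intended, to="DE00 MULE IBAN", amount="4900.00")
    index, tan = 17, TAN_SHEET[17]          # the user reads TAN 17 off the sheet
    plain = bank_accepts_plain_tan(index, tan)
    # The bound code is computed over what the user believes is being sent.
    bound = bank_accepts_bound_code(index, bound_code(tan, intended), received)
    return plain, bound
```

The bound code only helps if it is computed on, and the transfer details are read from, a device the attacker does not control; computed on the cracked PC it simply binds whatever that PC chose to send.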


Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-05 Thread mis
On Mon, Dec 05, 2005 at 09:24:04AM +, Ian G wrote:
> [EMAIL PROTECTED] wrote:

> >it seems to me the question is how much liability do i expose myself to by
> >doing this, in return for what savings and convenience.  
> 
> That part I agree with, but this part:
> 
> >i don't keep a lot of money in banks (why would anyone?)  -- most of
> >the assets are in (e.g.)  brokerage accounts.  at most  i'm exposing
> >a month of payroll check to an attacker briefly until it pays some
> >bill or is transferred to another asset account.  
> 
> George's story - watching my Ameritrade account get phished out in 3 minutes
> https://www.financialcryptography.com/mt/archives/000515.html
> 
> Seems like a hopeful categorisation!
> 
> iang

okay, i read this story from 7/2005 reporting an incident in 5/2005.  the short
form of it is:

the bad guys changed the associated bank account,
then they placed orders to sell everything at market prices.
at some point they changed the email address to a hotmail account  (if they'd
done this first he would have gotten less notice)
for some unexplained reason he received confirmations of the trades at the old
email address.
actual cash didn't get transferred at least because of the 3 day settlement time
for the trades.

the rest was dealing with law enforcement and customer service punes who
wouldn't tell him anything for "privacy reasons".

well, i have lots of nit-picking questions, about the actual incident
and about the general point.

about the actual incident:
maybe his password was phished, maybe it was malware,
maybe it was password reuse and some other account was phished.
how was the bofa account set up?  (the fraudster's destination account)
in these days of patriot act "know your customer"? (or was it someone's phished
account also used just for transit?)

why didn't they just do the wire transfer early, and leave him with a
giant margin balance to be paid from the proceeds at settlement?


about the general point:

the main thing online access changes (compared with phone access, or written
instructions) is the velocity.
most sensible institutions provide "change of account status" notifications
by both email and postal mail (to both the old and the new addresses).
some sensible institutions put brakes on removing money from the system,
certainly for new accounts and (as i recommend to my clients) after an
account change reflecting identity or control.

aside from the time and energy drain of identity theft, what is the
financial liability for consumers if your us-based brokerage account
is phished resulting in a fraudulent funds transfer?  does anyone know 
if there is any uniform protection (such as reg e would cover for interbank
funds transfers?)

i insert the weasel-words "consumers" and "us-based" because
of bofa's behavior in the joe lopez malware case, where they
are trying to claim he is a business not a consumer, and that
they are without fault in wire transferring his funds to latvia.

slightly off-topic:
remember abraham abdallah, the brooklyn busboy who assumed the
identity of a large number of the fortune 200 richest?  made goldman
sachs "signature guaranteed stamps" and opened accounts in their number?
had 800 fraudulent credit cards and 2 blank cards when he was
arrested?  ("hey kids!  collect 'em all!").  my point is only that this is
possible without my participating.  as jerry leichter reminded me,
the fact that there are these facilities available means a bad guy can
use them even if i do not, unless i can not only opt out but forbid anyone
else from subsequently opting in, the moral equivalent of cutting your debit
card in half and returning it to the bank (rather than just destroying
the PIN).


even more off-topic:
i'm surprised that the people on this list don't feel as if they have enough
personal connections that at least they could figure out what happened to them
as *some* financial institution.  doesn't anyone else ask, as a basis for imputing
trust  "exactly who did that {protocol, architecture, code} review as a basis for
imputing trust?  maybe i'm delusional, but i give fidelity some residual credit
for having adam shostack there, even some years ago, and there are some firms
i'd use because i've been there enough to see their level of care.

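The two brakes recommended in the post above (notices of a status change sent to both the old and the new address, and a hold on outbound money after a new account or a change of identity or control), as an added Python sketch that is not part of the post or of any institution's system. The hold periods, field names and the replayed account data are constructed assumptions; the replay follows the story's sequence of bank-account change, then e-mail change, then an attempted withdrawal.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical hold periods; the thread recommends such brakes but gives no numbers.
NEW_ACCOUNT_HOLD = timedelta(days=30)
CONTROL_CHANGE_HOLD = timedelta(days=10)
# Profile fields whose change signals a possible change of identity or control.
CONTROL_FIELDS = {"linked_bank_account", "email", "postal_address"}


@dataclass
class Account:
    opened: datetime
    email: str
    postal_address: str
    linked_bank_account: str
    changes: list = field(default_factory=list)   # (when, field, old, new)


def change_profile(acct, when, name, new_value, outbox):
    """Apply a profile change and queue notices to BOTH old and new contact points."""
    old = getattr(acct, name)
    setattr(acct, name, new_value)
    acct.changes.append((when, name, old, new_value))
    notice = f"{name} changed at {when:%Y-%m-%d}"
    # E-mail the old and the new address when the e-mail itself changes, likewise
    # for postal mail, so the legitimate owner still hears about the change.
    emails = {old, new_value} if name == "email" else {acct.email}
    posts = {old, new_value} if name == "postal_address" else {acct.postal_address}
    for addr in sorted(emails):
        outbox.append(("email", addr, notice))
    for addr in sorted(posts):
        outbox.append(("post", addr, notice))


def transfer_allowed(acct, when):
    """Velocity brake: refuse outbound funds transfers while a hold is in force."""
    if when - acct.opened < NEW_ACCOUNT_HOLD:
        return False, "account younger than new-account hold"
    for changed_at, name, _old, _new in acct.changes:
        if name in CONTROL_FIELDS and timedelta(0) <= when - changed_at < CONTROL_CHANGE_HOLD:
            return False, f"hold after change of {name}"
    return True, "ok"


def replay_incident():
    """Constructed replay of the takeover pattern in the thread under these brakes."""
    outbox = []
    t0 = datetime(2005, 5, 1)
    acct = Account(opened=t0 - timedelta(days=365 * 5), email="owner@example.invalid",
                   postal_address="1 Main St", linked_bank_account="ACCT-OWNER")
    # The intruder, holding the phished password, re-points the payout account ...
    change_profile(acct, t0, "linked_bank_account", "ACCT-ATTACKER", outbox)
    # ... and later swaps the e-mail so confirmations stop reaching the owner.
    change_profile(acct, t0 + timedelta(hours=1), "email", "mule@example.invalid", outbox)
    # Selling positions is not an outbound transfer; the brake bites on the payout,
    # here attempted once the 3-day settlement has passed, and again after the hold.
    attempt = transfer_allowed(acct, t0 + timedelta(days=3))
    later = transfer_allowed(acct, t0 + timedelta(days=11))
    return outbox, attempt, later
```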


Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-05 Thread Nicholas Bohm
Kerry Thompson wrote:
> [EMAIL PROTECTED] said:
> 
>>You know, I'd wonder how many people on this
>>list use or have used online banking.
>>
>>To start the ball rolling, I have not and won't.
> 
> 
> I do. Although, only from PCs that I trust such as my linux box at home.
> And I keep a close watch on my bank statements.
> 
> All things considered, it's safer than posting cheques or distributing your
> credit card number around.

That depends on how the risk of loss is allocated.  This can vary
between different legal systems, and may depend on the terms in force
between bank and customer.

For an exploration of this in the context of English law, see
http://elj.warwick.ac.uk/jilt/00-3/bohm.html

Nicholas Bohm
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone   01279 871272(+44 1279 871272)
Fax  020 7788 2198   (+44 20 7788 2198)
Mobile  07715 419728(+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-05 Thread Ian G

[EMAIL PROTECTED] wrote:
> dan, maybe you should just keep less money in the bank.
>
> i use online banking and financial services of almost every kind
> (except bill presentment, because i like paper bills).  i cannot do
> without it.
>
> it seems to me the question is how much liability do i expose myself to by
> doing this, in return for what savings and convenience.

That part I agree with, but this part:

> i don't keep a lot of money in banks (why would anyone?)  -- most of
> the assets are in (e.g.)  brokerage accounts.  at most  i'm exposing
> a month of payroll check to an attacker briefly until it pays some
> bill or is transferred to another asset account.


George's story - watching my Ameritrade account get phished out in 3 minutes
https://www.financialcryptography.com/mt/archives/000515.html

Seems like a hopeful categorisation!

iang



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-05 Thread Eugen Leitl
On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:

> | To start the ball rolling, I have not and won't.
> Until a couple of months ago, I avoided doing anything of this sort at all.
> Simple reasoning:  If I know I never do any financial stuff on-line, I can
> safely delete any message from a bank or other financial institution.

I've been using online banking for many years, both US and Germany. 
The German PIN/TAN system is reasonably secure,
being an effective one-time pad distributed through out of band channel
(mailed dead tree in a tamperproof envelope). It is of course not immune
to phishing (PIN/TAN harvesting), which has become quite rampant recently.

I'm about to setup HBCI with my business account (both GnuCash and
openhbci/aqbanking from the command line), which can in principle cooperate
with a smartcard. It is a major pain to set up, however, especially on an
unsupported platform.

I do have a HBCI smartcard setup with my private account but don't use it
since it's locked in a proprietary software jail.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-05 Thread Kerry Thompson
[EMAIL PROTECTED] said:
>
> You know, I'd wonder how many people on this
> list use or have used online banking.
>
> To start the ball rolling, I have not and won't.

I do. Although, only from PCs that I trust such as my linux box at home.
And I keep a close watch on my bank statements.

All things considered, it's safer than posting cheques or distributing your
credit card number around.


-- 
Kerry Thompson
http://www.crypt.gen.nz





Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-04 Thread leichter_jerrold
| You know, I'd wonder how many people on this
| list use or have used online banking.  
| 
| To start the ball rolling, I have not and won't.
Until a couple of months ago, I avoided doing anything of this sort at all.
Simple reasoning:  If I know I never do any financial stuff on-line, I can
safely delete any message from a bank or other financial institution.

Now, I pay some large bills - mortgage, credit cards - on line.  I just got
tired of the ever-increasing penalties for being even a day late in paying -
coupled with ever-more-unpredictable post office delivery times.  (Then again,
who can really say when the letter arrived at the credit card company?  You
have to accept their word for it, and they have every incentive to err in
their own favor.)

I have consistently refused on-line delivery of statements, automated paying,
or anything of that sort.  I cannot at this point foresee a world in which I
would trust these systems enough to willingly move in that direction.  (It
doesn't help that, for example, one credit-card site I use - AT&T Universal -
sends an "invalid" certificate.  AT&T Universal has its own URL, but they are
owned by Citibank, so use the citibank.com certificate)

Of course, increasingly one has little choice.  My employer doesn't provide an
option:  Pay "stubs" are on-line only.  Reimbursement reports likewise.

There are increasing hints of various "benefits" if you use the on-line
systems for banking and credit cards and such.  The next step - it won't
be long - will be charges for using the old paper systems.  How many people 
here still ask for paper airline tickets?  (I gave up on this one)

-- Jerry




Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-04 Thread Ian G

[EMAIL PROTECTED] wrote:
> You know, I'd wonder how many people on this
> list use or have used online banking.
>
> To start the ball rolling, I have not and won't.

I have not!  I declined the chance when my
bank told me that I had to download their
special client that only runs on windows...

However, I have used and/or written many
online DGC tools (which is for the sake of
this discussion, gold-denominated online
payments) which are honed through experience,
incentive and willingness to deal with the
issues.

( As an aside, e-gold was generally the first
to be hit by these problems as well as all the
other problems that have only affected banks
in passing.  Generally the DGC sector is much
more savvy about threats, through repetitive
losses, at least. )

iang



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-04 Thread Nicholas Bohm
[EMAIL PROTECTED] wrote:
> You know, I'd wonder how many people on this
> list use or have used online banking.  
> 
> To start the ball rolling, I have not and won't.
> 
> --dan

I do.

My bank provides an RSA SecurID, so I feel reasonably safe against
anyone other than the bank.  I have no basis for knowing how good the
bank's precautions against insider fraud are, but they phone back to
confirm unusual instructions, and they ask for only fragments of
passwords when they do, so there is evidence that they make sensible
efforts to do the right thing.

I have been a good customer for more than 30 years, it's a highly
respectable specialist bank, I am a lawyer, and if I find a fake
transaction on my account I believe I stand a good chance of fighting
it.  I know who to hire as an expert to investigate the bank's system
when I have put it in issue in litigation.  The aggregate of my balance
and my credit limit is an amount I can afford to lose.

In this context the convenience of online banking is enough to justify
the risk.

Nicholas Bohm
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone   01279 871272(+44 1279 871272)
Fax  020 7788 2198   (+44 20 7788 2198)
Mobile  07715 419728(+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF




Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-04 Thread mis
dan, maybe you should just keep less money in the bank.

i use online banking and financial services of almost every kind
(except bill presentment, because i like paper bills).  i cannot do
without it.

it seems to me the question is how much liability do i expose myself to by
doing this, in return for what savings and convenience.  

i don't keep a lot of money in banks (why would anyone?)  -- most of
the assets are in (e.g.)  brokerage accounts.  at most  i'm exposing
a month of payroll check to an attacker briefly until it pays some
bill or is transferred to another asset account.  

(the lack of payment planning tools is my biggest beef with bill
paying systems... it's so stupid that they don't show you the future
running balances based on already arranged scheduled payments and
regular withdrawals).

i have a slightly too elaborate drip-feed system set up, with direct
deposit of the paycheck into an account which pays (as scheduled
payments) my fixed bills automatically every month and makes minimum
credit card payments too, so i don't often pay nuisance fees.  (my
utilities have been switched to "average payment" plans, or more
recently to bill to credit cards so they fit into this plan).

i haven't written more than a few paper checks in years.  i just add the
payee to the online system and have the bank do it.  the online system
has paid around 200 bills so far this year. 

so i save on time, on postage, on the float (since the banks do ach
transfers to the larger payees which often post in 2-3 days), on
nuisance and finance charges, and on the phone, complaining about
problems posting paper checks.

i would notice a fraudulent transfer on my online banking long before
i would notice a fraudulent paper check written against the same account.

not only do i use online banking, i use aggregation systems which scrape
screens for most of my accounts and display recent transactions,
current balances, etc.  

i think i've tried almost all of these.
fidelity's "full view" seems among the best of the group (they use
yodlee for the scraping but manage their own password store).
(while dan is surveying, i'll ask if anyone is using gnucash for this).

i find this extremely helpful in managing diversification across
several accounts, and in noticing such details such as both sides of
payments or transfers between institutions or charges on infrequently
used credit card accounts.

an interesting question regarding aggregation was whether i should let
them use the information they scraped to decide what to offer me.  (so
far they haven't offered me a free toaster to entice me to move assets
to them.  according to an informant, they don't use the information
for poaching.)

On Fri, Dec 02, 2005 at 11:05:29PM -0500, [EMAIL PROTECTED] wrote:
> 
> You know, I'd wonder how many people on this
> list use or have used online banking.  
> 
> To start the ball rolling, I have not and won't.
> 
> --dan
> 
> 
> Cryptography is nothing more than a mathematical framework for
> discussing the implications of various paranoid delusions.
> -- Don Alvarez 
> 


Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-04 Thread R. A. Hettinga
At 2:29 PM -0800 12/3/05, John Gilmore wrote:
>> ...how many people on this list use or have used online banking?
>> To start the ball rolling, I have not and won't.
>
>Dan, that makes two of us.

The only thing I ever use it for is to make sure the wires are in before I
spend money. :-)

Cheers,
RAH
Still living at the bottom of the bathtub curve...
-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-03 Thread Paul Hoffman

At 11:05 PM -0500 12/2/05, [EMAIL PROTECTED] wrote:
> You know, I'd wonder how many people on this
> list use or have used online banking.
>
> To start the ball rolling, I have not and won't.

I have, and it's nice for making Quicken data entry faster, but
that's about all. The rest gives me the willies when I see the
security clue of the folks running the site.

FWIW, I have never had a problem changing my password to something
very long and all-alphabetic, even if I don't include "at least one
capital letter and one digit" or whatever the CYA rules for passwords
are these days.


--Paul Hoffman, Director
--VPN Consortium



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-03 Thread John Gilmore
> ...how many people on this list use or have used online banking?
> To start the ball rolling, I have not and won't.

Dan, that makes two of us.

John



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-03 Thread Greg Black
On 2005-12-02, [EMAIL PROTECTED] wrote:

> You know, I'd wonder how many people on this
> list use or have used online banking.  
> 
> To start the ball rolling, I have not and won't.

I've been using it for me and my wife with 3 banks since they
first offered it; I use it every week to pay all our bills and
would not be without it.  The benefits I have gained from not
having to waste time doing things the old way have proved to be
substantial and I get to notice and resolve the occasional error
(always in the form of fraudulent debits to credit cards) much
faster than in the old days when I had to wait for the monthly
statements.

It's probably not related to my use of online banking, but it
has also been noticeable that fraudulent debits to our credit
cards have dropped from about 5 per card per year five years ago
to one such debit to the 6 cards we use in the past two years.

I detest banks and have had many battles with them over various
issues over the years, but I remain confident that my careful
practices, meticulous record keeping and careful management of
passwords will continue to give me the edge in any dispute with
them.  And the cost to me of any such disputes seems unlikely to
be anything like the benefits I have gained from online banking.

Greg



Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-03 Thread dan

You know, I'd wonder how many people on this
list use or have used online banking.  

To start the ball rolling, I have not and won't.

--dan


Cryptography is nothing more than a mathematical framework for
discussing the implications of various paranoid delusions.
-- Don Alvarez 
