[19138] in cryptography@c2.net mail archive
Re: [Clips] Banks Seek Better Online-Security Tools
daemon@ATHENA.MIT.EDU (Janusz A. Urbanowicz)
Wed Dec 7 10:17:00 2005
X-Original-To: cryptography@metzdowd.com
Date: Wed, 7 Dec 2005 13:48:35 +0100
From: "Janusz A. Urbanowicz" <alex@bofh.net.pl>
Cc: cryptography@metzdowd.com
In-Reply-To: <20051203040529.1ABF71BF9EC@absinthe.tinho.net>
On Fri, Dec 02, 2005 at 11:05:29PM -0500, dan@geer.org wrote:
>
> You know, I'd wonder how many people on this
> list use or have used online banking.
>
> To start the ball rolling, I have not and won't.
This is from a European perspective: I do and couldn't do without it now. Most
of my obligations, from rent through auctions, to lending a friend a local
equivalent of 20 bucks are paid with bank transfers.
But I believe online banking works in a slightly different way than in the US.
Of the online banking systems I've seen, almost all banks use two-factor auth in
some way (except the Polish branch of Citibank and a bank that uses a very broken
and complicated scheme where the stored client RSA keypair is sent to his
browser ActiveX when the client logs in with user/pass). Most common are lists
of one-time passwords delivered securely, or hardware tokens, RSA SecurID or
Vasco Digipass DP100 with challenge-response mode used to verify
transactions. In those banks, if you have the login name and pass, you can only
do non-balance-changing operations on an account without the something-you-
have part; and you cannot change personal info without some form of out-of-
band authentication (to change the registered address the user needs to send a form
with an attached copy of the national ID card; to confirm that or to reset a lost
password the bank calls the user's preregistered phone number).
I can say I HAVE a secure link to one of the nation's traffic exchange
points (unintended job benefit), and I run my own DNS servers, so MITM
probability is reduced. I do not log in from machines I don't trust and own
(with one exception on own) or using networks I don't trust. Bank
statements come on paper or in S/MIME signed emails. I do not log in using
links provided in HTML emails.
Am I secure? I consider the risk of fraud using online banking to be less
than the one of paying with a VISA in a restaurant or a taxi.
Alex
--
mors ab alto
0x46399138
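The authorization model Alex describes (password alone permits only non-balance-changing operations; a balance-changing transaction must be confirmed with a challenge-response token whose challenge is bound to the transaction) can be sketched in code. The following is an added illustration, not code from the post or from any bank or token vendor; the HMAC-based response, the 8-digit challenge, the digit truncation and the shared secret are all assumptions made here for the example, and real Digipass/SecurID algorithms differ.

```python
import hashlib
import hmac

# Constructed example: a secret shared between the bank and one customer's
# challenge-response token (hypothetical value, not from any real deployment).
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

# Operations the password alone may perform versus those needing the token.
READ_ONLY = {"view_balance", "view_statement"}
BALANCE_CHANGING = {"transfer", "standing_order"}


def transaction_challenge(operation, account_to, amount_cents):
    """Bank side: derive the challenge from the transaction details, so a
    response captured for one transfer does not authorize a different one
    (different payee or amount -> different challenge)."""
    canonical = f"{operation}|{account_to}|{amount_cents}".encode()
    digest = hashlib.sha256(canonical).digest()
    # Eight decimal digits, short enough for the customer to type into a token.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def token_response(secret, challenge):
    """Token side: MAC the typed-in challenge with the shared secret and show
    six digits; the secret never leaves the device."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def authorize(password_ok, operation, account_to=None, amount_cents=0,
              response=None, secret=TOKEN_SECRET):
    """Bank side policy: password gates everything, the token gates money
    movement. Returns True only when the request may proceed."""
    if not password_ok:
        return False
    if operation in READ_ONLY:
        return True
    if operation not in BALANCE_CHANGING:
        return False            # unknown operation: deny by default
    if response is None:
        return False            # second factor missing
    expected = token_response(
        secret, transaction_challenge(operation, account_to, amount_cents))
    # Constant-time comparison avoids leaking how many digits matched.
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Walk through one transfer the way the customer would see it.
    challenge = transaction_challenge("transfer", "ACCT-0001", 2000)
    print("bank shows challenge:", challenge)
    resp = token_response(TOKEN_SECRET, challenge)
    print("token answers:", resp)
    print("authorized:", authorize(True, "transfer", "ACCT-0001", 2000, resp))
    print("same response, different amount:",
          authorize(True, "transfer", "ACCT-0001", 200000, resp))
```

The design point is the binding in `transaction_challenge`: because the challenge encodes payee and amount, a phished password gives an attacker read access at most, and a response phished for one transaction is useless for another. The same structure covers the one-time-password lists Alex mentions if `token_response` is replaced by a lookup of the next unused list entry, though plain OTP lists lack the per-transaction binding.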
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com