[19142] in cryptography@c2.net mail archive
Re: [Clips] Banks Seek Better Online-Security Tools
daemon@ATHENA.MIT.EDU (Janusz A. Urbanowicz)
Wed Dec 7 13:21:53 2005
X-Original-To: cryptography@metzdowd.com
Date: Wed, 7 Dec 2005 17:21:15 +0100
From: "Janusz A. Urbanowicz" <alex@bofh.net.pl>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: cryptography@metzdowd.com
In-Reply-To: <20051207153152.3DC323BFDB8@berkshire.machshav.com>
On Wed, Dec 07, 2005 at 10:31:52AM -0500, Steven M. Bellovin wrote:
> In message <20051207124835.GH27159@syjon.fantastyka.net>, "Janusz A. Urbanowicz" writes:
> >
> >Bank statements come on paper or in S/MIME signed emails.
>
> This is interesting -- the bank is using S/MIME? What mail readers are
> common among its clientele? How is the bank's certificate checked?

From my observation, the most popular standalone MUA here is Outlook
Express, with Mozilla/Thunderbird being a distant second place. Those do
support S/MIME, and the signature is verified properly.
The average internet/internet banking user is more likely to use some web-based
MUA on a commercial portal, which in general do not support cryptographic
signatures of any kind.
The signature is issued using a key certified by the Verisign Class 1 cacert, so
it verifies on Windows machines and in Mozilla-based software with a recent CA
certs bundle.
I have attached signature binary stripped from one statement to this
message, in case someone wants to analyze it.
I do not have any hard data on MUA usage among bank clientele; my wild guess
is that 1/3 of the users use one of the above programs, 2/3 use
portal services. The signatures were introduced some time after the bank
went into service, so there was some problem to be solved with it.
This is an internet-only bank with no physical branches around the country; all
communication with the bank is done via internet, phone and messenger
services.
What I do not understand is that the bank in question started
turing-encoding the requested code number when asking for a one-time code to
authenticate the transaction.
Alex
-- 
0x46399138
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com